Exploiting a remote heap overflow with a custom TCP stack

We discussed this vulnerability during Episode 190 on 21 February 2023

A hard to reach bug condition leading to a buffer overflow in Western Digital’s MyCloudHome, a consumer-grade NAS.

The core of the bug is rather straight-forward. When the handler receives an unknown command identifier it will end up calling dsi_writeinit Which takes in a buffer pointer and size. It writes any already buffered data from the look-ahead buffer into the given buffer and clears the look-ahead buffer. The problem is that despite taking in the buflen parameter, it doesn’t actually check the size before copying. So its possible to overflow the target buffer.

The challenge in exploiting this is that the look-ahead buffer will only read 8KB of data at a time, and the buffer to be overflowed is 64KB. This is an edge case though where more data will be read in. During a period of congestion when a write to the socket fails, it’ll try and peek the incoming buffer, reading in any pending data in hopes that it will clear the write-block. At this point it’ll read in more data, allowing for the look-ahead buffer to have enough content to overflow the target. The challenge is that to exploit the issue they need to fake congestion at the TCP level to block further writes, this where the custom TCP stack comes in (using Scapy, and an iptables rule).

Exploitation

Once they had the overflow they were in a pretty nice exploit situation. The overflow was controlled in terms of data being written and in terms of how far it would overflow. The target buffer also existed in the middle of a struct with other sensitive information following the buffer in memory.

To create an information disclosure there was a datalen value that could be overflowed, making it much larger. Then abusing the command replay cache when they cause the request to be replayed by making the same request back to back it would send back the data buffer, but with a corrupted length it would send back far more data.Aproximately 80% of the time they could leak a data structure containing pointers useful to break ASLR. In the failure case however it would mean the needed data couldn’t be leaked without the entire service being restarted.

With an information leak, the same structure had the input buffer pointers that could be corrupted granting the ability to write attacker controlled data to any location in member, they could also corrupt another size value to control how much data they wrote to the buffer.

With this arbitrary write ability and the information leak from earlier they replaced a function pointer for a command handler to execute the afprun function which is basically a built-in win() function like a CTF. It can run commands and even takes in a flag as to whether it should execute them as root.

Definitely a nice primitive chain for this exploit, pretty fortunate area for the overflow to happen (atleast fortunate for the attacker). It provided some great primitives and what should be a fairly stable exploit (granted the limits information disclosure). It was great to see Scapy used as part of the exploitation too, its a cool tool.