Contiki MQTT and XSS
[Suggested description]
An issue was discovered in Contiki Operating System 3.0.
Use-after-free vulnerability in httpd-simple.c in the cc26xx-web-demo httpd: upon a connection
close event, the http_state structure was not deallocated properly,
resulting in a null pointer dereference in the output processing
function. This resulted in a board crash, which can be used to perform
a denial of service.
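The description above concerns per-connection state that outlives the connection it belonged to, so the output path later dereferences a pointer that is no longer valid. The block below is an added example written for this page, not code from Contiki or from httpd-simple.c, showing a defensive pattern for a constrained-device server: a fixed pool of connection state slots, a close path that clears the caller's handle, and an output path that validates its handle (non-NULL, still open, and issued for the current use of the slot) before touching the state. All names (`http_state`, `conn_handle`, `conn_open`, `conn_close`, `conn_output`) are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example (hypothetical names, not Contiki code): a fixed pool of
 * per-connection state with a close path that leaves no dangling handle
 * and an output path that refuses stale or closed handles. */

#define CONN_POOL_SIZE 4

enum conn_status { CONN_FREE = 0, CONN_OPEN };

struct http_state {
  enum conn_status status;
  uint32_t generation;   /* incremented each time this slot is (re)used */
  char outbuf[64];
  size_t outlen;
};

/* A handle pairs the slot pointer with the generation it was issued for, so a
 * handle kept past close is detected even after the slot has been reused. */
struct conn_handle {
  struct http_state *s;
  uint32_t generation;
};

static struct http_state pool[CONN_POOL_SIZE];

/* Allocate a free slot; returns a handle with s == NULL if the pool is full. */
struct conn_handle conn_open(void) {
  struct conn_handle h = { NULL, 0 };
  for (size_t i = 0; i < CONN_POOL_SIZE; i++) {
    if (pool[i].status == CONN_FREE) {
      uint32_t gen = pool[i].generation + 1;
      memset(&pool[i], 0, sizeof pool[i]);
      pool[i].status = CONN_OPEN;
      pool[i].generation = gen;
      h.s = &pool[i];
      h.generation = gen;
      return h;
    }
  }
  return h;
}

/* Non-NULL, still open, and issued for the current use of the slot. */
static int conn_valid(const struct conn_handle *h) {
  return h->s != NULL && h->s->status == CONN_OPEN &&
         h->s->generation == h->generation;
}

/* Release the slot and clear the caller's handle so it cannot be reused.
 * The generation counter is kept so any copied handle mismatches later. */
int conn_close(struct conn_handle *h) {
  if (!conn_valid(h)) return -1;
  memset(h->s->outbuf, 0, sizeof h->s->outbuf);
  h->s->outlen = 0;
  h->s->status = CONN_FREE;
  h->s = NULL;
  return 0;
}

/* Queue output for a connection. Returns the queued length, -1 for a stale
 * or closed handle, -2 if the message would not fit the output buffer. */
int conn_output(const struct conn_handle *h, const char *msg) {
  if (!conn_valid(h)) return -1;
  size_t n = strlen(msg);
  if (n >= sizeof h->s->outbuf - h->s->outlen) return -2;
  memcpy(h->s->outbuf + h->s->outlen, msg, n);
  h->s->outlen += n;
  return (int)h->s->outlen;
}
```

The generation check is what turns a would-be crash into a rejected call: after `conn_close` the original handle is NULL, and a copy of it made before close still fails validation once the slot has been handed to a new connection.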
------------------------------------------
[Additional Information]
Reported to and acknowledged by one of the Contiki maintainers.
------------------------------------------
[VulnerabilityType Other]
Denial of service
------------------------------------------
[Vendor of Product]
Contiki
------------------------------------------
[Affected Product Code Base]
Contiki Operating System - 3.0
------------------------------------------
[Affected Component]
cc26xx-web-demo httpd
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Denial of Service]
true
------------------------------------------
[Attack Vectors]
Sending a POST request via Firefox Web Browser.
------------------------------------------
[Reference]
https://github.com/contiki-os/contiki/blob/master/examples/cc26xx/cc26xx-web-demo/httpd-simple.c
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Alex Stanoev, Alex Pop [University of Bristol], Jack McBride, Arthur Taggart [University of Kent]
Use CVE-2017-7295.
------------------------------------------
[Suggested description]
An issue was discovered in Contiki Operating System 3.0.
A persistent XSS vulnerability is present in the MQTT/IBM Cloud Config page (aka mqtt.html) of
cc26xx-web-demo.
The cc26xx-web-demo features a webserver that runs on a constrained
device. That particular page allows a user to remotely configure the
device's operation by sending HTTP POST requests. The vulnerability
consists of improper input sanitisation of the text fields on the
MQTT/IBM Cloud config page, allowing for JavaScript code injection.
------------------------------------------
[Additional Information]
Reported to and acknowledged by one of the Contiki maintainers.
See video:
https://www.youtube.com/watch?v=9vphsNolRJA&feature=youtu.be
------------------------------------------
[Vulnerability Type]
Cross Site Scripting (XSS)
------------------------------------------
[Vendor of Product]
Contiki
------------------------------------------
[Affected Product Code Base]
Contiki Operating System - 3.0
------------------------------------------
[Affected Component]
cc26xx-web-demo example
/mqtt.html
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[CVE Impact Other]
persistent cross site scripting
------------------------------------------
[Attack Vectors]
Insert specially crafted string into any text field on /mqtt.html
MQTT/IBM Cloud Config page. e.g. "<scriptalert(1)</script<!--"
------------------------------------------
[Reference]
https://github.com/contiki-os/contiki/blob/master/examples/cc26xx/cc26xx-web-demo/mqtt-client.c#L177
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Alex Stanoev, Alex Pop [University of Bristol], Jack McBride, Arthur Taggart [University of Kent]
Use CVE-2017-7296.