Created
May 27, 2017 20:53
Contiki MQTT and XSS
[Suggested description]
An issue was discovered in Contiki Operating System 3.0.
Use-after-free vulnerability in httpd-simple.c in cc26xx-web-demo httpd, where upon a connection
close event, the http_state structure was not deallocated properly,
resulting in a null pointer dereference in the output processing
function. This resulted in a board crash, which can be used to perform
denial of service.
------------------------------------------
[Additional Information]
Reported to and acknowledged by one of the Contiki maintainers.
------------------------------------------
[VulnerabilityType Other]
Denial of service
------------------------------------------
[Vendor of Product]
Contiki
------------------------------------------
[Affected Product Code Base]
Contiki Operating System - 3.0
------------------------------------------
[Affected Component]
cc26xx-web-demo httpd
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Denial of Service]
true
------------------------------------------
[Attack Vectors]
Sending a POST request via Firefox Web Browser.
------------------------------------------
[Reference]
https://github.com/contiki-os/contiki/blob/master/examples/cc26xx/cc26xx-web-demo/httpd-simple.c
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Alex Stanoev, Alex Pop [University of Bristol], Jack McBride, Arthur Taggart [University of Kent]
Use CVE-2017-7295.

[Suggested description]
An issue was discovered in Contiki Operating System 3.0.
A Persistent XSS vulnerability is present in the MQTT/IBM Cloud Config page (aka mqtt.html) of
cc26xx-web-demo.
The cc26xx-web-demo features a webserver that runs on a constrained
device. That particular page allows a user to remotely configure that
device's operation by sending HTTP POST requests. The vulnerability
consists of improper input sanitisation on the text fields on the
MQTT/IBM Cloud config page, allowing for JavaScript code injection.
------------------------------------------
[Additional Information]
Reported to and acknowledged by one of the Contiki maintainers.
See video:
https://www.youtube.com/watch?v=9vphsNolRJA&feature=youtu.be
------------------------------------------
[Vulnerability Type]
Cross Site Scripting (XSS)
------------------------------------------
[Vendor of Product]
Contiki
------------------------------------------
[Affected Product Code Base]
Contiki Operating System - 3.0
------------------------------------------
[Affected Component]
cc26xx-web-demo example
/mqtt.html
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[CVE Impact Other]
persistent cross site scripting
------------------------------------------
[Attack Vectors]
Insert specially crafted string into any text field on /mqtt.html
MQTT/IBM Cloud Config page. e.g. "<script>alert(1)</script><!--"
------------------------------------------
[Reference]
https://github.com/contiki-os/contiki/blob/master/examples/cc26xx/cc26xx-web-demo/mqtt-client.c#L177
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Alex Stanoev, Alex Pop [University of Bristol], Jack McBride, Arthur Taggart [University of Kent]
Use CVE-2017-7296.
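The stored XSS above comes from writing the saved config field values back into the mqtt.html form without escaping. The following is an added example, not code from Contiki or from the advisory's authors, showing the verbatim pattern beside an output-escaping fix sized for a constrained device; the field length, the `org_id` name and the buffer sizes are constructed assumptions.

```c
/* Added example (not Contiki's own code): escape a stored MQTT/IBM Cloud config
 * field before echoing it into the generated mqtt.html form. The advisory's root
 * cause is that stored strings are written into the page verbatim. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CONFIG_FIELD_LEN  32                         /* constructed field limit */
#define ESCAPED_FIELD_LEN (CONFIG_FIELD_LEN * 6 + 1) /* worst case "&quot;" per char */

/* Escape the characters that break out of HTML text or attribute context.
 * Returns bytes written (without NUL), or -1 and an empty `out` when the
 * fully escaped string does not fit: never send a partially escaped value. */
int html_escape(const char *in, char *out, size_t out_len)
{
  size_t used = 0;
  for (; *in != '\0'; in++) {
    const char *rep = NULL;
    switch (*in) {
    case '<':  rep = "&lt;";   break;
    case '>':  rep = "&gt;";   break;
    case '&':  rep = "&amp;";  break;
    case '"':  rep = "&quot;"; break;
    case '\'': rep = "&#39;";  break;
    }
    size_t n = rep ? strlen(rep) : 1;
    if (used + n + 1 > out_len) { out[0] = '\0'; return -1; }
    if (rep) memcpy(out + used, rep, n); else out[used] = *in;
    used += n;
  }
  out[used] = '\0';
  return (int)used;
}

/* Vulnerable pattern the advisory describes: the field value goes in verbatim. */
int render_input_unsafe(const char *name, const char *value, char *out, size_t out_len)
{
  return snprintf(out, out_len, "<input name=\"%s\" value=\"%s\">", name, value);
}

/* Hardened pattern: escape first and refuse to render if escaping does not fit. */
int render_input_safe(const char *name, const char *value, char *out, size_t out_len)
{
  char esc[ESCAPED_FIELD_LEN];
  if (html_escape(value, esc, sizeof esc) < 0) return -1;
  return snprintf(out, out_len, "<input name=\"%s\" value=\"%s\">", name, esc);
}
```

Escaping at output time covers every field on the page regardless of how the value arrived, which is why it is preferred over filtering the POST body.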