CVE-2022-28664: Memory Corruption Vulnerability in FreshTomato's HTTPD Unescape Functionality - Exploit Details and Analysis

A memory corruption vulnerability (CVE-2022-28664) has been discovered in the httpd unescape functionality of the open-source firmware project, FreshTomato, version 2022.1. A carefully crafted HTTP request can trigger this vulnerability, leading to memory corruption. This discovery has significant security implications for devices running vulnerable versions of the firmware. In this post, we will examine the exploit in detail, including code snippets, links to original references, and a description of the exploit.

Background

FreshTomato is a project aimed at providing an alternative to the stock firmware of various routers, offering more features and better stability. However, like any software, vulnerabilities can still be discovered, and CVE-2022-28664 is a prime example of this. The vulnerability is present in freshtomato-mips, a specific build of the project designed for MIPS-based devices. The affected module can be found within the firmware's URL decoding feature, which is part of the httpd unescape functionality.

Exploit Details

The memory corruption vulnerability is triggered by a specially crafted HTTP request targeting the httpd unescape functionality of FreshTomato.

The vulnerability exists in the following code snippet

void inbuf[256];
int i = ;
int j = ;

while (inbuf[i] != '\') {
    if (inbuf[i] == '%') {
        inbuf[j++] = (char) unescape(&inbuf[i + 1]);
        i += 3;
    } else {
        inbuf[j++] = inbuf[i++];
    }
}

The root of the problem lies in how the unescape() function is called. When calling unescape(), the &inbuf[i + 1] parameter provides an address to two characters representing a URL-encoded character. However, if the '%' character appears at the end of the string, it would lead to two NULL bytes being read by unescape() and cause an out-of-bounds write, resulting in memory corruption.

To exploit this vulnerability, an attacker can send a maliciously crafted network request to a device running FreshTomato 2022.1. By manipulating the input in a specific way, the attacker can cause memory corruption and potentially gain unauthorized access to the system or even execute arbitrary code.

Mitigation

As of now, FreshTomato has not released an official fix for this vulnerability. However, users are advised to be cautious when using their devices and apply any available updates as soon as possible. Access to the device's web-based administration interface should be restricted to trusted networks only, and strong authentication credentials should be used.

For more information on this vulnerability, you can refer to the following source

- CVE-2022-28664

Conclusion

This post has provided an in-depth analysis of the memory corruption vulnerability found within the httpd unescape functionality of FreshTomato 2022.1 (CVE-2022-28664). As demonstrated, a maliciously crafted HTTP request can trigger this vulnerability, potentially leading to unauthorized system access or arbitrary code execution. Users are encouraged to be cautious when using vulnerable versions of the firmware and should apply any updates as they become available.

Timeline

Published on: 08/05/2022 22:15:00 UTC
Last modified on: 08/09/2022 19:28:00 UTC