--[ HNS-2024-05 - HN Security Advisory - https://security.humanativaspa.it/
* Title: Multiple vulnerabilities in RT-Thread RTOS
* OS: RT-Thread <= 5.0.2
* Author: Marco Ivaldi <marco.ivaldi@hnsecurity.it>
* Date: 2024-03-05
* CVE IDs and advisory URLs:
* CVE-2024-24334 - https://github.com/RT-Thread/rt-thread/issues/8282
* CVE-2024-24335 - https://github.com/RT-Thread/rt-thread/issues/8271
* CVE-2024-25388 - https://github.com/RT-Thread/rt-thread/issues/8285
* CVE-2024-25389 - https://github.com/RT-Thread/rt-thread/issues/8283
* CVE-2024-25390 - https://github.com/RT-Thread/rt-thread/issues/8286
* CVE-2024-25391 - https://github.com/RT-Thread/rt-thread/issues/8287
* CVE-2024-25392 - https://github.com/RT-Thread/rt-thread/issues/8290
* CVE-2024-25393 - https://github.com/RT-Thread/rt-thread/issues/8288
* CVE-2024-25394 - https://github.com/RT-Thread/rt-thread/issues/8291
* CVE-2024-25395 - https://github.com/RT-Thread/rt-thread/issues/8289
* https://github.com/RT-Thread/rt-thread/issues/8292
* Vendor URL: https://www.rt-thread.io/
--[ 0 - Table of contents
1 - Summary
2 - Background
3 - Vulnerabilities
3.1 - CVE-2024-24335 - Buffer overflow in RT-Thread dfs_v2 romfs filesystem
3.2 - CVE-2024-24334 - Heap buffer overflows in RT-Thread dfs_v2 dfs_file
3.3 - CVE-2024-25389 - Weak random source in RT-Thread rt_random driver
3.4 - CVE-2024-25388 - Heap buffer overflow in RT-Thread wlan driver
3.5 - CVE-2024-25390 - Heap buffer overflows in RT-Thread finsh
3.6 - CVE-2024-25391 - Stack buffer overflow in RT-Thread IPC
3.7 - CVE-2024-25393 - Stack buffer overflow in RT-Thread AT server
3.8 - CVE-2024-25395 - Static buffer overflow in RT-Thread rt-link utility
3.9 - CVE-2024-25392 - Out-of-bounds static array access in RT-Thread var_export utility
3.10 - CVE-2024-25394 - Multiple vulnerabilities in RT-Thread ymodem utility
3.11 - Use of outdated lwIP and TinyDir dependencies in RT-Thread
4 - Affected products
5 - Remediation
6 - Disclosure timeline
7 - Acknowledgments
8 - References
--[ 1 - Summary
"Security is in the mind of the programmer and in the mind of the designer.
Not so much in the code."
-- Alisa Esage
RT-Thread [1] is an open-source, community-based real-time operating system
(RTOS). RT-Thread can be used in sensing nodes, wireless connection chips,
and many other resource-constrained scenarios. It is also widely applied in
gateways, IPC, smart speakers, and other high-performance IoT applications.
We reviewed RT-Thread's source code hosted on GitHub [2] and identified
multiple security vulnerabilities that may cause memory corruption and
security feature bypass. Their impacts range from denial of service to
potential arbitrary code execution.
We also audited the lwIP [3] and TinyDir [4] codebases on which some
RT-Thread functionalities depend, and found some additional vulnerabilities
that were subsequently fixed by the respective maintainers.
--[ 2 - Background
After our recent vulnerability disclosures [5] in the IoT space, we decided
to keep assisting open-source projects in finding and fixing security
vulnerabilities by reviewing their source code. RT-Thread was selected as a
target of interest. Other RTOSes will be featured in future advisories and
writeups.
During this review, we made use of our Semgrep C/C++ ruleset [6] to
identify hotspots in code on which to focus our attention. We also took
advantage of this opportunity to improve and update the ruleset [7].
--[ 3 - Vulnerabilities
The vulnerabilities resulting from our source code review are briefly
described in the following sections.
--[ 3.1 - CVE-2024-24335 - Buffer overflow in RT-Thread dfs_v2 romfs filesystem
We spotted a buffer overflow vulnerability at the following location in the
RT-Thread dfs_v2 romfs filesystem source code:
* /components/dfs/dfs_v2/filesystems/romfs/dfs_romfs.c
A missing length check in the `dfs_romfs_getdents()` function could lead to a
buffer overflow at the marked line:
```c
static int dfs_romfs_getdents(struct dfs_file *file, struct dirent *dirp, uint32_t count)
{
    rt_size_t index;
    const char *name;
    struct dirent *d;
    struct romfs_dirent *dirent, *sub_dirent;

    dirent = (struct romfs_dirent *)file->vnode->data;
    if (check_dirent(dirent) != 0)
    {
        return -EIO;
    }
    RT_ASSERT(dirent->type == ROMFS_DIRENT_DIR);

    /* enter directory */
    dirent = (struct romfs_dirent *)dirent->data;

    /* make integer count */
    count = (count / sizeof(struct dirent));
    if (count == 0)
    {
        return -EINVAL;
    }

    index = 0;
    for (index = 0; index < count && file->fpos < file->vnode->size; index++)
    {
        d = dirp + index;

        sub_dirent = &dirent[file->fpos];
        name = sub_dirent->name;

        /* fill dirent */
        if (sub_dirent->type == ROMFS_DIRENT_DIR)
            d->d_type = DT_DIR;
        else
            d->d_type = DT_REG;

        d->d_namlen = rt_strlen(name);
        d->d_reclen = (rt_uint16_t)sizeof(struct dirent);
        rt_strncpy(d->d_name, name, rt_strlen(name) + 1); /* VULN: buffer overflow if rt_strlen(name) is larger than sizeof(d->d_name) due to missing length check */

        /* move to next position */
        ++ file->fpos;
    }

    return index * sizeof(struct dirent);
}
```
Note: dfs_v1 romfs in /components/dfs/dfs_v1/filesystems/romfs/dfs_romfs.c
is not affected, because the string copy operation is implemented
differently:
```c
len = rt_strlen(name);
RT_ASSERT(len <= RT_UINT8_MAX);
d->d_namlen = (rt_uint8_t)len;
d->d_reclen = (rt_uint16_t)sizeof(struct dirent);
rt_strncpy(d->d_name, name, DFS_PATH_MAX);
```
Even if the assertion is compiled out in production code, `len` is not used
for the copy operation anyway. Therefore, unless `DFS_PATH_MAX` is larger
than `sizeof(d->d_name)`, this code should be safe.
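The two variants above differ only in where the copy bound comes from: dfs_v2 takes it from the source string, dfs_v1 from a constant that happens to match the destination. The following added example (written for this advisory, not RT-Thread's own code) shows the destination-bounded fix for the marked `rt_strncpy()` call and pins the dfs_v1 assumption that the bound equals `sizeof(d_name)` at compile time. `struct ex_dirent`, `EX_NAME_MAX`, `fill_dirent_name()` and `getdents_ex()` are constructed stand-ins for RT-Thread's `struct dirent` and `dfs_romfs_getdents()` loop; the name table is constructed sample input.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for RT-Thread's struct dirent (assumption: only the
 * fields the getdents loop touches, with a deliberately small d_name so the
 * bound is easy to reason about). */
#define EX_NAME_MAX 16

struct ex_dirent {
    uint8_t  d_type;
    uint8_t  d_namlen;
    uint16_t d_reclen;
    char     d_name[EX_NAME_MAX];
};

/* The dfs_v1 copy is only safe while its bound equals the destination size.
 * Pin that relationship so a later header change cannot silently reopen it. */
_Static_assert(EX_NAME_MAX == sizeof(((struct ex_dirent *)0)->d_name),
               "copy bound must equal sizeof(d_name)");

/* Hardened replacement for the marked rt_strncpy(): the bound comes from the
 * DESTINATION, and a name that does not fit together with its NUL terminator
 * is rejected instead of being written past the end of d_name.
 * Returns 0 on success, -1 if the name is too long. */
int fill_dirent_name(struct ex_dirent *d, const char *name)
{
    /* Look for the terminator only inside the destination-sized window, so an
     * unterminated or over-long name is never scanned past the bound. */
    const char *nul = memchr(name, '\0', sizeof(d->d_name));
    if (nul == NULL)
        return -1;                                   /* no room for name + NUL */

    size_t len = (size_t)(nul - name);
    memcpy(d->d_name, name, len + 1);                /* copies the terminator too */
    d->d_namlen = (uint8_t)len;
    d->d_reclen = (uint16_t)sizeof(*d);
    return 0;
}

/* Mirror of the dfs_romfs_getdents() loop over a constructed name table:
 * `count` is the caller's buffer size in bytes, `fpos` the directory cursor.
 * Returns the number of bytes filled, or -1 when the buffer is too small or
 * an entry name would not fit (refuse rather than overflow or truncate). */
int getdents_ex(const char *const *names, size_t nnames, size_t *fpos,
                struct ex_dirent *dirp, uint32_t count)
{
    uint32_t index;

    count /= sizeof(struct ex_dirent);               /* whole entries only */
    if (count == 0)
        return -1;

    for (index = 0; index < count && *fpos < nnames; index++) {
        struct ex_dirent *d = dirp + index;
        d->d_type = 0;                               /* DT_REG stand-in */
        if (fill_dirent_name(d, names[*fpos]) != 0)
            return -1;                               /* bad entry: stop, do not overflow */
        ++*fpos;
    }
    return (int)(index * sizeof(struct ex_dirent));
}
```

Rejecting an over-long name is one reasonable policy; truncating it to `sizeof(d->d_name) - 1` bytes is the other, but then two distinct long names can collapse into the same listing entry, so whichever is chosen should be documented at the call site.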
Fixes:
https://github.com/RT-Thread/rt-thread/pull/8278
See also:
https://github.com/RT-Thread/rt-thread/issues/8271
--[ 3.2 - CVE-2024-24334 - Heap buffer overflows in RT-Thread dfs_v2 dfs_file
We spotted some heap buffer overflow vulnerabilities at the following
location in the RT-Thread dfs_v2 dfs_file source code:
* /components/dfs/dfs_v2/src/dfs_file.c
A missing length check in the `dfs_nolink_path()` function could lead to
heap buffer overflows at the marked lines:
```c
static char *dfs_nolink_path(struct dfs_mnt **mnt, char *fullpath, int mode)
{
    int index = 0;
    char *path = RT_NULL;
    char link_fn[DFS_PATH_MAX] = {0};
    struct dfs_dentry *dentry = RT_NULL;

    path = (char *)rt_malloc((DFS_PATH_MAX * 2) + 1); // path + syslink +
    if (!path)
    {
        return path;
    }

    if (*mnt && fullpath)
    {
        int i = 0;
        char *fp = fullpath;

        while (*fp != '
```