Denial of Service vulnerability caused by improper exception handling while parsing of CoAP messages

Question

Denial of Service vulnerability caused by improper exception handling while parsing of CoAP messages

cve-reporting opened this issue 6 years ago · 1 comments

Multiple sample applications from CoAPthon library are vulnerable to Denial of Service attacks caused by maliciously crafted CoAP messages.
Method Serialize.deserialize() improperly handle multiple exception types leading to crash of applications (including standard CoAP server, CoAP client, CoAP reverse proxy, example collect CoAP server and client).

Example payloads and unhandled exceptions:

File: crash_000_UnicodeDecodeError.raw (attached)

Error message:
File "CoAPthon-master/coapthon/serializer.py", line 335, in convert_to_raw
return bytearray(value, "utf-8")
UnicodeDecodeError: 'ascii' codec can't decode byte 0xb9 in position 5: ordinal not in range(128)

File: crash_001_TypeError.raw

Error message:
File "CoAPthon-master/coapthon/messages/message.py", line 390, in add_option
raise TypeError("Option : %s is not repeatable", option.name)
TypeError: ('Option : %s is not repeatable', 'If-None-Match')

File: crash_002_UnboundLocalError.raw

Error message:
File "CoAPthon-master/coapthon/serializer.py", line 307, in read_option_value_len_from_byte
length = s.unpack_from(values[pos:])[0] + 269
UnboundLocalError: local variable 's' referenced before assignment

File: crash_003_OverflowError.raw

Error message:
File "CoAPthon-master/coapthon/serializer.py", line 339, in convert_to_raw
return bytearray(value)
OverflowError: cannot fit 'long' into an index-sized integer

File: crash_004_IndexError.raw

Error message:
File "CoAPthon-master/coapthon/serializer.py", line 304, in read_option_value_len_from_byte
length = struct.unpack("!B", values[pos])[0] + 13
IndexError: string index out of range

Proposed CVSS score:
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5 - High)

Mitigation:
All exception types should be handled in the main loop of CoAPthon applications (including standard CoAP server, CoAP client, CoAP reverse proxy, example collect CoAP server and client), to provide uninterruptible service.
CoAPthon_crashes.zip

Issue was reported via email on 23rd of February 2018 to CoAPthon developers and registered in CVE database (reserved id is: CVE-2018-12680).

Answer 1 · 2019-04-02T15:22:59.000Z

Following versions of CoAPthon are vulnerable: 3.1, 4.0.0, 4.0.1 4.0.2.