Bug 1218294 (CVE-2023-4233) - VUL-0: CVE-2023-4233: ofono: SMS Decoder Stack-based Buffer Overflow Remote Code Execution Vulnerability within the sms_decode_address_field() function
Summary: VUL-0: CVE-2023-4233: ofono: SMS Decoder Stack-based Buffer Overflow Remote C...
Status: NEW
Alias: CVE-2023-4233
Product: openSUSE Distribution
Classification: openSUSE
Component: Security (show other bugs)
Version: Leap 15.4
Hardware: Other Other
: P3 - Medium : Major (vote)
Target Milestone: ---
Assignee: Martin Pluskal
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/388809/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-12-21 08:37 UTC by SMASH SMASH
Modified: 2023-12-21 09:15 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description SMASH SMASH 2023-12-21 08:37:35 UTC 
ofono is a Open Source Telephony on Linux
stack overflow bug is triggered within the sms_decode_address_field() function during SMS PDU decoding
here assumed that the attack scenario is accessible from a compromised modem or possibily accessible from a malicious base station or just SMS

partial code path is here
    - at_cmt_notify()
    - ofono_sms_deliver_notify()
    - sms_decode()
    - decode_deliver()
    - sms_decode_address_field()
```

~~~C++
gboolean sms_decode_address_field(const unsigned char *pdu, int len,
                                        int *offset, gboolean sc,
                                        struct sms_address *out)
{
        unsigned char addr_len;
        unsigned char addr_type;
        int byte_len;

        if (!next_octet(pdu, len, offset, &addr_len))
                return FALSE;

        if (sc && addr_len == 0) {
                out->address[0] = '\0';
                return TRUE;
        }

        if (!next_octet(pdu, len, offset, &addr_type))
                return FALSE;

        if (sc)
                byte_len = addr_len - 1;
        else
                byte_len = (addr_len + 1) / 2;

        if ((len - *offset) < byte_len)
                return FALSE;

        out->number_type = bit_field(addr_type, 4, 3);
        out->numbering_plan = bit_field(addr_type, 0, 4);

        if (out->number_type != SMS_NUMBER_TYPE_ALPHANUMERIC) {
                extract_bcd_number(pdu + *offset, byte_len, out->address);                      // overflow within extract_bcd_number(), addr_len is from SMS PDU
                *offset += byte_len;
        } else {
...
}

void extract_bcd_number(const unsigned char *buf, int len, char *out)
{
        static const char digit_lut[] = "0123456789*#abc\0";
        unsigned char oct;
        int i;

        for (i = 0; i < len; i++) {
                oct = buf[i];

                out[i * 2] = digit_lut[oct & 0x0f];
                out[i * 2 + 1] = digit_lut[(oct & 0xf0) >> 4];
        }

        out[i * 2] = '\0';
}
~~~

ASAN report
```
=================================================================
==116978==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd18b788ac at pc 0x556e7631ff99 bp 0x7ffd18b78450 sp 0x7ffd18b78440
WRITE of size 1 at 0x7ffd18b788ac thread T0
    #0 0x556e7631ff98 in extract_bcd_number src/smsutil.c:86
    #1 0x556e76322c72 in sms_decode_address_field src/smsutil.c:650
    #2 0x556e763237c3 in decode_deliver src/smsutil.c:761
    #3 0x556e76329456 in sms_decode src/smsutil.c:1567
    #4 0x556e762c508d in main src/main.c:225
    #5 0x7f635c42350f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #6 0x7f635c4235c8 in __libc_start_main_impl ../csu/libc-start.c:381
    #7 0x556e76064274 in _start (/root/ofono/src/ofonod+0x12b274)

Address 0x7ffd18b788ac is located in stack of thread T0 at offset 316 in frame
    #0 0x556e762c4edd in main src/main.c:205

  This frame has 1 object(s):
    [48, 316) 'sms1' (line 212) <== Memory access at offset 316 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow src/smsutil.c:86 in extract_bcd_number
Shadow bytes around the buggy address:
  0x1000231670c0: 01 f2 04 f3 f3 f3 00 00 00 00 00 00 00 00 00 00
  0x1000231670d0: 00 00 00 00 00 00 f1 f1 f1 f1 04 f3 f3 f3 00 00
  0x1000231670e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
  0x1000231670f0: f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 00
  0x100023167100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100023167110: 00 00 00 00 00[04]f3 f3 f3 f3 f3 f3 f3 f3 00 00
  0x100023167120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100023167130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100023167140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100023167150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100023167160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==116978==ABORTING
```

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4233
https://bugzilla.redhat.com/show_bug.cgi?id=2255396
https://www.zerodayinitiative.com/advisories/ZDI-23-1859/