Summary
An integer underflow vulnerability exists in the HTTP server PUT request functionality of Eclipse ThreadX NetX Duo git commit 6c8e9d1. A specially crafted network packet can lead to denial of service. An attacker can send a malicious packet to trigger this vulnerability.
Confirmed Vulnerable Versions
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Eclipse ThreadX NetX Duo git commit 6c8e9d1
Product URLs
Eclipse ThreadX NetX Duo - https://github.com/eclipse-threadx/netxduo
Details
Eclipse ThreadX NetX Duo is an industrial-grade TCP/IP network stack tailored specifically for deeply embedded real-time and IoT applications. It offers a dual network stack supporting both IPv4 and IPv6
When processing an HTTP PUT request it is possible to cause an integer underflow condition which could result in a very large file to be written to the file system. This could cause a denial of service by consuming all of the file system resources. This vulnerability affects both HTTP server implementations within NetX Duo.
Upon receipt of an HTTP PUT request, the function _nx_web_http_server_put_process is invoked. The content length is extracted from the request at [1] and stored in the variable length. Next, the data contained in the request will be written to the requested file at [2]. Then, the number of bytes of data is calculated at [3] ((ULONG)(packet_ptr -> nx_packet_append_ptr - packet_ptr -> nx_packet_prepend_ptr) - offset). The variable offset is the beginning of the data in the HTTP request, after the HTTP headers, and packet_ptr -> nx_packet_append_ptr - packet_ptr -> nx_packet_prepend_ptr is the entire size of the request. For illustration purposes, let's say that the offset of data in the packet offset is 20, and the total packet length ((ULONG)(packet_ptr -> nx_packet_append_ptr - packet_ptr -> nx_packet_prepend_ptr) is 80 , this means that 60 bytes of data are included in the packet ((ULONG)(packet_ptr -> nx_packet_append_ptr - packet_ptr -> nx_packet_prepend_ptr) - offset) = 60. If the Content-Length value in the HTTP header length is 59, then this will cause an integer underflow at [3]. After the calculation at [3], length will be -1. Since the variable length is unsigned, this will be interpreted as the very large number 0xffffffff at [4]. This large number causes the code to enter and execute the loop at [4] when it otherwise shouldn't continue processing. This loop will continue to execute and receive more data at [5] and write to the requested file at [6] until 0xffffffff bytes have been received. To summarize, an attacker could send a Content-Length value that is smaller than the data included in the request, and then continue sending data resulting in writing an excessively large file being written - potentially consuming all of the file system resources.
File: netxduo\addons\web\nx_web_http_server.c
4213: VOID _nx_web_http_server_put_process(NX_WEB_HTTP_SERVER *server_ptr, NX_PACKET *packet_ptr)
4214: {
...
4217: ULONG length = 0;
...
4254: /* Calculate the content length from the request. */
4255: status = _nx_web_http_server_content_length_get(packet_ptr, &length); /*[1]*/
...
4477: /* Determine if there is any content in the first packet. */
4478: if ((UINT)(packet_ptr -> nx_packet_append_ptr - packet_ptr -> nx_packet_prepend_ptr) > offset)
4479: {
4480:
4481: /* Write the content found in this packet. */
4482: status = fx_file_write(&(server_ptr -> nx_web_http_server_file), (packet_ptr -> nx_packet_prepend_ptr + offset),
4483: ((ULONG)(packet_ptr -> nx_packet_append_ptr - packet_ptr -> nx_packet_prepend_ptr) - offset)); /*[2]*/
...
4505: /* Update the length. */
4506: length = length - ((ULONG)(packet_ptr -> nx_packet_append_ptr - packet_ptr -> nx_packet_prepend_ptr) - offset); /*[3]*/
...
4561: /* If necessary, receive more packets from the TCP socket to complete the write request. */
4562: while (length || server_ptr -> nx_web_http_server_request_chunked) /*[4]*/
4563: {
...
4565: /* Wait for a request. */
4566: status = _nx_web_http_server_packet_get(server_ptr, &data_packet_ptr); /*[5]*/
...
4597: /* Write the content of this packet. */
4598: status = fx_file_write(&(server_ptr -> nx_web_http_server_file), next_packet_ptr -> nx_packet_prepend_ptr,
4599: (ULONG)(next_packet_ptr -> nx_packet_append_ptr - next_packet_ptr -> nx_packet_prepend_ptr)); /*[6]*/
NetX Duo Web Component HTTP Server
This vulnerability affects the NetX Duo Web Component HTTP Server implementation which can be found in netxduo\addons\web\nx_web_http_server.c
Mitigation
Developers can disable the processing of PUT requests by ending the processing of a PUT request in an application callback request notify function.
NetX Duo Component HTTP Server
This vulnerability affects the NetX Duo Component HTTP Server implementation which can be found in netxduo\addons\http\nxd_http_server.c
Mitigation
Developers can disable the processing of PUT requests by ending the processing of a PUT request in an application callback request notify function.
Credit
Discovered by Kelly Patterson of Cisco Talos.
https://talosintelligence.com/vulnerability_reports/
Timeline
2025-01-23 - Public Release
Summary
An integer underflow vulnerability exists in the HTTP server PUT request functionality of Eclipse ThreadX NetX Duo git commit 6c8e9d1. A specially crafted network packet can lead to denial of service. An attacker can send a malicious packet to trigger this vulnerability.
Confirmed Vulnerable Versions
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Eclipse ThreadX NetX Duo git commit 6c8e9d1
Product URLs
Eclipse ThreadX NetX Duo - https://github.com/eclipse-threadx/netxduo
Details
Eclipse ThreadX NetX Duo is an industrial-grade TCP/IP network stack tailored specifically for deeply embedded real-time and IoT applications. It offers a dual network stack supporting both IPv4 and IPv6
When processing an HTTP PUT request it is possible to cause an integer underflow condition which could result in a very large file to be written to the file system. This could cause a denial of service by consuming all of the file system resources. This vulnerability affects both HTTP server implementations within NetX Duo.
Upon receipt of an HTTP PUT request, the function
_nx_web_http_server_put_processis invoked. The content length is extracted from the request at[1]and stored in the variablelength. Next, the data contained in the request will be written to the requested file at[2]. Then, the number of bytes of data is calculated at[3]((ULONG)(packet_ptr -> nx_packet_append_ptr - packet_ptr -> nx_packet_prepend_ptr) - offset). The variableoffsetis the beginning of the data in the HTTP request, after the HTTP headers, andpacket_ptr -> nx_packet_append_ptr - packet_ptr -> nx_packet_prepend_ptris the entire size of the request. For illustration purposes, let's say that the offset of data in the packetoffsetis 20, and the total packet length((ULONG)(packet_ptr -> nx_packet_append_ptr - packet_ptr -> nx_packet_prepend_ptr)is 80 , this means that 60 bytes of data are included in the packet((ULONG)(packet_ptr -> nx_packet_append_ptr - packet_ptr -> nx_packet_prepend_ptr) - offset) = 60. If theContent-Lengthvalue in the HTTP headerlengthis 59, then this will cause an integer underflow at[3]. After the calculation at[3],lengthwill be -1. Since the variablelengthis unsigned, this will be interpreted as the very large number 0xffffffff at[4]. This large number causes the code to enter and execute the loop at[4]when it otherwise shouldn't continue processing. This loop will continue to execute and receive more data at[5]and write to the requested file at[6]until 0xffffffff bytes have been received. To summarize, an attacker could send aContent-Lengthvalue that is smaller than the data included in the request, and then continue sending data resulting in writing an excessively large file being written - potentially consuming all of the file system resources.NetX Duo Web Component HTTP Server
This vulnerability affects the NetX Duo Web Component HTTP Server implementation which can be found in netxduo\addons\web\nx_web_http_server.c
Mitigation
Developers can disable the processing of PUT requests by ending the processing of a PUT request in an application callback request notify function.
NetX Duo Component HTTP Server
This vulnerability affects the NetX Duo Component HTTP Server implementation which can be found in netxduo\addons\http\nxd_http_server.c
Mitigation
Developers can disable the processing of PUT requests by ending the processing of a PUT request in an application callback request notify function.
Credit
Discovered by Kelly Patterson of Cisco Talos.
https://talosintelligence.com/vulnerability_reports/
Timeline
2025-01-23 - Public Release