SimpleNetwork icon indicating copy to clipboard operation
SimpleNetwork copied to clipboard
verified publisher icon kashimAstro

Double Free in TCPServer

Open Halcy0nic opened this issue 3 years ago • 1 comments

Hi there!

I was running my fuzzer in the background when I discovered a double free in the SimpleNetwork TCPServer.

Impact

Triggering the double free will allow client to crash any SimpleNetwork TCP server remotely. In other situations, double free vulnerabilities can cause undefined behavior and potentially code execution in the right circumstances.

Reproduction

Create a file with a large amount of random characters

Screen Shot 2022-07-14 at 4 27 10 PM

Start a TCP server and send the large file to the server a few consecutive times

Screen Shot 2022-07-14 at 5 06 48 PM

View the crash and gdb backtrace

Screen Shot 2022-07-14 at 4 30 14 PM Screen Shot 2022-07-14 at 5 06 14 PM

Extra Resources

  • https://owasp.org/www-community/vulnerabilities/Doubly_freeing_memory
  • https://cwe.mitre.org/data/definitions/415.html

Halcy0nic avatar Jul 14 '22 22:07 Halcy0nic

Here is the valgrind output showing the invalid double free: Screen Shot 2022-07-22 at 4 45 45 PM

Halcy0nic avatar Jul 22 '22 21:07 Halcy0nic

This issue was assigned CVE-2022-36234. Proof of concept Python3 code can be found here:

https://github.com/Halcy0nic/CVE-2022-36234

Halcy0nic avatar Jan 31 '23 17:01 Halcy0nic