30 days of bugs: Day 6
Welcome to "30 Days of Bugs," a campaign by 3Flatline, a startup focused on making code safer. Our product, the Dixie Code Scanner, uses AI and machine learning (alongside plenty of ordinary, unglamorous analysis passes) to catch vulnerabilities that other tools miss. It doesn't just find bugs: it also suggests fixes and writes test code to check whether those vulnerabilities can be exploited. We're sharing a new bug every day from open-source projects to show what the Dixie Code Scanner can do. These are real bugs that other tools didn't catch, showing that our scanner can make a real difference for developers and security researchers.
This is real output from our code scanner, minus the "tests" (the code that helps exploit the vulnerability), which we omit for obvious reasons. One day we hope to stop prioritizing bugs based on CVEs and simply fix security vulnerabilities automatically. Until then, output like the below reduces the time you spend validating false positives or working out what your scanner is telling you.
And yes, for all you sneaky researchers out there: we have an offline version, including the LLM, that can run locally or be deployed into your tenant to keep your code secret and safe.
If you want to learn more, check out https://3flatline.ai or reach out to me here on LinkedIn. I’m happy to talk or give out free trial codes!
Today’s bug showcases Dixie's ability to work on assembly languages and comes from . . .
Out of Bounds Write in the wifi driver in MikroTik RouterOS.
File:
routeros-7.15.3-arm64/fileSystem/bndl/wifi/nova/bin/ww2
Code Description:
The code defines a function named `sub_cbbe4` that takes five parameters: two integers (`arg1`, `arg2`), a character pointer (`arg3`), a void pointer (`arg4`), and another integer (`arg5`). The function performs a series of operations related to some form of data processing, likely involving cryptographic or data-manipulation tasks.
Initially, the function checks the result of a call to `sub_9f930()`, which appears to return a pointer. If this pointer is null, the function sets a return value (`r4_1`) to 0xffffffff and exits. If the pointer is valid, it proceeds to call several other functions (`sub_9fb98`, `sub_9fa28`, etc.) to manipulate or retrieve data based on the pointer and the arguments provided.
The function includes conditional logic that determines which processing function to call based on the value of `arg5`. It handles different cases (3, 5, or 1) and performs additional checks to ensure the validity of the data being processed. If certain conditions are not met, it sets error codes and calls a logging or error-handling function (`sub_a8c58`).
The function also includes various checks and manipulations involving pointers and memory, indicating that it may be working with dynamically allocated resources. It performs cleanup operations at the end, ensuring that any allocated memory is properly freed before returning the final result.
Overall, the function appears to be part of a larger system that processes data, possibly in a cryptographic context, with extensive error handling and memory management.
Vuln Class: Out of Bounds Write
Summary:
int32_t* r2_20;
if ((r3_9 & 0x100) == 0)
{
    /* var_3c, var_38, var_34, var_30, var_2c are five consecutive stack words */
    int32_t var_3c;
    sub_9efa4(&var_3c);                  /* presumably initialises that five-word local block */
    int32_t* r2_17 = *(arg4 + 0x18);     /* source record; nothing checks how many words it holds */
    var_3c = *r2_17;                     /* r2_17[0] */
    int32_t var_38_1 = r2_17[1];
    int32_t var_34_1 = r2_17[2];
    int32_t var_30_1 = r2_17[3];
    r2_20 = &var_3c;                     /* the local copy is what gets passed on */
    int32_t var_2c;                      /* low bit carried over from the initialised block */
    int32_t var_2c_1 = (((var_2c & 1) | (r2_17[4] & 0xfffffffe)) | 6);   /* fifth read: r2_17[4] */
    goto label_cbf50;
}
The code reads r2_17[0] through r2_17[4] without validating the size of the object that *(arg4 + 0x18) points to, and copies the five words into a five-word block of locals (var_3c through var_2c). If arg4 does not point to a structure whose 0x18 field references at least five 32-bit words, the access to r2_17[4] runs past the end of that object. Note what the excerpt actually shows: the unchecked accesses are reads of the source object, while the writes land in the local copy, which is sized for five words, so the defect visible here is an out-of-bounds read of the source; reading past the object can crash the process or pull unrelated, possibly attacker-influenced, bytes into the fields the rest of the function then acts on. To mitigate this issue, validate the size of the source structure before its elements are accessed.
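As an added illustration (not code from RouterOS, from the ww2 binary, or from Dixie), here is the copy pattern above rebuilt in C beside a checked version. The structure names, the word-count field and the sample values are assumptions; the binary exposes no size field at arg4 + 0x18, which is exactly why the decompiled copy has nothing to check against. The unchecked version is run against a backing array that is larger than the object claims to be, so the over-read stays inside defined memory and the word it pulls in can be observed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added illustration, not code from RouterOS or from Dixie. The names below
 * are assumptions: the binary does not name these structures. */

/* Five-word local record, standing in for var_3c .. var_2c. */
typedef struct {
    int32_t w[5];
} record_t;

/* Hypothetical source object: word pointer plus a word count. The real
 * structure at arg4 + 0x18 carries no visible count; that is why the
 * decompiled copy cannot check one. */
typedef struct {
    const int32_t *words;
    size_t nwords;
} word_obj_t;

/* Stand-in for sub_9efa4(&var_3c): initialise the record. Only the low
 * bit of the fifth word survives the later merge, so seed it to 1. */
static void record_init(record_t *r) {
    memset(r, 0, sizeof *r);
    r->w[4] = 1;
}

/* The same merge the decompiled code performs on the fifth word:
 * ((local & 1) | (src & 0xfffffffe)) | 6 */
static int32_t merge_flags(int32_t local, int32_t src) {
    uint32_t v = ((uint32_t)local & 1u) | ((uint32_t)src & 0xfffffffeu) | 6u;
    return (int32_t)v;
}

/* Mirrors the decompiled logic: five reads, no size check. If obj->words
 * points at fewer than five words, words[4] is a read past the object. */
static void copy_unchecked(record_t *out, const word_obj_t *obj) {
    record_init(out);
    out->w[0] = obj->words[0];
    out->w[1] = obj->words[1];
    out->w[2] = obj->words[2];
    out->w[3] = obj->words[3];
    out->w[4] = merge_flags(out->w[4], obj->words[4]);
}

/* Hardened form: refuse the copy unless the source holds five words.
 * Returns 0 on success, -1 (the function's 0xffffffff error value) otherwise. */
static int copy_checked(record_t *out, const word_obj_t *obj) {
    if (obj->words == NULL || obj->nwords < 5)
        return -1;
    copy_unchecked(out, obj);
    return 0;
}

/* Constructed demonstration. The backing array is deliberately larger than
 * the object claims to be, so the over-read stays inside defined memory and
 * we can see what it picks up: the neighbouring word 0x41414141.
 * Returns the fifth word the unchecked copy produced. */
int32_t demo_unchecked_overread(void) {
    static const int32_t backing[8] = {
        0x10, 0x20, 0x30, 0x40,
        0x41414141,            /* belongs to whatever follows the 4-word object */
        0, 0, 0
    };
    word_obj_t short_obj = { backing, 4 };   /* object really holds 4 words */
    record_t rec;
    copy_unchecked(&rec, &short_obj);
    return rec.w[4];                         /* 0x41414147: neighbour data merged in */
}

/* Returns the checked copy's result for the same short object (-1). */
int demo_checked_rejects_short(void) {
    static const int32_t backing[4] = { 0x10, 0x20, 0x30, 0x40 };
    word_obj_t short_obj = { backing, 4 };
    record_t rec;
    return copy_checked(&rec, &short_obj);
}

/* Returns the merged fifth word for a valid five-word object. */
int32_t demo_checked_accepts_full(void) {
    static const int32_t backing[5] = { 0x10, 0x20, 0x30, 0x40, 0x12345679 };
    word_obj_t obj = { backing, 5 };
    record_t rec;
    if (copy_checked(&rec, &obj) != 0)
        return -1;
    return rec.w[4];                         /* 0x1234567f */
}
```

The unchecked path silently folds the neighbour word into the flags field; the checked path returns the function's own error value instead, which is the behaviour a size check at the decompiled call site would give.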
Assessment:
Report: True
Confidence Level: High confidence.
The report correctly identifies the missing size validation for the array r2_17: accessing r2_17[4] without confirming that arg4 points to a structure with at least five elements can run past the end of that structure. In the excerpt, the out-of-bounds access is a read of the source object rather than a write, since the destination is a five-word local block, so the "Out of Bounds Write" label overstates what this snippet alone demonstrates; the missing validation, and the resulting memory-safety risk, are real either way.
Co-Founder of Altrosyn and Director at CDTECH | Inventor | Manufacturer
6 months
Deconstructing firmware vulnerabilities at the assembly level, bridging the gap between hardware and software security, that's the 3Flatline ethos! Your Pseudo C conversion technique is ingenious, illuminating the hidden logic within MikroTik's ww2 driver. How does your approach to decompilation translate to securing embedded systems against increasingly sophisticated side-channel attacks?