Improper validation of NBNS name_len in arduino-esp32 NetBIOS leads to memory corruption · Advisory · espressif/arduino-esp32 · GitHub

Vulnerability Overview Title: Improper validation of NBNS name_len in arduino-esp32 NetBIOS leads to memory corruption Description: Vulnerability Type: Remotely reachable memory corruption issue Trigger Condition: When NetBIOS is enabled via , the device listens on UDP port 137 and processes untrusted NBNS requests from the local network. Core Issue: The request parser trusts the attacker-controlled field and does not enforce bounds consistent with the fixed-size target buffer. Affected Components: Repository: espressif/arduino-esp32 Component: libraries/NetBIOS File: libraries/NetBIOS/src/NetBIOS.cpp Root Cause: In , is treated as trusted input. When calling , there is no validation that is safe for the available input buffer. Subsequent operation copies attacker-controlled length into a fixed 33-byte buffer. Impact Scope Attack Vector: Adjacent network Required Privileges: None User Interaction: None Primary Impact: Memory corruption leading to crash/reset Secondary Impact: Depending on target conditions, possible control flow impact CVSS Score: 8.8 / 10 CVE ID: CVE-2020-41429 Weakness: CWE-121 Remediation Recommended Measures: Reject any packet where exceeds the protocol-expected encoded hostname size. Validate that the declared length fits within the received packet before dereferencing or decoding. Enforce target buffer boundaries before copying to / . Avoid directly trusting variable-length fields when unpacking network structures. Fixed Versions: Affected Version: < 3.3.8 Fixed Version: 3.3.8 POC / Reproduction Materials Attachment Files: 1. netbios_read_repro.c: Minimal reproduction of out-of-bounds read in . 2. netbios_write_repro.c: Minimal reproduction of stack buffer overflow in . 3. netbios_read_write_repro: Shows AddressSanitizer output triggered by stack buffer overflow read/write. Reproduction Steps: 1. Use local AddressSanitizer to reproduce test cases verifying the issue. 2. Trigger out-of-bounds read in via an oversized . 3. After satisfying the name comparison branch, trigger stack buffer overflow via the path. Code Example: Specific Vulnerable Operations: Read-side Issue: Write-side Issue:

Goal Reached Thanks to every supporter — we hit 100%!

Improper validation of NBNS name_len in arduino-esp32 NetBIOS leads to memory corruption · Advisory · espressif/arduino-esp32 · GitHub

More from this source