Vulnerability summary: minmea buffer overflow

Vulnerability overview
Vulnerability type: Buffer Overflow
Description: A validation function (minmea_isfield) restricts the bytes that can overflow to printable ASCII (0x20-0x7E), so turning this into RCE is not trivial; the practical impact is a crash (DoS).
Affected component: minmea.c
Attack type: Context-dependent
Impact: Denial of Service (DoS)
Attack vectors:
- A GPS receiver parses NMEA sentences from an untrusted source.
- The attacker spoofs the GPS signal or performs a MITM attack on the serial line.
- A malicious NMEA sentence contains an overly long field.
- The application's stack buffer overflows.

Affected scope
Affected product code base: minmea A11
Specific version: kosma minmea 0.3.0
Vulnerability details: An issue was discovered in kosma minmea 0.3.0. The `s` format specifier of minmea_scan copies NMEA field data into a caller-provided buffer without any length bound, so a field longer than the caller's buffer overflows it; when that buffer lives on the stack, the result is a stack buffer overflow. The copy stops only at a byte that fails minmea_isfield (a non-printable byte, `,` or `*`), which is why the overflowing bytes are limited to printable ASCII.

Fix
Reference link: https://github.com/kosma/minmea/blob/master/minmea.c#L231-L240
Note: the link points at the `master` branch, so the line range refers to the file as it was when the report was written; locate the `case 's':` branch inside minmea_scan rather than relying on the line numbers.

Original report
The original entry labels the following as POC code; it is the discoverer's submission text, not executable code.
```text
>> [Vulnerability Type]
>> Buffer Overflow
>> [Additional Information]
>> There is a validation function (minmea_isfield) that
>> restricts it so that the overflow bytes must only be
>> printable ASCII (0x20-0x7E), so RCE is not trivial
>> [Affected Component]
>> minmea.c
>> [Attack Type]
>> Context-dependent
>> [Impact Denial of Service]
>> true
>> [Attack Vectors]
>> 1. GPS receiver parses NMEA sentences from an untrusted source
>> 2. Attacker spoofs GPS signal or performs MITM on serial line
>> 3. Malicious NMEA sentence contains overly long field
>> 4. Application's stack buffer overflows
>> [Discoverer]
>> David Williams
>> [Reference]
>> https://github.com/kosma/minmea/blob/master/minmea.c#L231-L240
>> [Vendor of Product]
>> kosma
>> [Affected Product Code Base]
>> minmea A11
>> An issue was discovered in kosma minmea 0.3.0. The minmea_scan function's format specifier copies NMEA field data to a caller-provided buffer, which can lead to a stack buffer overflow.
```
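The following is an added illustration, not code from minmea or from the discoverer's report. It reimplements the unbounded field-copy pattern described above beside a bounded version, and runs both over a constructed NMEA sentence whose text field is 200 printable bytes. The field-character test (`field_char`), the field locator (`nth_field`) and the `$GPTXT` sample sentence are assumptions made for the example; the unbounded copy is written against a large scratch buffer and returns the byte count, so the demo reports how far a small stack buffer would have been overrun instead of actually corrupting memory.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed mirror of minmea_isfield: a field byte is printable and is
 * neither the field delimiter ',' nor the checksum delimiter '*'. */
static bool field_char(char c)
{
    return isprint((unsigned char) c) && c != ',' && c != '*';
}

/* Vulnerable pattern: copy until a non-field byte, with no bound on dst.
 * Returns bytes written including the terminating NUL. */
static size_t copy_field_unbounded(char *dst, const char *field)
{
    char *p = dst;
    while (field_char(*field))
        *p++ = *field++;
    *p = '\0';
    return (size_t)(p - dst) + 1;
}

/* Hardened form: honours dst_size, always NUL-terminates, reports truncation.
 * Returns bytes written including the NUL (0 if dst_size == 0). */
static size_t copy_field_bounded(char *dst, size_t dst_size,
                                 const char *field, bool *truncated)
{
    size_t n = 0;
    *truncated = false;
    if (dst_size == 0) {
        *truncated = true;
        return 0;
    }
    while (field_char(*field)) {
        if (n + 1 >= dst_size) {   /* leave room for the NUL */
            *truncated = true;
            break;
        }
        dst[n++] = *field++;
    }
    dst[n] = '\0';
    return n + 1;
}

/* Return a pointer to field `index` of an NMEA sentence (0 = the type
 * after '$'), or NULL if the sentence has fewer fields. */
static const char *nth_field(const char *sentence, int index)
{
    if (*sentence != '$')
        return NULL;
    const char *p = sentence + 1;
    for (int i = 0; i < index; i++) {
        p = strchr(p, ',');
        if (!p)
            return NULL;
        p++;
    }
    return p;
}

/* Constructed sample: a $GPTXT sentence whose free-text field (index 4) is
 * 200 'A' bytes. Every byte is printable ASCII, so field_char accepts all
 * of them. The checksum is a placeholder; the copy path never checks it. */
#define LONG_RUN 200
static char g_sentence[32 + LONG_RUN];
static const char *build_long_sentence(void)
{
    memcpy(g_sentence, "$GPTXT,01,01,02,", 16);
    memset(g_sentence + 16, 'A', LONG_RUN);
    memcpy(g_sentence + 16 + LONG_RUN, "*00", 4);   /* includes NUL */
    return g_sentence;
}

/* Unbounded copy of the long field into a 512-byte scratch area; the
 * return value (201) is what a 16-byte stack buffer would have received. */
static size_t demo_unbounded(void)
{
    static char scratch[512];
    const char *f = nth_field(build_long_sentence(), 4);
    return copy_field_unbounded(scratch, f);
}

/* Bounded copy of the same field into a caller-sized buffer. */
static size_t demo_bounded(char *out, size_t out_size, bool *truncated)
{
    const char *f = nth_field(build_long_sentence(), 4);
    return copy_field_bounded(out, out_size, f, truncated);
}

int main(void)
{
    char small[16];
    bool trunc;
    size_t n = demo_unbounded();
    printf("unbounded copy wrote %zu bytes; a %zu-byte stack buffer would be "
           "overrun by %zu bytes\n", n, sizeof small, n - sizeof small);
    n = demo_bounded(small, sizeof small, &trunc);
    printf("bounded copy wrote %zu bytes, truncated=%d, value=\"%s\"\n",
           n, (int) trunc, small);
    return 0;
}
```

The bounded variant needs the caller to pass the destination size, which is exactly what the `s` specifier's `char *` argument cannot convey; any caller of minmea_scan that uses `s` with a fixed-size buffer should treat the field as attacker-controlled until the library accepts a length alongside the pointer.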