
CVE-2024-28231 PoC — Manipulated DATA Submessage causes a heap-buffer-overflow error

Associated Vulnerability
Title: Manipulated DATA Submessage causes a heap-buffer-overflow error (CVE-2024-28231)
Description: eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.14.0, 2.13.4, 2.12.3, 2.10.4, and 2.6.8, a manipulated DATA Submessage can cause a heap overflow error in the Fast-DDS process, causing the process to be terminated remotely. Additionally, the payload_size in the DATA Submessage packet is declared as uint32_t. When a negative number, such as -1, is input into this variable, it results in an Integer Overflow (for example, -1 gets converted to 0xFFFFFFFF). This eventually leads to a heap-buffer-overflow, causing the program to terminate. Versions 2.14.0, 2.13.4, 2.12.3, 2.10.4, and 2.6.8 contain a fix for this issue.
Description
Demonstrating the usage of Fastrtps-DDS vulnerability CVE-2024-28231 within Ros2
Readme
This repo includes a vulnerable Docker image of ROS 2 Iron based on Ubuntu 22 and a matching exploit. We exploit the vulnerability in Fast RTPS version [2.10.3](https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-9m2j-qw67-ph4w), enabling denial of service of a remote subscriber via a heap buffer overflow.


## Vulnerable base image
Fast RTPS version 2.10.3 and its dependencies are built from source in the folder `target` inside a Docker container, and ROS Iron is installed on top.

> Disclaimer: This vulnerability was not found by us and is already patched in the upstream repository of Fastdds and ros2 iron. This vulnerability was reproduced for research purposes. This repository is a proof-of-concept code intended for security researchers to reproduce and understand the vulnerability in a controlled environment. Do not run this code on production systems or systems you do not own or have explicit permission to test.

## Exploit
The executable `exploit` (equivalently, the script `src/exploit.py`) performs the DoS against the next data message it observes after starting. An optional argument specifies the attacked ROS topic (default: '/chatter').
The script waits for the next message on that topic (on all interfaces except 'lo'), manipulates it, and re-sends it to the original target.
The `prepare_exploit.sh` script generates the `exploit` executable.

Requirements for the attack:
- The topic needs to be both published and subscribed.
- Subscriber and publisher run on different IP addresses, e.g. two containers on one host without host network mode, or two containers on different hosts.
- Denial of service works only for message types that have a variable length, i.e. all types containing lists, such as `std_msgs/Float32MultiArray`.
File Snapshot

```
[4.0K] /data/pocs/118e57e5c5d457e8d6ad5b424be68c64622eda6c
├── [2.2K] Dockerfile.exploit
├── [ 21M] exploit
├── [1.0K] LICENSE
├── [ 214] prepare_exploit.sh
├── [1.7K] README.md
├── [4.0K] src
│   └── [3.2K] exploit.py
└── [4.0K] target
    ├── [2.4K] Dockerfile
    └── [ 145] Readme.md

3 directories, 8 files
```