TinyOS 2.1.2 printfUART Global Buffer Overflow via Unbounded Format Expansion


Full Disclosure mailing list archives


From: Ron E <ronaldjedgerson () gmail com>
Date: Thu, 8 Jan 2026 10:17:43 -0500

A global buffer overflow exists in the TinyOS printfUART implementation
used by the ZigBee / IEEE 802.15.4 networking stack. The issue arises from
an unsafe custom sprintf() routine that performs unbounded string
concatenation with strcat() into a fixed-size global buffer. That buffer,
debugbuf, is defined with a size of 256 bytes and is the destination for
all formatted output. When a %s format specifier is supplied with a string
longer than the remaining space in debugbuf, the implementation appends the
whole string without any bounds check, writing past the end of the global
buffer. The resulting memory corruption can lead to denial of service,
unintended behaviour, or information disclosure. The overflow is
deterministic (the size of the out-of-bounds write is fixed by the length
of the supplied string) and independent of the hardware platform.

*Root Cause:*

The vulnerability occurs in the following code path:
#define DEBUGBUF_SIZE 256
char debugbuf[DEBUGBUF_SIZE];

case 's':
    ptr = va_arg(ap, char *);
    strcat(buf, ptr);   // no bounds checking

The printfUART() macro ultimately calls the custom sprintf() implementation
with debugbuf as the destination buffer. The use of strcat() without
validating the remaining capacity of debugbuf allows attacker-controlled
strings passed via %s to overflow the buffer.
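To make the missing check concrete, here is an added example, written for this page and not code from TinyOS or from the reporter, that reimplements the shape of the custom sprintf() (walk the format string, switch on the specifier, append each piece into a 256-byte global) with a bounded append in place of strcat(). The names append_bounded, bounded_format and demo_oversized_s are the example's own; the 1023-byte string is constructed here to mirror the 1024-byte write in the sanitizer trace. The formatter returns the length the complete output would have had, snprintf-style, so a caller can detect truncation instead of silently losing data.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DEBUGBUF_SIZE 256
static char debugbuf[DEBUGBUF_SIZE];   /* same size as the TinyOS global */

/*
 * Append src to dst, never writing past cap bytes (NUL included).
 * *used tracks the current string length so dst is never rescanned.
 * Returns how many bytes of src were dropped (0 means it all fit).
 *
 * The vulnerable header does `strcat(buf, ptr)` at this point, which has
 * no notion of cap and writes strlen(ptr) + 1 bytes starting at the
 * current NUL, wherever that happens to be.
 */
static size_t append_bounded(char *dst, size_t cap, size_t *used,
                             const char *src)
{
    size_t n = strlen(src);
    if (cap == 0)
        return n;                      /* nowhere to write, not even a NUL */
    size_t room = (cap > *used + 1) ? cap - *used - 1 : 0;
    size_t copy = n < room ? n : room;
    memcpy(dst + *used, src, copy);
    *used += copy;
    dst[*used] = '\0';
    return n - copy;
}

/*
 * Minimal formatter with the same structure as the header's custom
 * sprintf(), but every append goes through append_bounded(). Supports
 * %s, %d and %%; an unknown or trailing '%' is emitted literally rather
 * than consuming an argument. Returns the length the complete output
 * would have had (snprintf convention): a result >= cap means truncated.
 */
static size_t bounded_format(char *buf, size_t cap, const char *fmt, ...)
{
    va_list ap;
    size_t used = 0, total = 0;
    char tmp[24];                      /* room for any int plus NUL */

    if (cap)
        buf[0] = '\0';
    va_start(ap, fmt);
    for (const char *p = fmt; *p; p++) {
        const char *piece = tmp;
        if (*p != '%') {
            tmp[0] = *p; tmp[1] = '\0';
        } else {
            switch (*++p) {
            case 's':
                piece = va_arg(ap, const char *);
                if (piece == NULL)
                    piece = "(null)";
                break;
            case 'd':
                snprintf(tmp, sizeof tmp, "%d", va_arg(ap, int));
                break;
            case '%':
                tmp[0] = '%'; tmp[1] = '\0';
                break;
            case '\0':                 /* format ends in a lone '%' */
                tmp[0] = '%'; tmp[1] = '\0';
                p--;                   /* let the loop see the NUL */
                break;
            default:                   /* unsupported specifier */
                tmp[0] = '%'; tmp[1] = *p; tmp[2] = '\0';
                break;
            }
        }
        total += strlen(piece);
        if (cap)
            append_bounded(buf, cap, &used, piece);
    }
    va_end(ap);
    return total;
}

/*
 * The reporter's scenario: a %s argument (constructed here, 1023 'A's)
 * far longer than debugbuf. With strcat() this is the 1024-byte write in
 * the AddressSanitizer trace; with bounded_format() the output stops at
 * 255 characters plus NUL. Returns 1 if truncation was reported.
 */
int demo_oversized_s(void)
{
    char big[1024];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    size_t need = bounded_format(debugbuf, DEBUGBUF_SIZE, "%s", big);
    return need >= DEBUGBUF_SIZE;
}

int main(void)
{
    int truncated = demo_oversized_s();
    printf("truncated=%d strlen(debugbuf)=%zu\n", truncated, strlen(debugbuf));
    bounded_format(debugbuf, DEBUGBUF_SIZE, "node %d says %s", 7, "hello");
    printf("%s\n", debugbuf);
    return 0;
}
```

On a target with no memory protection, truncating the debug line is the only safe outcome: the caller can test the return value against DEBUGBUF_SIZE and, for instance, append a marker to the UART output so a truncated message is not mistaken for a complete one.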


*Impact:*

   - Global memory corruption
   - Denial of service (device crash)
   - Information disclosure via UART output
   - Undefined behavior affecting adjacent global state or interrupt-driven
   execution

On typical TinyOS deployments (AVR / MSP430):

   - No memory protection
   - No stack canaries
   - No ASLR

This significantly increases the severity of memory corruption.

*Proof of Concept:*

The issue was validated with AddressSanitizer on a host build that
includes printfUART.h (the frames below main in the trace are glibc's
process start-up code, so this demonstrates the unbounded write in the
header's sprintf() rather than behaviour on an AVR/MSP430 target).
AddressSanitizer reported a global-buffer-overflow in strcat() during
execution:

./printUART

*Output:*
=================================================================
==492203==ERROR: AddressSanitizer: global-buffer-overflow on address
0xaaaaea1774a0 at pc 0xaaaae972eee4 bp 0xfffff642d3a0 sp 0xfffff642cb90
WRITE of size 1024 at 0xaaaaea1774a0 thread T0
    #0 0xaaaae972eee0 in strcat (/root/tinyos-main/printfuart+0xbeee0)
(BuildId: b934c9b9563afd45c9ae2cf4ccdfab5bf9a33826)
    #1 0xaaaae978d024 in sprintf
/tinyos-main/tos/lib/net/zigbee/ieee802154/includes/printfUART.h:266:13
    #2 0xaaaae978e1b8 in main /root/tinyos-main/printfuart.c:47:5
    #3 0xffffac4a2598 in __libc_start_call_main
csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #4 0xffffac4a2678 in __libc_start_main csu/../csu/libc-start.c:360:3
    #5 0xaaaae96a592c in _start (/root/tinyos-main/printfuart+0x3592c)
(BuildId: b934c9b9563afd45c9ae2cf4ccdfab5bf9a33826)

0xaaaaea1774a0 is located 0 bytes after global variable 'debugbuf' defined
in '/tinyos-main/tos/lib/net/zigbee/ieee802154/includes/printfUART.h:81'
(0xaaaaea1773a0) of size 256
SUMMARY: AddressSanitizer: global-buffer-overflow
(/root/tinyos-main/printfuart+0xbeee0) (BuildId:
b934c9b9563afd45c9ae2cf4ccdfab5bf9a33826) in strcat
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/


Current thread:

  • TinyOS 2.1.2 printfUART Global Buffer Overflow via Unbounded Format Expansion Ron E (Jan 10)

Source: https://seclists.org/fulldisclosure/2026/Jan/13