7.1 CVE-2024-57259

 

sqfs_search_dir in Das U-Boot before 2025.01-rc1 exhibits an off-by-one error and resultant heap memory corruption for squashfs directory listing because the path separator is not considered in a size calculation.
https://nvd.nist.gov/vuln/detail/CVE-2024-57259

Categories

CWE-193 : Off-by-one Error
A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value. An "off-by-five" error was reported for sudo in 2002 (CVE-2002-0184), but that is more like a "length calculation" error. Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) When copying character arrays or using character manipulation methods, the correct size parameter must be used to account for the null terminator that needs to be added at the end of the array. Some examples of functions susceptible to this weakness in C include strcpy(), strncpy(), strcat(), strncat(), printf(), sprintf(), scanf() and sscanf(). Off-by-one error allows remote attackers to cause a denial of service and possibly execute arbitrary code via requests that do not contain newlines. Off-by-one vulnerability in driver allows users to modify kernel memory. Off-by-one error allows local users or remote malicious servers to gain privileges. Off-by-one buffer overflow in function usd by server allows local users to execute arbitrary code as the server user via .htaccess files with long entries. Off-by-one buffer overflow in version control system allows local users to execute arbitrary code. Off-by-one error in FTP server allows a remote attacker to cause a denial of service (crash) via a long PORT command. Off-by-one buffer overflow in FTP server allows local users to gain privileges via a 1024 byte RETR command. Multiple buffer overflows in chat client allow remote attackers to cause a denial of service and possibly execute arbitrary code. Multiple off-by-one vulnerabilities in product allow remote attackers to cause a denial of service and possibly execute arbitrary code. Off-by-one buffer overflow in server allows remote attackers to cause a denial of service and possibly execute arbitrary code. This is an interesting example that might not be an off-by-one. An off-by-one enables a terminating null to be overwritten, which causes 2 strings to be merged and enable a format string. Off-by-one error allows source code disclosure of files with 4 letter extensions that match an accepted 3-letter extension. Off-by-one buffer overflow. Off-by-one error causes an snprintf call to overwrite a critical internal variable with a null value. Off-by-one error in function used in many products leads to a buffer overflow during pathname management, as demonstrated using multiple commands in an FTP server. Off-by-one error allows read of sensitive memory via a malformed request. Chain: security monitoring product has an off-by-one error that leads to unexpected length values, triggering an assertion.

References


 

CPE

cpe start end

REMEDIATION


EXPLOITS

Exploit-db.com

id description date
No known exploits

POC Github

Url
No known exploits

Other Nist (github, ...)

Url
No known exploits

CAPEC

Common Attack Pattern Enumerations and Classifications

id description severity
No entry