Dire Wolf Stack-Based Buffer Overflow Vulnerability in KISS Frame Processing

Vulnerability

A stack-based buffer overflow vulnerability has been identified in Dire Wolf versions through 1.8, prior to commit 694c954. The issue arises in the function kiss_rec_byte() within src/kiss_frame.c. When the application processes crafted KISS frames that reach the maximum allowed length, the function improperly appends a terminating FEND byte without ensuring there is enough space in the stack buffer. This flaw leads to an out-of-bounds write, followed by an out-of-bounds read in the subsequent kiss_unwrap() call, causing stack memory corruption or application crashes. As a result, remote unauthenticated attackers may exploit this vulnerability to create a denial-of-service condition.

Impact

Exploitation of this vulnerability causes stack memory corruption, leading to a crash. However, the memory corruption could potentially be exploited for control-flow manipulation or to destabilize the application, depending on the execution context and compiler mitigations.

Reproduction

The vulnerability can be reproduced by configuring Dire Wolf to accept KISS TCP connections on port 7002. Once the application is running, a crafted KISS frame that exceeds the maximum length can be sent via netcat. In a build instrumented with AddressSanitizer, the sanitizer reports a stack-buffer-overflow error, confirming that the overflow was triggered.

Remediation

Users can upgrade to a Dire Wolf version that includes commit 694c954 or later. If an immediate upgrade is not possible, the patch can be backported by applying the recommended change to kiss_frame.c, then rebuilding and reinstalling the application. As a temporary measure, access to the KISS TCP port can be restricted to trusted clients, or the KISS TCP functionality can be disabled if it is not needed.
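The bounds rule at issue, keeping one buffer slot free for the terminating FEND before accepting payload bytes, is shown below as an added example. It is not Dire Wolf's code or the upstream patch: struct kiss_rx, KISS_MAX, kiss_rx_byte() and frame_len_for_payload() are hypothetical names, the limit is constructed, and KISS escape handling is left out.

```c
#include <stddef.h>
#include <stdint.h>

#define FEND     0xC0  /* KISS frame delimiter */
#define KISS_MAX 16    /* constructed, deliberately small frame limit */

struct kiss_rx {            /* hypothetical receiver state */
    uint8_t buf[KISS_MAX];  /* opening FEND + payload + closing FEND */
    uint8_t canary;         /* directly after buf; must never change */
    size_t  len;
    int     collecting, oversize;
};

/* Feed one byte; returns the frame length (both FENDs included) when a
 * frame closes, otherwise 0. Oversize frames are dropped whole. */
static size_t kiss_rx_byte(struct kiss_rx *k, uint8_t ch) {
    if (ch == FEND) {
        if (k->collecting && !k->oversize && k->len > 1) {
            k->buf[k->len++] = FEND;  /* fits: payload stops at KISS_MAX-1 */
            k->collecting = 0;
            return k->len;
        }
        /* Opening FEND, repeated FEND, or end of a dropped frame. */
        k->buf[0] = FEND;
        k->len = 1;
        k->collecting = 1; k->oversize = 0;
        return 0;
    }
    if (!k->collecting || k->oversize)
        return 0;
    if (k->len >= KISS_MAX - 1) {     /* keep one slot for the closing FEND */
        k->oversize = 1;
        return 0;
    }
    k->buf[k->len++] = ch;
    return 0;
}

/* Send FEND, n payload bytes, FEND. Returns the accepted frame length,
 * 0 if dropped, or (size_t)-1 if the canary after buf was overwritten. */
static size_t frame_len_for_payload(size_t n) {
    struct kiss_rx k = { .canary = 0xA5 };
    kiss_rx_byte(&k, FEND);
    for (size_t i = 0; i < n; i++)
        kiss_rx_byte(&k, 0x41);
    size_t got = kiss_rx_byte(&k, FEND);
    return k.canary == 0xA5 ? got : (size_t)-1;
}
int main(void) { return frame_len_for_payload(KISS_MAX - 1) != 0; }
```

A frame whose payload exactly fills the buffer is accepted with its closing FEND in the last slot; one byte more and the whole frame is discarded instead of being written past the end.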

Added: Dec 22, 2025, 10:37 PM
Updated: Dec 22, 2025, 10:37 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 1.6
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.