Eclipse ThreadX FileX Buffer Overflow Vulnerability in RAM Disk Driver Allowing Remote Code Execution
Vulnerability
A buffer overflow vulnerability has been identified in the FileX RAM disk driver of Eclipse ThreadX, in versions prior to 6.4.2. This vulnerability allows for remote code execution by sending a crafted sequence of network packets. The issue arises because the RAM disk driver can be improperly configured, leading to memory buffers being overwritten and potentially allowing for the execution of arbitrary code.
Impact
Exploitation of this vulnerability causes a buffer overflow in the RAM disk driver, which can overwrite function pointers and lead to arbitrary code execution.
Reproduction
The vulnerability can be reproduced by initializing the FileX RAM disk driver with a configuration that allocates insufficient memory for the total sectors specified. This can be done by setting the total sectors and sector size in a way that the calculated total exceeds the allocated RAM disk memory, without proper validation. Once the RAM disk driver is formatted and initialized, the NetXDuo HTTP server can be used to send a PUT request that triggers the buffer overflow by writing data beyond the allocated memory limit.
Remediation
Users should ensure that the total sectors multiplied by the sector size is less than the size of the allocated RAM disk memory when initializing the driver. This can be verified by checking that the product of the total sectors and sector size values does not exceed the memory buffer size.
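One way to express the check described above, as an added example that is not code from ThreadX or FileX: the struct and function names are hypothetical, and the geometry values are constructed. It validates the configured geometry against the backing buffer and applies the same limit to each sector request.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical geometry record; field names are assumptions, not FileX types. */
struct ramdisk_geometry {
    uint32_t total_sectors;
    uint32_t bytes_per_sector;
    size_t   backing_size;   /* bytes actually allocated for the RAM disk */
};

/* Returns 1 when total_sectors * bytes_per_sector fits in the backing buffer. */
int ramdisk_geometry_ok(const struct ramdisk_geometry *g)
{
    if (g->total_sectors == 0 || g->bytes_per_sector == 0)
        return 0;
    /* The 64-bit product of two 32-bit operands cannot wrap. */
    uint64_t needed = (uint64_t)g->total_sectors * g->bytes_per_sector;
    return needed <= (uint64_t)g->backing_size;
}

/* Returns 1 when `count` sectors starting at `first` stay inside the
   declared geometry, which itself must fit the backing buffer. */
int ramdisk_request_ok(const struct ramdisk_geometry *g,
                       uint32_t first, uint32_t count)
{
    if (!ramdisk_geometry_ok(g) || count == 0)
        return 0;
    /* Subtraction form avoids overflow in first + count. */
    if (first >= g->total_sectors || count > g->total_sectors - first)
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed values: 256 sectors of 512 bytes need 131072 bytes. */
    struct ramdisk_geometry bad  = { 256, 512, 64 * 1024 };
    struct ramdisk_geometry good = { 256, 512, 128 * 1024 };
    printf("undersized buffer accepted: %d\n", ramdisk_geometry_ok(&bad));
    printf("matching buffer accepted:   %d\n", ramdisk_geometry_ok(&good));
    printf("write past end accepted:    %d\n", ramdisk_request_ok(&good, 250, 10));
    return 0;
}
```

Running the geometry check before the media is formatted rejects the misconfiguration described under Reproduction, and the per-request check keeps a later write from relying on the configuration alone.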
