AIS-catcher Heap Buffer Overflow Vulnerability in AIS::Message Class Allowing Remote Code Execution

Vulnerability

A heap buffer overflow vulnerability has been identified in the AIS-catcher application, specifically within the AIS::Message class, in versions prior to 0.64. This vulnerability allows an attacker to write approximately 1KB of arbitrary data into a buffer that is only 128 bytes in size. The issue arises from a logical error in the bounds checking, where the length is incorrectly compared in bytes instead of bits. Exploitation of this vulnerability can lead to remote code execution by overwriting adjacent memory objects and hijacking control flow.

Impact

Exploitation of this vulnerability allows for remote code execution, with the executed code running under the privileges of the AIS-catcher process. Additionally, the vulnerability can be exploited to cause a denial-of-service by crashing the application with oversized packets.

Reproduction

The vulnerability can be reproduced through the 'setUint' method of the 'AIS::Message' class. Writing at a position that exceeds the buffer's capacity, such as a bit offset of 2000, triggers the buffer overflow. This can be done with a crafted AIS message that passes the incorrect bounds check, causing the application to overwrite adjacent memory and potentially execute arbitrary code.
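The byte-versus-bit confusion described above, shown beside a hardened setter, as an added example that is not AIS-catcher's code. `flawed_check` is an assumed model of the faulty comparison (it performs no write), and `BitBuffer`, `in_bounds` and `set_uint` are hypothetical names.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Constructed model of a bit-addressed message buffer; not AIS-catcher source.
constexpr std::size_t BUF_BYTES = 128;           // buffer size from the advisory
constexpr std::size_t BUF_BITS = BUF_BYTES * 8;  // 1024 addressable bits

struct BitBuffer {
    std::uint8_t data[BUF_BYTES] = {};
};

// Assumed shape of the unit confusion: the end position is converted to a
// byte index but compared against a limit expressed in bits. Predicate only.
bool flawed_check(std::size_t start_bit, std::size_t len_bits) {
    return (start_bit + len_bits) / 8 <= BUF_BITS;
}

// Correct check: both sides in bits, written so the addition cannot wrap.
bool in_bounds(std::size_t start_bit, std::size_t len_bits) {
    return len_bits >= 1 && len_bits <= 32 &&
           start_bit <= BUF_BITS && len_bits <= BUF_BITS - start_bit;
}

// Hardened setter: writes len_bits of value MSB-first, or refuses.
bool set_uint(BitBuffer &b, std::size_t start_bit, std::size_t len_bits,
              std::uint32_t value) {
    if (!in_bounds(start_bit, len_bits)) return false;
    for (std::size_t i = 0; i < len_bits; ++i) {
        const std::size_t bit = start_bit + i;
        const std::uint8_t mask = static_cast<std::uint8_t>(0x80u >> (bit % 8));
        if ((value >> (len_bits - 1 - i)) & 1u)
            b.data[bit / 8] |= mask;
        else
            b.data[bit / 8] &= static_cast<std::uint8_t>(~mask);
    }
    return true;
}

int main() {
    BitBuffer b;
    std::printf("flawed check accepts bit 2000: %d\n", flawed_check(2000, 8));
    std::printf("hardened setter accepts bit 2000: %d\n", set_uint(b, 2000, 8, 0xFF));
    std::printf("hardened setter accepts bit 1016: %d\n", set_uint(b, 1016, 8, 0xAB));
    return 0;
}
```

Writing the bound as `len_bits <= BUF_BITS - start_bit` keeps the check sound even when `start_bit` is close to the maximum of `size_t`, where `start_bit + len_bits` would wrap.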

Remediation

Users are advised to update to AIS-catcher version 0.64 or later, where this vulnerability has been patched.

Added: Nov 29, 2025, 3:20 AM
Updated: Nov 29, 2025, 3:20 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 8.7
remediation: 7.7
relevance: 1.2
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.