OpenSatKit Stack Buffer Overflow Vulnerability

A stack buffer overflow vulnerability has been identified in OpenSatKit version 2.2.1. The issue arises in the file management module, specifically within the 'file.c' source file. The vulnerability is caused by the 'EventErrStr' buffer, which is fixed at 256 bytes, being populated with user-controlled filenames via 'sprintf'. This formatting is done without proper length validation or the use of safe format specifiers. If the combined length of the filenames approaches the maximum path length allowed by the operating system, the buffer can be overflowed, leading to memory corruption. This unsafe use of 'sprintf' is present in multiple functions, including 'FILE_ConcatenateCmd()' and 'ConcatenateFiles()', where it goes unchecked before the message is sent through the event reporting system.

Impact

Exploitation of this vulnerability causes a stack-based buffer overflow, which can lead to arbitrary code execution or memory corruption.

Reproduction

The vulnerability can be reproduced by sending a telecommand that includes a filename exceeding the buffer limit of 256 bytes when combined with constant text. This can be done through the application's file manipulation commands that allow for user-defined file paths.