LemonOS Stack-Based Buffer Overflow Vulnerability in HTTP Client

Vulnerability

A stack-based buffer overflow vulnerability has been identified in LemonOS versions prior to nightly-2024-07-12. The issue resides in the 'steal' HTTP client, specifically within the 'HTTPGet' function of 'main.cpp'. The vulnerability is triggered by manipulating the 'chunkSize' parameter, which is influenced by external HTTP server responses. This exploitation can lead to a crash of the affected process, creating a denial-of-service condition.

Impact

Exploitation of this vulnerability causes a segmentation fault, crashing the 'steal' process and terminating its execution. This behavior disrupts any ongoing operations within the application, leading to a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by compiling the 'steal' HTTP client with debugging symbols and OpenSSL support, then running it while a Python-based TCP server sends a chunked HTTP response with a 'chunkSize' of 10MB. This response triggers the buffer overflow by exceeding the stack's default size limit, causing the program to crash.

Remediation

The vulnerability has been fixed in a subsequent update to 'main.cpp', which is available on the author's GitHub Gist.
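The defensive pattern that closes this class of bug is to bound the server-supplied chunk size before it sizes any buffer, and to never size a stack array with it. The following is an added example in C, not LemonOS's own main.cpp or the author's fix; MAX_CHUNK_SIZE and both function names are assumptions for illustration.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Assumed cap on one chunk's declared size; a constructed value, not from LemonOS. */
#define MAX_CHUNK_SIZE (64u * 1024u)

/* Parse the size line of a chunked-encoding chunk ("1f\r\n", "1f;ext=x\r\n").
   Returns 0 and stores the size on success; -1 when the line is malformed
   or the declared size exceeds MAX_CHUNK_SIZE. Rejecting here is what keeps
   a server-supplied size from ever reaching a buffer allocation. */
int parse_chunk_size(const char *line, size_t *out) {
    size_t value = 0, digits = 0;
    const char *p = line;
    for (; *p; ++p) {
        int c = (unsigned char)*p, d;
        if (c >= '0' && c <= '9') d = c - '0';
        else if (c >= 'a' && c <= 'f') d = c - 'a' + 10;
        else if (c >= 'A' && c <= 'F') d = c - 'A' + 10;
        else break;
        /* Bail out before the next shift could exceed the cap (or wrap). */
        if (value > (MAX_CHUNK_SIZE >> 4)) return -1;
        value = (value << 4) | (size_t)d;
        digits++;
    }
    /* Only a chunk extension, optional whitespace or CRLF may follow the digits. */
    if (digits == 0 || strchr(";\r\n \t", *p) == NULL) return -1;
    if (value > MAX_CHUNK_SIZE) return -1;
    *out = value;
    return 0;
}

/* Copy one chunk body out of the receive buffer into a heap allocation
   bounded by MAX_CHUNK_SIZE, never into a stack array sized by chunk_size.
   Returns NULL when the declared size is not backed by len bytes plus CRLF. */
unsigned char *read_chunk_body(const unsigned char *buf, size_t len,
                               size_t chunk_size) {
    if (chunk_size > MAX_CHUNK_SIZE || len < chunk_size + 2) return NULL;
    if (buf[chunk_size] != '\r' || buf[chunk_size + 1] != '\n') return NULL;
    unsigned char *body = malloc(chunk_size + 1);  /* +1 avoids malloc(0) */
    if (body == NULL) return NULL;
    memcpy(body, buf, chunk_size);
    body[chunk_size] = '\0';
    return body;
}
```

A size line of "A00000" (0xA00000, roughly the 10MB value from the reproduction) is rejected by parse_chunk_size before any allocation takes place.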

Added: Aug 15, 2025, 3:36 AM
Updated: Aug 15, 2025, 3:36 AM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          2.5
exploitability  8.7
remediation     0.0
relevance       0.4
threat          6.4
urgency         2.9
incentive       5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.