TinyOS Buffer Overflow Vulnerability in printfUART Implementation
Vulnerability
A global buffer overflow has been identified in TinyOS versions through 2.1.2. The issue is in the printfUART formatted-output implementation used by the ZigBee / IEEE 802.15.4 networking stack. The implementation accumulates its output in a fixed-size global buffer (debugbuf) and appends the argument of each %s format specifier with strcat(), without checking how much space remains in the buffer. When printfUART is called with a %s argument that is user-controlled and longer than the remaining buffer space, the unbounded concatenation writes past the end of debugbuf and corrupts whatever global data the linker placed after it. This can cause a denial of service, unintended behaviour, or information disclosure through corrupted global state or corrupted UART output.
Impact
Exploitation corrupts global memory. Depending on what lies after debugbuf, this leads to a denial of service (the application crashes or wedges), unintended behaviour, or information disclosure, since the corrupted global state may subsequently be emitted on the UART or otherwise influence output.
Reproduction
The issue is reproduced by invoking printfUART with a format string containing %s and passing a string that exceeds the remaining capacity of the debugbuf global buffer. In a deployment where that string is user-controlled, for example a specially crafted string sent over UART that is longer than the available buffer space, the unbounded strcat() concatenation triggers the overflow.
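As an added illustration of the pattern described in the Vulnerability and Reproduction sections above (this is model code written for this page, not TinyOS source; the 64-byte buffer size, the names printfUART_vuln, printfUART_safe and append_bounded, and the %s/%d/%% format subset are assumptions), the following C shows the unbounded strcat() shape beside a bounded replacement that reports truncation instead of overflowing:

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed size for this model; the real TinyOS value is not stated on this page. */
#define DEBUGBUF_SIZE 64
char debugbuf[DEBUGBUF_SIZE];

/* Hypothetical model of the vulnerable shape: output is accumulated in the
 * global debugbuf and every %s argument is appended with strcat(), which
 * never looks at the remaining capacity. Not the TinyOS source. */
void printfUART_vuln(const char *fmt, ...)
{
    va_list ap;
    char scratch[16];

    debugbuf[0] = '\0';
    va_start(ap, fmt);
    while (*fmt) {
        if (fmt[0] == '%' && fmt[1] == 's') {
            strcat(debugbuf, va_arg(ap, const char *)); /* unbounded: the bug */
            fmt += 2;
        } else if (fmt[0] == '%' && fmt[1] == 'd') {
            snprintf(scratch, sizeof scratch, "%d", va_arg(ap, int));
            strcat(debugbuf, scratch);                   /* also unbounded */
            fmt += 2;
        } else {
            size_t n = strlen(debugbuf);                 /* literal character */
            debugbuf[n] = *fmt++;
            debugbuf[n + 1] = '\0';
        }
    }
    va_end(ap);
}

/* Bounded append for the hardened version: copies as much of s as fits in
 * cap bytes (always leaving room for the NUL), advances *len, and reports
 * whether anything was dropped. */
static bool append_bounded(char *dst, size_t cap, size_t *len, const char *s)
{
    size_t avail = cap - 1 - *len;
    size_t n = strlen(s);
    bool fits = n <= avail;

    if (!fits)
        n = avail;
    memcpy(dst + *len, s, n);
    *len += n;
    dst[*len] = '\0';
    return fits;
}

/* Hardened replacement with the same format subset. Never writes past
 * DEBUGBUF_SIZE; returns the output length, or -1 if output was truncated,
 * so the caller can notice that an argument did not fit. */
int printfUART_safe(const char *fmt, ...)
{
    va_list ap;
    char scratch[16];
    char one[2] = { 0, 0 };
    size_t len = 0;
    bool ok = true;

    debugbuf[0] = '\0';
    va_start(ap, fmt);
    while (*fmt) {
        if (fmt[0] == '%' && fmt[1] == 's') {
            const char *s = va_arg(ap, const char *);
            ok &= append_bounded(debugbuf, DEBUGBUF_SIZE, &len, s ? s : "(null)");
            fmt += 2;
        } else if (fmt[0] == '%' && fmt[1] == 'd') {
            snprintf(scratch, sizeof scratch, "%d", va_arg(ap, int));
            ok &= append_bounded(debugbuf, DEBUGBUF_SIZE, &len, scratch);
            fmt += 2;
        } else if (fmt[0] == '%' && fmt[1] == '%') {
            ok &= append_bounded(debugbuf, DEBUGBUF_SIZE, &len, "%");
            fmt += 2;
        } else {
            one[0] = *fmt++;
            ok &= append_bounded(debugbuf, DEBUGBUF_SIZE, &len, one);
        }
    }
    va_end(ap);
    return ok ? (int)len : -1;
}

/* Constructed attacker input for the demo: longer than the whole buffer. */
static char long_input[DEBUGBUF_SIZE + 40];
const char *constructed_long_input(void)
{
    memset(long_input, 'A', sizeof long_input - 1);
    long_input[sizeof long_input - 1] = '\0';
    return long_input;
}

int main(void)
{
    int r;

    printfUART_vuln("node %d: %s", 7, "hello");       /* fits: no harm done */
    printf("vuln, short input: \"%s\"\n", debugbuf);

    r = printfUART_safe("rx: %s", constructed_long_input());
    printf("safe, long input : ret=%d len=%zu\n", r, strlen(debugbuf));
    /* printfUART_vuln("rx: %s", constructed_long_input()) would write
     * DEBUGBUF_SIZE + 40 bytes into a DEBUGBUF_SIZE buffer: the overflow. */
    return 0;
}
```

The fix belongs at the %s case: track the bytes already written and copy at most DEBUGBUF_SIZE - 1 - written bytes, keeping the terminator. On a host build, compiling the unbounded variant with -fsanitize=address and feeding it the long input makes the overflow visible immediately; on the device, which global is corrupted depends on link order, which is why the symptom ranges from a crash to silently altered state.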
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.
