BusyBox DHCPv6 Client Heap Buffer Overflow Vulnerability

A heap buffer overflow vulnerability has been identified in the BusyBox DHCPv6 client (udhcpc6) prior to commit 42202bf. The vulnerability resides in the DNS_SERVERS option handler within the file networking/udhcp/d6_dhcpc.c. This flaw allows network-adjacent attackers to cause memory corruption by sending a crafted DHCPv6 response with a malformed D6_OPT_DNS_SERVERS option. Exploitation takes advantage of incorrect heap buffer allocation calculations in the option_to_env() function, potentially leading to denial-of-service conditions or arbitrary code execution on embedded systems that lack heap hardening.

Impact

Exploitation of this vulnerability causes a heap-based buffer overflow, which can lead to memory corruption. This type of vulnerability is commonly associated with allowing attackers to execute arbitrary code, especially on embedded systems where such exploits can be particularly impactful.

Reproduction

The vulnerability can be reproduced by sending a crafted DHCPv6 response that includes a malformed D6_OPT_DNS_SERVERS option to a device running an affected version of BusyBox with the DHCPv6 client enabled. This can be done using a network tool that allows manipulation of DHCPv6 packets, such as a custom script or a network packet generator that supports DHCPv6.

Remediation

Users can update to BusyBox versions after the patch commit (42202bf) to address this vulnerability.