nanoMODBUS Stack-Based Buffer Overflow Vulnerability in Modbus TCP Register Reading Functions

Vulnerability

A stack-based buffer overflow vulnerability has been identified in the nanoMODBUS library, specifically in versions through 1.22.0. The issue arises in the function recv_read_registers_res() within nanomodbus.c. When a client uses the library to read holding or input registers, the library writes the received register data into a user-provided buffer. This is done based on the byte_count field of the response, but without first verifying that the byte_count aligns with the amount of data requested. As a result, a malicious Modbus TCP server can exploit this by sending a response with a fabricated byte_count value, leading to an overflow of the buffer with attacker-controlled data. This vulnerability could potentially be exploited to execute remote code.

Impact

Exploitation of this vulnerability allows for a stack-based buffer overflow, which could be leveraged for remote code execution.

Reproduction

To reproduce this vulnerability, a Modbus TCP client application must be created using the nanoMODBUS library. The client should connect to a Modbus TCP server (which could be malicious or compromised) and invoke the nmbs_read_holding_registers() or nmbs_read_input_registers() functions. The server must then respond with a crafted Modbus message that includes a byte_count value of 250, indicating 125 registers, regardless of the actual quantity requested. This response will cause up to 248 bytes of data to overflow the buffer, exploiting the vulnerability.
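The root cause described above, and the reproduction case with byte_count = 250, can both be illustrated with a parser that enforces the check the advisory says is missing. The following is an added example written for this page; it is a simplified, hypothetical Modbus read-registers response parser and is not nanoMODBUS's recv_read_registers_res() or any other code from the project. The function names (parse_read_registers_res, build_oversized_res, demo_*), the result enum and the sample frames are all constructed for the example. It shows the client comparing the response's byte_count against the quantity it actually requested, and against the caller's buffer capacity, before any register data is written.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical response parser for Modbus FC 3 (read holding registers) and
 * FC 4 (read input registers). PDU layout of a normal response:
 *   [function code][byte_count][register data: byte_count bytes, big-endian] */

#define MODBUS_MAX_READ_REGISTERS 125   /* protocol limit per FC 3 / FC 4 request */

typedef enum {
    PARSE_OK = 0,
    PARSE_ERR_SHORT_FRAME,   /* frame shorter than its header or byte_count claims */
    PARSE_ERR_BYTE_COUNT,    /* byte_count does not match what the client asked for */
    PARSE_ERR_EXCEPTION      /* server returned a Modbus exception response */
} parse_result_t;

/* Parse a read-registers response into `out`, which holds `out_cap` registers.
 * `quantity_requested` is the register count the client put in its request. */
parse_result_t parse_read_registers_res(const uint8_t *pdu, size_t pdu_len,
                                        uint16_t quantity_requested,
                                        uint16_t *out, size_t out_cap)
{
    if (pdu_len < 2)
        return PARSE_ERR_SHORT_FRAME;
    if (pdu[0] & 0x80)                       /* exception bit set on the function code */
        return PARSE_ERR_EXCEPTION;

    uint8_t byte_count = pdu[1];

    /* Sanity-check the request side first: a quantity outside the protocol
     * limit can never produce a valid response. */
    if (quantity_requested == 0 || quantity_requested > MODBUS_MAX_READ_REGISTERS)
        return PARSE_ERR_BYTE_COUNT;

    /* The check the advisory describes as missing: the server's byte_count is
     * untrusted input and must equal exactly 2 bytes per requested register. */
    if ((size_t)byte_count != (size_t)quantity_requested * 2u)
        return PARSE_ERR_BYTE_COUNT;

    /* Defence in depth: never write more registers than the caller's buffer holds,
     * even if a future caller passes a quantity larger than its buffer. */
    if ((size_t)quantity_requested > out_cap)
        return PARSE_ERR_BYTE_COUNT;

    /* The frame must really carry the bytes it claims; otherwise we would read
     * past the end of the received data. */
    if (pdu_len < 2u + (size_t)byte_count)
        return PARSE_ERR_SHORT_FRAME;

    for (size_t i = 0; i < quantity_requested; i++)
        out[i] = (uint16_t)((pdu[2 + 2 * i] << 8) | pdu[3 + 2 * i]);

    return PARSE_OK;
}

/* Constructed sample: a well-formed response to "read 2 holding registers"
 * carrying the values 0x1234 and 0xABCD. */
static const uint8_t benign_res[] = { 0x03, 0x04, 0x12, 0x34, 0xAB, 0xCD };

/* Constructed test vector mirroring the advisory's reproduction: a response
 * claiming byte_count = 250 (125 registers) regardless of what was requested.
 * Returns the frame length written, or 0 if `cap` is too small. */
size_t build_oversized_res(uint8_t *buf, size_t cap)
{
    const size_t len = 2u + 250u;
    if (cap < len)
        return 0;
    buf[0] = 0x03;
    buf[1] = 250;
    memset(buf + 2, 0x41, 250);   /* filler register data */
    return len;
}

/* Returns the first register from the benign frame, or -1 on parse failure. */
int demo_benign_first_register(void)
{
    uint16_t regs[2] = { 0, 0 };
    parse_result_t r = parse_read_registers_res(benign_res, sizeof benign_res,
                                                2, regs, 2);
    return r == PARSE_OK ? (int)regs[0] : -1;
}

/* Returns 1 if the oversized frame is rejected with PARSE_ERR_BYTE_COUNT and the
 * caller's 2-register buffer is left untouched, 0 otherwise. */
int demo_oversized_rejected(void)
{
    uint8_t frame[2 + 250];
    size_t len = build_oversized_res(frame, sizeof frame);
    uint16_t regs[2] = { 0, 0 };   /* the client only asked for 2 registers */
    parse_result_t r = parse_read_registers_res(frame, len, 2, regs, 2);
    return (r == PARSE_ERR_BYTE_COUNT && regs[0] == 0 && regs[1] == 0) ? 1 : 0;
}

int main(void)
{
    printf("benign first register: 0x%04X\n", demo_benign_first_register());
    printf("oversized frame rejected: %d\n", demo_oversized_rejected());
    return 0;
}
```

The important design point is that byte_count is compared against the quantity the client itself requested, not merely against the buffer size: a response that claims more data than was asked for is malformed and should be rejected outright rather than partially accepted, and the equality check also catches short frames that would otherwise leave part of the caller's buffer uninitialised.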

Added: May 8, 2026, 6:40 PM
Updated: May 8, 2026, 6:40 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 8.2
remediation: 0.0
relevance: 7.8
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.