Arendst Tasmota Buffer Overflow Vulnerability in MJPEG Fetch Function Allowing Remote Code Execution

Vulnerability

A buffer overflow vulnerability has been identified in Arendst Tasmota versions through 15.3.0.3. This vulnerability allows remote code execution on ESP32-based devices. The issue arises in the 'fetch_jpg()' function within the 'xdrv_10_scripter.ino' file, where improper handling of data can lead to memory corruption and exploitation.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the affected device, with access to device secrets and credentials. Additionally, the vulnerability can cause a guaranteed crash and subsequent reboot loop of the device.

Reproduction

The vulnerability can be reproduced by uploading a Tasmota script that uses the 'fetchjp()' function to connect to a malicious MJPEG server. The server must be configured to send a crafted HTTP response that exploits the buffer overflow by including a boundary string longer than 40 characters. After the initial exploitation phase, the server can send MJPEG frames with a 'Content-Length' that wraps around, causing further memory corruption and stream state disruption.
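
A defensive sketch of the two input checks that the reproduction steps above turn on, added here as an example; it is not Tasmota's code and not the 15.3.0.4 patch. The 40-character boundary limit comes from the advisory; the function names, the 41-byte buffer and the 64 KiB frame cap are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BOUNDARY_MAX 40            /* limit named in the advisory */
#define FRAME_MAX    (64u * 1024u) /* assumed per-frame cap, not from the page */

/* Copy the multipart boundary out of a Content-Type value.
 * Returns 0 on success, -1 if it is missing, empty or would not fit. */
int parse_boundary(const char *content_type, char *out, size_t out_size) {
    const char *p = strstr(content_type, "boundary=");
    if (!p) return -1;
    p += strlen("boundary=");
    if (*p == '"') p++;                       /* optional quoted form */
    size_t n = strcspn(p, "\";\r\n ");        /* token length of untrusted input */
    if (n == 0 || n >= out_size) return -1;   /* reject, never truncate or overflow */
    memcpy(out, p, n);
    out[n] = '\0';
    return 0;
}

/* Parse a Content-Length value: digits only, at most FRAME_MAX.
 * Returns 0 and stores the length, -1 on any other input. */
int parse_content_length(const char *value, uint32_t *len) {
    const char *p = value;
    uint32_t acc = 0;
    if (*p < '0' || *p > '9') return -1;      /* no sign, no leading junk */
    for (; *p >= '0' && *p <= '9'; p++) {
        acc = acc * 10u + (uint32_t)(*p - '0');
        if (acc > FRAME_MAX) return -1;       /* checked per digit, so acc cannot wrap */
    }
    if (*p != '\0' && *p != '\r' && *p != '\n') return -1;
    *len = acc;
    return 0;
}

int main(void) {
    /* Constructed sample headers, not captured traffic. */
    char boundary[BOUNDARY_MAX + 1];
    uint32_t len = 0;
    int b = parse_boundary("multipart/x-mixed-replace; boundary=frame", boundary, sizeof boundary);
    int c = parse_content_length("4294967297", &len);
    printf("boundary: %d, content-length: %d\n", b, c);
    return 0;
}
```

Both functions fail closed: a stream whose headers do not pass should be dropped rather than parsed further.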

Remediation

Users can upgrade to Tasmota version 15.3.0.4 or later, where this vulnerability has been patched.

Added: May 28, 2026, 2:45 AM
Updated: May 28, 2026, 2:45 AM

Vulnerability Rating

Custom Algorithm
spread: 6.8
impact: 7.5
exploitability: 7.0
remediation: 7.7
relevance: 9.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.