Arendst Tasmota
cpe:2.3:a:tasmota_project:tasmota:*:*:*:*:*:*:*, +1 more
- <= 15.3.0.3
A heap buffer overflow vulnerability has been identified in Tasmota versions through 15.3.0.3. The issue arises in the 'fetch_jpg()' function within the 'xdrv_10_scripter.ino' file. When a Tasmota device fetches MJPEG frames from an attacker-controlled server, the 'Content-Length' header is read into a 'uint16_t' variable. Values above 65535 wrap modulo 65536 and are silently truncated, so the buffer allocated from the truncated length is smaller than the frame the server actually sends, and the copy corrupts the heap. This vulnerability can lead to a crash or potentially allow remote code execution.
Exploitation of this vulnerability causes a guaranteed crash and reboot of the device. However, on devices with an ESP32 chip, this vulnerability could be exploited for remote code execution.
The vulnerability can be reproduced by sending MJPEG frames with 'Content-Length' values greater than 65535 to a Tasmota device. This can be done by using a Tasmota script to fetch JPEG frames from a server that the device is scripted to connect to. The 'fetchjp' command can be used to specify the stream URL, including the malicious 'Content-Length' value.
Tasmota has released a patch for this vulnerability in version 15.3.0.4 and later.
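The integer truncation described above, as a constructed C example added here (it is not Tasmota's code and does not reproduce the contents of 'fetch_jpg()'): the vulnerable pattern stores the parsed 'Content-Length' in a 'uint16_t', while the hardened version parses into a wide type and rejects anything malformed or above a per-frame cap before any allocation is sized from it. The cap 'MAX_FRAME_BYTES' and all function names are assumptions.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed example, not Tasmota's code. It isolates the defect class the
 * advisory describes: a Content-Length header parsed into a 16-bit integer. */

/* Hypothetical per-frame cap; a real device would size this to its RAM. */
#define MAX_FRAME_BYTES 65536UL

/* Vulnerable pattern: the header value ends up in a uint16_t, so any value
 * >= 65536 wraps modulo 65536 (70000 becomes 4464). If a heap buffer is then
 * allocated from this number while the server sends the full declared
 * payload, the copy overruns the allocation. */
uint16_t vulnerable_frame_len(const char *content_length) {
    unsigned long v = strtoul(content_length, NULL, 10);
    uint16_t len = (uint16_t)v;   /* silent truncation */
    return len;
}

/* Hardened pattern: parse into a wide type, accept only a plain decimal
 * number, and enforce a cap before any allocation happens.
 * Returns the length, or -1 if the header must be rejected. */
long checked_frame_len(const char *content_length) {
    if (content_length == NULL || !isdigit((unsigned char)content_length[0]))
        return -1;                      /* empty, signed, or non-numeric */
    errno = 0;
    char *end = NULL;
    unsigned long long v = strtoull(content_length, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return -1;                      /* overflow or trailing garbage */
    if (v > MAX_FRAME_BYTES)
        return -1;                      /* larger than we are willing to buffer */
    return (long)v;
}

/* Bytes the vulnerable path fails to account for: the gap between the
 * declared length and the truncated value a buffer would be sized from. */
unsigned long unaccounted_bytes(const char *content_length) {
    unsigned long declared = strtoul(content_length, NULL, 10);
    uint16_t allocated = vulnerable_frame_len(content_length);
    return declared > allocated ? declared - allocated : 0;
}

int main(void) {
    /* Constructed header values covering in-range, boundary, and bad input. */
    const char *headers[] = { "4096", "65535", "65536", "70000", "12abc" };
    for (size_t i = 0; i < sizeof headers / sizeof headers[0]; i++) {
        printf("Content-Length: %-6s  uint16 sees %5u  checked parse %6ld  unaccounted %lu bytes\n",
               headers[i], (unsigned)vulnerable_frame_len(headers[i]),
               checked_frame_len(headers[i]), unaccounted_bytes(headers[i]));
    }
    return 0;
}
```

The check worth carrying into any firmware that buffers a network-declared length is the one in checked_frame_len: parse into a type wider than the header can ever need, reject anything that is not a bare decimal, and compare against an explicit cap before calling the allocator, so the allocation and the later copy are both bounded by the same validated number.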