Espressif Arduino-ESP32 WebServer Stack Buffer Overflow Vulnerability in Multipart Form Parsing Allows Remote Code Execution

Vulnerability

A stack buffer overflow vulnerability has been identified in the WebServer multipart form parser of the Espressif Arduino-ESP32 core, affecting versions through 3.3.7. The parser allocates a Variable Length Array (VLA) on the stack whose size is taken from an attacker-controlled HTTP header field, without any length validation. An oversized value therefore exhausts the 8192-byte task stack of the loopTask, leading to a crash and potential remote code execution.
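To illustrate the defect class and its fix, the following is an added C example (not the Arduino-ESP32 project's own code): a hypothetical sketch of the VLA pattern in a comment, beside a hardened parser that validates the boundary length against a fixed-size buffer before copying anything onto the stack. The 70-character limit comes from RFC 2046; the function and status names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* RFC 2046 caps a multipart boundary at 70 characters, so a fixed buffer
 * covers every valid request: "--" + boundary + NUL. */
#define MAX_BOUNDARY_LEN 70
#define BOUNDARY_BUF_SIZE (MAX_BOUNDARY_LEN + 3)

enum { BOUNDARY_OK = 0, BOUNDARY_MISSING = -1, BOUNDARY_TOO_LONG = -2 };

/* Vulnerable shape (hypothetical sketch of the pattern, not the project's
 * code): a VLA sized from the request header, e.g.
 *     char marker[boundary_len + 3];
 * With a boundary of more than 8000 bytes the frame alone exceeds the
 * 8192-byte loopTask stack. The hardened version below never lets the
 * request choose a stack allocation size. */

/* Locate "boundary=" in a Content-Type value and build "--<boundary>" in a
 * fixed-size caller buffer. Quoted and unquoted parameter forms are
 * accepted; the value ends at a closing quote, ';' or end of string. */
int parse_multipart_boundary(const char *content_type,
                             char out[BOUNDARY_BUF_SIZE]) {
    const char *p = strstr(content_type, "boundary=");
    if (p == NULL)
        return BOUNDARY_MISSING;
    p += strlen("boundary=");
    bool quoted = (*p == '"');
    if (quoted)
        p++;
    size_t len = 0;
    while (p[len] != '\0' && p[len] != ';' && !(quoted && p[len] == '"'))
        len++;
    /* The length check happens before any write into the stack buffer. */
    if (len == 0)
        return BOUNDARY_MISSING;
    if (len > MAX_BOUNDARY_LEN)
        return BOUNDARY_TOO_LONG;   /* caller answers 400/413, no parsing */
    out[0] = '-';
    out[1] = '-';
    memcpy(out + 2, p, len);
    out[len + 2] = '\0';
    return BOUNDARY_OK;
}
```

A request carrying the 8000-plus character boundary from the Reproduction section is rejected with BOUNDARY_TOO_LONG before the parser allocates anything.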

Impact

Exploitation of this vulnerability causes a stack overflow that crashes the device and may allow remote code execution, depending on the heap layout and the content of the attacker-controlled boundary.

Reproduction

To reproduce this vulnerability, upload a file using an HTTP POST request to a server running the Espressif Arduino-ESP32 WebServer with a file upload handler. The request must include a multipart boundary string longer than 8000 characters, which will overflow the stack and cause the device to crash.

Remediation

Users can upgrade to Arduino-ESP32 version 3.3.8 or later, where this vulnerability has been fixed.

Added: May 12, 2026, 10:32 PM
Updated: May 12, 2026, 10:32 PM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 7.5
exploitability: 5.5
remediation: 7.7
relevance: 7.9
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.