FastNetMon Community Edition BGP NLRI Stack-Based Buffer Overflow Vulnerability Allowing Remote Code Execution

Vulnerability

A stack-based buffer overflow vulnerability has been identified in FastNetMon Community Edition versions through 1.2.9. The issue arises in the BGP NLRI (Network Layer Reachability Information) decoder, specifically within the function 'decode_bgp_subnet_encoding_ipv4_raw()' in 'src/bgp_protocol.cpp'. The vulnerability occurs because the function reads the prefix bit length directly from the BGP packet without validating that it is less than or equal to 32 for IPv4 prefixes. This unvalidated length is then used to calculate the number of bytes needed to store the corresponding subnet mask, allowing an attacker to overflow a stack variable by up to 28 bytes. This overflow can be exploited to execute arbitrary code.
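The missing bound described above, shown as a checked decoder for a single IPv4 NLRI entry. This is an added example, not FastNetMon's code or its patch; the names Ipv4Prefix, NlriStatus, prefix_octets and decode_ipv4_nlri_checked are hypothetical.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

// Hypothetical result type for this example (not FastNetMon's own).
struct Ipv4Prefix {
    uint32_t address_be;  // network byte order, bits past the prefix zeroed
    uint8_t bit_length;   // 0..32
};

enum class NlriStatus { Ok, Truncated, BadLength };

// Octets needed to carry a prefix of the given bit length (RFC 4271, section 4.3).
static inline size_t prefix_octets(uint8_t bits) {
    return (static_cast<size_t>(bits) + 7) / 8;
}

// Decodes one <length, prefix> NLRI tuple from buf[0..len).
// On success stores the prefix in *out and the bytes consumed in *consumed.
NlriStatus decode_ipv4_nlri_checked(const uint8_t* buf, size_t len,
                                    Ipv4Prefix* out, size_t* consumed) {
    if (buf == nullptr || out == nullptr || consumed == nullptr || len < 1) {
        return NlriStatus::Truncated;
    }
    const uint8_t bits = buf[0];
    // The check the advisory says is missing: an IPv4 prefix is at most 32 bits.
    // Without it, bits = 255 asks for 32 octets to be copied into 4 bytes.
    if (bits > 32) {
        return NlriStatus::BadLength;
    }
    const size_t octets = prefix_octets(bits);  // now guaranteed 0..4
    // Second bound: the packet must actually contain that many octets.
    if (octets > len - 1) {
        return NlriStatus::Truncated;
    }
    uint8_t addr[4] = {0, 0, 0, 0};
    std::memcpy(addr, buf + 1, octets);
    // Clear trailing bits past the prefix length in the last copied octet.
    if (bits % 8 != 0) {
        addr[octets - 1] &= static_cast<uint8_t>(0xFF << (8 - bits % 8));
    }
    std::memcpy(&out->address_be, addr, sizeof(addr));
    out->bit_length = bits;
    *consumed = 1 + octets;
    return NlriStatus::Ok;
}
```

Rejecting the entry before any copy means the length byte never reaches the size calculation unchecked; the caller should treat BadLength as a malformed UPDATE rather than skipping the entry.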

Impact

Exploitation of this vulnerability leads to a stack-based buffer overflow, allowing for arbitrary code execution. The overflow can be used to overwrite the saved return address on the stack, directing execution to attacker-controlled code. This vulnerability is particularly critical because it can be exploited remotely via BGP, with the attacker needing to be a BGP peer of the FastNetMon process.

Reproduction

To reproduce this vulnerability, establish a BGP session with a FastNetMon instance running a vulnerable version. Send a BGP UPDATE message that includes NLRI data with a prefix bit length of 255, followed by 32 bytes of attacker-controlled data. The FastNetMon BGP integration must be enabled, and the application should be running with elevated privileges to allow for successful exploitation.

Remediation

Users can rebuild FastNetMon with compiler hardening flags to mitigate this vulnerability. It is also recommended to run FastNetMon under a low-privilege user and to monitor BGP session logs for any signs of exploitation.

Added: May 26, 2026, 4:31 PM
Updated: May 26, 2026, 4:31 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 8.2
remediation: 0.0
relevance: 9.6
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.