FastNetMon
- <= 1.2.9
A heap-based buffer overflow vulnerability has been identified in FastNetMon Community Edition versions through 1.2.9. The issue resides in the dynamic_binary_buffer_t class, specifically within five methods that handle data appending and copying. These methods contain an off-by-one error in their bounds checking, allowing for a write operation that extends precisely one byte beyond the allocated buffer's end. This flaw can be exploited by sending network traffic via protocols such as NetFlow, sFlow, IPFIX, or BGP, potentially leading to arbitrary code execution by manipulating heap metadata.
Successful exploitation yields a one-byte heap overflow that can corrupt heap metadata. Memory corruption of this kind is a well-known exploitation technique that can lead to arbitrary code execution.
The vulnerability can be reproduced by sending crafted NetFlow templates or BGP UPDATE messages that exploit the off-by-one error in the dynamic_binary_buffer_t class. This can be done by filling the buffer to its maximum capacity and then attempting to append additional data, which will overwrite adjacent memory used by the heap allocator.
Users are advised to update to FastNetMon Community Edition versions after 1.2.9, where this vulnerability has been addressed.
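The boundary condition described above can be pinned down with a small regression check. The following is an added example, not FastNetMon's code: bounded_buffer, flawed_fits, safe_fits and count_overruns are hypothetical names, and the flawed predicate is only an assumed shape for a check that admits a write ending one byte past the allocation.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <memory>

// Assumed shape of an off-by-one check: accepts a write ending at cap + 1.
bool flawed_fits(std::size_t pos, std::size_t len, std::size_t cap) {
    return !(pos + len > cap + 1);
}

// Corrected check, arranged so that pos + len can never wrap around.
bool safe_fits(std::size_t pos, std::size_t len, std::size_t cap) {
    return pos <= cap && len <= cap - pos;
}

// Hypothetical append-only buffer (a stand-in, not dynamic_binary_buffer_t).
class bounded_buffer {
public:
    explicit bounded_buffer(std::size_t cap)
        : data_(new std::uint8_t[cap]()), cap_(cap) {}

    bool append_byte(std::uint8_t value) { return append_data(&value, 1); }

    bool append_data(const void* src, std::size_t len) {
        if (src == nullptr || !safe_fits(pos_, len, cap_)) {
            return false;  // refuse rather than write past the allocation
        }
        std::memcpy(data_.get() + pos_, src, len);
        pos_ += len;
        return true;
    }

    std::size_t size() const { return pos_; }

private:
    std::unique_ptr<std::uint8_t[]> data_;
    std::size_t cap_;
    std::size_t pos_ = 0;
};

// Sweep every (pos, len) pair for a small capacity and count those the
// flawed check accepts even though the write would end past the buffer.
std::size_t count_overruns(std::size_t cap) {
    std::size_t overruns = 0;
    for (std::size_t pos = 0; pos <= cap; ++pos)
        for (std::size_t len = 1; len <= cap + 1; ++len)
            if (flawed_fits(pos, len, cap) && !safe_fits(pos, len, cap)) ++overruns;
    return overruns;
}
```

A sweep of this kind belongs in the unit tests of every append and copy method, since all of them must agree on the same end-of-buffer condition.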