Cesanta Mongoose Stack-Based Buffer Overflow Vulnerability in mDNS Record Handler

Vulnerability

A stack-based buffer overflow vulnerability has been identified in Cesanta Mongoose versions prior to 7.21. The issue is in the mDNS record handling function in 'mongoose.c', which uses a fixed-size stack buffer to construct responses. The response data can be made to overflow this buffer, potentially corrupting the stack and the program's control flow.

Impact

Exploitation of this vulnerability causes a stack-based buffer overflow, overwriting saved registers and the return address on the MIPS stack. This corruption leads to a crash when the function returns, as execution jumps to a corrupted address.

Reproduction

The vulnerability can be reproduced by sending a standard mDNS PTR query for a service type to UDP port 5353. The server responds by building a PTR response that includes additional DNS records (SRV, TXT, and A) which collectively exceed the buffer size, causing the overflow. This can be automated with a Python script that sends the crafted mDNS query and checks if the server crashes.

Remediation

Users are advised to upgrade to Cesanta Mongoose version 7.21, which addresses this vulnerability.
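The defensive pattern for this bug class, as an added example that is not Mongoose's code or its 7.21 fix: a response builder that checks every append against the buffer capacity and returns 0 instead of writing a PTR response whose SRV, TXT and A records do not fit. The names (`wbuf`, `build_ptr_response`), the TTL and the record layout choices are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Bounded writer: every append is checked against the remaining capacity. */
struct wbuf { uint8_t *p; size_t cap, len, slot; int overflow; };
static void wb_put(struct wbuf *w, const void *src, size_t n) {
  if (w->overflow || n > w->cap - w->len) { w->overflow = 1; return; }
  memcpy(w->p + w->len, src, n);
  w->len += n;
}
static void wb_u16(struct wbuf *w, uint16_t v) {
  wb_put(w, (uint8_t[2]) {(uint8_t) (v >> 8), (uint8_t) v}, 2);
}
/* Encode a dotted name as length-prefixed DNS labels plus the root label. */
static void wb_name(struct wbuf *w, const char *name) {
  while (*name != '\0') {
    const char *dot = strchr(name, '.');
    size_t n = dot ? (size_t) (dot - name) : strlen(name);
    uint8_t n8 = (uint8_t) n;
    if (n == 0 || n > 63) { w->overflow = 1; return; }
    wb_put(w, &n8, 1); wb_put(w, name, n);
    name += n + (dot ? 1 : 0);
  }
  wb_put(w, "", 1);  /* root label: a single zero byte */
}
/* Start a record: name, type, class IN, TTL 120 s, then reserve the RDLENGTH slot. */
static void rr_begin(struct wbuf *w, const char *name, uint16_t type) {
  wb_name(w, name); wb_u16(w, type); wb_u16(w, 1); wb_u16(w, 0); wb_u16(w, 120);
  w->slot = w->len;
  wb_u16(w, 0);
}
/* Patch RDLENGTH once the record data is written; skipped after an overflow. */
static void rr_end(struct wbuf *w) {
  size_t n = w->overflow ? 0 : w->len - w->slot - 2;
  if (!w->overflow) { w->p[w->slot] = (uint8_t) (n >> 8); w->p[w->slot + 1] = (uint8_t) n; }
}
/* Returns the response length, or 0 if PTR + SRV + TXT + A do not fit in cap bytes. */
size_t build_ptr_response(uint8_t *out, size_t cap, const char *svc, const char *inst,
    const char *host, uint16_t port, const uint8_t *txt, size_t txt_len, const uint8_t ip[4]) {
  static const uint8_t hdr[12] = {0, 0, 0x84, 0, 0, 0, 0, 1, 0, 0, 0, 3};
  struct wbuf w = {out, cap > 0xFFFF ? 0xFFFF : cap, 0, 0, 0};  /* DNS message limit */
  wb_put(&w, hdr, sizeof(hdr));
  rr_begin(&w, svc, 12); wb_name(&w, inst); rr_end(&w);                    /* PTR */
  rr_begin(&w, inst, 33); wb_u16(&w, 0); wb_u16(&w, 0); wb_u16(&w, port);  /* SRV */
  wb_name(&w, host); rr_end(&w);
  rr_begin(&w, inst, 16); wb_put(&w, txt, txt_len); rr_end(&w);            /* TXT */
  rr_begin(&w, host, 1); wb_put(&w, ip, 4); rr_end(&w);                    /* A */
  return w.overflow ? 0 : w.len;
}
```

The caller passes the real size of its buffer as `cap` and treats a return value of 0 as "do not send"; `txt` is expected as already-encoded TXT record data.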

Added: Apr 2, 2026, 10:59 AM
Updated: Apr 2, 2026, 10:59 AM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 3.1
exploitability: 6.6
remediation: 7.7
relevance: 5.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.