CVE-2024-25724 - RTI Connext Pro Services Buffer Overflow — Exploit Details and Analysis

On February 2024, a critical vulnerability, tracked as CVE-2024-25724, was publicly disclosed, affecting several components of RTI Connext Professional – a widely used middleware for Data Distribution Service (DDS) systems. This long-standing security bug is found in versions 5.3.1 through 6.1. (but *before* 6.1.1), and is triggered by a buffer overflow when parsing XML across multiple Connext services – Routing Service, Recording Service, Queuing Service, and Cloud Discovery Service. The impact? A remote attacker can run arbitrary code, take control of a service, steal sensitive data, or crash the system.

Let’s break down this issue in plain terms, look at how attackers can exploit it, and see how you can protect your systems.

What is RTI Connext DDS?

RTI Connext DDS is an industrial-grade middleware used in robotics, automotive, medical devices, defense, and more. Its *Service* components let users connect and route data between systems, sometimes using custom XML to configure connections and resources. The critical functions provided include *Routing Service*, *Recording Service*, *Queuing Service,* and *Cloud Discovery Service*.

What’s the Vulnerability?

The flaw is a classic buffer overflow while parsing specifically-crafted XML files or RTPS messages. If the service (like Routing, Recording, or Queuing Service) receives malicious XML data—either over the network or from a poisoned local file—it can be convinced to write more data into memory than it should. This can:

There are several attack paths

1. Remotely Crafted RTPS Message: An attacker sends a malicious RTPS message over the network, triggering bad XML parsing in the service
2. Malicious API Call: If an attacker (or a process they've compromised) can call public APIs such as RTI_RoutingService_new, rti::recording::Service, RTI_QueuingService_new, or RTI_CDS_Service_new with maliciously-crafted parameters, they can trigger the overflow
3. Compromised Local XML File: If a service loads its configuration from a local XML file that’s been overwritten or replaced by an attacker, it can be compromised during startup or reload

How Does the Exploit Work?

When a buffer overflow exists, the attacker’s goal is to control the contents that overflow into adjoining memory. With careful planning, this can mean:

Here’s a hypothetical exploitation path

1. The attacker gains local access (or exploits a separate bug to write files) and plants a malicious XML in the service's config directory.

The service (e.g., Routing Service) restarts and loads the XML file at startup.

3. While parsing, the service copies more data than intended into a stack/heap buffer, overwriting adjacent memory structures.

Example Exploit Snippet

Below is an *illustrative* (not real) XML snippet that could trigger an overflow if length checks are missing:

<!-- malicious.xml -->
<routing_service>
  <participant name="AAAAAAAA...AAAAA"/> <!-- Overly long string to trigger buffer overflow -->
</routing_service>

👆 In vulnerable versions, an unchecked or insufficiently checked buffer could be overrun by a super-long attribute (like name string), especially if the service internally does something naive like:

// Pseudo-C code: BAD PRACTICE!
char name_buffer[128];
strcpy(name_buffer, xml_attribute_string); // no length check!

Whereas a secure parser would check the length, e.g., with strncpy and verify proper parsing.

Remote Attacker: Can connect to a service port and craft RTPS packets or XML over the wire.

- Insider or Compromised System: Controls service API usage or file system—can manipulate configs and restart services.

Note: Because these services often run with elevated privileges (sometimes root/administrator), exploitation can lead to full system compromise in critical infrastructures.

RTI Connext Pro 5.3.1, 6..x, 6.1.

- Any infrastructure/proprietary system relying on *Routing*, *Recording*, *Queuing*, *Cloud Discovery* Services

Review logs for abnormal service crashes, segmentation faults, or unexplained restarts

- Conduct static analysis on XML parsers or feed them overlong XML attributes to observe process stability

Patch Info & Recommendations

- Upgrade immediately to *RTI Connext Pro 6.1.1* or later, where the vendor has fixed the overflow (see vendor advisory)
- Restrict write access to configuration files/directories to minimize risk of local tampering

Use network firewalls to limit who can talk RTPS and XML to your service ports

- Enable security features (ASLR, stack canaries, non-executable stacks) on deployed systems to increase exploit difficulty

RTI Advisory:

RTI Security Advisory: CVE-2024-25724

NVD Entry:

CVE-2024-25724 on NIST NVD

RTI Connext Pro:

RTI Product Downloads

- Common Buffer Overflow Explanations

OWASP Buffer Overflow

Summary

CVE-2024-25724 is a severe buffer overflow flaw affecting many RTI Connext Professional core services. Attackers can exploit it to run their own code as the service user, crash critical middleware, or steal data—remotely or locally—via malicious XML or API usage. If you run vulnerable RTI Connext versions, patch now, lock down your config files, and restrict service network access. This is especially vital in safety- or mission-critical settings.

Stay safe out there, and always keep critical infrastructure software up to date!


*Exclusive analysis by OpenAI Assistant. Not affiliated with or endorsed by RTI. For demonstration and educational use only.*

Timeline

Published on: 05/21/2024 19:15:09 UTC
Last modified on: 08/01/2024 23:52:06 UTC