CVE-2024-25763 - openNDS 10.2. Use-After-Free Vulnerability Exploited

TL;DR:
openNDS 10.2., a popular open-source Captive Portal solution used on OpenWrt routers, contains a serious Use-After-Free (UAF) vulnerability in its authentication code (/openNDS/src/auth.c). A malicious attacker can exploit this flaw to cause a crash or possibly execute code on the device. In this post, we'll break down the bug, show a code example, offer exploitation insight, and provide references for further reading.

What is openNDS?

openNDS is a "network Demarcation System" -- it provides captive portal functionality for WiFi hotspots. It’s commonly used in public WiFi setups, especially on devices running OpenWrt.

About CVE-2024-25763

- CVE ID: CVE-2024-25763

Affected Version: openNDS 10.2. (and possibly earlier)

- Vulnerable File: /openNDS/src/auth.c

The Vulnerability Explained

A *Use-After-Free* bug happens when a program continues to use memory after it’s been freed. That’s risky: The memory could be overwritten with attacker-controlled data, leading to crashes, data leakage, or arbitrary code execution.

In openNDS 10.2., the bug lies in how the authentication process handles certain network requests. Specifically, if a crafted request is sent during authentication, a pointer to a structure (e.g., auth_request) can be freed but still later accessed.

Code Example (Simplified and Annotated)

Here's a simplified version that shows the essence of the problem, based on the public disclosure and hints from the commit diff.

void handle_auth_request(struct client *cl) {
    struct auth_request *auth = cl->auth; 
    // ... some validation ...
    if (needs_free(auth)) {
        free(auth);  // << Frees the memory
    }
    // ... other logic ...
    if (auth->type == AUTH_TYPE_CHALLENGE) { // << Use-after-free!
        // do something
    }
}

Here, if needs_free(auth) is true, the code frees auth but then still tries to dereference auth after, leading to a UAF condition.

How Could This Be Exploited?

The complexity of exploiting a UAF bug depends on the environment, but generally, here’s what could happen:

1. Trigger UAF via HTTP Request: An attacker crafts an HTTP or POST request that triggers the free condition in the authentication handler.
2. Heap Manipulation: The user dials the timing and content so that after free(auth), the heap space gets reallocated with controlled data (often called a heap spray).
3. Hijack Control: If openNDS reads back fields from this dangling pointer and uses them to control flow or copy data, the attacker may cause a crash or inject code.

Sample Exploit Approach (Pseudocode)

# 1. Initiate authentication normally
curl -X POST http://target-gateway/portal -d "username=admin&password=pass"

# 2. Send malformed or duplicate requests to trigger the double-free or UAF
curl -X POST http://target-gateway/portal -d "username=xxxxxx"
curl -X POST http://target-gateway/portal -d "username=trigger"

By targeting the exact data and timing, the attacker tries to shape heap allocation so the freed memory is re-used and then accessed unsafely.

Remote attack: Anyone on the same network can exploit the bug.

- Crash or own the gateway: At best, they can crash your router. At worst, they execute code with full privileges.

How To Fix

Upgrade openNDS! The maintainers have fixed this in commit 6b1aeebdd22cae015ad1a34e08982a2542a36e94.

Or, manually patch /openNDS/src/auth.c to ensure pointers are set to NULL after free, or rearrange code so no dereferencing happens post-free.

References and Further Reading

- Official NVD advisory: CVE-2024-25763
- openNDS GitHub project
- Bug-fix commit on GitHub
- Common UAF exploitation techniques
- OpenWrt and openNDS integration

Stay patched, stay safe.

If you want more deep dives into router and IoT security, stay tuned!

Timeline

Published on: 02/26/2024 16:27:59 UTC
Last modified on: 12/06/2024 21:15:06 UTC