
POC details: 118e57e5c5d457e8d6ad5b424be68c64622eda6c

Related vulnerability
Title: eProsima Fast DDS security vulnerability (CVE-2024-28231)
Description: eProsima Fast DDS is eProsima's C++ implementation of the OMG (Object Management Group) DDS (Data Distribution Service) standard. eProsima Fast DDS v2.13.3 and earlier contain a security vulnerability caused by a heap overflow, which may allow a remote attacker to terminate the process.
Description
Demonstrating the usage of Fastrtps-DDS vulnerability CVE-2024-28231 within Ros2
Introduction
This repo includes a vulnerable Docker image of ros2 iron based on ubuntu 22 and a matching exploit. We exploit the vulnerability in fastrtps version [2.10.3](https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-9m2j-qw67-ph4w), enabling denial of service of a remote subscriber via a heap buffer overflow.

## Vulnerable base image
Fast RTPS version 2.10.3 and its dependencies are built from source in the `target` folder inside a Docker container, and ros iron is installed on top of it.

> Disclaimer: This vulnerability was not found by us and is already patched in the upstream repository of Fastdds and ros2 iron. This vulnerability was reproduced for research purposes. This repository is a proof-of-concept code intended for security researchers to reproduce and understand the vulnerability in a controlled environment. Do not run this code on production systems or systems you do not own or have explicit permission to test.

## Exploit
The executable `exploit` (built from `src/exploit.py`) performs the DoS against the next data message it observes after starting. An optional argument specifies the targeted ROS topic (default: `/chatter`).
The script waits for the next message on the topic (listening on all interfaces except `lo`), manipulates it, and re-sends it to the original destination.
The `prepare_exploit.sh` script generates the `exploit` executable.

Requirements for the attack:
- The topic must have both a publisher and a subscriber.
- Subscriber and publisher must run on different IP addresses, e.g. two containers on one host (without `--network host`), or two containers on different hosts.
- The denial of service works only for message types with variable length, i.e. all types containing lists, such as `std_msgs/Float32MultiArray`.
File snapshot

```
[4.0K] /data/pocs/118e57e5c5d457e8d6ad5b424be68c64622eda6c
├── [2.2K] Dockerfile.exploit
├── [ 21M] exploit
├── [1.0K] LICENSE
├── [ 214] prepare_exploit.sh
├── [1.7K] README.md
├── [4.0K] src
│   └── [3.2K] exploit.py
└── [4.0K] target
    ├── [2.4K] Dockerfile
    └── [ 145] Readme.md

3 directories, 8 files
```