CVE-2024-46483 PoC - Xlight FTP Security Vulnerability

Associated Vulnerability
Title: Xlight FTP Security Vulnerability (CVE-2024-46483)
Description: Xlight FTP is a high-performance, easy-to-use FTP server product from the Xlight FTP company that aims to make file transfer secure and simple. Xlight FTP versions before 3.9.4.3 contain a security vulnerability caused by an integer overflow in the SFTP server's packet parsing logic, which can lead to a heap overflow with attacker-controlled content.
Description
Pre-Authentication Heap Overflow in Xlight SFTP server <= 3.9.4.2
Readme
# CVE-2024-46483 - Pre-Authentication Heap Overflow in Xlight SFTP server

### Affected versions
Xlight 32 and 64-bit versions <= 3.9.4.2

### Impact
An unauthenticated attacker with network access to the Xlight SFTP service could gain code execution or cause a denial of service.

### Root Cause
Strings sent across the wire in the SFTP protocol are prefixed with a four-byte length. The function which Xlight uses to read these strings from the network packet has an integer overflow both when validating the length and when allocating the required amount of memory. By crafting the four-byte length of a string we can trigger a large memmove (~4GB) from an attacker-controlled buffer out of bounds onto the heap.

The vulnerable function is used for receiving strings throughout the SSH handshake, including pre-authentication when receiving supported algorithms, cipher suites, and a username and password from the client. We can target any of these strings with a crafted length to trigger the exploit.

### Exploitability
This is easy to trigger but the ease of exploitation depends on the bitness of the Xlight binary.

On 32-bit the copy will run off the end of the heap, clobbering everything in the process, before causing a crash. It is likely possible to corrupt an adjacent structure on the heap and exploit the multi-threaded nature of this server to access the corrupted data, before the wild copy crashes the process.

On 64-bit we can't get an OOB write, because the size argument to the memory allocation call is a size_t (i.e. 64-bits wide when compiled for 64-bit), which means we can't overflow this value with the addition of two 32-bit integers, and instead we just allocate a large ~4GB buffer. This bug results in an OOB read instead, which crashes the process.
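The length-check pattern the Root Cause and Exploitability sections describe, as an added illustration (this is not Xlight's code, whose source is not on this page): a 32-bit `pos + 4 + len` check that a crafted length wraps past, beside a hardened reader that compares the length against the remaining bytes so the comparison cannot overflow on either 32- or 64-bit builds. The packet bytes are constructed samples.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* SSH/SFTP wire "string": 4-byte big-endian length, then that many bytes. */
static uint32_t rd_u32be(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Weak bounds check (illustrative pattern, not Xlight's code): pos + 4 + len is
 * evaluated in 32-bit arithmetic, so a crafted len wraps the sum back below
 * pkt_len and the ~4GB string "fits". Returns 1 if the check passes. */
int naive_string_fits(uint32_t pkt_len, uint32_t pos, uint32_t len) {
    return pos + 4 + len <= pkt_len;
}

/* Hardened reader: compare len against the bytes that remain instead of adding
 * it to the offset, so nothing can wrap on 32- or 64-bit builds. */
int read_ssh_string(const uint8_t *pkt, size_t pkt_len, size_t *pos,
                    const uint8_t **out, uint32_t *out_len) {
    if (*pos > pkt_len || pkt_len - *pos < 4) return -1; /* no room for length */
    uint32_t len = rd_u32be(pkt + *pos);
    if (len > pkt_len - *pos - 4) return -1;             /* crafted length */
    *out = pkt + *pos + 4;
    *out_len = len;
    *pos += 4 + (size_t)len;
    return 0;
}

/* Constructed sample packets: a well-formed "ssh-rsa" string, and the same
 * bytes with the length field set to 0xFFFFFFFC. */
static const uint8_t GOOD_PKT[] = {0,0,0,7,'s','s','h','-','r','s','a'};
static const uint8_t BAD_PKT[]  = {0xFF,0xFF,0xFF,0xFC,'s','s','h','-','r','s','a'};

/* Parsed length of the first string, or -1 if the hardened reader rejects it. */
long parse_first_string(const uint8_t *pkt, size_t pkt_len) {
    size_t pos = 0; const uint8_t *s; uint32_t n;
    return read_ssh_string(pkt, pkt_len, &pos, &s, &n) == 0 ? (long)n : -1;
}

int main(void) {
    printf("naive check on crafted length: %s\n",
           naive_string_fits(sizeof BAD_PKT, 0, rd_u32be(BAD_PKT)) ? "passes (bug)" : "rejects");
    printf("hardened reader: good=%ld crafted=%ld\n",
           parse_first_string(GOOD_PKT, sizeof GOOD_PKT), parse_first_string(BAD_PKT, sizeof BAD_PKT));
    return 0;
}
```

The naive check accepts the 0xFFFFFFFC length because the 32-bit sum wraps to 0; the hardened reader rejects it before any allocation or copy is sized from it.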
File Snapshot

[4.0K] /data/pocs/a7821b023a1bd6fd68174f8155be75b958652a8d
├── [ 724] exploit.py
├── [1.7K] README.md
├── [  15] requirements.txt
└── [8.4M] xlight_sftp_heap_overflow.gif

0 directories, 4 files