“Security is in the mind of the programmer and in the mind of the designer.
Not so much in the code.”
— Alisa Esage

Summary

Welcome to another episode in my journey as a glorified static analysis tool for real-time operating systems!

This time, our target of choice is RT-Thread, an open-source, community-based real-time operating system (RTOS). RT-Thread can be used in sensing nodes, wireless connection chips, and many other resource-constrained scenarios. It is also widely applied in gateways, IPC, smart speakers, and other high-performance IoT applications.

I reviewed RT-Thread’s source code hosted on GitHub and identified multiple security vulnerabilities that may cause memory corruption and security feature bypass. Their impacts range from denial of service to potential arbitrary code execution.

During the source code review I also audited the lwIP and TinyDir codebases on which some RT-Thread functionalities depend, and found some additional vulnerabilities that were subsequently fixed by the respective maintainers.

My detailed advisories are available here:

• https://github.com/hnsecurity/vulns/blob/main/HNS-2024-05-rt-thread.txt
• https://github.com/hnsecurity/vulns/blob/main/HNS-2023-04-tinydir.txt

Background

After my recent vulnerability disclosures, I decided to keep assisting open-source projects in the IoT space in finding and fixing security vulnerabilities by reviewing their source code. RT-Thread was selected as a target of interest. Other RTOSes will be featured in future advisories and writeups. So, stay tuned.

During this review, I made use of my Semgrep C/C++ ruleset to identify hotspots in code on which to focus my attention. I also took advantage of this opportunity to improve and update the ruleset.

Vulnerabilities

The vulnerabilities resulting from my source code review are:

• CVE-2024-24335 – Buffer overflow in RT-Thread dfs_v2 romfs filesystem
• CVE-2024-24334 – Heap buffer overflows in RT-Thread dfs_v2 dfs_file
• CVE-2024-25389 – Weak random source in RT-Thread rt_random driver
• CVE-2024-25388 – Heap buffer overflow in RT-Thread wlan driver
• CVE-2024-25390 – Heap buffer overflows in RT-Thread finsh
• CVE-2024-25391 – Stack buffer overflow in RT-Thread IPC
• CVE-2024-25393 – Stack buffer overflow in RT-Thread AT server
• CVE-2024-25395 – Static buffer overflow in RT-Thread rt-link utility
• CVE-2024-25392 – Out-of-bounds static array access in RT-Thread var_export utility
• CVE-2024-25394 – Multiple vulnerabilities in RT-Thread ymodem utility
• Use of outdated lwIP and TinyDir dependencies in RT-Thread

For additional information about these vulnerabilities and their fixes, please refer to the detailed advisory.

Since a few months, I’ve started to consistently keep track of my research efforts using the excellent Be Focused pomodoro timer app. Therefore, I know that it took me about 32 hours to complete this project (not including the time spent for the disclosure process).

Disclosure and fixes

I reported the vulnerabilities discussed in this article to RT-Thread in November 2023, by opening issues on GitHub as directed by the maintainers. Following my request, MITRE assigned CVE IDs to all vulnerabilities in February 2024.

RT-Thread developers have fixed some of the vulnerabilities discussed in this advisory. However, some of the reported vulnerabilities are still open. Even though not all vulnerabilities were fixed, I decided to go ahead with public disclosure after about 90 days since the initial reports. This decision was taken mainly based on the fact that the vulnerability reports were already publicly accessible as GitHub issues.

The detailed coordinated disclosure timeline follows:

• 2023-11-12: Asked on GitHub how to report potential security issues.
• 2023-11-13: RT-Thread founder replied to open issues directly on GitHub.
• 2023-11-20: Opened the first issue on GitHub.
• 2023-11-24: First vulnerability fixed; reported some other vulnerabilities.
• 2023-11-28: Second (and third) vulnerability fixed.
• 2023-12-24: Asked maintainers for updates.
• 2024-01-17: Requested the first batch of CVE IDs from MITRE.
• 2024-01-26: Informed maintainers of plan to publish advisory in February.
• 2024-02-02: Requested the second batch of CVE IDs from MITRE.
• 2024-02-07: CVE IDs for all reported vulnerabilities assigned by MITRE.
• 2024-02-08: Communicated CVE IDs and new 2024-03-05 publication date.
• 2024-02-18: Maintainers acknowledge publication date and inform about new fixes.
• 2024-03-05: Published advisory and writeup.

Please check the official RT-Thread channels for further information about fixes.

Acknowledgments

I would like to thank RT-Thread, lwIP, and TinyDir developers for the time dedicated to triaging the reported vulnerabilities. I would also like to thank MITRE for assigning CVE IDs upon my request.

Plug

You should submit an article to Phrack! Clicky-clicky 🧑‍💻

You should write an article for Phrack #71 !! I hear it's coming out by summer time. 👀

Let's open the windows and get some phresh air back into the scene.

If you've got a story to tell, you should send it in by April 1st and keep the vibe going. 🙂https://t.co/Zc77uUWgvR pic.twitter.com/Q44xnCkug0

— Battle Programmer Yuu (@netspooky) January 11, 2024