jCoAP crashes on malformed packets received
Hello developers of jCoAP,
My name is Bruno, and I'm an MSc. student in Brazil within the Institute of Computing from the University of Campinas.
As part of my research on the application of fuzzing techniques for robustness and security black-box testing of CoAP implementations, I've tested your library. The sample used in my research was compiled from distribution/commit 673fa682 @ 2017-06-21. The application used to test it was org.ws4d.coap.test.PlugtestServer.
I'm contacting you because the application mentioned above was one of the samples for which our tool was able to detect robustness and/or security issues. In a broad sense, every failure we found can actually be classified as a security vulnerability, because they impact availability --- the application either aborts or needs forceful restart in order to restore servicing CoAP requests. However, we didn't go as far as performing a thorough root-cause analysis for those failures, since it would be unfeasible for us (more than 100 failures were detected across 25 samples, each one using a different CoAP library, spanning 8 programming languages) and thus out-of-scope of this particular research.
We think that one of our main contributions is the opportunity to make a real-world impact on IoT security by reporting those failures to CoAP libraries' maintainers, with a comprehensible and easy way to replicate them so developers can further investigate and fix those failures.
We found 15 failures on this sample. You can find the following files attached:
- [1] A script to reproduce the failures; jCoAP_Crash_Script.py
- [2] A pcap file used by the script, containing the packets causing the failures; jCoAP_Crash.pcapng
- [3] A logfile with the stacktraces we got for each reported failure; jCoAP_Crash.log
The script uses Scapy [4] to read the packets from the pcapng file as well as sending them, which unfortunately requires sudo to send packets in the network. Although sudo for this is ugly (imho), you can still easily inspect the very small and simple script.
Please let us know if you were able to reproduce it and/or if further support is needed for that.
[4] https://github.com/secdev/scapy/
Thanks & Regards,
Bruno Melo.
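
For triaging reports like this one, a strict check of each datagram against the RFC 7252 section 3 message format shows the behaviour a server should have on malformed input: a controlled format error rather than an abort. This is an added example, not code from jCoAP or from the attached script; the names `parse_coap`, `verdict`, `MalformedCoap` and `SAMPLES` are hypothetical, and the sample datagrams are constructed, not taken from the attached pcap.

```python
class MalformedCoap(ValueError):
    """A datagram that violates the RFC 7252 section 3 message format."""

def _ext(nibble, data, pos):
    """Decode an option delta/length nibble plus its extension bytes."""
    if nibble == 15:
        raise MalformedCoap("reserved option nibble 15")
    size = {13: 1, 14: 2}.get(nibble, 0)
    if pos + size > len(data):
        raise MalformedCoap("truncated option extension")
    base = {13: 13, 14: 269}.get(nibble, nibble)
    return base + int.from_bytes(data[pos:pos + size], "big"), pos + size

def parse_coap(data: bytes) -> dict:
    if len(data) < 4:
        raise MalformedCoap("shorter than the 4-byte header")
    version, tkl = data[0] >> 6, data[0] & 0x0F
    if version != 1 or tkl > 8:
        raise MalformedCoap("bad version or reserved token length")
    if len(data) < 4 + tkl:
        raise MalformedCoap("truncated token")
    token, pos, number, options, payload = data[4:4 + tkl], 4 + tkl, 0, [], b""
    while pos < len(data):
        byte, pos = data[pos], pos + 1
        if byte == 0xFF:  # payload marker must be followed by at least one byte
            if pos == len(data):
                raise MalformedCoap("payload marker with empty payload")
            payload = data[pos:]
            break
        delta, pos = _ext(byte >> 4, data, pos)
        length, pos = _ext(byte & 0x0F, data, pos)
        if pos + length > len(data):
            raise MalformedCoap("option value overruns datagram")
        number += delta  # option numbers are delta-encoded
        options.append((number, data[pos:pos + length]))
        pos += length
    return {"code": data[1], "mid": int.from_bytes(data[2:4], "big"),
            "token": token, "options": options, "payload": payload}

# Constructed sample datagrams, not taken from the attached pcap.
SAMPLES = [bytes.fromhex(h) for h in ("40010001b161", "49010002", "40010003b561")]

def verdict(data: bytes) -> str:
    """Return 'ok' or the format error, so bad input never escapes as a crash."""
    try:
        parse_coap(data)
        return "ok"
    except MalformedCoap as err:
        return str(err)
```

Running `verdict` over the UDP payloads of a capture separates datagrams that are malformed at the framing level from those that are well-formed but still trigger a failure deeper in request handling.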