{
  "claim": {
    "argus_claim_ref": null,
    "attacker_control": null,
    "claimed_surface": "api_remote",
    "expected_impact": "memory_corruption",
    "finding_id": null,
    "id": null,
    "required_entrypoint_detail": null,
    "required_entrypoint_kind": "authenticate",
    "submission_reason": "ticket_derived",
    "trigger_class": null,
    "upstream_verdicts": null
  },
  "latest_description": "**OBJECTIVE: Prove Remote Code Execution, Not Just Crash**\n\n**VULNERABILITY OVERVIEW:**\nStack-based buffer overflow in Cesanta Mongoose mDNS record handler (handle_mdns_record in mongoose.c) allows remote unauthenticated attackers to execute arbitrary code. The vulnerability exists in v7.20 and earlier, fixed in v7.21.\n\n**ROOT CAUSE:**\nFixed-size stack buffer `uint8_t buf[1500]` in mDNS response construction lacks bounds checking when building DNS-SD service records (PTR, SRV, TXT, A). Crafted mDNS queries with oversized service names and TXT records cause buffer overflow.\n\n**EXPLOITABILITY EVIDENCE:**\n1. **Historical Precedent**: Talos achieved RCE in same codebase (CVE-2017-2894, MQTT SUBSCRIBE buffer overflow) - same attack class, same codebase\n2. **Embedded Device Conditions FAVOR Exploitation**:\n   - ASLR: Often disabled or weak on embedded Linux/MIPS/ARM\n   - NX/DEP: Stack frequently executable in embedded builds\n   - Stack Canaries: Rarely enabled in production IoT firmware\n   - PIE: Not typically compiled with PIE for embedded\n3. **Unauthenticated Remote Attack**: mDNS runs on UDP/5353, no auth required\n\n**AFFECTED CODE LOCATION:**\n- File: mongoose.c (compiled to mongoose.o)\n- Function: handle_mdns_record() or handle_mdns_query()\n- Buffer: uint8_t buf[1500] on stack\n- Vulnerable versions: ≤ 7.20\n- Fixed: 7.21 (commit 0d882f1b added bounds check)\n\n**PATCH ANALYSIS (What Changed):**\nBefore (vulnerable):\n```\nuint8_t buf[1500];\n// Build mDNS response records without size validation\n```\nAfter (patched 7.21):\n```\nif ((sizeof(*h) + req.r->srvcproto.len + 8 + respname->len + 13 + 2 +\n     respname->len + 19 + 2 + req.r->txt.len + 10 + 2 + 14) > sizeof(buf))\n  return;  // Bounds check prevents overflow\n```\n\n**REPRODUCTION STRATEGY - PROVE RCE:**\n\nStep 1: Build vulnerable version with embedded-like conditions\n```\n# Clone vulnerable version\ngit clone https://github.com/cesanta/mongoose.git\ncd mongoose\ngit checkout 7.20\n\n# Build mDNS example with embedded-like flags (stack executable, no canaries)\nmake CFLAGS=\"-g -fno-stack-protector -z execstack -no-pie -O0\"\n# Or compile examples/mdns directly:\ngcc -g -fno-stack-protector -z execstack -no-pie -O0 -I. mongoose.c examples/mdns/*.c -o mdns_vuln\n```\n\nStep 2: Start mDNS server\n```\n./mdns_vuln  # Starts listening on UDP 5353\n```\n\nStep 3: Craft malicious mDNS query\nTarget buffer overflow by sending:\n- Service name: 400+ bytes (triggers overflow)\n- TXT record: Large payload (200+ bytes)\n- Protocol: UDP multicast or unicast to port 5353\n- Query type: PTR or SRV for crafted service\n\nPayload structure to achieve RCE:\n```\n[1500 bytes to fill buf] + [saved RBP] + [saved RIP] + [NOP sled + shellcode]\n```\n\nStep 4: Exploit for RCE (ARM/x86 target)\n- Use stack address leak or predictable stack layout (no ASLR)\n- Overwrite return address with stack shellcode address\n- Shellcode targets: execve(\"/bin/sh\") or connect-back reverse shell\n\n**TARGET BUILD RECOMMENDATION:**\nUse x86_64 Linux with embedded-simulation flags:\n- -fno-stack-protector (disable canaries)\n- -z execstack (executable stack)\n- -no-pie (disable PIE for binary)\n- Disable system ASLR: echo 0 > /proc/sys/kernel/randomize_va_space\n\nThis simulates typical embedded device conditions where exploit is most viable.\n\n**EXPLOITATION RESOURCES:**\n- Mongoose mDNS tutorial: https://mongoose.ws/documentation/tutorials/mdns/\n- CVE-2017-2894 (prior RCE in same codebase): https://talosintelligence.com/vulnerability_reports/TALOS-2017-0400\n- mDNS protocol RFC 6762/RFC 6763\n\n**BLAST RADIUS:**\n- Hundreds of millions of embedded devices (per vendor claims)\n- Fortune 500 companies, NASA ISS, industrial automation, healthcare\n- ESP32, ESP8266, STM32, Raspberry Pi, embedded Linux deployments\n\n**SUCCESS CRITERIA:**\n- Crash is NOT enough\n- Must achieve code execution (e.g., spawn shell, execute command)\n- Document the full exploit chain from crafted packet → arbitrary code execution",
  "product": "Cesanta Mongoose",
  "severity": "critical",
  "status": "open",
  "summary": "Cesanta Mongoose mDNS Stack Buffer Overflow - Remote Code Execution PoC",
  "ticket_id": "CVE-2026-5245"
}