# CVE-2026-5245

## Summary

Cesanta Mongoose mDNS Stack Buffer Overflow - Remote Code Execution PoC

## Description

**OBJECTIVE: Prove Remote Code Execution, Not Just Crash**

**VULNERABILITY OVERVIEW:**
Stack-based buffer overflow in the Cesanta Mongoose mDNS record handler (handle_mdns_record in mongoose.c) allows remote unauthenticated attackers to execute arbitrary code. The vulnerability exists in v7.20 and earlier and is fixed in v7.21.

**ROOT CAUSE:**
The fixed-size stack buffer `uint8_t buf[1500]` used for mDNS response construction lacks bounds checking when building DNS-SD service records (PTR, SRV, TXT, A). Crafted mDNS queries with oversized service names and TXT records cause the buffer to overflow.

**EXPLOITABILITY EVIDENCE:**
1. **Historical Precedent**: Talos achieved RCE in the same codebase through the same attack class (CVE-2017-2894, MQTT SUBSCRIBE buffer overflow)
2. **Embedded Device Conditions FAVOR Exploitation**:
   - ASLR: Often disabled or weak on embedded Linux/MIPS/ARM
   - NX/DEP: Stack frequently executable in embedded builds
   - Stack Canaries: Rarely enabled in production IoT firmware
   - PIE: Not typically compiled with PIE for embedded
3. **Unauthenticated Remote Attack**: mDNS runs on UDP/5353, no auth required

**AFFECTED CODE LOCATION:**
- File: mongoose.c (compiled to mongoose.o)
- Function: handle_mdns_record() or handle_mdns_query()
- Buffer: uint8_t buf[1500] on stack
- Vulnerable versions: ≤ 7.20
- Fixed: 7.21 (commit 0d882f1b added bounds check)

**PATCH ANALYSIS (What Changed):**
Before (vulnerable):
```c
uint8_t buf[1500];
// Build mDNS response records without size validation
```
After (patched 7.21):
```c
if ((sizeof(*h) + req.r->srvcproto.len + 8 + respname->len + 13 + 2 +
     respname->len + 19 + 2 + req.r->txt.len + 10 + 2 + 14) > sizeof(buf))
  return;  // Bounds check prevents overflow
```
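To make the patched check concrete from the defender's side, the following is an added example (not Mongoose's own code) that mirrors the 7.21 arithmetic in a self-contained response builder: the `struct mdns_req` fields, `MDNS_HDR_LEN` standing in for `sizeof(*h)`, and the function names are assumptions, and the record encoding is a placeholder `memset`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified stand-in for the request fields the 7.21
 * check reads; Mongoose's real structures differ. */
struct mdns_req {
  size_t srvcproto_len;  /* length of the "_service._proto.local" labels */
  size_t respname_len;   /* length of the responder's instance/host name */
  size_t txt_len;        /* length of the TXT record payload */
};

#define MDNS_HDR_LEN 12u  /* DNS header size; stands in for sizeof(*h) */

/* Worst-case bytes the PTR/SRV/TXT/A record set will occupy, using the
 * same per-record constants as the 7.21 bounds check. */
static size_t mdns_response_size(const struct mdns_req *r) {
  return MDNS_HDR_LEN + r->srvcproto_len + 8 + r->respname_len + 13 + 2 +
         r->respname_len + 19 + 2 + r->txt_len + 10 + 2 + 14;
}

/* Write the response into a caller-supplied buffer only if it fits.
 * Returns bytes written, or 0 when the request is rejected.  The size
 * test before any write is exactly what the vulnerable version lacked. */
static size_t build_mdns_response(const struct mdns_req *r, uint8_t *buf,
                                  size_t buf_len) {
  size_t need = mdns_response_size(r);
  if (need > buf_len) return 0;   /* reject instead of overflowing */
  memset(buf, 0, need);           /* placeholder for real record encoding */
  return need;
}

int main(void) {
  uint8_t buf[1500];                              /* same size as the page's buf */
  struct mdns_req normal = {20, 30, 40};          /* constructed: typical lengths */
  struct mdns_req oversized = {20, 600, 300};     /* constructed: oversized names */
  printf("normal request -> %zu bytes written\n",
         build_mdns_response(&normal, buf, sizeof(buf)));
  printf("oversized request -> %zu bytes written (0 = rejected)\n",
         build_mdns_response(&oversized, buf, sizeof(buf)));
  return 0;
}
```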

**REPRODUCTION STRATEGY - PROVE RCE:**

Step 1: Build vulnerable version with embedded-like conditions
```sh
# Clone vulnerable version
git clone https://github.com/cesanta/mongoose.git
cd mongoose
git checkout 7.20

# Build mDNS example with embedded-like flags (stack executable, no canaries)
make CFLAGS="-g -fno-stack-protector -z execstack -no-pie -O0"
# Or compile examples/mdns directly:
gcc -g -fno-stack-protector -z execstack -no-pie -O0 -I. mongoose.c examples/mdns/*.c -o mdns_vuln
```

Step 2: Start mDNS server
```sh
./mdns_vuln  # Starts listening on UDP 5353
```

Step 3: Craft malicious mDNS query
Target buffer overflow by sending:
- Service name: 400+ bytes (triggers overflow)
- TXT record: Large payload (200+ bytes)
- Protocol: UDP multicast or unicast to port 5353
- Query type: PTR or SRV for crafted service

Payload structure to achieve RCE:
```
[1500 bytes to fill buf] + [saved RBP] + [saved RIP] + [NOP sled + shellcode]
```

Step 4: Exploit for RCE (ARM/x86 target)
- Use stack address leak or predictable stack layout (no ASLR)
- Overwrite return address with stack shellcode address
- Shellcode targets: execve("/bin/sh") or connect-back reverse shell

**TARGET BUILD RECOMMENDATION:**
Use x86_64 Linux with embedded-simulation flags:
- -fno-stack-protector (disable canaries)
- -z execstack (executable stack)
- -no-pie (disable PIE for binary)
- Disable system ASLR: echo 0 > /proc/sys/kernel/randomize_va_space

This simulates the typical embedded device conditions under which the exploit is most viable.

**EXPLOITATION RESOURCES:**
- Mongoose mDNS tutorial: https://mongoose.ws/documentation/tutorials/mdns/
- CVE-2017-2894 (prior RCE in same codebase): https://talosintelligence.com/vulnerability_reports/TALOS-2017-0400
- mDNS protocol RFC 6762/RFC 6763

**BLAST RADIUS:**
- Hundreds of millions of embedded devices (per vendor claims)
- Fortune 500 companies, NASA ISS, industrial automation, healthcare
- ESP32, ESP8266, STM32, Raspberry Pi, embedded Linux deployments

**SUCCESS CRITERIA:**
- Crash is NOT enough
- Must achieve code execution (e.g., spawn shell, execute command)
- Document the full exploit chain from crafted packet → arbitrary code execution

## Metadata

- Product: Cesanta Mongoose
- Severity: critical
- Status: open
