ReadyMedia (MiniDLNA) versions from 1.1.15 up to 1.3.2 is vulnerable to Buffer Overflow. The vulnerability is caused by incorrect validation logic when handling HTTP requests using chunked transport encoding. This results in other code later using attacker-controlled chunk values that exceed the length of the allocated buffer, resulting in out-of-bounds read/write.
- RCE via tcache poisoning+GOT overwrite exploit for x86-64 target
- RCE via tcache poisoning+RIP overwrite exploit for arm32 target (Netgear RAX30)
- source code dir tweaked for fuzzing
- libfuzzer harnesses used to find the bug
vulnerable source code that can be built to reproduce/test exploits