Use After Free vulnerability was discovered in fs/vfs/fs_rename code of the Apache NuttX RTOS, that due recursive implementation and single buffer use by two different pointer variables allowed arbitrary user provided size buffer reallocation and write to the previously freed heap chunk, that in specific cases could cause unintended virtual filesystem rename/move operation results. This issue affects Apache NuttX RTOS: from 7.20 before 12.11.0. Users of virtual filesystem based services with write access especially when exposed over the network (i.e. FTP) are affected and recommended to upgrade to version 12.11.0 that fixes the issue.
Apache NuttX RTOS is vulnerable to a Use-After-Free vulnerability in its filesystem rename functionality, potentially allowing attackers to achieve arbitrary code execution or data corruption. This flaw, stemming from improper memory management, is particularly dangerous for systems with network-exposed virtual filesystems, enabling attackers to manipulate file operations and compromise the system's integrity.
Step 1: Trigger Rename Operation: An attacker initiates a file rename operation, potentially through a network service like FTP, targeting a file or directory within the NuttX RTOS filesystem.
Step 2: Recursive Trigger: The initial rename operation, due to the structure of the filesystem or the specific file/directory being renamed, recursively calls the rename function again. This could be due to internal filesystem operations or triggers within the virtual filesystem.
Step 3: Buffer Reallocation: During the recursive call, the shared buffer used by the rename function is reallocated. The attacker can influence the size of this reallocation.
Step 4: Use-After-Free: Pointers to the original, now freed, buffer still exist within the code.
Step 5: Controlled Write: The attacker leverages the reallocated buffer and the existing pointers to write data to the previously freed memory region. The attacker can control the data written and its location.
Step 6: Exploitation: Depending on the data overwritten, the attacker can achieve various outcomes, including: overwriting function pointers to execute arbitrary code, corrupting filesystem metadata leading to denial of service, or gaining unauthorized access to sensitive data.
The vulnerability lies within the fs_rename function in Apache NuttX RTOS, specifically in the fs/vfs/fs_rename.c file. The root cause is a Use-After-Free condition. The code uses a single buffer for handling file rename operations, and due to a recursive implementation, the buffer can be reallocated while pointers to the original buffer are still in use. This occurs when a rename operation triggers a nested rename operation (e.g., due to directory changes). The reallocation allows an attacker to control the size of the reallocated buffer and subsequently write to the freed memory. This can lead to overwriting critical data structures, potentially leading to arbitrary code execution, denial of service, or data corruption. The vulnerability is exacerbated by the fact that the affected code is within the kernel, granting high privileges to any successful exploit.