CVE-2017-7185

HIGH

Cesanta Mongoose Library <6.7 & OS <1.2 Use-After-Free via Multipart POST

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-7185. PoCs published by Compass Security.

AI-analyzed exploit summary This advisory details a use-after-free vulnerability in Mongoose OS's HTTP multipart handling, leading to a denial-of-service condition. The issue arises from improper boundary validation in malformed requests, causing a crash due to an uninitialized string being passed to `c_strnstr`.

Description

Use-after-free vulnerability in the mg_http_multipart_wait_for_boundary function in mongoose.c in Cesanta Mongoose Embedded Web Server Library 6.7 and earlier and Mongoose OS 1.2 and earlier allows remote attackers to cause a denial of service (crash) via a multipart/form-data POST request without a MIME boundary string.

Exploits (1)

exploitdb WRITEUP

by Compass Security · textdoshardware

https://www.exploit-db.com/exploits/41826

View Code ZIP pw:eip

This advisory details a use-after-free vulnerability in Mongoose OS's HTTP multipart handling, leading to a denial-of-service condition. The issue arises from improper boundary validation in malformed requests, causing a crash due to an uninitialized string being passed to `c_strnstr`.

Classification

Writeup 100%

Attack Type

Dos

Complexity

Moderate

Reliability

Reliable

Target: Mongoose OS <= Release 1.2

No auth needed

Prerequisites: Network access to the Mongoose OS HTTP server

MITRE ATT&CK