JFrog Security Research

XRAY-194064 - QCMAP Web Interface NULL pointer dereference

CVE-2020-25858 | CVSS 7.5

JFrog Severity:high

Published 14 Oct. 2020 | Last updated 14 Oct. 2020

A NULL pointer dereference in the QCMAP_Web_CLIENT binary in the Qualcomm QCMAP software suite allows authenticated network attackers to cause a denial of service by sending an HTTP request with a crafted URL.

Qualcomm QCMAP (closed source)

QCMAP before October 2020

Qualcomm manufactures the MDM (Mobile Data Modem) family of SoCs, which provide various mobile connectivity features in a single package. One of the software suites shipped for these SoCs is QCMAP (Qualcomm Mobile Access Point), which runs many of the services on the mobile access point, including a lighttpd-based web interface and a MiniDLNA-based media server. QCMAP is used in many kinds of networking devices, primarily mobile hotspots and LTE routers.

Attackers can trigger the vulnerability by issuing an HTTP request with a crafted URL. A public exploit exists, which demonstrates how to invoke the web interface with a query string that does not follow the expected parameter format (http://x.x.x.x/cgi-bin/qcmap_web_cgi?a, a query string containing no = character) to crash the interface and cause a denial of service.

The QCMAP_Web_CLIENT binary has a bug in its Tokenizer() function, which parses the request's input data and dispatches the chosen operation. The input parameters are expected to be in the format var1=val1&var2=val2&var3=val3.... The function invokes strstr() to search for a = character in each parameter, and then uses the return value without checking it (in some builds of the binary, the call to strstr() is replaced by a call to strchr(), which behaves in the same way here). If a parameter contains no = character, the search returns NULL, and the subsequent use of that pointer is a NULL pointer dereference that crashes the process, taking the web interface down with it.
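The following is an added example, not code from the QCMAP binary or from JFrog's exploit: a minimal reconstruction of the Tokenizer() pattern described above, with the '=' lookup result used unchecked, placed beside a hardened parser that checks the strchr()/memchr() result, bounds its copies, and rejects malformed input instead of crashing. The function names (tokenizer_unchecked, tokenizer_checked, query_pair_count, query_lookup), the kv_pair structure and the size limits are assumptions made for this illustration; the sample query strings are constructed inputs.

```c
/* Added example: reconstruction of an unchecked '=' lookup next to a
 * hardened query-string tokenizer. Not Qualcomm's code; names and limits
 * are assumptions for illustration. */
#include <stdio.h>
#include <string.h>

#define MAX_PAIRS 16
#define MAX_FIELD 64

typedef struct {
    char key[MAX_FIELD];
    char val[MAX_FIELD];
} kv_pair;

/* Vulnerable pattern (hypothetical reconstruction, not the real Tokenizer()):
 * each "&"-separated token is copied out and searched for '=', and the
 * result is written through without a NULL check. For the query "a"
 * (no '='), eq is NULL and "*eq = '\0'" dereferences it. Only ever call
 * this on well-formed input. */
int tokenizer_unchecked(const char *query, kv_pair *out, int max)
{
    int n = 0;
    const char *p = query;
    while (*p != '\0' && n < max) {
        char tok[2 * MAX_FIELD];
        const char *amp = strchr(p, '&');
        size_t len = amp ? (size_t)(amp - p) : strlen(p);
        const char *next = amp ? amp + 1 : p + len;
        if (len >= sizeof tok)
            len = sizeof tok - 1;
        memcpy(tok, p, len);
        tok[len] = '\0';
        char *eq = strchr(tok, '=');   /* NULL when the token has no '=' */
        *eq = '\0';                    /* BUG: NULL pointer dereference for "?a" */
        snprintf(out[n].key, MAX_FIELD, "%s", tok);
        snprintf(out[n].val, MAX_FIELD, "%s", eq + 1);
        n++;
        p = next;
    }
    return n;
}

/* Hardened version: the '=' lookup is checked, copies are bounded by the
 * field size, and the output table cannot overflow. Returns the number of
 * pairs parsed, or -1 on malformed input (a token without '=', an
 * over-long field, or too many parameters); the CGI should then answer
 * 400 Bad Request rather than crash. Empty tokens ("a=1&&b=2") are skipped. */
int tokenizer_checked(const char *query, kv_pair *out, int max)
{
    if (query == NULL)
        return -1;
    int n = 0;
    const char *p = query;
    while (*p != '\0') {
        const char *amp = strchr(p, '&');
        size_t len = amp ? (size_t)(amp - p) : strlen(p);
        const char *next = amp ? amp + 1 : p + len;
        if (len == 0) {                 /* tolerate "&&" and a trailing '&' */
            p = next;
            continue;
        }
        const char *eq = memchr(p, '=', len);
        if (eq == NULL)                 /* "?a" lands here instead of crashing */
            return -1;
        if (n >= max)                   /* refuse rather than overflow out[] */
            return -1;
        size_t klen = (size_t)(eq - p);
        size_t vlen = len - klen - 1;
        if (klen >= MAX_FIELD || vlen >= MAX_FIELD)
            return -1;                  /* bounded copies */
        memcpy(out[n].key, p, klen);
        out[n].key[klen] = '\0';
        memcpy(out[n].val, eq + 1, vlen);
        out[n].val[vlen] = '\0';
        n++;
        p = next;
    }
    return n;
}

/* Convenience wrapper: number of pairs in query, or -1 if malformed. */
int query_pair_count(const char *query)
{
    kv_pair pairs[MAX_PAIRS];
    return tokenizer_checked(query, pairs, MAX_PAIRS);
}

/* Value for key, or NULL if the key is absent or the query is malformed.
 * Uses static storage, so the result is valid until the next call. */
const char *query_lookup(const char *query, const char *key)
{
    static kv_pair pairs[MAX_PAIRS];
    int n = tokenizer_checked(query, pairs, MAX_PAIRS);
    for (int i = 0; i < n; i++)
        if (strcmp(pairs[i].key, key) == 0)
            return pairs[i].val;
    return NULL;
}

int main(void)
{
    /* Constructed inputs: the expected format and the crashing query "?a". */
    const char *good = "var1=val1&var2=val2&var3=val3";
    const char *bad = "a";
    kv_pair pairs[MAX_PAIRS];

    int n = tokenizer_unchecked(good, pairs, MAX_PAIRS);
    printf("unchecked parser on well-formed input: %d pairs\n", n);
    /* tokenizer_unchecked(bad, ...) would dereference NULL and crash. */

    n = tokenizer_checked(bad, pairs, MAX_PAIRS);
    printf("checked parser on \"%s\": %d (malformed, reject with 400)\n", bad, n);
    n = tokenizer_checked(good, pairs, MAX_PAIRS);
    printf("checked parser on well-formed input: %d pairs, var2=%s\n",
           n, query_lookup(good, "var2"));
    return 0;
}
```

The only behavioural difference on well-formed input is none; the hardened version differs exactly on the inputs the advisory describes, where the '=' search fails, and turns a process crash into an error the request handler can report.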

The original exploit was developed by JFrog researchers. There are two related CVEs in the same component: CVE-2020-3657 and CVE-2020-25859.


No vulnerability mitigations are supplied for this issue

(JFrog) Vulnerabilities Discovered in Qualcomm QCMAP enable remote root access