Avast HNS crashes Nodemcu in SoftAP mode #6964

Closed
KilianB opened this issue Dec 30, 2019 · 2 comments

KilianB commented Dec 30, 2019

The Avast Home Network Security (HNS) checks for router vulnerabilities, which leads to a crash of my Nodemcu running in SOFT_AP mode. When reading the issue description, please keep in mind that I am not well versed in network-related topics.

Avast queries vulnerable files and protocols, e.g.:

  • request/ and /HNAP1/ on port 80
  • perform a TCP port scan

MCVE Sketch

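```cpp
#include <ESP8266WebServer.h>

ESP8266WebServer server(80);  // HTTP server object for port 80

void setup() {
  Serial.begin(115200);
  WiFi.mode(WIFI_AP);   // access point only (SoftAP)
  WiFi.softAP("Foo");   // open network named "Foo", no passphrase
}

void loop() {
  server.handleClient();
  delay(50);
}
```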

Wireshark

[Screenshot 2019-12-30 at 10:47:18]

While this looks like a port scan, it basically works as a DoS, leading to TCP retransmissions down the line due to the server not being able to handle all requests.

[Screenshot 2019-12-30 at 10:52:25]

tcpdump -k NP

Resolving for process:

```
10:30:52.206343 (proc com.avast.hns:11459) IP 192.168.4.2.54501 > 192.168.4.1.domain: 55106+ A? wpad.local. (28)
10:30:52.206355 (proc com.avast.hns:11459) IP 192.168.4.2.51300 > 192.168.4.1.domain: 7271+ NS? _msdcs.local. (30)
```

Stack trace

```c
node_remove_from_list(&plist,pmac_node);
```

```
Exception 3: LoadStoreError: Processor internal physical address or data error during load or store
Decoding 53 results
0x4023dea8: node_remove_from_list at ?? line ?
0x4022f00c: parse_msg at /home/gauchard/dev/esp8266/esp8266/tools/sdk/lwip2/builder/glue-lwip/esp-dhcpserver.c line 626
:  (inlined by) handle_dhcp at /home/gauchard/dev/esp8266/esp8266/tools/sdk/lwip2/builder/glue-lwip/esp-dhcpserver.c line 717
0x4022efcc: handle_dhcp at /home/gauchard/dev/esp8266/esp8266/tools/sdk/lwip2/builder/glue-lwip/esp-dhcpserver.c line 679
0x401008cb: free at /Users/Kilian/Library/Arduino15/packages/esp8266/hardware/esp8266/2.6.3/cores/esp8266/umm_malloc/umm_malloc.cpp line 362
0x40212aa4: udp_input at /home/gauchard/dev/esp8266/esp8266/tools/sdk/lwip2/builder/lwip2-src/src/core/udp.c line 404
0x402178cc: ip4_input at /home/gauchard/dev/esp8266/esp8266/tools/sdk/lwip2/builder/lwip2-src/src/core/ipv4/ip4.c line 1461
0x401008cb: free at /Users/Kilian/Library/Arduino15/packages/esp8266/hardware/esp8266/2.6.3/cores/esp8266/umm_malloc/umm_malloc.cpp line 362
0x40229ab4: ppRecycleRxPkt at ?? line ?
0x4020e93d: ethernet_input_LWIP2 at /home/gauchard/dev/esp8266/esp8266/tools/sdk/lwip2/builder/lwip2-src/src/netif/ethernet.c line 188
0x4020e760: esp2glue_ethernet_input at /home/gauchard/dev/esp8266/esp8266/tools/sdk/lwip2/builder/glue-lwip/lwip-git.c line 469
0x4022e7ce: ethernet_input at /home/gauchard/dev/esp8266/esp8266/tools/sdk/lwip2/builder/glue-esp/lwip-esp.c line 365
0x4022e7df: ethernet_input at /home/gauchard/dev/esp8266/esp8266/tools/sdk/lwip2/builder/glue-esp/lwip-esp.c line 373
0x402296df: ppPeocessRxPktHdr at ?? line ?
0x402305c3: ets_snprintf at ?? line ?
0x40104781: call_user_start_local at ?? line ?
0x40104787: call_user_start_local at ?? line ?
0x4010000d: call_user_start at ?? line ?
0x402285c0: cont_ret at /Users/Kilian/Library/Arduino15/packages/esp8266/hardware/esp8266/2.6.3/cores/esp8266/cont.S line 142
0x40228579: cont_continue at /Users/Kilian/Library/Arduino15/packages/esp8266/hardware/esp8266/2.6.3/cores/esp8266/cont.S line 51
0x40100154: ets_post at /Users/Kilian/Library/Arduino15/packages/esp8266/hardware/esp8266/2.6.3/cores/esp8266/core_esp8266_main.cpp line 160
0x401013ec: pp_post at ?? line ?
0x40104683: lmacTxFrame at ?? line ?
0x4010385e: lmacRecycleMPDU at ?? line ?
0x40103ccf: lmacRecycleMPDU at ?? line ?
0x40100640: umm_free_core at /Users/Kilian/Library/Arduino15/packages/esp8266/hardware/esp8266/2.6.3/cores/esp8266/umm_malloc/umm_malloc.cpp line 316
0x40103797: lmacProcessTxSuccess at ?? line ?
0x40100154: ets_post at /Users/Kilian/Library/Arduino15/packages/esp8266/hardware/esp8266/2.6.3/cores/esp8266/core_esp8266_main.cpp line 160
0x40100154: ets_post at /Users/Kilian/Library/Arduino15/packages/esp8266/hardware/esp8266/2.6.3/cores/esp8266/core_esp8266_main.cpp line 160
0x40104683: lmacTxFrame at ?? line ?
0x401013ec: pp_post at ?? line ?
0x4010469b: lmacRxDone at ?? line ?
0x40101f87: rcReachRetryLimit at ?? line ?
0x40102164: rcReachRetryLimit at ?? line ?
0x40102626: wDev_ProcessFiq at ?? line ?
0x40102348: wDev_ProcessFiq at ?? line ?
0x4020634c: loop_wrapper() at /Users/Kilian/Library/Arduino15/packages/esp8266/hardware/esp8266/2.6.3/cores/esp8266/core_esp8266_main.cpp line 180
0x4020634c: loop_wrapper() at /Users/Kilian/Library/Arduino15/packages/esp8266/hardware/esp8266/2.6.3/cores/esp8266/core_esp8266_main.cpp line 180
0x40206266: esp_yield_within_cont at /Users/Kilian/Library/Arduino15/packages/esp8266/hardware/esp8266/2.6.3/cores/esp8266/core_esp8266_main.cpp line 100
:  (inlined by) __yield at /Users/Kilian/Library/Arduino15/packages/esp8266/hardware/esp8266/2.6.3/cores/esp8266/core_esp8266_main.cpp line 118
0x4020628b: optimistic_yield at /Users/Kilian/Library/Arduino15/packages/esp8266/hardware/esp8266/2.6.3/cores/esp8266/core_esp8266_main.cpp line 128
0x40204c86: WiFiServer::available(unsigned char*) at /Users/Kilian/Library/Arduino15/packages/esp8266/hardware/esp8266/2.6.3/libraries/ESP8266WiFi/src/WiFiServer.cpp line 120
0x40105065: ets_timer_arm_new at ?? line ?
0x40206234: esp_yield_within_cont at /Users/Kilian/Library/Arduino15/packages/esp8266/hardware/esp8266/2.6.3/cores/esp8266/core_esp8266_main.cpp line 100
:  (inlined by) __esp_yield at /Users/Kilian/Library/Arduino15/packages/esp8266/hardware/esp8266/2.6.3/cores/esp8266/core_esp8266_main.cpp line 105
0x402067ee: __delay at /Users/Kilian/Library/Arduino15/packages/esp8266/hardware/esp8266/2.6.3/cores/esp8266/core_esp8266_wiring.cpp line 54
0x4020312a: loop at /Users/Kilian/Documents/Arduino/APCrashTest/APCrashTest.ino line 14
0x4020634c: loop_wrapper() at /Users/Kilian/Library/Arduino15/packages/esp8266/hardware/esp8266/2.6.3/cores/esp8266/core_esp8266_main.cpp line 180
```

I can't tell if this is simply a memory leak or an issue that will get fixed with #5380. Do we need to acknowledge requests we receive on ports we are not listening to (due to the TCP specs?), or can we implement a basic firewall to silently drop those packets? The device crashes periodically within several minutes when the computer connects to it. It doesn't matter if the access point is open or uses WPA2.

Platform

  • Core Version: [2.6.3 latest release via board manager]
  • Development Env: [Arduino IDE]
  • Operating System: [MacOS]

Settings in IDE

  • Module: [NodeMCU 1.0 ESP12-E Module]
  • Flash Size: [4MB]
  • Flash Frequency: [40Mhz]
  • CPU Frequency: [80Mhz]
  • Upload Using: [SERIAL]

Temporary mitigation

While this will not solve the overall problem, you can disable the port scanning feature for selected WiFis.

[Screenshot 2019-12-30 at 11:26:28, censored]
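
A triage helper for the decoded trace in the report above, added here as an example and not part of the original issue or the ESP8266 core: it parses the decoder's line format, labels each frame by source path, and reports the first frame with source information and which lwIP transport input function appears. The trace lines are copied from the issue; the component labels and function names are this example's own.

```python
import re

# Lines copied from the decoded trace in the issue above (not constructed).
TRACE = """\
0x4023dea8: node_remove_from_list at ?? line ?
0x4022f00c: parse_msg at /home/gauchard/dev/esp8266/esp8266/tools/sdk/lwip2/builder/glue-lwip/esp-dhcpserver.c line 626
:  (inlined by) handle_dhcp at /home/gauchard/dev/esp8266/esp8266/tools/sdk/lwip2/builder/glue-lwip/esp-dhcpserver.c line 717
0x40212aa4: udp_input at /home/gauchard/dev/esp8266/esp8266/tools/sdk/lwip2/builder/lwip2-src/src/core/udp.c line 404
0x4020312a: loop at /Users/Kilian/Documents/Arduino/APCrashTest/APCrashTest.ino line 14
"""

# Decoder line: "0xADDR: func at path line N" or ":  (inlined by) func at path line N"
FRAME = re.compile(
    r"^(?:(0x[0-9a-f]{8}):|:\s+\(inlined by\))\s+(.+?) at (.+) line (\d+|\?)$")

# Path fragment -> label. The labels are this example's own naming.
COMPONENTS = [
    ("glue-lwip/esp-dhcpserver.c", "dhcp-server"),
    ("lwip2-src/", "lwip-stack"),
    (".ino", "sketch"),
]

def classify(path):
    if path == "??":
        return "no-symbols"
    for fragment, label in COMPONENTS:
        if fragment in path:
            return label
    return "other"

def parse_frames(text):
    frames = []
    for line in text.splitlines():
        m = FRAME.match(line.strip())
        if m:
            addr, func, path, lineno = m.groups()  # addr is None for inlined frames
            frames.append({"addr": addr, "func": func, "path": path,
                           "line": lineno, "component": classify(path)})
    return frames

def first_located(frames):  # first frame that carries source information
    return next((f for f in frames if f["component"] != "no-symbols"), None)

def transports(frames):  # lwIP transport input functions present in the trace
    return {f["func"] for f in frames} & {"udp_input", "tcp_input"}

if __name__ == "__main__":
    frames = parse_frames(TRACE)
    print(first_located(frames)["func"], sorted(transports(frames)))
```

On these lines the first frame with source information is `parse_msg` in `esp-dhcpserver.c`, and the only transport input function present is `udp_input`, so the frames nearest the fault belong to the SoftAP DHCP server's UDP handling.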

KilianB changed the title from "Avast HNS crashes Nodemcu in SoftAP" to "Avast HNS crashes Nodemcu in SoftAP mode" Dec 30, 2019
d-a-v self-assigned this Dec 30, 2019
d-a-v added this to the 3.0.0 milestone Dec 30, 2019

d-a-v commented Mar 5, 2020

@KilianB Can you retry with the latest beta release (v0.0.1)?

d-a-v added the "waiting for feedback" label Mar 6, 2021
d-a-v modified the milestones: 3.0.0, 3.0.1 Mar 31, 2021
d-a-v modified the milestones: 3.0.1, 3.1 Jun 16, 2021

d-a-v commented Jun 11, 2022

Closing as not updated for two years.

d-a-v closed this as completed Jun 11, 2022