All research
Zero-Day ResearchJune 18, 20262 min read

Project NIGHTGLASS: A Pre-Auth Memory Corruption Chain in an Edge Appliance

By Bell Labs Research

Project NIGHTGLASS: A Pre-Auth Memory Corruption Chain in an Edge Appliance

During a routine capability-development sprint, Bell Labs identified a remotely reachable memory-corruption vulnerability in the management plane of a widely deployed edge appliance. This writeup walks through discovery, root cause, and the exploitation primitives we chained to achieve reliable pre-authentication remote code execution.

Timeline: reported to the vendor on day 0, patched and coordinated public disclosure on day 74. No in-the-wild exploitation was observed prior to the fix.

Summary

  • Impact: Unauthenticated remote code execution as root.
  • Vector: A crafted HTTP request to the device management interface.
  • Root cause: An integer truncation feeding an undersized heap allocation.
  • Reliability: ~98% across the affected firmware range in lab conditions.

Discovery

We started from the attack surface that matters most: the code that parses untrusted input before authentication. Fuzzing the request parser surfaced a reproducible crash in the session-negotiation handler.

$ ./harness --target mgmt --corpus ./seeds
[+] 4,812 execs/s
[!] crash: SIGSEGV in parse_session_header (0x00417a20)
[!] minimized to 118 bytes

Root cause

The handler read a 32-bit length field, applied a bounds check against a signed 16-bit local, and then used the original 32-bit value for the copy. The signed comparison passed while the copy overflowed the destination heap chunk.

uint32_t len = read_be32(buf);
int16_t  check = (int16_t)len;      // truncation
if (check > MAX_LEN) return -1;     // bypassed for len like 0x10001
memcpy(chunk, buf + 8, len);        // heap overflow

Weaponization

From the overflow we built two primitives — a controlled heap groom and a function-pointer overwrite in an adjacent object — and chained them into a clean control-flow hijack. Full technical detail is available to affected vendors under coordinated disclosure.

Remediation

Patch to the vendor-supplied firmware release. If you cannot patch immediately, restrict management-plane access to a dedicated administrative network and put the interface behind a mutually authenticated tunnel.