Project NIGHTGLASS: A Pre-Auth Memory Corruption Chain in an Edge Appliance
By Bell Labs Research

During a routine capability-development sprint, Bell Labs identified a remotely reachable memory-corruption vulnerability in the management plane of a widely deployed edge appliance. This writeup walks through discovery, root cause, and the exploitation primitives we chained to achieve reliable pre-authentication remote code execution.
Timeline: reported to the vendor on day 0, patched and coordinated public disclosure on day 74. No in-the-wild exploitation was observed prior to the fix.
Summary
- Impact: Unauthenticated remote code execution as root.
- Vector: A crafted HTTP request to the device management interface.
- Root cause: An integer truncation feeding an undersized heap allocation.
- Reliability: ~98% across the affected firmware range in lab conditions.
Discovery
We started from the attack surface that matters most: the code that parses untrusted input before authentication. Fuzzing the request parser surfaced a reproducible crash in the session-negotiation handler.
$ ./harness --target mgmt --corpus ./seeds
[+] 4,812 execs/s
[!] crash: SIGSEGV in parse_session_header (0x00417a20)
[!] minimized to 118 bytes
Root cause
The handler read a 32-bit length field, applied a bounds check against a signed 16-bit local, and then used the original 32-bit value for the copy. The signed comparison passed while the copy overflowed the destination heap chunk.
uint32_t len = read_be32(buf);
int16_t check = (int16_t)len; // truncation
if (check > MAX_LEN) return -1; // bypassed for len like 0x10001
memcpy(chunk, buf + 8, len); // heap overflow
Weaponization
From the overflow we built two primitives — a controlled heap groom and a function-pointer overwrite in an adjacent object — and chained them into a clean control-flow hijack. Full technical detail is available to affected vendors under coordinated disclosure.
Remediation
Patch to the vendor-supplied firmware release. If you cannot patch immediately, restrict management-plane access to a dedicated administrative network and put the interface behind a mutually authenticated tunnel.