mirror of https://github.com/dswd/vpncloud.git
Updated Security Advisories (markdown)
parent 16cec931f1
commit 3ef0ad0e95
@ -1,16 +1 @@
# Advisory 1: Buffer-overflow in some unreleased intermediate versions between 0.1 and 0.2
Please see https://vpncloud.ddswd.de/security-advisory/
## Summary
Some unreleased intermediate versions of VpnCloud between 0.1 and 0.2 contain a critical flaw that allows arbitrary code execution.
## Details
When parsing the claimed address ranges contained in an `Init` message, the code first reads one byte that determines the size of the address and then it reads that many bytes into a buffer of 16 bytes without checking the length.
An attacker can exploit this to write up to 255 bytes in a 16 byte buffer and thereby overflowing the buffer by up to 239 bytes. The buffer is defined with fixed size and therefore allocated on the stack.
This flaw can be exploited using special-crafted UDP packets. If encryption is enabled, the attacker needs to be able to encrypt packets with the correct shared-key to exploit the flaw.
## Severity: Critical
Exploiting the flaw to execute arbitrary code should be simple. Since the flaw can be triggered by UDP packets and the process is running with root privileges, the severity is to be considered critical.
## Affected Versions
The bug was introduced on 2015-11-24 with commit [946e384](https://github.com/dswd/vpncloud.rs/commit/946e384660810c46d86ee859af5bbce11112ee5d) and fixed on 2015-11-26 with commit [f933c54](https://github.com/dswd/vpncloud.rs/commit/f933c541f88a4ae20008c1be37b55213ebe421b3) (without realizing the full severity). No released versions of VpnCloud were affected.
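Review bot: keeping nothing but the "Please see https://vpncloud.ddswd.de/security-advisory/" line makes the repository's own advisory record depend entirely on an external site staying up; the removed Affected Versions paragraph (introduced with commit 946e384, fixed with commit f933c54, no released versions affected) is the one part worth retaining next to the link. The hunk also drops the "# Advisory 1: Buffer-overflow ..." heading, so a reader of the file no longer sees which advisory the link refers to; suggest keeping that heading above the "Please see" line.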