
Buffer copy without checking size of input (CWE-120)

Open jishanshaikh4 opened this issue 4 years ago • 5 comments

Prerequisites

  • [x] Can you reproduce?
  • [x] Are you running the latest version of SoftEtherVPN?

SoftEther version:
Component: [Server, Client, Bridge, etc.]
Operating system: [Windows, Linux, BSD, macOS, etc.]
Architecture: [64 bit, 32 bit]

[In case it's a computer with known specs, such as the Raspberry Pi, you can specify it omitting the details.]
Processor: [Specify brand and model. Example: AMD Ryzen 7 1800x]

Description

Not a feature bug, source code bug. Potential format string problem (CWE-134). Format string problems may lead to buffer overflow attacks.

LABEL: Bug SEVERITY: Major SOLUTION: Make format string constant.

Instances found in the GitHub repository:

  • [ ] src\vpnweb\vpnwebdlg.c:338
  • [ ] src\vpnweb\vpnwebdlg.c:318
  • [ ] src\vpnweb\vpnwebdlg.c:301
  • [ ] src\vpnweb\vpnwebdlg.c:272
  • [ ] src\vpnweb\vpnwebdlg.c:228
  • [ ] src\vpnweb\vpnwebdlg.c:201
  • [ ] src\vpnweb\vpnwebdlg.c:172
  • [ ] src\vpnweb\vpnwebdlg.c:101
  • [ ] src\vpnweb\vpnwebdlg.c:64
  • [ ] src\vpninstall\vpninstall.c:94

jishanshaikh4 avatar Jun 23 '21 20:06 jishanshaikh4

Does not check for buffer overflows (CWE-120).

LABEL: Bug SEVERITY: Major SOLUTION: Use sprintf_s, snprintf, or vsnprintf.

Similar vulnerability hotspots:

  • [ ] src\SeLow\SeLow.c:248
  • [ ] src\SeLow\SeLow.c:247
  • [ ] src\Neo6\NDIS6.c:627
  • [ ] src\Neo6\NDIS6.c:623
  • [ ] src\Neo6\NDIS6.c:601
  • [ ] src\Neo6\NDIS6.c:599
  • [ ] src\Neo6\NDIS6.c:325
  • [ ] src\Neo\NDIS5.c:540
  • [ ] src\Neo\NDIS5.c:538
  • [ ] src\Neo\NDIS5.c:222

jishanshaikh4 avatar Jun 23 '21 20:06 jishanshaikh4
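The two reports above (CWE-134, untrusted text used as a format string; CWE-120, unbounded sprintf/strcpy-style writes) share one fix: a constant format string with the untrusted data passed as a `%s` argument, written through a length-bounded call whose return value is checked for truncation. The following is an added illustration in C and is not SoftEtherVPN code; the function names `format_bounded`, `log_line` and `copy_bounded` are hypothetical, and the inputs are constructed for the example.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Bounded formatting wrapper around vsnprintf (the replacement the report
   suggests for sprintf). The destination is always NUL-terminated.
   Returns true if the whole message fit, false if it was truncated. */
static bool format_bounded(char *dst, size_t dst_size, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (dst == NULL || dst_size == 0)
        return false;

    va_start(ap, fmt);
    n = vsnprintf(dst, dst_size, fmt, ap);
    va_end(ap);

    if (n < 0) {            /* encoding error: leave an empty, terminated buffer */
        dst[0] = '\0';
        return false;
    }
    return (size_t)n < dst_size;   /* n counts what would have been written */
}

/* CWE-134 pattern and its fix. The weak form passes user_text as the format
   itself (e.g. sprintf(buf, user_text)), so '%' sequences in the input are
   interpreted. The hardened form keeps the format string a compile-time
   constant and passes user_text as a %s argument. */
static bool log_line(char *dst, size_t dst_size, const char *user_text)
{
    return format_bounded(dst, dst_size, "client says: %s", user_text);
}

/* CWE-120 replacement for a bare strcpy: copies at most dst_size-1 bytes,
   always terminates, and returns the number of bytes copied so the caller
   can detect truncation (strlen(src) != return value). */
static size_t copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t len;

    if (dst == NULL || dst_size == 0)
        return 0;

    len = strlen(src);
    if (len >= dst_size)
        len = dst_size - 1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return len;
}

int main(void)
{
    char buf[32];
    char small[8];

    /* A literal '%' in the input is copied verbatim, not interpreted. */
    log_line(buf, sizeof buf, "100%");
    printf("%s\n", buf);

    /* Truncation is reported instead of overrunning the buffer. */
    if (!log_line(small, sizeof small, "hello"))
        printf("truncated to: \"%s\"\n", small);

    printf("copied %zu bytes: %s\n",
           copy_bounded(small, sizeof small, "0123456789"), small);
    return 0;
}
```

Compiling the hardened code with `-Wformat -Wformat-security` is a cheap way to keep the constant-format rule enforced: a non-literal format string with no arguments is exactly what that warning flags.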

Possible race condition (CWE-362). This accepts filename arguments; if an attacker can move those files, a race condition results. (CWE-362).

LABEL: Bug SEVERITY: Major SOLUTION: Use fchmod( ) instead.

  • [ ] src\Mayaqua\Unix.c:820

jishanshaikh4 avatar Jun 23 '21 20:06 jishanshaikh4
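The suggested fix for the CWE-362 finding is to stop re-resolving a path name between check and use: open the file once and apply the mode to that descriptor with `fchmod()`, so a file swapped or replaced by a link under the same name after the open no longer affects the operation. The code below is an added illustration, not the project's `Unix.c`; `set_mode_on_fd`, `set_mode_by_path` and the two `demo_*` self-checks are hypothetical names, and the temporary file is created by the example itself.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Apply a mode to an already-open descriptor. fstat/fchmod act on the
   open file object, so the name cannot be re-pointed between the check
   (is it a regular file?) and the use (the mode change).
   Returns 0 on success, -1 on error. */
static int set_mode_on_fd(int fd, mode_t mode)
{
    struct stat st;

    if (fstat(fd, &st) != 0)
        return -1;
    if (!S_ISREG(st.st_mode))       /* refuse devices, FIFOs, directories */
        return -1;
    return fchmod(fd, mode);
}

/* Path-taking wrapper: resolve the name exactly once. O_NOFOLLOW makes
   the open fail if the final component is a symbolic link, instead of
   silently operating on whatever the link points at. */
static int set_mode_by_path(const char *path, mode_t mode)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    int rc;

    if (fd < 0)
        return -1;
    rc = set_mode_on_fd(fd, mode);
    close(fd);
    return rc;
}

/* Self-check: create a temp file, set 0640 through the descriptor, and
   return the permission bits read back (expected 0640). -1 on failure. */
static int demo_mode_via_fd(void)
{
    char tmpl[] = "/tmp/fchmod_demo_XXXXXX";   /* constructed sample file */
    struct stat st;
    int result = -1;
    int fd = mkstemp(tmpl);

    if (fd < 0)
        return -1;
    if (set_mode_on_fd(fd, 0640) == 0 && fstat(fd, &st) == 0)
        result = (int)(st.st_mode & 0777);
    close(fd);
    unlink(tmpl);
    return result;
}

/* Self-check: a symlink at the given name is rejected rather than followed.
   Returns 1 if the mode change was refused, 0 if it went through, -1 on setup error. */
static int demo_refuses_symlink(void)
{
    char target[] = "/tmp/fchmod_target_XXXXXX";
    char link_name[] = "/tmp/fchmod_link_XXXXXX";
    int fd = mkstemp(target);
    int link_fd, rc, refused = -1;

    if (fd < 0)
        return -1;
    close(fd);
    link_fd = mkstemp(link_name);            /* reserve a unique name, then replace it */
    if (link_fd >= 0) {
        close(link_fd);
        unlink(link_name);
        if (symlink(target, link_name) == 0) {
            rc = set_mode_by_path(link_name, 0640);
            refused = (rc == -1) ? 1 : 0;
            unlink(link_name);
        }
    }
    unlink(target);
    return refused;
}

int main(void)
{
    printf("mode via fd: %04o\n", demo_mode_via_fd());
    printf("symlink refused: %d\n", demo_refuses_symlink());
    return 0;
}
```

The same pattern generalises to other path-taking calls flagged under this CWE: prefer the `f*` variant that takes a descriptor (`fchown`, `fstat`, `ftruncate`) once the file is open, and keep the open itself as the single point where the name is resolved.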

Thank you for documenting these. What is CWE?

Could you please create a separate issue per CWE id(?)?

paulmenzel avatar Jun 24 '21 08:06 paulmenzel

CWE is Common Weakness Enumeration, an initiative to organize common vulnerability roots/practices/functions. For more info refer here:

CWE™ is a community-developed list of software and hardware weakness types. It serves as a common language, a measuring stick for security tools, and as a baseline for weakness identification, mitigation, and prevention efforts.

jishanshaikh4 avatar Jun 24 '21 09:06 jishanshaikh4

Other issues created are #1397 and #1398.

jishanshaikh4 avatar Jun 24 '21 09:06 jishanshaikh4