Security advisory 1
Buffer overflow in some unreleased intermediate versions between 0.1 and 0.2
Summary
Some unreleased intermediate versions of VpnCloud between 0.1 and 0.2 contain a critical flaw that allows arbitrary code execution.
Details
When parsing the claimed address ranges contained in an Init message, the code first reads one byte that determines the size of the address and then reads that many bytes into a 16-byte buffer without checking the length against the buffer size.
An attacker can exploit this to write up to 255 bytes into a 16-byte buffer and thereby overflow it by up to 239 bytes. The buffer is defined with a fixed size and is therefore allocated on the stack, so the overflow overwrites whatever follows it in the stack frame.
This flaw can be exploited using specially crafted UDP packets. Without encryption, any host that can send UDP packets to the VpnCloud port can trigger it. If encryption is enabled, the attacker needs to be able to encrypt packets with the correct shared key to exploit the flaw.
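The parsing pattern described above, reconstructed as an added example in Rust; this is not VpnCloud's own code. The message layout (a length byte, that many address bytes, then a prefix-length byte; a list of ranges prefixed by a count byte), the type and function names, and the raw-pointer copy in the vulnerable version are assumptions made for this example. The vulnerable function is included only to show the shape of the flaw and must never be called with a length byte above 16; the hardened parser checks the advertised length against both the buffer and the bytes actually present before copying, and rejects the 255-byte claim the advisory describes.

```rust
// Added example, not VpnCloud's code. Reconstructs the parsing pattern the
// advisory describes: a length byte, then that many address bytes, copied into
// a fixed 16-byte buffer. Layout, names and the raw copy are assumptions.
use std::ptr;

/// Size of the fixed address buffer from the advisory (16 bytes fits IPv6).
pub const ADDR_BUF_LEN: usize = 16;

/// One claimed address range (assumed layout).
#[derive(Debug, PartialEq, Eq)]
pub struct AddrRange {
    pub addr: [u8; ADDR_BUF_LEN],
    pub addr_len: u8,
    pub prefix_len: u8,
}

#[derive(Debug, PartialEq, Eq)]
pub enum ParseError {
    /// Input ended before the advertised address bytes or the prefix byte.
    Truncated,
    /// Length byte larger than the 16-byte buffer (the advisory's attack).
    AddrTooLong(u8),
}

/// Vulnerable shape: the attacker-controlled length byte is used as the copy
/// size into a 16-byte stack array, and `unsafe` removes the bounds check the
/// compiler would otherwise insert. A length byte of 255 writes 239 bytes past
/// the array. Shown only to illustrate the flaw; calling it with a length byte
/// above 16 is undefined behaviour.
pub unsafe fn parse_range_vulnerable(msg: &[u8]) -> AddrRange {
    let addr_len = msg[0];
    let mut addr = [0u8; ADDR_BUF_LEN];
    // Missing here: `if addr_len as usize > ADDR_BUF_LEN { ... }`
    unsafe {
        ptr::copy_nonoverlapping(msg.as_ptr().add(1), addr.as_mut_ptr(), addr_len as usize);
    }
    let prefix_len = msg[1 + addr_len as usize];
    AddrRange { addr, addr_len, prefix_len }
}

/// Hardened parser: every length taken from the wire is checked against the
/// buffer and against the bytes actually present before anything is copied.
/// Returns the range and the number of input bytes consumed.
pub fn parse_range(msg: &[u8]) -> Result<(AddrRange, usize), ParseError> {
    let (&addr_len, rest) = msg.split_first().ok_or(ParseError::Truncated)?;
    let n = addr_len as usize;
    if n > ADDR_BUF_LEN {
        return Err(ParseError::AddrTooLong(addr_len));
    }
    // Need `n` address bytes plus one prefix-length byte.
    if rest.len() < n + 1 {
        return Err(ParseError::Truncated);
    }
    let mut addr = [0u8; ADDR_BUF_LEN];
    addr[..n].copy_from_slice(&rest[..n]); // safe slice copy, cannot overrun
    let prefix_len = rest[n];
    Ok((AddrRange { addr, addr_len, prefix_len }, 1 + n + 1))
}

/// A whole list of ranges as an Init message might carry them: a count byte
/// followed by that many ranges (assumed layout). Fails on the first bad range.
pub fn parse_ranges(msg: &[u8]) -> Result<Vec<AddrRange>, ParseError> {
    let (&count, mut rest) = msg.split_first().ok_or(ParseError::Truncated)?;
    let mut ranges = Vec::with_capacity(count as usize);
    for _ in 0..count {
        let (range, used) = parse_range(rest)?;
        rest = &rest[used..];
        ranges.push(range);
    }
    Ok(ranges)
}

/// Builds a crafted range of the kind the advisory describes: the length byte
/// set to `claimed_len`, followed by that many filler bytes and a prefix byte.
pub fn crafted_range(claimed_len: u8, filler: u8) -> Vec<u8> {
    let mut msg = vec![claimed_len];
    msg.extend(std::iter::repeat(filler).take(claimed_len as usize));
    msg.push(0);
    msg
}

fn main() {
    // Constructed sample inputs: a legitimate IPv4 /24 claim and a 255-byte claim.
    let good = [4u8, 10, 0, 0, 0, 24];
    println!("{:?}", parse_range(&good));
    let attack = crafted_range(255, 0x41);
    println!("{:?}", parse_range(&attack)); // Err(AddrTooLong(255))
}
```

The hardened version needs no `unsafe` at all: `copy_from_slice` on a bounded sub-slice cannot write past the array, and the two explicit checks turn both the oversized claim and a truncated message into errors instead of memory corruption or a panic that could be used to crash the daemon.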
Severity: Critical
Exploiting the flaw to execute arbitrary code should be simple. Since the flaw can be triggered by incoming UDP packets and the process runs with root privileges, the severity is considered critical.
Affected Versions
The bug was introduced on 2015-11-24 in commit 946e384 and fixed two days later, on 2015-11-26, in commit f933c54 (without the full severity being recognized at the time). No released version of VpnCloud was affected.
Further Steps
Rust, the language VpnCloud is written in, normally guarantees that such errors cannot occur unless the unsafe keyword is used to explicitly disable its safety checks, which is sometimes necessary. As a result of this incident, uses of unsafe have been removed where possible and all remaining instances have been reviewed.