Security issue in FlyingSocks Socket.write
#26
Comments
stackotter added a commit to stackotter/FlyingFox that referenced this issue on Apr 7, 2022:
The issue was caused by incorrect handling of data slices with non-zero start indices and could lead to arbitrary memory being leaked to the socket
swhitty added a commit that referenced this issue on Apr 7, 2022:
Fix security vulnerability in Socket.write (#26)
Thank you for the great explanation and fix. I love learning about this stuff.
You're welcome! I also enjoyed writing the explanation and creating the proof of concept, so it's a win win :)
Overview
If the data passed to Socket.write is a slice with a non-zero startIndex, memory after the end of the data buffer will be leaked to the recipient.
Cause
The issue is on line 229 of Socket.swift:
The code assumes that buffer.baseAddress! + index correctly gets the byte at index in the data; however, baseAddress points to the byte at startIndex, not at index 0. For example, consider the following code:
Proof of concept
First, run the following command to start a TCP listener that simply prints out any data it receives.
Next, run this code snippet with swift run for the highest chance of reproducing, because that's how I ran it:
When I run that snippet, I get the following output:
As you can see, it sent the first half of secretPassword instead of the contents of the data slice. This bug could have pretty bad side-effects if it appeared in any unfortunate situations.
Mitigation
Make the following change:
I'll make a PR to fix this soon.
And I know this full on bug report might be a bit overkill, but I had fun getting that proof of concept to work, so I did it anyway.
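As an added example (not FlyingSocks' code, and not the reporter's proof of concept or patch), the stand-alone Swift program below shows the point made under Cause: withUnsafeBytes on a Data slice hands out a buffer whose baseAddress is the byte at startIndex and whose count is the slice's count, so using a Data index as an offset from baseAddress reads past the buffer by exactly startIndex bytes. It then writes the slice correctly by rebasing the index. FakeSocket, bytesReadPastEnd, rebasedOffset and writeAll are names chosen here, and the input data is constructed.

```swift
import Foundation

// Added example, not FlyingSocks code. FakeSocket stands in for a real
// socket's send(): it takes a raw pointer and a length, may send only part
// of it (maxChunk), and records what it sent so the result can be inspected.
struct FakeSocket {
    let maxChunk: Int
    var sent: [UInt8] = []

    mutating func send(_ pointer: UnsafeRawPointer, _ length: Int) -> Int {
        let n = min(length, maxChunk)
        sent.append(contentsOf: UnsafeRawBufferPointer(start: pointer, count: n))
        return n
    }
}

// withUnsafeBytes on a Data slice yields a buffer whose baseAddress is the
// byte at data.startIndex and whose count is data.count. The buggy code used
// a Data index directly as an offset from baseAddress, so it touched offsets
// startIndex..<endIndex of a buffer that only spans 0..<count. This reports
// how many bytes that reads past the end (zero for an unsliced Data).
func bytesReadPastEnd(naivelyWriting data: Data) -> Int {
    return max(0, data.endIndex - data.count)
}

// Correct offset: rebase the Data index onto the buffer, whose first byte
// is data[data.startIndex].
func rebasedOffset(for index: Int, in data: Data) -> Int {
    return index - data.startIndex
}

// Writes every byte of `data` (slice or not) to the socket, looping on
// partial sends and using the rebased offset for the pointer arithmetic.
func writeAll(_ data: Data, to socket: inout FakeSocket) {
    var index = data.startIndex
    data.withUnsafeBytes { (buffer: UnsafeRawBufferPointer) -> Void in
        guard let base = buffer.baseAddress else { return }
        while index < data.endIndex {
            let offset = rebasedOffset(for: index, in: data)
            let remaining = data.endIndex - index
            index += socket.send(base + offset, remaining)
        }
    }
}

// Constructed input: the first 8 bytes play the role of memory that must
// never leave the process; the caller only intends to send the slice after it.
let full = Data("SECRET!!hello, world".utf8)
let payload = full[8..<20]   // startIndex == 8, endIndex == 20, count == 12

print("bytes the buggy arithmetic would read past the buffer:",
      bytesReadPastEnd(naivelyWriting: payload))
print("offset of payload.startIndex in its buffer:",
      rebasedOffset(for: payload.startIndex, in: payload))

var socket = FakeSocket(maxChunk: 5)   // small chunks force the partial-send loop
writeAll(payload, to: &socket)
print(String(decoding: socket.sent, as: UTF8.self))
```

The over-read reported by bytesReadPastEnd equals the slice's startIndex, which is why an unsliced Data never triggered the bug and a slice leaks whatever happens to sit after the buffer. Rebasing the index (or, equivalently, iterating offsets 0..<count rather than startIndex..<endIndex) keeps every pointer the socket sees inside the buffer withUnsafeBytes provided, including across partial sends.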