Potential integer underflow in remote code #9201

Closed
MiguelCasaresRobles opened this issue Jul 5, 2021 · 1 comment
Labels: module/remote, reporter/operations, type/bug/vulnerability (Exploitable vulnerability), type/bug (Something isn't working)

Comments

MiguelCasaresRobles (Member) commented Jul 5, 2021

| Wazuh version | Component | Install type | Install method | Platform |
|---|---|---|---|---|
| Latest | Remoted | Manager/Agent | Packages/Sources | OS version |

Hello team,

After checking the remote code, we observed something that should be reviewed because it could incur an integer underflow. Specifically here: https://github.com/wazuh/wazuh/blob/master/src/remoted/secure.c#L77

After defining the size, and depending on the input value, the following can have a lower value: https://github.com/wazuh/wazuh/blob/master/src/remoted/secure.c#L477. For instance, with a buffer of `!1234!`.

Reported by Johannes Segitz of SUSE

Regards,

Miguel Casares

cborla (Member) commented Jul 14, 2021

The first case applies only to TCP messages, while the second case applies to both TCP and UDP messages.

Impact:

  • First case: Low, it could try to process an invalid message as valid.
  • Second case: Medium, it could try to process an incomplete message and cause a segmentation fault.

Probability:

  • First case: Low, it depends on the message size; the limit is OS_MAXSTR.
  • Second case: Low, it depends on an invalid message coming from an agent connection.

Cost to fix it:

  • First case: Low, it could be fixed by changing the variable type from ssize_t to int (as the nb_recv function returns). There is a PR to test this: Added message size validation and avoid ssize_t underflow #9285
  • Second case: Low, it should be extensively tested, but it could be fixed by validating that recv_b is bigger than 0 before calling ReadSecMSG.

Estimated time:

  • Second case: 2-3 days / 1 person.

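The two cases discussed in the report and in cborla's triage (a signed receive result mixed with unsigned size arithmetic, and a parser called without first checking that the received length is positive) are illustrated below in an added, self-contained C example. It is not Wazuh's code: `MAX_MSG_LEN` is a placeholder standing in for OS_MAXSTR, `parse_secure_msg` is a toy stand-in for ReadSecMSG, and the `!1234!` sample frame is constructed from the report. The unsafe variant shows how a negative or too-short length wraps to a huge size_t; the hardened variants show the checks the triage proposes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>   /* ssize_t */

/* Placeholder limit standing in for OS_MAXSTR; the real value is not given on the page. */
#define MAX_MSG_LEN 6144

/* Case 1 (unsafe): the receive result, an ssize_t that is negative on error,
 * is mixed with size_t arithmetic. A negative or too-short value wraps to a
 * huge unsigned number instead of being rejected, so any later "fits in the
 * buffer" comparison is made against garbage. */
size_t payload_len_unsafe(ssize_t recv_b, size_t header_len) {
    return (size_t)recv_b - header_len;   /* wraps when recv_b < header_len */
}

/* Case 1 (hardened): keep the receive result signed, reject errors, oversized
 * and truncated frames explicitly, and only then do the subtraction.
 * Returns the payload length, or -1 if the frame must be dropped. */
ssize_t payload_len_checked(ssize_t recv_b, size_t header_len) {
    if (recv_b <= 0) return -1;                       /* recv error or EOF */
    if ((size_t)recv_b > MAX_MSG_LEN) return -1;      /* exceeds the buffer */
    if ((size_t)recv_b < header_len) return -1;       /* header incomplete */
    return recv_b - (ssize_t)header_len;
}

/* Case 2: toy stand-in for the message parser (ReadSecMSG in the report).
 * It assumes the first len bytes of buf are valid; handing it a length that
 * came straight from a failed recv() is the bug class the triage describes. */
static int parse_secure_msg(const char *buf, ssize_t len) {
    int printable = 0;   /* counting printable bytes is enough to show the gate */
    for (ssize_t i = 0; i < len; i++) {
        if (buf[i] >= 0x20 && buf[i] < 0x7f) printable++;
    }
    return printable;
}

/* Case 2 (hardened): gate the parser on recv_b > 0, as the triage suggests.
 * Returns the parser result, or -1 when the message was not parsed at all. */
int handle_received(const char *buf, ssize_t recv_b) {
    if (recv_b <= 0) {
        return -1;   /* nothing valid to parse: error, EOF or empty datagram */
    }
    return parse_secure_msg(buf, recv_b);
}

/* Constructed driver so the block runs stand-alone. */
int main(void) {
    const char sample[] = "!1234!";   /* constructed sample frame from the report */
    printf("unsafe(recv_b=-1, hdr=4)  -> %zu\n", payload_len_unsafe(-1, 4));
    printf("checked(recv_b=-1, hdr=4) -> %zd\n", payload_len_checked(-1, 4));
    printf("checked(recv_b=6, hdr=4)  -> %zd\n", payload_len_checked(6, 4));
    printf("handle(recv_b=-1)         -> %d\n", handle_received(sample, -1));
    printf("handle(recv_b=6)          -> %d\n", handle_received(sample, 6));
    return 0;
}
```

The first printed value is the wrapped length (SIZE_MAX - 4 on a 64-bit build): a comparison such as `len <= MAX_MSG_LEN` rejects it by luck, but `len - header_len` style arithmetic elsewhere would not. Keeping the length signed until every error path has been excluded, and refusing to call the parser when `recv_b <= 0`, removes both hazards.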
@vikman90 vikman90 added type/bug Something isn't working type/bug/vulnerability Exploitable vulnerability labels Jul 22, 2021
@vikman90 vikman90 added this to the 4.2.0-rc12 milestone Jul 22, 2021