Vigil@nce - strongSwan: buffer overflow via snprintf
August 2010 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An unauthenticated attacker can use a malicious X.509 certificate
in order to generate a buffer overflow, leading to a denial of
service or to code execution.
Severity: 2/4
Creation date: 11/08/2010
DESCRIPTION OF THE VULNERABILITY
The strongSwan product processes key exchanges for Linux IPsec
tunnel creation.
The snprintf() function stores a formatted string in a fixed size
array. If the array size is too short, the function either returns
-1 or the size requested to store the full string.
Several strongSwan functions (identification, X.509 certificates
loading, authentication) use the return value of snprintf() in
buffer position computations. However, error cases are not
properly handled and position offsets become out of bounds.
An unauthenticated attacker can therefore use a malicious X.509
certificate in order to generate a buffer overflow, leading to a
denial of service or to code execution.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/strongSwan-buffer-overflow-via-snprintf-9840