Conversation

Notices

1. Embed this notice
   da_667 (da_667@infosec.exchange)'s status on Friday, 10-Jan-2025 13:42:15 JST da_667

   Another banger by watchtowr. Openconnect is an open-source VPN client that can be made to pretend its a VPN client for different VPNS, because of course, they all have a unique and serially miserable way of connecting to their special VPN appliance.

   One of ivanti's connect methods is IF-T. There is a Client Capabilities field that IF-T supports that, if you provide it with more than 256bytes of data, boom, segfault. Also possible RCE if you can guess the right return addresses without knocking over the stack.

   https://labs.watchtowr.com/do-secure-by-design-pledges-come-with-stickers-ivanti-connect-secure-rce-cve-2025-0282/

   • Embed this notice
     Rich Felker (dalias@hachyderm.io)'s status on Friday, 10-Jan-2025 13:55:39 JST Rich Felker

     in reply to

     @da_667 LMAO this os exactly why the MSVC "secure"/Annex K interfaces are utterly useless. Passing the wrong size twice is no more a deterrent than passing the wrong size once.

     (FWIW strncpy is also the wrong thing to use here, as it's for null padded buffers not null terminated and will fail to terminate when buffer is full. It can be used to construct thr right thing but that's not its purpose and it's not well suited.)

     Haelwenn /элвэн/ :triskell: likes this.