Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

WebRTC usrsctp Incorrect Call Vulnerability

🗓️ 01 Aug 2020 00:00:00Reported by Google Security ResearchType 
zdt
 zdt🔗 0day.today👁 466 Views

WebRTC usrsctp vulnerability with address pointer misus

Related
Code
ReporterTitlePublishedViews
Family
ALT Linux		Security fix for the ALT Linux 10 package firefox-esr version 78.1.0-alt1
28 Jul 202000:00
altlinux
ALT Linux		Security fix for the ALT Linux 10 package thunderbird version 78.1.1-alt1
18 Aug 202000:00
altlinux
GithubExploit		Exploit for Exposure of Sensitive Information to an Unauthorized Actor in Google Chrome
9 Aug 202020:06
githubexploit
GithubExploit		Exploit for Exposure of Sensitive Information to an Unauthorized Actor in Google Chrome
9 Aug 202020:06
githubexploit
GithubExploit		Exploit for Exposure of Sensitive Information to an Unauthorized Actor in Google Chrome
9 Aug 202020:06
githubexploit
GithubExploit		Exploit for Exposure of Sensitive Information to an Unauthorized Actor in Google Chrome
9 Aug 202020:06
githubexploit
Tenable Nessus		Safari < 13.1.2 Multiple Vulnerabilities
19 Feb 202400:00
nessus
Tenable Nessus		Amazon Linux 2 : thunderbird (ALAS-2020-1487)
2 Sep 202000:00
nessus
Tenable Nessus		CentOS 8 : firefox (CESA-2020:3241)
1 Feb 202100:00
nessus
Tenable Nessus		CentOS 8 : thunderbird (CESA-2020:3341)
1 Feb 202100:00
nessus
Rows per page
WebRTC: usrsctp is called with pointer as network address

When usrsctp is used with a custom transport, an address must be provided to usrsctp_conninput be used as the source and destination address of the incoming packet. WebRTC uses the address of the SctpTransport instance for this value. Unfortunately, this value is often transmitted to the peer, for example to validate signing of the cookie. This could allow an attacker access to the location in memory of the SctpTransport of a peer, bypassing ASLR.

To reproduce, place the following code on line 9529 of sctp_output.c. This will output the peer's address to the log:

        struct sctp_state_cookie cookie2;
        struct sctp_state_cookie* cookie3;
  cookie3 = sctp_get_next_param(cookie, 4, &cookie2, sizeof(struct sctp_state_cookie));


  LOGE(\"COOKIE INITACK ADDRESS %llx laddress %llx\", *((long long*)cookie3->address), *((long long*)cookie3->address));

Or, view the SCTP packets sent by WebRTC before they are sent to the encryption layer. They are full of pointers. 

This bug is subject to a 90 day disclosure deadline. After 90 days elapse,
the bug report will become visible to the public. The scheduled disclosure
date is 2020-Jul-28. Disclosure at an earlier date is possible if
agreed upon by all parties.


Related CVE Numbers: CVE-2020-6514.

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
01 Aug 2020 00:00Current
8.1High risk
Vulners AI Score8.1
CVSS 24.3
CVSS 3.16.5
EPSS0.0779
webrtcusrsctpvulnerabilityaddress pointermemory accessaslrexploitcve-2020-6514
466