heap-buffer-overflow (WRITE of size 1) in string_copy() #659
It does require "physical i can touch your server" access to create config files. Having the attacker be able to create/modify files owned by your application in their location of choice causes many, many other issues.

https://en.cppreference.com/w/c/experimental/dynamic/strndup is used in string_copy, in config parsing code. It should be using something other than nc_strncmp and returning an |
HackerOne triage said this bug was out of scope because it requires "physical i can touch your server" access in order to exploit. I believe they are wrong in their assessment; however, there is no point in trying to change their mind, and this issue probably needs to be fixed, so here I am.
Describe the bug
We discovered a heap-buffer-overflow in this chunk of code (twemproxy/src/nc_string.c:96):

To Reproduce
./nutcracker -c poc.yml
poc.yml
Expected behavior
No crash.
Actual behavior
Screenshots
Environment
Clang 12, Ubuntu 18 or 21
Additional context
HackerOne triage gatekeeping bugs they don't understand is silly and needs to stop.
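The report gives the symptom (a 1-byte heap write in string_copy()) and the comment above says string_copy is built on strndup, but the page does not show the code. The following is an added example, not twemproxy's code and not a verified reconstruction of the real defect: it models the one way a strndup-based copy routine produces exactly this symptom, namely sizing the block from strndup (which stops at the first NUL) while the caller's length and the terminator index come from srclen. If the config parser hands string_copy a buffer whose srclen is larger than strlen(src) (an embedded NUL), the terminator store at data[srclen] lands past the allocation. The `struct string` layout, the `string_copy_safe` name and the `vulnerable_terminator_write_oob` helper are assumptions for this example; the vulnerable variant only computes the write offset and never performs the out-of-bounds store, so the block is safe to run. Confirm the actual pattern against nc_string.c before relying on this.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for a length-plus-pointer string (assumption: modelled on
 * twemproxy's struct string, but only this example depends on it). */
struct string {
    uint32_t len;
    uint8_t *data;
};

/* Bytes that strndup(src, n) really allocates: it copies up to the first
 * NUL or n bytes, then adds one for its own terminator. With an embedded
 * NUL this is smaller than n + 1. */
size_t strndup_alloc_size(const uint8_t *src, size_t n)
{
    return strnlen((const char *)src, n) + 1;
}

/* Hypothetical vulnerable pattern (not verified against the project):
 * dst->data = strndup(src, srclen + 1); dst->data[srclen] = '\0';
 * Returns 1 when the terminator store would land at or past the end of
 * the block strndup hands back, i.e. a heap WRITE of size 1, else 0.
 * Only the arithmetic is done here; nothing is written out of bounds. */
int vulnerable_terminator_write_oob(const uint8_t *src, uint32_t srclen)
{
    size_t allocated = strndup_alloc_size(src, (size_t)srclen + 1);
    return (size_t)srclen >= allocated;
}

/* Hardened copy: size the block from srclen, never from strlen(src), so
 * an embedded NUL cannot shrink the allocation below the terminator
 * index. The result is always NUL-terminated at data[srclen] and keeps
 * the embedded NUL bytes intact. Returns 0 on success, -1 on error. */
int string_copy_safe(struct string *dst, const uint8_t *src, uint32_t srclen)
{
    if (dst == NULL || src == NULL || srclen == 0) {
        return -1;                     /* runtime form of the usual ASSERTs */
    }
    if (srclen == UINT32_MAX) {
        return -1;                     /* srclen + 1 must not wrap */
    }
    uint8_t *buf = malloc((size_t)srclen + 1);
    if (buf == NULL) {
        return -1;
    }
    memcpy(buf, src, srclen);
    buf[srclen] = '\0';
    dst->data = buf;
    dst->len = srclen;
    return 0;
}

int main(void)
{
    /* Constructed inputs: a plain token and one with an embedded NUL,
     * the shape a YAML escape in a config file could produce. */
    const uint8_t plain[] = "abc";
    const uint8_t embedded[] = "a\0bc";

    printf("plain    : oob terminator write = %d\n",
           vulnerable_terminator_write_oob(plain, 3));
    printf("embedded : oob terminator write = %d\n",
           vulnerable_terminator_write_oob(embedded, 4));

    struct string s = { 0, NULL };
    if (string_copy_safe(&s, embedded, 4) == 0) {
        printf("safe copy: len=%u, byte[1]=0x%02x, terminated=%d\n",
               s.len, s.data[1], s.data[4] == '\0');
        free(s.data);
    }
    return 0;
}
```

The discriminating input is the one with an embedded NUL: strndup allocates two bytes for "a\0bc" while the terminator index is four. Building with `-fsanitize=address` and feeding such a token through the real parser is the way to confirm whether the project's string_copy has this shape.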