Buffer overflow in Toxcore exploitable by sending a UDP packet

A vulnerability (CVE-2021-44847) has been identified in toxcore, the reference implementation of the Tox P2P messaging protocol, which can potentially lead to code execution when a specially crafted UDP packet is processed. All users of toxcore-based applications in which the UDP transport has not been disabled are affected. To carry out an attack it is enough to send a single UDP packet, knowing the victim's IP address, network port and public DHT key (this information is publicly available in the DHT, so the attack can be carried out against any user or DHT node).

The problem affects toxcore releases from 0.1.9 through 0.2.12 and has been fixed in version 0.2.13. Among client applications, only the qTox project has so far released an update with the fix. As a workaround, UDP can be disabled, leaving only the TCP transport enabled.

The vulnerability is caused by a buffer overflow in the handle_request() function, resulting from an incorrect calculation of the size of the data in the network packet. Specifically, the length of the encrypted data is derived from the macro CRYPTO_SIZE, defined as "1 + CRYPTO_PUBLIC_KEY_SIZE * 2 + CRYPTO_NONCE_SIZE", which is then used in the subtraction "length - CRYPTO_SIZE". Because the macro body is not enclosed in parentheses, instead of subtracting the sum of all the terms, only the 1 is subtracted and the remaining terms are added. For example, instead of "length - (1 + 32 * 2 + 24)", i.e. length - 89, the size is computed as "length - 1 + 32 * 2 + 24", i.e. length + 87: 176 bytes more than the correct value. The decryption routine is thus told the packet holds more ciphertext than it does, and its output is written past the end of the fixed-size buffer on the stack.
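To make the macro-precedence bug concrete, the following is an added example in C; it is not toxcore's own code. It defines both variants of the macro using the sizes quoted in the article (32-byte keys, 24-byte nonce), shows the ciphertext length each variant makes the handler compute, and runs a memory-safe stand-in for the request handler that performs the same arithmetic but checks whether the resulting decrypt would stay inside the packet and the stack buffer instead of actually overflowing. CRYPTO_MAC_SIZE, MAX_REQUEST, the packet layout and all function names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sizes the article quotes (32-byte keys, 24-byte nonce). CRYPTO_MAC_SIZE (16, the crypto_box tag)
 * and MAX_REQUEST (cap on a request and on the stack buffer) are assumed for this example. */
#define CRYPTO_PUBLIC_KEY_SIZE 32
#define CRYPTO_NONCE_SIZE      24
#define CRYPTO_MAC_SIZE        16
#define MAX_REQUEST            1024

/* The macro as the article describes it: no enclosing parentheses. */
#define CRYPTO_SIZE_VULN  1 + CRYPTO_PUBLIC_KEY_SIZE * 2 + CRYPTO_NONCE_SIZE
/* The corrected form: the whole header size is a single parenthesised term. */
#define CRYPTO_SIZE_FIXED (1 + CRYPTO_PUBLIC_KEY_SIZE * 2 + CRYPTO_NONCE_SIZE)

/* Ciphertext length as each macro makes the handler compute it from the packet length. */
size_t ciphertext_len_vuln(size_t length)  { return length - CRYPTO_SIZE_VULN;  }  /* = length - 1 + 64 + 24 */
size_t ciphertext_len_fixed(size_t length) { return length - CRYPTO_SIZE_FIXED; }  /* = length - (1 + 64 + 24) */

/* How many bytes beyond the real payload the unparenthesised macro claims exist (always 176 here). */
size_t overstatement(size_t length) { return ciphertext_len_vuln(length) - ciphertext_len_fixed(length); }

enum { REQ_OK = 0, REQ_TOO_SHORT = -1, REQ_TOO_LONG = -2, REQ_OUT_OF_BOUNDS = -3 };

/* Memory-safe stand-in for a request handler. Assumed layout: [type 1][pk 32][pk 32][nonce 24][ciphertext].
 * It does the same length arithmetic the real code would with either macro, but instead of decrypting
 * into the fixed stack buffer it checks whether that read and write would fit and reports
 * REQ_OUT_OF_BOUNDS rather than corrupting the stack. */
int simulate_handle_request(const uint8_t *packet, size_t length, int use_fixed_macro)
{
    uint8_t data[MAX_REQUEST];                       /* stand-in for the fixed-size stack buffer */
    const size_t header = CRYPTO_SIZE_FIXED;         /* true header size: type + two keys + nonce */

    if (length <= header + CRYPTO_MAC_SIZE) return REQ_TOO_SHORT;
    if (length > MAX_REQUEST)                return REQ_TOO_LONG;

    size_t clen = use_fixed_macro ? ciphertext_len_fixed(length) : ciphertext_len_vuln(length);
    size_t plen = clen - CRYPTO_MAC_SIZE;            /* crypto_box plaintext = ciphertext - MAC */

    /* Real decryption would read clen bytes from packet + header and write plen bytes into data. */
    if (clen > length - header || plen > sizeof data) return REQ_OUT_OF_BOUNDS;

    memcpy(data, packet + header, plen);             /* stands in for the decrypt call */
    (void)data;
    return REQ_OK;
}

/* Convenience: run the simulation on a constructed all-zero packet of the given length
 * (the bytes themselves do not matter for the length arithmetic being demonstrated). */
int simulate_with_length(size_t length, int use_fixed_macro)
{
    uint8_t packet[MAX_REQUEST] = {0};
    if (length > sizeof packet) return REQ_TOO_LONG;
    return simulate_handle_request(packet, length, use_fixed_macro);
}

int main(void)
{
    size_t len = 200;
    printf("packet length %zu: fixed macro -> %zu ciphertext bytes, vulnerable macro -> %zu (%zu too many)\n",
           len, ciphertext_len_fixed(len), ciphertext_len_vuln(len), overstatement(len));
    printf("simulated handler: fixed=%d vulnerable=%d (0 = ok, -3 = would overflow the stack buffer)\n",
           simulate_with_length(len, 1), simulate_with_length(len, 0));
    return 0;
}
```

The point to take away is that the overstatement does not depend on the packet length: every request, however short, passes a header-only length check and still drives the decrypt routine 176 bytes past the real ciphertext. Wrapping every macro body in parentheses (and preferring `static const size_t` or an enum for sizes) removes the class of bug entirely.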

Source: media reports.