Off-by-one Error in v2fly/v2ray-core

Valid

Reported on

Nov 7th 2021


Description

Good afternoon. While looking at your code, we discovered an off-by-one index comparison against length that may lead to an out-of-bounds read flaw in your v2ray-core repository. Indexing operations on arrays, slices or strings should use an index at most one less than the length. If the index to be accessed is checked for being less than or equal to the length (<=), instead of less than the length (<), the index could be out of bounds.

Proof of Concept

Please review lines 140-144 of proxy/vmess/encoding/commands.go, most specifically line 142.

    cmd.Level = uint32(data[levelStart])
    timeStart := levelStart + 1
    // off-by-one: len(data) == timeStart passes this check, yet data[timeStart] is read next
    if len(data) < timeStart {
        return nil, newError("insufficient length.")
    }

Impact

This vulnerability is capable of an out-of-bounds read.

We are processing your report and will contact the v2fly/v2ray-core team within 24 hours. 7 months ago
We have contacted a member of the v2fly/v2ray-core team and are waiting to hear back 7 months ago
We have sent a follow up to the v2fly/v2ray-core team. We will try again in 7 days. 7 months ago
We have sent a second follow up to the v2fly/v2ray-core team. We will try again in 10 days. 6 months ago
We have sent a third and final follow up to the v2fly/v2ray-core team. This report is now considered stale. 6 months ago
v2fly/v2ray-core maintainer
6 months ago

Maintainer


Thanks for your report. This report has been received by the V2Fly Team; we are analyzing it. Shelikhoo

v2fly/v2ray-core maintainer
6 months ago

Maintainer


Thanks for your report and responsible disclosure. I would like to say sorry for the slow response, it seems the mail from this platform went to the spam box...

The preliminary investigation on this shows that this vulnerability allows a VMess Server to crash a VMess Client by sending a specially crafted handshake response reply with an (optional) VMess SwitchAccount Command that is one byte shorter than expected. Is this understanding of vulnerability correct?

We don't have a paid bounty program. This is not a substitute for a monetary reward, but we would like to give you a special thanks in the release notes when the fix is released. The credit will be given to this GitHub account: https://github.com/geeknik
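An added example, not part of the report or of v2ray-core's own code: a Go parser modeled on the trailing fields of the SwitchAccount command quoted in the PoC above and described in the maintainer's root-cause analysis. It shows that the `len(data) < timeStart` bound lets a buffer one byte shorter than expected reach `data[timeStart]` and panic, while the corrected bound returns an error. The field layout, function names and sample bytes are constructed for illustration.

```go
package main

import "fmt"

// parseTail models the end of the SwitchAccount command described in the
// report (constructed layout, not the project's code): one level byte at
// levelStart followed by one "valid minutes" byte. When fixed is false it
// applies the report's off-by-one bound; when true, the corrected bound.
func parseTail(data []byte, levelStart int, fixed bool) (level uint32, validMin byte, err error) {
	if len(data) < levelStart+1 {
		return 0, 0, fmt.Errorf("insufficient length")
	}
	level = uint32(data[levelStart])
	timeStart := levelStart + 1
	need := timeStart // buggy: len(data) == timeStart slips through
	if fixed {
		need = timeStart + 1 // index timeStart is valid only if len(data) > timeStart
	}
	if len(data) < need {
		return 0, 0, fmt.Errorf("insufficient length")
	}
	validMin = data[timeStart] // panics when len(data) == timeStart
	return level, validMin, nil
}

// outcome runs parseTail and converts a runtime panic into a string so the
// buggy and corrected bounds can be compared side by side.
func outcome(data []byte, fixed bool) (result string) {
	defer func() {
		if r := recover(); r != nil {
			result = "panic: " + fmt.Sprint(r)
		}
	}()
	level, validMin, err := parseTail(data, 0, fixed)
	if err != nil {
		return "error: " + err.Error()
	}
	return fmt.Sprintf("ok: level=%d validMin=%d", level, validMin)
}

func main() {
	short := []byte{0x02}      // constructed: level byte present, time byte missing
	full := []byte{0x02, 0x1e} // constructed: both trailing bytes present
	fmt.Println(outcome(short, false)) // buggy bound: runtime panic (the client crash)
	fmt.Println(outcome(short, true))  // corrected bound: clean error
	fmt.Println(outcome(full, true))   // ok: level=2 validMin=30
}
```

In the real client the unrecovered panic terminates the process, which is the crash the maintainer describes; the corrected bound turns the same input into a handled error.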

geeknik
6 months ago

Researcher


Yes, your root cause analysis is correct. The huntr.dev platform handles the bounty payments at no cost to your organization once you mark the issue as valid. Please credit the posted GitHub account. Thank you.

v2fly/v2ray-core maintainer validated this vulnerability 6 months ago
geeknik has been awarded the disclosure bounty
The fix bounty is now up for grabs
v2fly/v2ray-core maintainer
6 months ago

Maintainer


We have issued a security update to fix this vulnerability. The commit that fixed this vulnerability: https://github.com/v2fly/v2ray-core/commit/c1af2bfd7aa59a4482aa7f6ec4b9208c1d350b5c. The security update release that includes this fix: https://github.com/v2fly/v2ray-core/releases/tag/v4.44.0

Jamie Slome confirmed that a fix has been merged on c1af2b 3 months ago
The fix bounty has been dropped
commands.go#L142 has been validated