Cve 2025 25565

Summary

SoftEther VPN 5.02.5187 is vulnerable to Buffer Overflow in the Command.c file via the PtMakeCert and PtMakeCert2048 functions.

To exploit this vulnerability the attacker must utilize the vpncmd binary file and enter the VPN Tools menu. The VPN Tools menu contains the MakeCert and MakeCert2048 commands that take 10 inputs, but overflow on the Expiration Date of Certificate to Create (Days)s prompt at 137 bytes.

Details

The vulnerability exists within command.c for the PtMakeCert and PtMakeCert2048 functions that setup parameter arguments for the Expires section of the certificate. This parameter calls the CmdEvalMinMax function of control.c when setting the day variable, but does not properly handle a buffer.

UINT PtMakeCert(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
{
...
		{"EXPIRES", CmdPrompt, _UU("CMD_MakeCert_PROMPT_EXPIRES"), CmdEvalMinMax, &minmax},
...
		days = GetParamInt(o, "EXPIRES");
		if (days == 0)
		{
			days = 3650;
		}
...

UINT PtMakeCert2048(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
{
...
		{"EXPIRES", CmdPrompt, _UU("CMD_MakeCert_PROMPT_EXPIRES"), CmdEvalMinMax, &minmax},
...
		days = GetParamInt(o, "EXPIRES");
		if (days == 0)
		{
			days = 3650;
		}
...

// Evaluation function for minimum / maximum value of the parameter
bool CmdEvalMinMax(CONSOLE *c, wchar_t *str, void *param)
{
	CMD_EVAL_MIN_MAX *e;
	wchar_t *tag;
	UINT v;
	// Validate arguments
	if (param == NULL)
	{
		return false;
	}

	e = (CMD_EVAL_MIN_MAX *)param;

	if (e->StrName == NULL)
	{
		tag = _UU("CMD_EVAL_MIN_MAX");
	}
	else
	{
		tag = _UU(e->StrName);
	}

	v = UniToInt(str);

	if (v >= e->MinValue && v <= e->MaxValue)
	{
		return true;
	}
	else
	{
		wchar_t tmp[MAX_SIZE];

		UniFormat(tmp, sizeof(tmp), tag, e->MinValue, e->MaxValue);
		c->Write(c, tmp);

		return false;
	}
}