CVE-2025-25567
Summary
SoftEther VPN 5.02.5187 is vulnerable to a buffer overflow in Internat.c via the UniToStrForSingleChars function.
To exploit the vulnerability, an attacker must use the vpncmd binary and provide an input of 137 bytes, which causes a buffer overflow condition and allows control of the instruction pointer.
Details
A stack-based overflow exists in Internat.c, from line 2458 to line 2503, as seen below. The tmp variable of UniToInt is overflowed at an offset of 160.
// Convert a string to an integer
UINT UniToInt(wchar_t *str)
{
	char tmp[128];
	// Validate arguments
	if (str == NULL)
	{
		return 0;
	}

	// The size of tmp is passed in, but the callee never uses it
	UniToStrForSingleChars(tmp, sizeof(tmp), str);

	return ToInti(tmp);
}

// Convert only single-byte characters in the Unicode string to a char string
void UniToStrForSingleChars(char *dst, UINT dst_size, wchar_t *src)
{
	UINT i;
	// Validate arguments
	if (dst == NULL || src == NULL)
	{
		return;
	}

	// The loop bound depends only on the length of src
	for (i = 0;i < UniStrLen(src) + 1;i++)
	{
		wchar_t s = src[i];
		char d;

		if (s == 0)
		{
			d = 0;
		}
		else if (s <= 0xff)
		{
			d = (char)s;
		}
		else
		{
			d = ' ';
		}

		// Written without comparing i against dst_size
		dst[i] = d;
	}
}
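
The loop above never compares i with dst_size, so the length of src alone decides how far past tmp the write goes. The following is an added example, not code from SoftEther VPN or its fix: a bounded variant of the same conversion plus a constructed check that an over-long input leaves the bytes after a 128-byte buffer untouched. The names uni_to_str_single_bounded and demo_long_input_stays_in_bounds are hypothetical, and wcslen-style standard C types stand in for the project's UINT and UniStrLen.

```c
#include <stddef.h>
#include <string.h>
#include <wchar.h>

/* Hypothetical bounded counterpart of UniToStrForSingleChars (added example,
 * not SoftEther's patch). Writes at most dst_size bytes including the NUL
 * terminator and returns the number of characters copied. */
size_t uni_to_str_single_bounded(char *dst, size_t dst_size, const wchar_t *src)
{
    size_t i;

    if (dst == NULL || src == NULL || dst_size == 0)
    {
        return 0;
    }
    /* Stop one byte short of the buffer so the terminator always fits. */
    for (i = 0; i + 1 < dst_size && src[i] != 0; i++)
    {
        wchar_t s = src[i];
        /* Same mapping as the original: values above 0xff become a space. */
        dst[i] = (s <= 0xff) ? (char)s : ' ';
    }
    dst[i] = 0;
    return i;
}

/* Constructed check: pass an input longer than the 128-byte tmp buffer used
 * by UniToInt and confirm that guard bytes placed after it are not modified.
 * Returns 1 when the write stayed in bounds and the result was truncated. */
int demo_long_input_stays_in_bounds(void)
{
    struct { char tmp[128]; char guard[64]; } frame;
    wchar_t input[201];
    size_t n, k;

    for (k = 0; k < 200; k++) input[k] = L'7';   /* constructed sample input */
    input[200] = 0;
    memset(&frame, 0x5a, sizeof(frame));

    n = uni_to_str_single_bounded(frame.tmp, sizeof(frame.tmp), input);

    for (k = 0; k < sizeof(frame.guard); k++)
    {
        if (frame.guard[k] != 0x5a) return 0;
    }
    return n == 127 && strlen(frame.tmp) == 127;
}
```

Truncation changes what ToInti would parse for over-long input, so a caller may prefer to reject the input when the returned length is dst_size - 1 and src has more characters left.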