Closed Shark2016 closed 3 years ago
The code you reference is only executed inside the H.263 and H.264 plugin which are shared libraries themselves and don't have and provision for any config settings.
I fixed the one strcpy() and added a security note that if one uses these plugins the environment needs to be secured which probably isn't very difficult in most server installations.
If you see a way to use the plugins without any trusted environment variables, please provide a patch.
Oh yes. It's a shared library for developers, and have no any other config settings. In that way, I think that using current module path may be another optional way to locate the plugin path.
I think the developers could put the plugins and other shared libraries into the same directory with their executable file, which can be wrote to the tutorial document. In this way, GetModuleName could be used to get current executable module path in Windows platform. And in linux, readlink( "/proc/self/exe", path, PATH_MAX) can get current executable module path.
// Windows
TCHAR szPath[MAX_PATH];
GetModuleFileName(NULL, szPath, MAX_PATH));
// Linux
char path[MAX_PATH];
readlink("/proc/self/exe", path, MAX_PATH);
Hardcoded path could be always a second option way as you use in your code:
// Windows
InternalOpen("C:\\H323plus\plugin", name); // just an example path for windows
// Linux
InternalOpen("/usr/local/lib", name);
Anyway, what I mentioned above is just my advice for that. Environment variable is still widily used, and it's ok if only developers make sure that the environment variable is unable to be modified by others.
However the buffer overflow issue is nessussary to be fixed by using strcpy_s\strcat_s instead.
HI, I've found several security issue about h323plus.
I don't think it is a good idea to config plugin directiory by environment variable, it may lead to several problem. And attackers may set malicious enviroment in some way like setenv, putenv, or something like shellshock, etc. There are a few issues related to it.
Buffer Overflow in dyna.cxx
h323plus/plugins/video/common/dyna.cxx
Suggestion:
Use secure function like strcpy_s/strcat_s instead of strcpy/strcat
Dynamic Link Library Hijack
Also, untrusted source of plugin paths may lead to Dynamic Link Library hijack.
If the PTLIBPLUGINDIR is setted to some other directory with malicious dll/so with same name in it, the code in it will have a chance to be execute.
Suggestion: Don’t trust environment variable input. Using get module path or hardcoded plugin path to locate library may be much safer, or use reliable configure file instead.
Buffer Overflow in h264-x264.cxx/h264pipe_win32.cxx
h323plus/plugins/video/H.264/h264-x264.cxx h323plus/plugins/video/H.264/h264pipe_win32.cxx
Suggestion solution: Don’t trust environment variable input. Hardcoded plugin path is more safer, or use reliable configure file instead. Don’t use unsafe function like strcat. snprintf_s is recommanded.
Command Injection in h264-x264.cxx/h264pipe_win32.cxx
h323plus/plugins/video/H.264/h264-x264.cxx h323plus/plugins/video/H.264/h264pipe_win32.cxx
Suggestion: Don’t trust environment variable input. Using get module path or hardcoded plugin path to locate library may be much safer, or use reliable configure file instead.