CVE-2023-43632

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
21/09/2023
Last modified:
28/09/2023

Description

As noted in the “VTPM.md” file in the EVE documentation, “VTPM is a server listening on port 8877 in EVE, exposing limited functionality of the TPM to the clients. VTPM allows clients to execute tpm2-tools binaries from a list of hardcoded options”.

The communication with this server is done using protobuf, and the data consists of 2 parts:

1. Header
2. Data

When a connection is made, the server waits for 4 bytes of data, which form the header; these 4 bytes are parsed as a uint32 giving the size of the actual data to come.

In the function “handleRequest”, this size is then used to allocate a payload on the stack for the incoming data.

Because this payload is allocated on the stack, it allows overflowing the stack size allocated for the relevant process with freely controlled data.

* An attacker can crash the system.
* An attacker can gain control over the system, specifically on the “vtpm_server” process, which has very high privileges.
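The bounded alternative to the read pattern described above, as an added example that is not code from EVE or the vtpm_server: the size from the 4-byte header is checked against a cap before any allocation, and the payload goes on the heap. The names `read_frame`, `try_frame` and `MAX_PAYLOAD`, the 4096-byte cap and the big-endian header order are assumptions; the advisory does not give them.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <unistd.h>

/* Assumed cap: the advisory gives no limit, so pick one that fits real requests. */
#define MAX_PAYLOAD 4096u

/* Read exactly n bytes from fd; 0 on success, -1 on EOF or error. */
static int read_full(int fd, unsigned char *p, size_t n) {
    while (n > 0) {
        ssize_t r = read(fd, p, n);
        if (r < 0 && errno == EINTR) continue;
        if (r <= 0) return -1;
        p += r;
        n -= (size_t)r;
    }
    return 0;
}

/* Hypothetical header/payload reader: heap buffer of *len bytes, or NULL if rejected. */
unsigned char *read_frame(int fd, uint32_t *len) {
    unsigned char h[4];
    if (read_full(fd, h, sizeof h) != 0) return NULL;
    /* Byte order is an assumption (big-endian); the advisory does not state it. */
    uint32_t size = ((uint32_t)h[0] << 24) | ((uint32_t)h[1] << 16) |
                    ((uint32_t)h[2] << 8) | (uint32_t)h[3];
    if (size == 0 || size > MAX_PAYLOAD) return NULL; /* reject before allocating */
    unsigned char *buf = malloc(size);                /* heap, never alloca or a VLA */
    if (buf == NULL) return NULL;
    if (read_full(fd, buf, size) != 0) { free(buf); return NULL; }
    *len = size;
    return buf;
}

/* Feed constructed bytes through a pipe; returns the accepted length or -1. */
long try_frame(const unsigned char *bytes, size_t n) {
    int fds[2];
    uint32_t len = 0;
    if (pipe(fds) != 0) return -1;
    if (write(fds[1], bytes, n) != (ssize_t)n) { close(fds[0]); close(fds[1]); return -1; }
    close(fds[1]);
    unsigned char *p = read_frame(fds[0], &len);
    long r = p ? (long)len : -1;
    close(fds[0]);
    free(p);
    return r;
}

int main(void) {
    const unsigned char ok[] = {0, 0, 0, 3, 'a', 'b', 'c'}; /* constructed frame */
    return try_frame(ok, sizeof ok) == 3 ? 0 : 1;
}
```

A header announcing more than the cap is dropped after four bytes are read, so the declared size never drives an allocation; a frame that ends early is freed and rejected.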

Vulnerable products and versions

CPE:
cpe:2.3:o:linuxfoundation:edge_virtualization_engine:*:*:*:*:*:*:*:*
From:
3.0.0 (including)
Up to:
9.5.0 (excluding)


References to Advisories, Solutions, and Tools