Qualisys C++ SDK Stack Buffer Overflow Vulnerability in Data Retrieval Functions

Vulnerability

Commit a32a21a of the Qualisys C++ SDK introduces multiple stack buffer overflows. The affected functions are GetCurrentFrame, SaveCapture, and LoadProject, each of which writes into a fixed-size stack buffer of 100 to 256 bytes using unsafe string operations that do not check the length of the input. An input longer than the buffer overflows it and corrupts the stack; the consequences range from crashes (denial of service) and information disclosure to code execution.

Impact

Exploitation of this vulnerability causes stack corruption, which can lead to code execution, unauthorized information disclosure, and application crashes, creating a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by crafting options that generate component strings larger than the buffers, which are then passed to the vulnerable functions. A fuzzing tool such as AFL++ can automate the generation of oversized strings that exceed the buffer limits and trigger the stack overflow.

Remediation

Replace the fixed-size stack buffers with dynamically sized containers: std::string for C++ strings, or std::vector<char> where a C-style character buffer is required. Both grow to fit the input, which removes the overflow condition.
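The following is an added illustration of the bug class and the recommended fix; it is not the Qualisys SDK's own code. It shows the unsafe shape the advisory describes (an unbounded copy into a fixed stack buffer) beside two hardened forms: a std::string builder, and a bounded copy with an explicit failure path for cases where a C-style buffer has to stay at an API boundary. The buffer size of 100 bytes (taken from the 100 to 256 range in the advisory), the function names and the sample component values are all assumptions.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

// Constructed illustration, not the Qualisys SDK's code. The advisory says the
// affected functions build component strings into fixed stack buffers of
// 100 to 256 bytes; kFixedBufSize (100) is an assumed value from that range.
constexpr std::size_t kFixedBufSize = 100;

// "Before": the unsafe shape. strcpy does not know how large `buf` is, so a
// component string of kFixedBufSize bytes or more writes past its end and
// corrupts the stack. Never called below; kept only for comparison.
std::size_t buildComponentsUnsafe(const char* components) {
    char buf[kFixedBufSize];
    std::strcpy(buf, components);   // the defect: unbounded copy into a fixed buffer
    return std::strlen(buf);
}

// "After" (1): the advisory's recommendation. std::string owns heap storage
// that grows with the input, so no caller-controlled length can overrun it.
std::string buildComponents(const std::vector<std::string>& components) {
    std::string out;
    for (std::size_t i = 0; i < components.size(); ++i) {
        if (i != 0) out += ' ';
        out += components[i];
    }
    return out;
}

// "After" (2): when a C-style buffer must remain at an API boundary, bound
// the copy and make failure explicit instead of overflowing or silently
// truncating. Returns false (and leaves dst empty) if the NUL-terminated
// result would not fit.
bool copyIntoFixedBuffer(const std::string& src, char* dst, std::size_t dstSize) {
    if (dstSize == 0) return false;
    if (src.size() + 1 > dstSize) {    // +1 for the terminating NUL
        dst[0] = '\0';
        return false;
    }
    std::memcpy(dst, src.data(), src.size());
    dst[src.size()] = '\0';
    return true;
}

// The condition a fuzzer drives the unsafe version into: would this string
// overrun a buffer of bufSize bytes once NUL-terminated? Handy as a unit-test
// oracle when reviewing remaining fixed buffers.
bool wouldOverflowFixedBuffer(const std::string& s, std::size_t bufSize) {
    return s.size() + 1 > bufSize;
}

// Safe wrapper around the fixed buffer: the oversized input that would have
// corrupted the stack in buildComponentsUnsafe is rejected here.
bool buildComponentsIntoFixed(const std::vector<std::string>& components,
                              std::string* copiedOut) {
    char buf[kFixedBufSize];
    const std::string joined = buildComponents(components);
    if (!copyIntoFixedBuffer(joined, buf, sizeof buf)) return false;
    *copiedOut = buf;
    return true;
}

int main() {
    // Constructed inputs: a short, realistic component list and an oversized one.
    const std::vector<std::string> small{"3d", "6d", "analog"};
    const std::vector<std::string> huge{std::string(300, 'A')};
    std::string out;
    std::printf("small fits: %d\n", buildComponentsIntoFixed(small, &out));
    std::printf("huge fits:  %d\n", buildComponentsIntoFixed(huge, &out));
    return 0;
}
```

The std::string path is the complete fix. The bounded-copy path is for code that cannot drop the fixed buffer yet: it turns the same oversized input into a clean, testable error return rather than stack corruption, which is also the behaviour a fuzzing run should confirm after remediation.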

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

  spread          0.0
  impact          7.5
  exploitability  6.0
  remediation     0.0
  relevance       0.0
  threat          6.4
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.