Sliver Command and Control Framework Remote Out-of-Memory Vulnerability in mTLS and WireGuard Transports

A remote out-of-memory vulnerability has been identified in the Sliver command and control (C2) framework, specifically in versions through 1.7.3. The issue arises in the C2 server's mutual TLS (mTLS) and WireGuard transport layers, where the server's socketReadEnvelope and socketWGReadEnvelope functions improperly trust an attacker-controlled 4-byte length prefix for memory allocation. This flaw allows a compromised implant or an attacker with valid credentials to send fabricated length prefixes over concurrent yamux streams, leading the server to allocate excessive amounts of memory, crash the server, and disrupt active implant sessions. Additionally, this vulnerability can degrade or terminate other processes on the same host.

Impact

Exploitation of this vulnerability causes the Sliver server process to be killed, disrupting active implant sessions until the server is manually restarted. On hosts with swap enabled, the out-of-memory event may cause swap thrashing, degrading other services on the same host before the Sliver process is terminated.

Reproduction

To reproduce this vulnerability, establish a valid mTLS connection with the Sliver server, presenting a valid client certificate. After the TLS handshake, negotiate yamux multiplexing and open up to 128 concurrent streams. Then, send a 4-byte length prefix claiming approximately 2 GiB on each stream, without including any actual data. This will trigger the server to allocate a total of around 256 GiB of memory, causing the operating system's out-of-memory killer to terminate the Sliver server process.