MobSF Security scan issues


P Naandi

Apr 2, 2024, 8:57:50 AM
to discuss-webrtc
Hi everyone,

We are using WebRTC binary (https://github.com/stasel/WebRTC) in our project and recently conducted a security scan using MobSF security framework and identified a few security vulnerabilities mentioned below.

  1. Binary makes use of insecure API(s) - The binary may contain the following insecure API(s): _fopen, _memcpy, _printf, _sscanf, _strcpy, _strlen, _strncpy
  2. Binary makes use of malloc function
  3. Application binary has rpath set - The binary has Runpath Search Path (@rpath) set. In certain cases an attacker can abuse this feature to run arbitrary executables for code execution and privilege escalation. Remove the compiler option -rpath to remove @rpath.
I reached out to the GitHub repo maintainer but was advised to check here, as that repository just compiles the unmodified WebRTC library source code. Please advise on any remediation for these issues or direct me to the relevant PoC. Happy to provide additional information/context.
Thanks in advance!

Harald Alvestrand

Apr 3, 2024, 6:21:44 AM
to discuss...@googlegroups.com
That's an interesting set of "I don't like this function" callouts!

Yes, the webrtc library (the C++ part) is old. Many of these functions are safe to use if used correctly, with checked arguments; the arguments against them are that it's easy to miss a check, and that may open a vulnerability. There are better ways to do this; we're likely to open bugs on some of these in the webrtc bugtracker (bugs.webrtc.org) - but don't expect speedy fixes. (Patches are welcome!)

The rpath thing, however, seems to be an Android thing - I'm not sure where that plays out in practice.

--
This list falls under the WebRTC Code of Conduct - https://webrtc.org/support/code-of-conduct.
To view this discussion on the web visit https://groups.google.com/d/msgid/discuss-webrtc/e6442fb7-0dcb-4528-bd67-13f83fc79670n%40googlegroups.com.
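As an added illustration of the point made in the reply above (this is not code from the WebRTC project or from the stasel/WebRTC build), the C snippet below places the unchecked use of strcpy/memcpy that MobSF flags next to the same calls guarded by an explicit bounds check; `struct peer`, `NAME_MAX` and the sample inputs are made up for the example.

```c
/* Added example: the flagged C functions are fine with checked arguments and
 * dangerous when the check is forgotten. Names and sizes are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16

struct peer {
    char name[NAME_MAX];
    uint8_t payload[64];
    size_t payload_len;
};

/* The pattern behind the "_strcpy / _memcpy" finding: trusts the caller for
 * the lengths. Kept only for comparison; main() feeds it safe input. */
static void set_peer_unchecked(struct peer *p, const char *name,
                               const uint8_t *data, size_t len)
{
    strcpy(p->name, name);          /* overflows name[] if strlen(name) >= NAME_MAX */
    memcpy(p->payload, data, len);  /* overflows payload[] if len > sizeof payload */
    p->payload_len = len;
}

/* Same copies, bounds validated first. Returns false and leaves *p untouched
 * when either input does not fit, so the caller must handle rejection. */
static bool set_peer_checked(struct peer *p, const char *name,
                             const uint8_t *data, size_t len)
{
    /* memchr never reads past NAME_MAX bytes, unlike strlen on untrusted input */
    const char *nul = memchr(name, '\0', NAME_MAX);
    if (nul == NULL)                 /* no terminator within the buffer size */
        return false;
    if (len > sizeof p->payload)
        return false;
    memcpy(p->name, name, (size_t)(nul - name) + 1);  /* copy includes the NUL */
    memcpy(p->payload, data, len);
    p->payload_len = len;
    return true;
}

int main(void)
{
    struct peer p = {0};
    const uint8_t sample[4] = {1, 2, 3, 4};          /* constructed input */
    set_peer_unchecked(&p, "alice", sample, sizeof sample);
    bool ok = set_peer_checked(&p, "a-name-that-does-not-fit", sample, 4);
    printf("oversize name accepted: %s\n", ok ? "yes" : "no");   /* prints "no" */
    return 0;
}
```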