How OAuth Token Overflow Enables Remote Code Execution

by Jule

A missing length check in decode_oauth_token_gcm() lets an attacker supply oversized nonce data, up to 735 bytes, that is copied past the bounds of a fixed 256-byte buffer, corrupting the stack before authentication even begins. The flaw is pre-authentication: it is reached by a network request that carries a token under a valid OAuth key but no real credentials, because the memcpy into the 256-byte buffer never validates nonce_len. The resulting stack corruption can be escalated to remote code execution. Tools like AddressSanitizer confirm the overflow, reporting the crash at a precise offset and exposing how a single misplaced byte can compromise server integrity. Although OAuth tokens normally require user authority, triggering the overflow needs no decryption key: a guessed kid and network access are enough. Mitigation is a simple bounds check before the copy. The lesson is plain: even tokens from a trusted issuer become weapons when size validation fails. Does your server guard against silent overflows in its OAuth flow?

  • Pre-authentication overflow triggers before cryptographic checks, bypassing standard authentication controls.
  • Nonce length accepted from untrusted tokens exceeds 256 bytes, enabling stack overwrite with up to 735 bytes of attacker data.
  • This flaw affects all coturn versions up to 4.9.0 using OAuth support; the vulnerability lies in unbounded memcpy into a fixed buffer.

ASAN reports a stack-buffer-overflow precisely at the offending memory write, showing how an unchecked nonce_len value corrupts adjacent stack variables.

To defend: enforce nonce_len ≤ 256 before the memcpy, blocking the overflow before it starts. Never trust token contents, even when the token arrives under a valid OAuth key.
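The following is an added illustration of that bounds check, written for this article; it is not coturn's code. It assumes a constructed token layout (a 2-byte big-endian nonce length followed by the nonce bytes), a fixed 256-byte stack buffer as described above, and illustrative names such as decode_nonce() and try_decode(). The decoder rejects any declared nonce length larger than the buffer before memcpy runs, so a 735-byte nonce is refused instead of overwriting the stack, and a token whose declared length exceeds the bytes actually present is refused as truncated.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of the fixed stack buffer the nonce is copied into (256 bytes, as in
 * the article). The token layout used here (2-byte big-endian nonce length,
 * then the nonce bytes) is a constructed, illustrative format and is NOT
 * coturn's actual token encoding. */
#define MAX_NONCE_LEN 256

enum decode_status {
    DECODE_OK = 0,
    DECODE_TRUNCATED = -1,      /* token shorter than its declared nonce length */
    DECODE_NONCE_TOO_LONG = -2  /* declared nonce_len exceeds the fixed buffer */
};

/* Parse the nonce out of a token into nonce_out (at least MAX_NONCE_LEN bytes).
 * The check on nonce_len before memcpy is the mitigation the article calls for:
 * without it, an attacker-chosen nonce_len drives memcpy past the 256-byte
 * stack buffer. */
int decode_nonce(const uint8_t *token, size_t token_len,
                 uint8_t *nonce_out, size_t *nonce_len_out)
{
    uint8_t nonce[MAX_NONCE_LEN]; /* fixed stack buffer, mirrors the vulnerable pattern */
    size_t nonce_len;

    if (token_len < 2)
        return DECODE_TRUNCATED;

    nonce_len = ((size_t)token[0] << 8) | token[1];

    /* The bounds check that was missing: validate the length before copying. */
    if (nonce_len > sizeof nonce)
        return DECODE_NONCE_TOO_LONG;

    /* Also make sure the token actually carries that many bytes (no over-read). */
    if (token_len - 2 < nonce_len)
        return DECODE_TRUNCATED;

    memcpy(nonce, token + 2, nonce_len);
    memcpy(nonce_out, nonce, nonce_len);
    *nonce_len_out = nonce_len;
    return DECODE_OK;
}

/* Build a constructed token declaring a nonce of nonce_len bytes (caller frees). */
uint8_t *build_token(size_t nonce_len, size_t *token_len)
{
    uint8_t *t = malloc(2 + nonce_len);
    if (t == NULL)
        return NULL;
    t[0] = (uint8_t)(nonce_len >> 8);
    t[1] = (uint8_t)(nonce_len & 0xff);
    memset(t + 2, 0x41, nonce_len); /* filler nonce bytes */
    *token_len = 2 + nonce_len;
    return t;
}

/* Decode a constructed token with the given declared nonce length; returns status. */
int try_decode(size_t nonce_len)
{
    size_t token_len = 0, out_len = 0;
    uint8_t out[MAX_NONCE_LEN];
    uint8_t *t = build_token(nonce_len, &token_len);
    int rc;
    if (t == NULL)
        return DECODE_TRUNCATED;
    rc = decode_nonce(t, token_len, out, &out_len);
    free(t);
    return rc;
}

/* A constructed token that declares a 100-byte nonce but carries only 2 bytes. */
int try_truncated(void)
{
    const uint8_t t[4] = { 0x00, 100, 0x01, 0x02 };
    uint8_t out[MAX_NONCE_LEN];
    size_t out_len = 0;
    return decode_nonce(t, sizeof t, out, &out_len);
}

int main(void)
{
    printf("12-byte nonce:   %d\n", try_decode(12));  /* 0  (DECODE_OK) */
    printf("735-byte nonce:  %d\n", try_decode(735)); /* -2 (DECODE_NONCE_TOO_LONG) */
    printf("truncated token: %d\n", try_truncated()); /* -1 (DECODE_TRUNCATED) */
    return 0;
}
```

Compiling with `-fsanitize=address` is a useful regression check here: with the length check in place ASAN stays silent for the 735-byte case, whereas removing the `nonce_len > sizeof nonce` test reproduces the stack-buffer-overflow report the article describes.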

Will your infrastructure catch this silent exploit before attackers do?