A specially crafted nonce routes unauthenticated requests through the NoEncoder path, where startSessionHandler() reads the entire request body without limits, allowing attacker-driven memory exhaustion and process crash.
Sliver's custom Wireguard netstack doesn't limit traffic between Wireguard clients, this could lead to: Leaked/recovered keypair (from a beacon) being used to attack operators. Port forwardings usable from other implants.
The reverse port forwarding in sliver teamserver allows the implant to open a reverse tunnel on the sliver teamserver without verifying if the operator instructed the implant to do so
Sliver version 1.6.0 (prerelease) is vulnerable to RCE on the teamserver by a low-privileged "operator" user. The RCE is as the system root user.
This advisory duplicates another.
The current cryptography implementation in Sliver up to version 1.5.39 allows a MitM with access to the corresponding implant binary to execute arbitrary codes on implanted devices via intercepted and crafted responses. (Reserved CVE ID: CVE-2023-34758)