Sliver C2, Nil Pointer Dereference, CVE-2024-XXXX (Medium)

Listen to this Post

The vulnerability resides in the `tunnelCloseHandler` function within server/handlers/sessions.go. When a reverse tunnel (rportfwd) close is requested, the function attempts to retrieve the tunnel using core.Tunnels.Get(). Because the tunnel ID corresponds to a reverse tunnel (not a standard one), this call returns nil. The code then enters an `else` block intended for reverse tunnel handling. Inside this block, it correctly retrieves the reverse tunnel using rtunnels.GetRTunnel(), but the subsequent conditional checks erroneously dereference the `tunnel` variable (which is nil) instead of the `rtunnel` variable. Specifically, lines 172 and 175 attempt to access tunnel.SessionID. This results in a nil pointer dereference, causing the handler goroutine to panic. While a `recoverAndLogPanic()` function prevents a full server crash, it silently drops the close operation and leaves the reverse tunnel entry in the map, causing a memory leak. An authenticated implant can exploit this by repeatedly sending close requests for non-existent or reverse tunnels, triggering repeated goroutine panics and denial of service. The identical bug was previously fixed in `tunnelDataHandler` but was overlooked in the tunnelCloseHandler.

dailycve form is:

Platform: Sliver C2
Version: master commit 7ac4db3fa
Vulnerability : Nil pointer dereference
Severity: Medium
date: 2026-03-30

Prediction: 2026-04-13

Analytics under heading What Undercode Say:

Locate the vulnerable lines in sessions.go
grep -n "tunnel.SessionID" server/handlers/sessions.go | grep -E "172|175"
Expected output: lines showing the erroneous dereference
Extract the commit where the fix was partially applied
git show 7ac4db3fa -- server/handlers/sessions.go | grep -A5 -B5 "rtunnel.SessionID"
// Vulnerable code block in tunnelCloseHandler (lines 170-178)
} else {
rtunnel := rtunnels.GetRTunnel(tunnelData.TunnelID)
if rtunnel != nil && session.ID == tunnel.SessionID { // PANIC: tunnel is nil
rtunnel.Close()
rtunnels.RemoveRTunnel(rtunnel.ID)
} else if rtunnel != nil && session.ID != tunnel.SessionID { // PANIC: tunnel is nil
sessionHandlerLog.Warnf("Session %s attempted to close tunnel %d belonging to session %s", session.ID, tunnelData.TunnelID, tunnel.SessionID)
}
}

Exploit:

// Authenticated implant sends close request for a valid rtunnel ID
tunnelClose := &TunnelClose{
TunnelID: 999, // ID of an existing reverse tunnel
}
// This triggers the nil dereference in tunnelCloseHandler

Protection from this CVE

  • Upgrade to a patched version containing the fix.
  • Apply the fix by replacing `tunnel.SessionID` with `rtunnel.SessionID` in lines 172 and 175 of server/handlers/sessions.go.
  • Implement a WAF rule to filter anomalous tunnel close requests if upgrading is not immediately possible.

Impact:

  • Denial of service via repeated handler goroutine panics.
  • Inability to properly close reverse tunnels (rportfwd), leading to functional regression.
  • Memory leak due to unreleased reverse tunnel map entries.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top