GNU ZRTPCPP Multiple issues

2013.06.30
Credit: Dan Rosenberg
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

I'd like to request CVEs for multiple security vulnerabilities discovered, reported, and published by Mark Dowd of Azimuth Security in GNU ZRTPCPP, an open-source ZRTP implementation used in a number of "secure phone" solutions:

http://blog.azimuthsecurity.com/2013/06/attacking-crypto-phones-weaknesses-in.html

1. Remote heap overflow

A remote attacker can cause a heap-based buffer overflow by sending an overly-large ZRTP packet of several possible types, including a "Hello" packet. Successful exploitation would allow an attacker to execute arbitrary code in the context of a vulnerable application.

2. Multiple remote stack overflows

A remote attacker can cause multiple stack-based buffer overflows by sending a malformed ZRTP Hello packet with an overly-large value in certain fields, including the count of public keys. Exploitation may be difficult due to the details of the layout of stack variables in memory, but successful exploitation would allow an attacker to execute arbitrary code in the context of a vulnerable application.

3. Multiple remote heap memory disclosures

By sending a truncated ZRTP Ping packet, the response packet will include several bytes of the affected application's heap memory due to a lack of validation on the incoming packet. This flaw could be exploited to gain knowledge about the heap state of an affected application to enable further attacks, or potentially reveal sensitive information stored on the heap.

The fixes for all of these flaws were included in the following commit:

https://github.com/wernerd/ZRTPCPP/commit/c8617100f359b217a974938c5539a1dd8a120b0e

Regards,
Dan

References:

http://blog.azimuthsecurity.com/2013/06/attacking-crypto-phones-weaknesses-in.html
https://github.com/wernerd/ZRTPCPP/commit/c8617100f359b217a974938c5539a1dd8a120b0e
http://seclists.org/oss-sec/2013/q2/636
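
The length and count validation whose absence issues 1 and 2 describe, sketched in C as an added example; it is not code from ZRTPCPP or from the fixing commit. Field offsets follow the Hello message layout in RFC 6189 section 5.2; every identifier, the `dst_cap` parameter and the sample builder are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Offsets follow the Hello layout in RFC 6189 section 5.2.
 * All identifiers here are hypothetical, not ZRTPCPP names. */
enum { WORD = 4, HELLO_FIXED_WORDS = 22,   /* header..flags word + 2-word MAC */
       HELLO_FLAGS_OFF = 76, MAX_ALGOS = 7 };

enum hello_status { HELLO_OK, HELLO_TRUNCATED, HELLO_TOO_LARGE,
                    HELLO_BAD_HEADER, HELLO_BAD_COUNT, HELLO_LEN_MISMATCH };

/* Check a received Hello (rx_len bytes, CRC excluded) before any field is
 * copied into storage of dst_cap bytes or used as a loop bound. */
enum hello_status hello_validate(const uint8_t *msg, size_t rx_len, size_t dst_cap)
{
    if (rx_len < HELLO_FIXED_WORDS * WORD) return HELLO_TRUNCATED;
    if (msg[0] != 0x50 || msg[1] != 0x5a || memcmp(msg + 4, "Hello   ", 8) != 0)
        return HELLO_BAD_HEADER;

    /* The length field is big-endian and counts 32-bit words. */
    size_t declared = (((size_t)msg[2] << 8) | msg[3]) * WORD;
    if (declared > rx_len)  return HELLO_TRUNCATED;  /* claims more than arrived */
    if (declared > dst_cap) return HELLO_TOO_LARGE;  /* would overrun the copy target */

    /* Five 4-bit algorithm counts: hc, cc, ac, kc, sc. */
    const uint8_t *f = msg + HELLO_FLAGS_OFF;
    uint8_t n[5] = { f[1] & 0x0f, f[2] >> 4, f[2] & 0x0f, f[3] >> 4, f[3] & 0x0f };
    size_t algos = 0;
    for (int i = 0; i < 5; i++) {
        if (n[i] > MAX_ALGOS) return HELLO_BAD_COUNT; /* a nibble can hold up to 15 */
        algos += n[i];
    }
    /* The counts must account for exactly the declared length. */
    if ((HELLO_FIXED_WORDS + algos) * WORD != declared) return HELLO_LEN_MISMATCH;
    return HELLO_OK;
}

/* Constructed sample: build a Hello with kc public-key entries, then validate it. */
enum hello_status check_sample(uint8_t kc, uint16_t len_words, size_t rx_len, size_t dst_cap)
{
    uint8_t buf[256] = {0};
    buf[0] = 0x50; buf[1] = 0x5a;
    buf[2] = (uint8_t)(len_words >> 8); buf[3] = (uint8_t)len_words;
    memcpy(buf + 4, "Hello   ", 8);
    memcpy(buf + 12, "1.10", 4);
    buf[HELLO_FLAGS_OFF + 3] = (uint8_t)(kc << 4);
    return hello_validate(buf, rx_len, dst_cap);
}
```

The same pattern applies to the Ping case in issue 3: compare the received size against the fixed size of the message type before echoing any field back in the response.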

