From
https://blog.fuzzing-project.org/6-Stack-overflow-in-libtasn1-TFPA-0022015.html
libtasn1 is a library to parse ASN.1 data structures. Its most
prominent user is GnuTLS.
Fuzzing libtasn1 led to the discovery of a stack write overflow in the
function _asn1_ltostr (file parser_aux.c). On certain inputs it writes
past the end of a temporary buffer variable. This issue was reported to
the developers on 2015-03-26. A fix was released on 2015-03-29.
The issue can be exposed with Valgrind or Address Sanitizer. The
Address Sanitizer output with detailed info is given below.
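As an added illustration of the bug class described above (this is constructed example code, not libtasn1's _asn1_ltostr and not the project's fix), the block below shows a long-to-decimal-string conversion in two forms: an unchecked one that trusts the caller to have sized the destination, and a bounded one that refuses the conversion when it would not fit. The names ltostr_unchecked, ltostr_checked, ltostr_needed, ltostr_matches_printf and LTOSTR_MAX_SIZE are assumptions for this example. The 20-byte buffer in main mirrors the size of the overflowed 'temp' object in the ASan frame listing further down, but nothing here claims to reproduce the actual crashing input.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Upper bound on the bytes the decimal form of any long can need: sign,
   digits and terminating NUL.  Every 3 bits add at most one decimal digit,
   so bits/3 + 3 always suffices (24 on LP64, 13 for a 32-bit long).
   Constructed for this example; not a libtasn1 constant. */
#define LTOSTR_MAX_SIZE ((sizeof(long) * CHAR_BIT) / 3 + 3)

/* Unchecked pattern: the caller promises dst is large enough and the
   function cannot verify it.  A buffer sized for typical values but not
   for the longest one is how a one-byte stack write past the end happens.
   Returns the number of bytes written, including the NUL. */
size_t ltostr_unchecked(long v, char *dst)
{
    char tmp[LTOSTR_MAX_SIZE];
    size_t pos = sizeof tmp;
    /* Negate in unsigned arithmetic so LONG_MIN does not overflow. */
    unsigned long mag = (v < 0) ? 0UL - (unsigned long)v : (unsigned long)v;

    tmp[--pos] = '\0';
    do {
        tmp[--pos] = (char)('0' + mag % 10);
        mag /= 10;
    } while (mag != 0);
    if (v < 0)
        tmp[--pos] = '-';

    memcpy(dst, tmp + pos, sizeof tmp - pos);   /* may run past dst */
    return sizeof tmp - pos;
}

/* Bytes (sign, digits, NUL) the decimal form of v occupies. */
size_t ltostr_needed(long v)
{
    char tmp[LTOSTR_MAX_SIZE];               /* sized for the worst case */
    return ltostr_unchecked(v, tmp);
}

/* Hardened form: the destination size travels with the pointer, and the
   conversion is refused (dst left empty) when it would not fit, so the
   caller gets a verdict instead of silent stack corruption. */
bool ltostr_checked(long v, char *dst, size_t dst_size)
{
    char tmp[LTOSTR_MAX_SIZE];
    size_t needed = ltostr_unchecked(v, tmp);

    if (dst == NULL || needed > dst_size) {
        if (dst != NULL && dst_size > 0)
            dst[0] = '\0';
        return false;
    }
    memcpy(dst, tmp, needed);
    return true;
}

/* Self-check: the bounded conversion agrees with the C library's "%ld". */
int ltostr_matches_printf(long v)
{
    char ours[LTOSTR_MAX_SIZE];
    char ref[64];

    if (!ltostr_checked(v, ours, sizeof ours))
        return 0;
    snprintf(ref, sizeof ref, "%ld", v);
    return strcmp(ours, ref) == 0;
}

int main(void)
{
    /* On LP64 a 20-byte temporary holds LONG_MAX (19 digits + NUL) but is
       one byte short for LONG_MIN (sign + 19 digits + NUL). */
    char small[20];
    long probes[] = { 0, 42, -1234, LONG_MAX, LONG_MIN };

    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        bool ok = ltostr_checked(probes[i], small, sizeof small);
        printf("%21ld needs %2zu bytes: %s\n", probes[i],
               ltostr_needed(probes[i]), ok ? small : "REFUSED (buffer too small)");
    }
    return 0;
}
```

The point of the bounded variant is that the only value which overflows a buffer sized for "normal" numbers is the extreme one, which is exactly the kind of input a fuzzer finds and a hand-written test set usually does not; sizing the buffer from the type's worst case (LTOSTR_MAX_SIZE) rather than from expected values removes the dependency on input altogether.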
Git commit / fix
http://git.savannah.gnu.org/gitweb/?p=libtasn1.git;a=blobdiff;f=lib/parser_aux.c;h=da9a388fe3204d22f56a138af319ee8a9b77d7f0;hp=d3e9009d77317b0671e89ed6e680b83b58e1d213;hb=4d4f992826a4962790ecd0cce6fbba4a415ce149;hpb=77068c35a32cc31ba6b3af257921ca90696c7945
Release notes libtasn1 4.4
https://lists.gnu.org/archive/html/help-libtasn1/2015-03/msg00002.html
Sample input for stack overflow (to be used with examples/pkix.asn from the libtasn1 source, e.g. src/asn1Decoding examples/pkix.asn TFPA-2015-002-libtasn1-4.3-stack-overflow.crt PKIX1Implicit88.Certificate)
https://crashes.fuzzing-project.org/TFPA-2015-002-libtasn1-4.3-stack-overflow.crt
An earlier fuzzing effort led to the discovery of a null pointer
dereference error in the ASN.1 definition parser. This is unlikely to
have any security impact. Null pointer errors are usually not
exploitable and there are probably no scenarios where ASN.1 definitions
are attacker controlled. This issue was reported to the libtasn1
developers on 2015-01-25 and was fixed on 2015-02-05. The fix was
delivered with the 4.3 release of libtasn1.
Report on mailing list
https://lists.gnu.org/archive/html/help-libtasn1/2015-01/msg00000.html
Git commit / fix
http://git.savannah.gnu.org/gitweb/?p=libtasn1.git;a=commit;h=edaff43f27c3e1bcf8317ecee9f733a995602b72
Sample input for null ptr (can be tested with asn1Decoding TFPA-2015-002-libtasn1-4.2-null-ptr.asn x x)
https://crashes.fuzzing-project.org/TFPA-2015-002-libtasn1-4.2-null-ptr.asn
I want to thank libtasn1 developer Nikos Mavrogiannopoulos for the
quick fixes. Both issues were found with american fuzzy lop.
==4372==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff85a08084 at pc 0x43c180 bp 0x7fff85a07d10 sp 0x7fff85a07d00
WRITE of size 1 at 0x7fff85a08084 thread T0
    #0 0x43c17f in _asn1_ltostr /data/libtasn1/libtasn1-4.3/lib/parser_aux.c:574
    #1 0x41ee31 in _asn1_get_objectid_der /data/libtasn1/libtasn1-4.3/lib/decoding.c:397
    #2 0x41ee31 in asn1_der_decoding2 /data/libtasn1/libtasn1-4.3/lib/decoding.c:1225
    #3 0x423b0e in asn1_der_decoding /data/libtasn1/libtasn1-4.3/lib/decoding.c:1602
    #4 0x403692 in simple_decode /data/libtasn1/libtasn1-4.3/src/asn1Decoding.c:251
    #5 0x403692 in decode /data/libtasn1/libtasn1-4.3/src/asn1Decoding.c:280
    #6 0x403692 in main /data/libtasn1/libtasn1-4.3/src/asn1Decoding.c:205
    #7 0x7f94cb39af9f in __libc_start_main (/lib64/libc.so.6+0x1ff9f)
    #8 0x4046a1 (/data/libtasn1/libtasn1-4.3/src/asn1Decoding+0x4046a1)

Address 0x7fff85a08084 is located in stack of thread T0 at offset 564 in frame
    #0 0x419bdf in asn1_der_decoding2 /data/libtasn1/libtasn1-4.3/lib/decoding.c:980

  This frame has 10 object(s):
    [32, 36) 'len2'
    [96, 100) 'tag_len'
    [160, 164) 'len2'
    [224, 232) 'p'
    [288, 296) 'p2'
    [352, 360) 'ptail'
    [416, 424) 'p'
    [480, 489) 'temp'
    [544, 564) 'temp' <== Memory access at offset 564 overflows this variable
    [608, 736) 'temp'
--
Hanno Böck
http://hboeck.de/
mail/jabber: hanno@hboeck.de
GPG: BBB51E42