libtasn1 Stack Write Overflow

2015-03-31 / 2015-04-12
Credit: Hanno Böck
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-119


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

From https://blog.fuzzing-project.org/6-Stack-overflow-in-libtasn1-TFPA-0022015.html

libtasn1 is a library to parse ASN.1 data structures. Its most prominent user is GnuTLS.

Fuzzing libtasn1 led to the discovery of a stack write overflow in the function _asn1_ltostr (file parser_aux.c). It overflows a temporary buffer variable on certain inputs.

This issue has been reported to the developers on 2015-03-26. A fix was released on 2015-03-29.

The issue can be exposed with Valgrind or Address Sanitizer. The Address Sanitizer output with detailed info is given below.

Git commit / fix
http://git.savannah.gnu.org/gitweb/?p=libtasn1.git;a=blobdiff;f=lib/parser_aux.c;h=da9a388fe3204d22f56a138af319ee8a9b77d7f0;hp=d3e9009d77317b0671e89ed6e680b83b58e1d213;hb=4d4f992826a4962790ecd0cce6fbba4a415ce149;hpb=77068c35a32cc31ba6b3af257921ca90696c7945

Release notes libtasn1 4.4
https://lists.gnu.org/archive/html/help-libtasn1/2015-03/msg00002.html

Sample input for stack overflow (to be used with examples/pkix.asn from libtasn1 source, e.g. src/asn1Decoding examples/pkix.asn TFPA-2015-002-libtasn1-4.3-stack-overflow.crt PKIX1Implicit88.Certificate)
https://crashes.fuzzing-project.org/TFPA-2015-002-libtasn1-4.3-stack-overflow.crt

An earlier fuzzing effort led to the discovery of a null pointer dereference error in the ASN.1 definition parser. This is unlikely to have any security impact. Null pointer errors are usually not exploitable and there are probably no scenarios where ASN.1 definitions are attacker controlled.

This issue has been reported to the libtasn1 developers on 2015-01-25 and was fixed on 2015-02-05. The fix was delivered with the 4.3 release of libtasn1.

Report on mailing list
https://lists.gnu.org/archive/html/help-libtasn1/2015-01/msg00000.html

Git commit / fix
http://git.savannah.gnu.org/gitweb/?p=libtasn1.git;a=commit;h=edaff43f27c3e1bcf8317ecee9f733a995602b72

Sample input for null ptr (can be tested with asn1Decoding TFPA-2015-002-libtasn1-4.2-null-ptr.asn x x)
https://crashes.fuzzing-project.org/TFPA-2015-002-libtasn1-4.2-null-ptr.asn

I want to thank libtasn1 developer Nikos Mavrogiannopoulos for the quick fixes.

Both issues were found with american fuzzy lop.

==4372==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff85a08084 at pc 0x43c180 bp 0x7fff85a07d10 sp 0x7fff85a07d00
WRITE of size 1 at 0x7fff85a08084 thread T0
    #0 0x43c17f in _asn1_ltostr /data/libtasn1/libtasn1-4.3/lib/parser_aux.c:574
    #1 0x41ee31 in _asn1_get_objectid_der /data/libtasn1/libtasn1-4.3/lib/decoding.c:397
    #2 0x41ee31 in asn1_der_decoding2 /data/libtasn1/libtasn1-4.3/lib/decoding.c:1225
    #3 0x423b0e in asn1_der_decoding /data/libtasn1/libtasn1-4.3/lib/decoding.c:1602
    #4 0x403692 in simple_decode /data/libtasn1/libtasn1-4.3/src/asn1Decoding.c:251
    #5 0x403692 in decode /data/libtasn1/libtasn1-4.3/src/asn1Decoding.c:280
    #6 0x403692 in main /data/libtasn1/libtasn1-4.3/src/asn1Decoding.c:205
    #7 0x7f94cb39af9f in __libc_start_main (/lib64/libc.so.6+0x1ff9f)
    #8 0x4046a1 (/data/libtasn1/libtasn1-4.3/src/asn1Decoding+0x4046a1)

Address 0x7fff85a08084 is located in stack of thread T0 at offset 564 in frame
    #0 0x419bdf in asn1_der_decoding2 /data/libtasn1/libtasn1-4.3/lib/decoding.c:980

  This frame has 10 object(s):
    [32, 36) 'len2'
    [96, 100) 'tag_len'
    [160, 164) 'len2'
    [224, 232) 'p'
    [288, 296) 'p2'
    [352, 360) 'ptail'
    [416, 424) 'p'
    [480, 489) 'temp'
    [544, 564) 'temp' <== Memory access at offset 564 overflows this variable
    [608, 736) 'temp'

-- 
Hanno Böck
http://hboeck.de/
mail/jabber: hanno@hboeck.de
GPG: BBB51E42
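The trace above is precise about the shape of the bug: a one-byte write at offset 564, immediately past the 20-byte 'temp' buffer at [544, 564) in the frame of the (inlined) _asn1_get_objectid_der caller, issued from _asn1_ltostr. A signed 64-bit value rendered in decimal needs up to 21 bytes ("-9223372036854775808" plus the NUL), so a 20-byte buffer is exactly one byte short once the value being printed is negative, which happens when OID sub-identifier bytes are accumulated into a signed long without an overflow check. The following is an added example written for this page, not libtasn1's code or the author's: it shows the two checks a hardened OID decoder wants, a bounded integer-to-string conversion that refuses rather than overflows, and a base-128 sub-identifier decoder that rejects arcs its accumulator cannot hold. Function names, buffer sizes and the sample byte strings are this example's own, and the reading that the overflowing value is a decoded OID arc is an inference from the trace (the write is reached through _asn1_get_objectid_der), not a statement from the advisory.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Worst case for a signed 64-bit value is "-9223372036854775808": 20
   characters plus the terminating NUL, i.e. 21 bytes. A 20-byte destination
   is one byte short, which matches the one-byte write past the end of a
   20-byte 'temp' that AddressSanitizer reports above. (Buffer sizes here are
   this example's own choices, not libtasn1's.) */
#define LTOSTR_NEEDED 21

/* Bounded decimal conversion: returns the length written (excluding NUL),
   or -1 if dst cannot hold the result. It never writes past dst_len bytes. */
int ltostr_bounded(int64_t v, char *dst, size_t dst_len)
{
    int n = snprintf(dst, dst_len, "%" PRId64, v);
    if (n < 0 || (size_t)n >= dst_len) {
        if (dst_len)
            dst[0] = '\0';
        return -1;
    }
    return n;
}

/* Decode base-128 OID sub-identifiers from DER content octets (tag and
   length already stripped). Returns the number of arcs, or -1 on malformed
   input: a truncated final arc, a non-minimal leading 0x80 byte, an arc that
   does not fit in a uint64_t, or more arcs than max_arcs. The accumulator is
   unsigned and checked before every shift, so it can never go negative or
   silently wrap the way an unchecked signed accumulation does. */
int oid_decode_arcs(const uint8_t *der, size_t len, uint64_t *arcs, size_t max_arcs)
{
    size_t pos = 0, n = 0;

    if (len == 0 || (der[len - 1] & 0x80))
        return -1;                       /* empty, or last arc has no final byte */
    while (pos < len) {
        uint64_t val = 0;
        if (der[pos] == 0x80)
            return -1;                   /* X.690 forbids leading 0x80 padding */
        for (;;) {
            uint8_t b = der[pos++];
            if (val > (UINT64_MAX >> 7))
                return -1;               /* next shift would lose bits: reject */
            val = (val << 7) | (b & 0x7F);
            if (!(b & 0x80))
                break;
        }
        if (n == 0) {                    /* first sub-identifier encodes X*40+Y */
            uint64_t x = val < 40 ? 0 : (val < 80 ? 1 : 2);
            if (max_arcs < 2)
                return -1;
            arcs[n++] = x;
            arcs[n++] = val - 40 * x;
        } else {
            if (n >= max_arcs)
                return -1;
            arcs[n++] = val;
        }
    }
    return (int)n;
}

/* Render arcs as dotted decimal into out; returns the length or -1 when out
   is too small. Every write is bounded by the remaining space. */
int oid_arcs_to_string(const uint64_t *arcs, int n, char *out, size_t out_len)
{
    size_t used = 0;

    if (out_len == 0)
        return -1;
    out[0] = '\0';
    for (int i = 0; i < n; i++) {
        int w = snprintf(out + used, out_len - used, "%s%" PRIu64, i ? "." : "", arcs[i]);
        if (w < 0 || (size_t)w >= out_len - used) {
            out[0] = '\0';
            return -1;
        }
        used += (size_t)w;
    }
    return (int)used;
}

/* Convenience wrapper: DER content octets -> dotted string. 0 on success. */
int oid_content_to_string(const uint8_t *der, size_t len, char *out, size_t out_len)
{
    uint64_t arcs[32];
    int n = oid_decode_arcs(der, len, arcs, 32);
    if (n < 0)
        return -1;
    return oid_arcs_to_string(arcs, n, out, out_len) < 0 ? -1 : 0;
}

int main(void)
{
    /* Constructed sample: content octets of OID 1.2.840.113549 (the PKCS#1 root). */
    static const uint8_t rsa_root[] = { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D };
    /* Constructed sample: eleven bytes carrying 77 payload bits, more than any
       64-bit accumulator can hold; a decoder must reject it, not wrap. */
    static const uint8_t too_wide[] = { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
                                        0xFF, 0xFF, 0xFF, 0xFF, 0x7F };
    char out[128], small[20], enough[LTOSTR_NEEDED];

    printf("rsa_root: rc=%d %s\n", oid_content_to_string(rsa_root, sizeof rsa_root, out, sizeof out), out);
    printf("too_wide: rc=%d\n", oid_content_to_string(too_wide, sizeof too_wide, out, sizeof out));
    printf("INT64_MIN into 20 bytes: %d\n", ltostr_bounded(INT64_MIN, small, sizeof small));
    printf("INT64_MIN into 21 bytes: %d (%s)\n", ltostr_bounded(INT64_MIN, enough, sizeof enough), enough);
    return 0;
}
```

The two defences are independent: the bounded conversion stops the write even if a negative or oversized value reaches it, and the checked accumulator ensures no such value is produced from attacker-controlled DER in the first place. Fuzzing this decoder under AddressSanitizer (as the advisory did with asn1Decoding) is the right way to confirm that neither path can be driven past a buffer.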

References:

http://hboeck.de/

Copyright 2024, cxsecurity.com
