MatrixSSL DTLS server (in all publicly released versions including 4.2.1 OPEN) incorrectly handles incoming network messages, leading to a heap-buffer overwrite of up to 256 bytes and possible Remote Code Execution.
During processing of a crafted packet, the server incorrectly handles the fragment length value provided in the DTLS message.
==17575==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000dc11 at pc 0x7f28a22d7904 bp 0x7ffd81495f60 sp 0x7ffd81495708
WRITE of size 256 at 0x60200000dc11 thread T0
#0 0x7f28a22d7903 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c903)
#1 0x44109b in memcpy /usr/include/x86_64-linux-gnu/bits/string3.h:53
#2 0x44109b in parseSSLHandshake matrixssl-4-2-1-open/matrixssl/sslDecode.c:2400
#3 0x44109b in matrixSslDecodeTls12AndBelow matrixssl-4-2-1-open/matrixssl/sslDecode.c:1433
#4 0x42da07 in matrixSslReceivedData matrixssl-4-2-1-open/matrixssl/matrixsslApi.c:1381
#5 0x406f67 in main matrixssl-4-2-1-open/apps/dtls/dtlsServer.c:899
#6 0x7f28a1a6082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#7 0x40af98 in _start (matrixssl-4-2-1-open/test_matrixssl_asan.exe+0x40af98)
0x60200000dc11 is located 0 bytes to the right of 1-byte region [0x60200000dc10,0x60200000dc11)
allocated by thread T0 here:
#0 0x7f28a22e3602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x440b01 in parseSSLHandshake matrixssl-4-2-1-open/matrixssl/sslDecode.c:2344
#2 0x440b01 in matrixSslDecodeTls12AndBelow matrixssl-4-2-1-open/matrixssl/sslDecode.c:1433
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memcpy
==17575==ABORTING
Reproduction:
Download and compile MatrixSSL 4.2.1 OPEN (or earlier).
Run DTLS server:
cd matrixssl-4-2-1-open
apps/dtls/dtlsServer -p 44444
Unzip and send the attached crafted message, e.g. using netcat:
netcat -u $IP 44444 < crash_001_parseSSLHandshake_WRITE_256.raw
where $IP is the IP of the test server
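As an added example (not MatrixSSL's code and not a fix for sslDecode.c), a bounds-checked DTLS handshake fragment copy in C: the header fields are taken from RFC 6347, and the constructed packet has the shape the ASan report shows (a 1-byte message length with a 256-byte fragment).

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* DTLS handshake fragment header (RFC 6347 s4.2.2), 12 bytes:
   msg_type(1) length(3) message_seq(2) fragment_offset(3) fragment_length(3) */
#define DTLS_HS_HDR_LEN 12

static uint32_t be24(const uint8_t *p) {
    return ((uint32_t)p[0] << 16) | ((uint32_t)p[1] << 8) | p[2];
}

/* Reassembly buffer; its size is fixed by the first fragment's total length. */
typedef struct { uint8_t *data; uint32_t msg_len; } hs_reasm_t;

/* Copy one fragment into the reassembly buffer. Returns 0, or -1 and copies
   nothing if the header is inconsistent. The crash in the report is a memcpy
   of fragment_length bytes into a 1-byte allocation; both checks below are
   needed: the payload must exist in the datagram, and the fragment must fit. */
int dtls_hs_fragment_copy(hs_reasm_t *r, const uint8_t *rec, size_t rec_len) {
    if (rec_len < DTLS_HS_HDR_LEN) return -1;
    uint32_t msg_len  = be24(rec + 1);
    uint32_t frag_off = be24(rec + 6);
    uint32_t frag_len = be24(rec + 9);
    if (frag_len > rec_len - DTLS_HS_HDR_LEN) return -1;
    if (frag_off + frag_len > msg_len) return -1;  /* 24-bit values: no wrap */
    if (r->data == NULL) {
        r->data = calloc(msg_len ? msg_len : 1, 1);
        if (r->data == NULL) return -1;
        r->msg_len = msg_len;
    } else if (r->msg_len != msg_len) {
        return -1;  /* all fragments of a message must agree on its length */
    }
    memcpy(r->data + frag_off, rec + DTLS_HS_HDR_LEN, frag_len);
    return 0;
}

/* Constructed sample, not the attached .raw file: a header that declares a
   1-byte message but a 256-byte fragment, the shape ASan reported. */
int constructed_overlong_fragment_is_rejected(void) {
    uint8_t rec[DTLS_HS_HDR_LEN + 256] = {0};
    rec[0] = 1;          /* msg_type ClientHello */
    rec[3] = 1;          /* length = 1 */
    rec[10] = 1;         /* fragment_length = 0x000100 = 256 */
    hs_reasm_t r = { NULL, 0 };
    int rc = dtls_hs_fragment_copy(&r, rec, sizeof rec);
    free(r.data);
    return rc == -1 && r.data == NULL;
}
```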
So a month goes by and this is not addressed. Seems matrixssl is no longer maintained. I too have tried to contact them twice and got no response whatsoever. I have discovered several issues with the code myself (that I fixed in my own repository) but see no motivation to even make a pull request... @cve-reporting Are you aware of a matrixssl user forum somewhere?
Proposed CVSS 3.0 score:
9.8 (High)
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
crash_001_parseSSLHandshake_WRITE_256.raw.zip