Heap based buffer overflow while parsing DTLS messages (parseSSLHandshake) #30

Closed
cve-reporting opened this issue Jul 23, 2019 · 3 comments

Comments

@cve-reporting

cve-reporting commented Jul 23, 2019

MatrixSSL DTLS server (in all publicly released versions including 4.2.1 OPEN) incorrectly handles incoming network messages, leading to a heap-buffer overwrite of up to 256 bytes and possible Remote Code Execution.
During processing of a crafted packet, the server incorrectly handles the fragment length value provided in the DTLS message.

Proposed CVSS 3.0 score:

9.8 (High)
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Error message WITHOUT Address Sanitizer:

matrixssl-4-2-1-open$ apps/dtls/dtlsServer -p 44444
DTLS server running on port 44444
Select woke 1
Got REQUEST_RECV from ReceivedData
*** Error in `apps/dtls/dtlsServer': malloc(): memory corruption: 0x000000000142cde0 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7fcaee6a17e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x8213e)[0x7fcaee6ac13e]
/lib/x86_64-linux-gnu/libc.so.6(__libc_calloc+0xba)[0x7fcaee6aedca]
apps/dtls/dtlsServer[0x411405]
apps/dtls/dtlsServer[0x41631d]
apps/dtls/dtlsServer[0x403e84]
apps/dtls/dtlsServer[0x4020c6]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7fcaee64a830]
apps/dtls/dtlsServer[0x402969]
======= Memory map: ========
00400000-004a3000 r-xp 00000000 fd:01 273412                             matrixssl-4-2-1-open/apps/dtls/dtlsServer
006a2000-006a3000 r--p 000a2000 fd:01 273412                             matrixssl-4-2-1-open/apps/dtls/dtlsServer
006a3000-006a4000 rw-p 000a3000 fd:01 273412                             matrixssl-4-2-1-open/apps/dtls/dtlsServer
006a4000-006a5000 rw-p 00000000 00:00 0 
0142b000-0144c000 rw-p 00000000 00:00 0                                  [heap]
7fcae8000000-7fcae8021000 rw-p 00000000 00:00 0 
7fcae8021000-7fcaec000000 ---p 00000000 00:00 0 
7fcaee414000-7fcaee42a000 r-xp 00000000 fd:01 2039                       /lib/x86_64-linux-gnu/libgcc_s.so.1
7fcaee42a000-7fcaee629000 ---p 00016000 fd:01 2039                       /lib/x86_64-linux-gnu/libgcc_s.so.1
7fcaee629000-7fcaee62a000 rw-p 00015000 fd:01 2039                       /lib/x86_64-linux-gnu/libgcc_s.so.1
7fcaee62a000-7fcaee7ea000 r-xp 00000000 fd:01 28237                      /lib/x86_64-linux-gnu/libc-2.23.so
7fcaee7ea000-7fcaee9ea000 ---p 001c0000 fd:01 28237                      /lib/x86_64-linux-gnu/libc-2.23.so
7fcaee9ea000-7fcaee9ee000 r--p 001c0000 fd:01 28237                      /lib/x86_64-linux-gnu/libc-2.23.so
7fcaee9ee000-7fcaee9f0000 rw-p 001c4000 fd:01 28237                      /lib/x86_64-linux-gnu/libc-2.23.so
7fcaee9f0000-7fcaee9f4000 rw-p 00000000 00:00 0 
7fcaee9f4000-7fcaeea0c000 r-xp 00000000 fd:01 28170                      /lib/x86_64-linux-gnu/libpthread-2.23.so
7fcaeea0c000-7fcaeec0b000 ---p 00018000 fd:01 28170                      /lib/x86_64-linux-gnu/libpthread-2.23.so
7fcaeec0b000-7fcaeec0c000 r--p 00017000 fd:01 28170                      /lib/x86_64-linux-gnu/libpthread-2.23.so
7fcaeec0c000-7fcaeec0d000 rw-p 00018000 fd:01 28170                      /lib/x86_64-linux-gnu/libpthread-2.23.so
7fcaeec0d000-7fcaeec11000 rw-p 00000000 00:00 0 
7fcaeec11000-7fcaeec37000 r-xp 00000000 fd:01 28169                      /lib/x86_64-linux-gnu/ld-2.23.so
7fcaeee22000-7fcaeee26000 rw-p 00000000 00:00 0 
7fcaeee35000-7fcaeee36000 rw-p 00000000 00:00 0 
7fcaeee36000-7fcaeee37000 r--p 00025000 fd:01 28169                      /lib/x86_64-linux-gnu/ld-2.23.so
7fcaeee37000-7fcaeee38000 rw-p 00026000 fd:01 28169                      /lib/x86_64-linux-gnu/ld-2.23.so
7fcaeee38000-7fcaeee39000 rw-p 00000000 00:00 0 
7ffc6024d000-7ffc6026e000 rw-p 00000000 00:00 0                          [stack]
7ffc60394000-7ffc60397000 r--p 00000000 00:00 0                          [vvar]
7ffc60397000-7ffc60399000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
Aborted

Error message WITH Address Sanitizer:

==17575==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000dc11 at pc 0x7f28a22d7904 bp 0x7ffd81495f60 sp 0x7ffd81495708
WRITE of size 256 at 0x60200000dc11 thread T0
    #0 0x7f28a22d7903 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c903)
    #1 0x44109b in memcpy /usr/include/x86_64-linux-gnu/bits/string3.h:53
    #2 0x44109b in parseSSLHandshake matrixssl-4-2-1-open/matrixssl/sslDecode.c:2400
    #3 0x44109b in matrixSslDecodeTls12AndBelow matrixssl-4-2-1-open/matrixssl/sslDecode.c:1433
    #4 0x42da07 in matrixSslReceivedData matrixssl-4-2-1-open/matrixssl/matrixsslApi.c:1381
    #5 0x406f67 in main matrixssl-4-2-1-open/apps/dtls/dtlsServer.c:899
    #6 0x7f28a1a6082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #7 0x40af98 in _start (matrixssl-4-2-1-open/test_matrixssl_asan.exe+0x40af98)

0x60200000dc11 is located 0 bytes to the right of 1-byte region [0x60200000dc10,0x60200000dc11)
allocated by thread T0 here:
    #0 0x7f28a22e3602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x440b01 in parseSSLHandshake matrixssl-4-2-1-open/matrixssl/sslDecode.c:2344
    #2 0x440b01 in matrixSslDecodeTls12AndBelow matrixssl-4-2-1-open/matrixssl/sslDecode.c:1433

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memcpy
Shadow bytes around the buggy address:
  0x0c047fff9b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9b60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9b70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 00 04
=>0x0c047fff9b80: fa fa[01]fa fa fa 00 fa fa fa 00 fa fa fa 00 00
  0x0c047fff9b90: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff9ba0: fa fa 00 00 fa fa 00 07 fa fa 00 00 fa fa 00 00
  0x0c047fff9bb0: fa fa 00 00 fa fa 05 fa fa fa 00 02 fa fa 00 00
  0x0c047fff9bc0: fa fa 06 fa fa fa fd fd fa fa 00 01 fa fa 04 fa
  0x0c047fff9bd0: fa fa 00 06 fa fa 00 06 fa fa 06 fa fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==17575==ABORTING

Reproduction:

  1. Download and compile MatrixSSL 4.2.1 OPEN (or earlier).

  2. Run DTLS server:
    cd matrixssl-4-2-1-open
    apps/dtls/dtlsServer -p 44444

  3. Unzip and send the attached crafted message, e.g. using netcat:
    netcat -u $IP 44444 < crash_001_parseSSLHandshake_WRITE_256.raw
    where $IP is the IP of the test server

crash_001_parseSSLHandshake_WRITE_256.raw.zip
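The fragment-length handling the report describes, as an added example that is not MatrixSSL's code and not the fix that shipped in 4.2.2: a minimal DTLS handshake-fragment reassembler in C with the two bounds checks a handler must perform before it copies. The 12-byte header layout is RFC 6347's handshake header; the reassembly state, function names and return codes are this example's own assumptions, and the crafted input (header claims length=1 but fragment_length=256) is constructed here to mirror the 1-byte allocation and 256-byte write in the ASan trace above, not the attached .raw file.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DTLS_HS_HDR_LEN 12 /* DTLS handshake header, RFC 6347 section 4.2.2 */

/* Return codes of dtls_hs_add_fragment() (this example's own). */
enum { DTLS_HS_OK = 0, DTLS_HS_SHORT_HDR = -1, DTLS_HS_TRUNCATED = -2,
       DTLS_HS_OVERFLOW = -3, DTLS_HS_NOMEM = -4, DTLS_HS_MISMATCH = -5 };

typedef struct {
    uint8_t  msg_type;
    uint32_t length;          /* 24-bit total length of the handshake message  */
    uint16_t message_seq;
    uint32_t fragment_offset; /* 24-bit offset of this fragment in the message */
    uint32_t fragment_length; /* 24-bit number of body bytes in this fragment   */
} dtls_hs_hdr;

/* Reassembly state for one message; in-order, non-overlapping fragments are
   assumed for brevity (a real stack also keeps a received-bytes bitmap). */
typedef struct { uint8_t *data; uint32_t length, received; } dtls_hs_msg;

static uint32_t be24(const uint8_t *p) { return (uint32_t)p[0] << 16 | (uint32_t)p[1] << 8 | p[2]; }
static void put24(uint8_t *p, uint32_t v)
{ p[0] = (uint8_t)(v >> 16); p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)v; }

/* Parse the 12-byte header out of `len` bytes of record payload. */
int dtls_hs_parse_header(const uint8_t *buf, size_t len, dtls_hs_hdr *h)
{
    if (len < DTLS_HS_HDR_LEN) return DTLS_HS_SHORT_HDR;
    h->msg_type        = buf[0];
    h->length          = be24(buf + 1);
    h->message_seq     = (uint16_t)(buf[4] << 8 | buf[5]);
    h->fragment_offset = be24(buf + 6);
    h->fragment_length = be24(buf + 9);
    return DTLS_HS_OK;
}

/* Copy one fragment into the reassembly buffer. Each wire-supplied length is
   checked against BOTH the bytes actually present (`len`) and the buffer that
   was sized from `length` before memcpy() runs. Skipping check 2 is exactly
   the shape of a 1-byte allocation followed by a 256-byte write. */
int dtls_hs_add_fragment(dtls_hs_msg *m, const uint8_t *buf, size_t len)
{
    dtls_hs_hdr h;
    int rc = dtls_hs_parse_header(buf, len, &h);
    if (rc != DTLS_HS_OK) return rc;
    /* 1. fragment must fit in what this record actually carries */
    if (h.fragment_length > len - DTLS_HS_HDR_LEN) return DTLS_HS_TRUNCATED;
    /* 2. fragment must fit in the declared message; subtraction form so the
          sum of two attacker-chosen 24-bit values can never wrap */
    if (h.fragment_offset > h.length ||
        h.fragment_length > h.length - h.fragment_offset) return DTLS_HS_OVERFLOW;
    if (m->data == NULL) {
        if ((m->data = malloc(h.length ? h.length : 1)) == NULL) return DTLS_HS_NOMEM;
        m->length = h.length;
        m->received = 0;
    } else if (h.length != m->length) {
        return DTLS_HS_MISMATCH; /* peer changed `length` mid-message */
    }
    memcpy(m->data + h.fragment_offset, buf + DTLS_HS_HDR_LEN, h.fragment_length);
    m->received += h.fragment_length;
    return DTLS_HS_OK;
}

/* Serialize a client_hello fragment; header fields are written verbatim so a
   caller can build a lying header. Returns the number of bytes written. */
size_t dtls_hs_build(uint8_t *out, uint32_t length, uint32_t off, uint32_t flen,
                     const uint8_t *body, size_t body_len)
{
    out[0] = 1;          /* msg_type client_hello */
    put24(out + 1, length);
    out[4] = out[5] = 0; /* message_seq 0 */
    put24(out + 6, off);
    put24(out + 9, flen);
    memcpy(out + DTLS_HS_HDR_LEN, body, body_len);
    return DTLS_HS_HDR_LEN + body_len;
}

/* Constructed input mirroring the report's numbers: header claims length=1 but
   fragment_length=256, backed by 256 real body bytes. Returns the verdict. */
int demo_crafted_fragment(void)
{
    uint8_t body[256], pkt[DTLS_HS_HDR_LEN + 256];
    dtls_hs_msg m = { NULL, 0, 0 };
    memset(body, 0x41, sizeof body);
    int rc = dtls_hs_add_fragment(&m, pkt, dtls_hs_build(pkt, 1, 0, 256, body, sizeof body));
    free(m.data);
    return rc;
}

/* Constructed input: a 6-byte message split into two honest fragments.
   Returns 1 if it reassembles to "ABCDEF". */
int demo_reassembly(void)
{
    uint8_t pkt[DTLS_HS_HDR_LEN + 8];
    dtls_hs_msg m = { NULL, 0, 0 };
    int ok = dtls_hs_add_fragment(&m, pkt, dtls_hs_build(pkt, 6, 0, 4, (const uint8_t *)"ABCD", 4)) == DTLS_HS_OK;
    ok = ok && dtls_hs_add_fragment(&m, pkt, dtls_hs_build(pkt, 6, 4, 2, (const uint8_t *)"EF", 2)) == DTLS_HS_OK;
    ok = ok && m.received == 6 && memcmp(m.data, "ABCDEF", 6) == 0;
    free(m.data);
    return ok;
}

int main(void)
{
    int rc = demo_crafted_fragment();
    printf("crafted fragment: rc=%d (%s)\n", rc, rc == DTLS_HS_OVERFLOW ? "rejected" : "ACCEPTED?!");
    printf("two-fragment reassembly: %s\n", demo_reassembly() ? "ok" : "FAILED");
    return 0;
}
```

Check 2 is the one that matters for the trace above: the allocation is sized from the message `length` field, the copy from `fragment_length`, and nothing ties the two together unless the handler does it explicitly. Writing the bound as `fragment_length > length - fragment_offset` (after confirming `fragment_offset <= length`) avoids the classic mistake of computing `offset + fragment_length` in a type where an attacker-chosen pair can wrap.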

@CarloWood

So a month goes by and this is not addressed. Seems matrixssl is no longer maintained. I too have tried to contact them twice and got no response whatsoever. I have discovered several issues with the code myself (that I fixed in my own repository) but see no motivation to even make a pull request... @cve-reporting Are you aware of a matrixssl user forum somewhere?

@jdelta-RBS

This was assigned CVE-2019-14431

@matrixssl-admin
Contributor

Should be fixed in 4.2.2.
