Denial of service caused in function BerDecoder_decodeUint32 in src/mms/asn1/ber_decode.c #196

Closed
sleicasper opened this issue Dec 23, 2019 · 2 comments

Comments


BerDecoder_decodeUint32 in src/mms/asn1/ber_decode.c doesn't check the passed arguments.
intLen and bufPos can be large numbers, so the following memory access buffer[bufPos+i] would segfault.

[Screenshot attached: Screen Shot 2019-12-23 at 3 11 34 PM]

poc:
poc.zip

gdb stack backtrace:

gdb-peda$ r < poc
Starting program: /home/casper/targets/struct/libiec61850/dbg/fuzzrun/fuzzmmsdata < crashes/id:000010,sig:06,src:000030,op:int32,pos:16,val:-129
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0xfa9000
RBX: 0x7fffffffdfc0 --> 0x7ffff7ffe170 --> 0x0
RCX: 0xfa9000
RDX: 0x1f5200
RSI: 0x7fffff00 --> 0x0
RDI: 0xf988c0 --> 0x9292929292929280
RBP: 0x7fffffffdf70 --> 0x7fffffffe2f0 --> 0x7fffffffe320 --> 0x4c2210 (<__libc_csu_init>:	push   r15)
RSP: 0x7fffffffdf40 --> 0x1200000001 --> 0x0
RIP: 0x7ffff7a269a7 (<BerDecoder_decodeUint32+135>:	movzx  ecx,BYTE PTR [rax])
R8 : 0x7fffffffdf00 --> 0x400000000000000
R9 : 0x1
R10: 0x4
R11: 0x0
R12: 0x1f3118
R13: 0x7fffffffe400 --> 0x1
R14: 0xf988c0 --> 0x9292929292929280
R15: 0x1
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff7a2699a <BerDecoder_decodeUint32+122>:	mov    rdi,QWORD PTR [rbp-0x20]
   0x7ffff7a2699e <BerDecoder_decodeUint32+126>:	call   0x7ffff79643c0 <__asan_report_load1@plt>
   0x7ffff7a269a3 <BerDecoder_decodeUint32+131>:	mov    rax,QWORD PTR [rbp-0x20]
=> 0x7ffff7a269a7 <BerDecoder_decodeUint32+135>:	movzx  ecx,BYTE PTR [rax]
   0x7ffff7a269aa <BerDecoder_decodeUint32+138>:	add    ecx,DWORD PTR [rbp-0x14]
   0x7ffff7a269ad <BerDecoder_decodeUint32+141>:	mov    DWORD PTR [rbp-0x14],ecx
   0x7ffff7a269b0 <BerDecoder_decodeUint32+144>:	mov    eax,DWORD PTR [rbp-0x18]
   0x7ffff7a269b3 <BerDecoder_decodeUint32+147>:	add    eax,0x1
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffdf40 --> 0x1200000001 --> 0x0
0008| 0x7fffffffdf48 --> 0x12
0016| 0x7fffffffdf50 --> 0xfa9000
0024| 0x7fffffffdf58 --> 0x1072c
0032| 0x7fffffffdf60 --> 0x7fffffff00000014
0040| 0x7fffffffdf68 --> 0xf988c0 --> 0x9292929292929280
0048| 0x7fffffffdf70 --> 0x7fffffffe2f0 --> 0x7fffffffe320 --> 0x4c2210 (<__libc_csu_init>:	push   r15)
0056| 0x7fffffffdf78 --> 0x7ffff7a01b72 (<MmsValue_decodeMmsData+1634>:	mov    edi,eax)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff7a269a7 in BerDecoder_decodeUint32 () from /home/casper/targets/struct/libiec61850/dbg/INSTALL/lib/libiec61850.so.1.4.0
gdb-peda$ bt
#0  0x00007ffff7a269a7 in BerDecoder_decodeUint32 () from /home/casper/targets/struct/libiec61850/dbg/INSTALL/lib/libiec61850.so.1.4.0
#1  0x00007ffff7a01b72 in MmsValue_decodeMmsData () from /home/casper/targets/struct/libiec61850/dbg/INSTALL/lib/libiec61850.so.1.4.0
#2  0x00000000004c21e0 in main ()
#3  0x00007ffff696bb97 in __libc_start_main (main=0x4c2180 <main>, argc=0x1, argv=0x7fffffffe408, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe3f8) at ../csu/libc-start.c:310
#4  0x000000000041ab9a in _start ()
mzillgith added a commit that referenced this issue Jan 4, 2020
mzillgith (Contributor) commented

Thanks for the bug report! The problem is caused by a missing check in BerDecoder_decodeLength. It should be fixed now.

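The report above describes a read at buffer[bufPos+i] with an unchecked intLen, and the maintainer's reply locates the root cause in the length decoder. The following is an added illustration of the defensive pattern, not libiec61850's code or its fix: a BER length decoder that rejects lengths which do not fit in the remaining buffer, and an unsigned-integer decoder that re-checks its own bounds before touching the buffer. The function names (ber_decode_length, ber_decode_uint32, decode_integer_tlv), the max_buf_pos parameter and the sample byte strings are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not libiec61850's code. Names are hypothetical. */

/* Decode a BER length field at buffer[buf_pos]. Returns the position just
 * after the length octets, or -1 if the field is malformed, runs past the
 * buffer, or announces more content than the buffer holds. */
int ber_decode_length(const uint8_t* buffer, int* length, int buf_pos, int max_buf_pos)
{
    if (buffer == NULL || length == NULL || buf_pos < 0 || buf_pos >= max_buf_pos)
        return -1;

    uint8_t len_byte = buffer[buf_pos++];

    if (len_byte & 0x80) {
        int len_len = len_byte & 0x7f;
        /* Indefinite form (0x80) and more than 4 length octets are rejected */
        if (len_len == 0 || len_len > 4)
            return -1;
        /* Every length octet must itself lie inside the buffer */
        if (len_len > max_buf_pos - buf_pos)
            return -1;
        uint32_t len = 0;
        for (int i = 0; i < len_len; i++)
            len = (len << 8) | buffer[buf_pos++];
        if (len > INT32_MAX)
            return -1;
        *length = (int) len;
    } else {
        *length = len_byte;
    }

    /* The announced content must fit in what is left of the buffer: this is
     * the check whose absence lets a huge length reach the value decoders. */
    if (*length > max_buf_pos - buf_pos)
        return -1;

    return buf_pos;
}

/* Decode int_len content octets as an unsigned 32-bit integer, reading only
 * inside [buf_pos, max_buf_pos). Returns 1 on success, 0 on any error. */
int ber_decode_uint32(const uint8_t* buffer, int int_len, int buf_pos,
                      int max_buf_pos, uint32_t* out)
{
    if (buffer == NULL || out == NULL)
        return 0;
    /* A 5th octet is only legal as a leading 0x00 pad for values >= 2^31 */
    if (int_len < 1 || int_len > 5)
        return 0;
    /* Bound the read even if the caller's length was already validated */
    if (buf_pos < 0 || int_len > max_buf_pos - buf_pos)
        return 0;

    uint32_t value = 0;
    for (int i = 0; i < int_len; i++) {
        uint8_t b = buffer[buf_pos + i];
        if (i == 0 && int_len == 5 && b != 0)
            return 0; /* would not fit in 32 bits */
        value = (value << 8) | b;
    }
    *out = value;
    return 1;
}

/* Parse one INTEGER TLV (tag 0x02) and decode its value. Returns 1 on success. */
int decode_integer_tlv(const uint8_t* msg, int msg_len, uint32_t* out)
{
    if (msg == NULL || msg_len < 2 || msg[0] != 0x02)
        return 0;
    int len = 0;
    int pos = ber_decode_length(msg, &len, 1, msg_len);
    if (pos < 0)
        return 0;
    return ber_decode_uint32(msg, len, pos, msg_len, out);
}

int main(void)
{
    /* Constructed sample inputs; not taken from the issue's poc.zip */
    const uint8_t ok[]        = {0x02, 0x02, 0x12, 0x34};             /* INTEGER 0x1234 */
    const uint8_t huge_len[]  = {0x02, 0x84, 0xff, 0xff, 0xff, 0xff}; /* length 0xffffffff */
    const uint8_t truncated[] = {0x02, 0x05, 0x01};                   /* claims 5, has 1 */
    uint32_t v = 0;

    printf("ok:        rc=%d value=0x%x\n", decode_integer_tlv(ok, sizeof ok, &v), v);
    printf("huge_len:  rc=%d\n", decode_integer_tlv(huge_len, sizeof huge_len, &v));
    printf("truncated: rc=%d\n", decode_integer_tlv(truncated, sizeof truncated, &v));
    return 0;
}
```

The two rejected inputs are the shapes a fuzzer finds first: a long-form length that overflows int, and a short-form length larger than the remaining bytes. Checking in the length decoder stops both before any value decoder runs, and keeping a second check in the value decoder means a future caller that skips length validation still cannot read past the buffer.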

jonm01 commented Mar 3, 2020

CVE-2019-19944
