OpenSSL 1.0.2 no-asm RC4_40 OOB read #8972

Closed
guidovranken opened this issue May 21, 2019 · 4 comments
Labels: "resolved: wont fix" (The issue has been confirmed but won't be fixed), "triaged: bug" (The issue/pr is/fixes a bug)


@guidovranken
Contributor

Compile OpenSSL 1.0.2 without assembly

```
CC=clang ./config no-asm -fsanitize=address && make -j12
```

Then compile and run this file

```c
#define CF_CHECK_EQ(expr, res) if ( (expr) != (res) ) { goto end; }
#define CF_CHECK_NE(expr, res) if ( (expr) == (res) ) { goto end; }

#include <openssl/cmac.h>

int main(void)
{
    const unsigned char input[6] = { 0 };
    const unsigned char key[1] = { 0 };
    CMAC_CTX* ctx = CMAC_CTX_new();
    const EVP_CIPHER* cipher = NULL;

    /* Initialize */
    {
        CF_CHECK_NE(cipher = EVP_rc4_40(), NULL);
        CF_CHECK_EQ(CMAC_Init(ctx, key, sizeof(key), cipher, NULL), 1);
    }

    CF_CHECK_EQ(CMAC_Update(ctx, input, sizeof(input)), 1);

end:
    return 0;
}
```
```
$ clang -fsanitize=address -I openssl-1.0.2r/include/ cmac-poc.c openssl-1.0.2r/libcrypto.a
$ ./a.out
=================================================================
==30930==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000006f24e0 at pc 0x000000525504 bp 0x7ffde649f590 sp 0x7ffde649f588
READ of size 8 at 0x0000006f24e0 thread T0
    #0 0x525503 in RC4 (/home/jhg/ossl-102-cmac-poc/a.out+0x525503)
    #1 0x5128f5 in rc4_cipher (/home/jhg/ossl-102-cmac-poc/a.out+0x5128f5)
    #2 0x51b28d in CMAC_Update (/home/jhg/ossl-102-cmac-poc/a.out+0x51b28d)
    #3 0x5127f2 in main (/home/jhg/ossl-102-cmac-poc/a.out+0x5127f2)
    #4 0x7efc41786b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #5 0x41a3a9 in _start (/home/jhg/ossl-102-cmac-poc/a.out+0x41a3a9)

0x0000006f24e6 is located 0 bytes to the right of global variable 'input' defined in 'cmac-poc.c:8:25' (0x6f24e0) of size 6
SUMMARY: AddressSanitizer: global-buffer-overflow (/home/jhg/ossl-102-cmac-poc/a.out+0x525503) in RC4
Shadow bytes around the buggy address:
  0x0000800d6440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800d6450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800d6460: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800d6470: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800d6480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0000800d6490: 00 00 00 00 00 00 00 00 00 00 00 00[06]f9 f9 f9
  0x0000800d64a0: f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x0000800d64b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800d64c0: 00 00 00 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0000800d64d0: 00 00 00 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0000800d64e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==30930==ABORTING
```
guidovranken changed the title from "OpenSSL 1.0.2 no-asm RC4_40 CMAC OOB read" to "OpenSSL 1.0.2 no-asm RC4_40 OOB read" on May 31, 2019

@davidben
Contributor

Does CMAC with RC4 even make sense? It needs a block cipher. Moreover, the subkeys are computed with operations over GF(2^(block_size)), which means the scheme is parametrized by a suitable irreducible polynomial. SP 800-38B, section 5.3, defines polynomials for 64-bit (DES or 3DES) and 128-bit (AES) block ciphers.
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38b.pdf

That corresponds to the `bl == 16` check here, but that uses DES's polynomial for all other block sizes. OpenSSL should probably be making `CMAC_Init` fail here.
https://github.com/openssl/openssl/blob/master/crypto/cmac/cmac.c#L43

(To that end, there's no need to use EVP_MAX_BLOCK_LENGTH because the largest block size for which CMAC is currently defined is 16 bytes.)
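
The block-size check suggested in the comment above, as an added example that is not OpenSSL's code and not part of the original thread: a stand-alone CMAC subkey step that applies the SP 800-38B constants for 8- and 16-byte blocks and fails for any other block size, such as the 1-byte block size of a stream cipher like RC4. The names `cmac_rb` and `cmac_next_subkey` are hypothetical; the input is the AES-128 value of L from the RFC 4493 subkey test vector.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Reduction constant R_b from SP 800-38B section 5.3; 0 means "CMAC undefined". */
static unsigned char cmac_rb(size_t bl)
{
    switch (bl) {
    case 16: return 0x87;   /* 128-bit block ciphers (AES) */
    case 8:  return 0x1b;   /* 64-bit block ciphers (DES, 3DES) */
    default: return 0;      /* e.g. bl == 1 for a stream cipher such as RC4 */
    }
}

/* out = in * x in GF(2^(8*bl)). Returns 1 on success, 0 if bl is unsupported. */
int cmac_next_subkey(unsigned char *out, const unsigned char *in, size_t bl)
{
    unsigned char rb = cmac_rb(bl);
    unsigned char carry;
    size_t i;

    if (rb == 0)
        return 0;                       /* fail closed instead of guessing */
    carry = in[0] >> 7;                 /* bit shifted out of the top */
    for (i = 0; i + 1 < bl; i++)
        out[i] = (unsigned char)((in[i] << 1) | (in[i + 1] >> 7));
    /* Branch-free conditional XOR of R_b into the last byte. */
    out[bl - 1] = (unsigned char)((in[bl - 1] << 1) ^ (rb & (0 - carry)));
    return 1;
}

/* L = AES-128(K, 0^128) from the RFC 4493 subkey generation test vector. */
static const unsigned char RFC4493_L[16] = {
    0x7d,0xf7,0x6b,0x0c,0x1a,0xb8,0x99,0xb3,0x3e,0x42,0xf0,0x47,0xb9,0x1b,0x54,0x6f
};

int main(void)
{
    unsigned char k1[16], k2[16], tmp[1] = { 0 };
    size_t i;

    cmac_next_subkey(k1, RFC4493_L, 16);    /* K1 = L * x   */
    cmac_next_subkey(k2, k1, 16);           /* K2 = K1 * x  */
    for (i = 0; i < 16; i++) printf("%02x", k1[i]);
    printf("\n");
    for (i = 0; i < 16; i++) printf("%02x", k2[i]);
    printf("\nblock size 1 accepted: %d\n", cmac_next_subkey(tmp, tmp, 1));
    return 0;
}
```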

@guidovranken
Contributor Author

@mattcaswell I suppose this won't be fixed because it's 1.0.2? Would you suggest I prevent performing CMAC RC4 in my fuzzer?

@mattcaswell
Member

Yes, assuming this only impacts 1.0.2 I don't think this will get fixed, so I suggest you prevent CMAC with RC4 for 1.0.2.

mattcaswell added the "resolved: wont fix" (The issue has been confirmed but won't be fixed) and "triaged: bug" (The issue/pr is/fixes a bug) labels on Nov 19, 2019

@levitte
Member

levitte commented Nov 19, 2019

Please check if this is still applicable on newer versions, such as 1.1.1 or master
