Demonstration of Go's dsa.Verify bug (CVE-2019-17596)
Latest commit 3b6fcf7 Oct 24, 2019

Exploiting dsa.Verify in Go (CVE-2019-17596)

Please see the associated blog post for details.


Since versions of Go newer than 1.13.1 are patched, I've included a Dockerfile that makes it easier to pin your Go version. Simply run docker build:

docker build .

There are two files of interest:

  • dsa_test.go: Contains a test case for causing dsa.Verify to panic.
  • ssh_test.go: Contains a test case for making a crypto/ssh.Client panic via an evil SSH Host Key.
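
For code that has to call dsa.Verify on keys from an untrusted source while still running an unpatched Go version, a defensive wrapper can validate the key first and turn any panic into an error. This is an added example, not code from this repository; the names SafeVerify and signDemo and the accepted size range are assumptions of the example, and because the README does not describe the malformed key values, the checks are deliberately broad.

```go
package main

import (
	"crypto/dsa"
	"crypto/rand"
	"fmt"
	"math/big"
)

// SafeVerify rejects missing, non-positive or oddly sized values (an example
// policy), then calls dsa.Verify under recover so a panic becomes an error.
func SafeVerify(pub *dsa.PublicKey, hash []byte, r, s *big.Int) (ok bool, err error) {
	if pub == nil {
		return false, fmt.Errorf("dsa: nil public key")
	}
	for _, v := range []*big.Int{pub.P, pub.Q, pub.G, pub.Y, r, s} {
		if v == nil || v.Sign() <= 0 {
			return false, fmt.Errorf("dsa: missing or non-positive value")
		}
	}
	if l, n := pub.P.BitLen(), pub.Q.BitLen(); l < 1024 || l > 3072 || n < 160 || n > 256 {
		return false, fmt.Errorf("dsa: unsupported parameter sizes %d/%d", l, n)
	}
	defer func() {
		if p := recover(); p != nil {
			ok, err = false, fmt.Errorf("dsa: Verify panicked: %v", p)
		}
	}()
	return dsa.Verify(pub, hash, r, s), nil
}

// signDemo signs hash with a throwaway 1024/160 key (constructed test data).
func signDemo(hash []byte) (*dsa.PublicKey, *big.Int, *big.Int, error) {
	k := new(dsa.PrivateKey)
	if err := dsa.GenerateParameters(&k.Parameters, rand.Reader, dsa.L1024N160); err != nil {
		return nil, nil, nil, err
	}
	if err := dsa.GenerateKey(k, rand.Reader); err != nil {
		return nil, nil, nil, err
	}
	r, s, err := dsa.Sign(rand.Reader, k, hash)
	return &k.PublicKey, r, s, err
}

func main() {
	h := []byte("constructed-20B-hash") // constructed stand-in for a 20-byte digest
	pub, r, s, _ := signDemo(h)
	fmt.Println(SafeVerify(pub, h, r, s))                  // well-formed key
	fmt.Println(SafeVerify(&dsa.PublicKey{Y: r}, h, r, s)) // constructed key with no parameters
}
```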

Improvements, bugs, adding features, etc.:

Please open issues in GitHub for ideas, bugs, and general thoughts. Pull requests are of course preferred :)


poc-dsa-verify-CVE-2019-17596 is licensed under the Apache License, Version 2.0
