Heap-overread bug in checking cert signature #2459

Closed
flyroom opened this issue Sep 10, 2019 · 2 comments

flyroom commented Sep 10, 2019

Hi, another heap-overread bug which could be triggered remotely.
Tested on wolfSSL 4.1.0 / Ubuntu 14.04 / clang / gcc / ASan / generate Makefile with ./configure --enable-lowresource
Missing sanity checks before CheckCertSignature_ex, wolfcrypt/src/asn.c:8041:

if (ret == 0) {
    if (cert[extIdx] == ASN_BOOLEAN) {
        if (GetBoolean(cert, &extIdx, certSz) < 0)
            ret = ASN_PARSE_E;
    }
}

You could trigger it through following steps:

  1. start the wolfSSL example server program under directory "examples/server" by invoking: ./server -b -p 4433
  2. start the py script client_raw.py which sends crafted messages to local port 4433 client_raw.zip

ASan report (if examples/server is compiled with ASan):

=================================================================
==12298==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000000e94 at pc 0x7f483b36f170 bp 0x7ffc7d33a9a0 sp 0x7ffc7d33a998
READ of size 1 at 0x619000000e94 thread T0
    #0 0x7f483b36f16f in CheckCertSignature_ex wolfcrypt/src/asn.c:8041
    #1 0x7f483b36fabb in CheckCertSignature wolfcrypt/src/asn.c:8158
    #2 0x7f483b3a80f7 in ProcessPeerCertParse src/internal.c:9506
    #3 0x7f483b3a9c0b in ProcessPeerCerts src/internal.c:10111
    #4 0x7f483b3ab4d7 in DoCertificate src/internal.c:10704
    #5 0x7f483b3adec5 in DoHandShakeMsgType src/internal.c:11542
    #6 0x7f483b3aed7b in DoHandShakeMsg src/internal.c:11733
    #7 0x7f483b3b6534 in ProcessReply src/internal.c:14189
    #8 0x7f483b330784 in wolfSSL_accept src/ssl.c:11083
    #9 0x7f483b321f65 in server_test examples/server/server.c:2113
    #10 0x7f483b3226e1 in main examples/server/server.c:2413
    #11 0x7f4839e53f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #12 0x7f483b31d748  (/opt/disk/binary_analysis/fuzz/wolfssl/wolfssl_github/examples/server/server+0x13748)

0x619000000e94 is located 0 bytes to the right of 1044-byte region [0x619000000a80,0x619000000e94)
allocated by thread T0 here:
    #0 0x7f483a7d9479 in __interceptor_malloc /home/nwani/m3/conda-bld/compilers_linux-64_1560109574129/work/.build/x86_64-conda_cos6-linux-gnu/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x7f483b3558fd in wolfSSL_Malloc wolfcrypt/src/memory.c:140

SUMMARY: AddressSanitizer: heap-buffer-overflow wolfcrypt/src/asn.c:8041 in CheckCertSignature_ex
Shadow bytes around the buggy address:
  0x0c327fff8180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff81a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff81b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff81c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff81d0: 00 00[04]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff81e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff81f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff8200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff8210: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff8220: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==12298==ABORTING
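Editor's note, added to illustrate the defect shape this report describes (this is example code, not the reporter's code and not wolfSSL's): the snippet above peeks at `cert[extIdx]` to decide whether an optional BOOLEAN follows, but nothing first confirms that `extIdx` is still below `certSz`. When the preceding element ends exactly at the end of the allocation, that peek is a one-byte heap over-read, which is what ASan flags at asn.c:8041. The example below contrasts that shape with a form where the bound check precedes the peek. All names, error codes and the sample bytes are this example's own assumptions; the backing array is deliberately larger than the logical size `sz` so that the unchecked peek stays inside real memory here (no undefined behaviour in the demo) while still reading a byte that is not part of the data being parsed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed constants for this example only; they are not wolfSSL's definitions. */
#define ASN_BOOLEAN  0x01   /* X.690 universal tag for BOOLEAN */
#define ASN_PARSE_E  (-1)   /* malformed DER */
#define BUFFER_E     (-2)   /* element does not fit in the remaining bytes */

/* Parse a DER BOOLEAN (tag 0x01, length 0x01, one value byte) at *idx and
 * advance *idx past it. Every byte is range-checked against sz before use. */
static int get_boolean(const uint8_t* buf, size_t* idx, size_t sz)
{
    size_t i = *idx;
    if (i >= sz || sz - i < 3)                      /* tag + length + value */
        return BUFFER_E;
    if (buf[i] != ASN_BOOLEAN || buf[i + 1] != 0x01)
        return ASN_PARSE_E;
    if (buf[i + 2] != 0x00 && buf[i + 2] != 0xFF)   /* DER permits only these */
        return ASN_PARSE_E;
    *idx = i + 3;
    return (buf[i + 2] == 0xFF) ? 1 : 0;
}

/* Defect shape: decide whether an optional BOOLEAN follows by peeking at
 * buf[*idx] without checking *idx < sz first. If the previous element ended
 * exactly at sz, the peek reads one byte past the logical end of the data,
 * and the outcome depends on whatever happens to sit there. */
static int optional_boolean_unchecked(const uint8_t* buf, size_t* idx, size_t sz)
{
    if (buf[*idx] == ASN_BOOLEAN)        /* peek happens before any bound check */
        return get_boolean(buf, idx, sz);
    return 0;                            /* absent */
}

/* Hardened shape: the bound check comes before the peek, so an element that
 * ends at sz is reported as "BOOLEAN absent" instead of being read. */
static int optional_boolean_checked(const uint8_t* buf, size_t* idx, size_t sz)
{
    if (*idx >= sz)
        return 0;                        /* nothing left: optional element absent */
    if (buf[*idx] != ASN_BOOLEAN)
        return 0;                        /* some other element follows */
    return get_boolean(buf, idx, sz);
}

/* Constructed sample: the data being parsed is a 2-byte NULL element, so a
 * parser that has consumed it sits at idx == 2. The bytes after it stand in
 * for stale heap contents beyond the allocation and happen to look like a
 * BOOLEAN TRUE. */
static const uint8_t backing[8] = {
    0x05, 0x00,             /* NULL: the logical data ends here (sz == 2) */
    0x01, 0x01, 0xFF,       /* stale bytes beyond sz */
    0x00, 0x00, 0x00
};

/* Each demo starts at idx 2 with a different logical size sz. */
int demo_unchecked_at_end(void)  { size_t idx = 2; return optional_boolean_unchecked(backing, &idx, 2); }
int demo_checked_at_end(void)    { size_t idx = 2; return optional_boolean_checked(backing, &idx, 2); }
int demo_checked_present(void)   { size_t idx = 2; return optional_boolean_checked(backing, &idx, 5); }
int demo_checked_truncated(void) { size_t idx = 2; return optional_boolean_checked(backing, &idx, 4); }

int main(void)
{
    /* The unchecked variant's answer is driven by a byte outside the data
     * (here it ends up as BUFFER_E); the checked variant simply reports absent. */
    printf("unchecked at end:  %d\n", demo_unchecked_at_end());  /* -2 */
    printf("checked at end:    %d\n", demo_checked_at_end());    /*  0 */
    printf("checked present:   %d\n", demo_checked_present());   /*  1 */
    printf("checked truncated: %d\n", demo_checked_truncated()); /* -2 */
    return 0;
}
```

The useful habit this shows is that an optional-element peek needs the same `idx < sz` guard as the element parser itself: a safe `get_boolean` does not protect the byte read that decides whether to call it. Under ASan the real over-read aborts, as in the report; without ASan the parse outcome silently depends on adjacent heap contents.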
@JacobBarthelmeh (Contributor)

Hi @flyroom, Thank you for the report!

@JacobBarthelmeh (Contributor)

@flyroom PR #2465 was merged in to fix the reported issue.
