Bug 1464141
| Summary: | The _asn1_check_identifier function in GNU Libtasn1 before 4.12(including 4.12) causes a NULL pointer dereference and crash when a NULL value assigned to value member in asn1_node. It will lead to a remote denial of service attack. | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | owl337 <v.owl337> | ||||
| Component: | libtasn1 | Assignee: | Nikos Mavrogiannopoulos <nmavrogi> | ||||
| Status: | CLOSED UPSTREAM | QA Contact: | BaseOS QE Security Team <qe-baseos-security> | ||||
| Severity: | high | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | 7.5-Alt | CC: | carnil, meissner, szidek | ||||
| Target Milestone: | rc | Keywords: | Security | ||||
| Target Release: | --- | ||||||
| Hardware: | x86_64 | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2017-07-20 08:20:41 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
Hi, Thank you for reporting that. I'd recommend to provide more information when reporting vulnerabilities. What you provide above is insufficient, e.g., how can you exploit the issue you report? To the specifics, there are two calls to _asn1_check_identifier(), one from ASN1.y which is used for the parsing of developer-provided file and structure.c in asn1_array2tree() where the developer-provided file is converted to an array. Neither of these uses can lead to a vulnerability. (In reply to Nikos Mavrogiannopoulos from comment #2) > Hi, > Thank you for reporting that. I'd recommend to provide more information > when reporting vulnerabilities. What you provide above is insufficient, > e.g., how can you exploit the issue you report? > > To the specifics, there are two calls to _asn1_check_identifier(), one from > ASN1.y which is used for the parsing of developer-provided file and > structure.c in asn1_array2tree() where the developer-provided file is > converted to an array. Neither of these uses can lead to a vulnerability. Thanks for your reminding. There were many other applications on parsing asn1 syntax used asn1_array2tree or asn1_parser2array function. For example, https://github.com/FrUh/BitPunch/blob/master/lib/src/bitpunch/asn1/asn1.c . In addtion, there should be lots of serialization-based applications need asn1 synax self-definetion that exist the risk for suffering the dos attack. I still do not see how can this be exploited. Hi owl337, Please report these issues to upstream libtasn1 project, if you haven't already done so. Thanks. |
Created attachment 1290728 [details] the vulnerability is triggered by ./asn1Parser $FILE Description of problem: The _asn1_check_identifier function in GNU Libtasn1 before 4.12(including 4.12) cause a NULL pointer dereference and crash when a NULL value assigned to value member in asn1_node. It will lead to a remote denial of service attack. Version-Release number of selected component (if applicable): from 2.0 to 4.12, 37 versions in total How reproducible: ./asn1Parser POC Steps to Reproduce: $ gdb ./install/bin/asn1Parser (gdb) set args POC (gdb) r … Program received signal SIGSEGV, Segmentation fault. strlen () at ../sysdeps/x86_64/strlen.S:106 106 ../sysdeps/x86_64/strlen.S: No such file or directory. (gdb) bt #0 strlen () at ../sysdeps/x86_64/strlen.S:106 #1 0x00007ffff7bd0b9b in _asn1_str_cat (dest=0x7fffffffe250 "PKIX1Implicit88.", dest_tot_size=130, src=0x0) at gstr.c:34 #2 0x00007ffff7bd1c2d in _asn1_check_identifier (node=0x628c50) at parser_aux.c:972 #3 0x00007ffff7bcb3e7 in asn1_parser2array ( inputFileName=inputFileName@entry=0x604010 "/home/company/real/POC", outputFileName=outputFileName@entry=0x0, vectorName=vectorName@entry=0x0, error_desc=error_desc@entry=0x7fffffffe380 "o\a@") at ASN1.y:780 #4 0x0000000000400fbb in main (argc=<optimized out>, argv=0x7fffffffe528) at asn1Parser.c:166 Actual results: denial of service Expected results: denial of service Additional info: This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao and chaoz.cn if you need more info about the team, the tool or the vulnerability