
libtasn1 Stack Write Overflow

Posted Mar 30, 2015
Authored by Hanno Boeck | Site hboeck.de

Fuzzing libtasn1 led to the discovery of a stack write overflow in the function _asn1_ltostr (file parser_aux.c). It overflows a temporary buffer variable on certain inputs.

tags | advisory, overflow
SHA-256 | 6564e0941811d6f26c35eb0f2deeda26a4f79f67cc76157b329dea8a102e4fd7

From
https://blog.fuzzing-project.org/6-Stack-overflow-in-libtasn1-TFPA-0022015.html

libtasn1 is a library to parse ASN.1 data structures. Its most
prominent user is GnuTLS.

Fuzzing libtasn1 led to the discovery of a stack write overflow in the
function _asn1_ltostr (file parser_aux.c). It overflows a temporary
buffer variable on certain inputs. This issue has been reported to the
developers on 2015-03-26. A fix was released on 2015-03-29.

The issue can be exposed with Valgrind or Address Sanitizer. The
Address Sanitizer output with detailed info is given below.

Git commit / fix
http://git.savannah.gnu.org/gitweb/?p=libtasn1.git;a=blobdiff;f=lib/parser_aux.c;h=da9a388fe3204d22f56a138af319ee8a9b77d7f0;hp=d3e9009d77317b0671e89ed6e680b83b58e1d213;hb=4d4f992826a4962790ecd0cce6fbba4a415ce149;hpb=77068c35a32cc31ba6b3af257921ca90696c7945
Release notes libtasn1 4.4
https://lists.gnu.org/archive/html/help-libtasn1/2015-03/msg00002.html
Sample input for stack overflow (to be used with examples/pkix.asn from the
libtasn1 source, e.g. src/asn1Decoding examples/pkix.asn
TFPA-2015-002-libtasn1-4.3-stack-overflow.crt PKIX1Implicit88.Certificate)
https://crashes.fuzzing-project.org/TFPA-2015-002-libtasn1-4.3-stack-overflow.crt

An earlier fuzzing effort led to the discovery of a null pointer
dereference error in the ASN.1 definition parser. This is unlikely to
have any security impact. Null pointer errors are usually not
exploitable and there are probably no scenarios where ASN.1 definitions
are attacker controlled. This issue has been reported to the libtasn1
developers on 2015-01-25 and was fixed on 2015-02-05. The fix was
delivered with the 4.3 release of libtasn1.

Report on mailing list
https://lists.gnu.org/archive/html/help-libtasn1/2015-01/msg00000.html
Git commit / fix
http://git.savannah.gnu.org/gitweb/?p=libtasn1.git;a=commit;h=edaff43f27c3e1bcf8317ecee9f733a995602b72
Sample input for null ptr (can be tested with asn1Decoding
TFPA-2015-002-libtasn1-4.2-null-ptr.asn x x)
https://crashes.fuzzing-project.org/TFPA-2015-002-libtasn1-4.2-null-ptr.asn

I want to thank libtasn1 developer Nikos Mavrogiannopoulos for the
quick fixes. Both issues were found with american fuzzy lop.

==4372==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff85a08084 at pc 0x43c180 bp 0x7fff85a07d10 sp 0x7fff85a07d00
WRITE of size 1 at 0x7fff85a08084 thread T0
    #0 0x43c17f in _asn1_ltostr /data/libtasn1/libtasn1-4.3/lib/parser_aux.c:574
    #1 0x41ee31 in _asn1_get_objectid_der /data/libtasn1/libtasn1-4.3/lib/decoding.c:397
    #2 0x41ee31 in asn1_der_decoding2 /data/libtasn1/libtasn1-4.3/lib/decoding.c:1225
    #3 0x423b0e in asn1_der_decoding /data/libtasn1/libtasn1-4.3/lib/decoding.c:1602
    #4 0x403692 in simple_decode /data/libtasn1/libtasn1-4.3/src/asn1Decoding.c:251
    #5 0x403692 in decode /data/libtasn1/libtasn1-4.3/src/asn1Decoding.c:280
    #6 0x403692 in main /data/libtasn1/libtasn1-4.3/src/asn1Decoding.c:205
    #7 0x7f94cb39af9f in __libc_start_main (/lib64/libc.so.6+0x1ff9f)
    #8 0x4046a1 (/data/libtasn1/libtasn1-4.3/src/asn1Decoding+0x4046a1)

Address 0x7fff85a08084 is located in stack of thread T0 at offset 564 in frame
    #0 0x419bdf in asn1_der_decoding2 /data/libtasn1/libtasn1-4.3/lib/decoding.c:980

  This frame has 10 object(s):
    [32, 36) 'len2'
    [96, 100) 'tag_len'
    [160, 164) 'len2'
    [224, 232) 'p'
    [288, 296) 'p2'
    [352, 360) 'ptail'
    [416, 424) 'p'
    [480, 489) 'temp'
    [544, 564) 'temp' <== Memory access at offset 564 overflows this variable
    [608, 736) 'temp'
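The report above shows _asn1_ltostr writing one byte past a 20-byte 'temp' object on the caller's stack. The following is an added example, not libtasn1's code: a bounded long-to-decimal conversion that takes the destination size and refuses to write when the value will not fit, together with the worst-case size arithmetic for a 64-bit long. LTOSTR_BUF_SIZE, ltostr_bounded, fits_in and converts_to are hypothetical names.

```c
#include <limits.h>
#include <stddef.h>
#include <string.h>

/* Worst case for a 64-bit long: '-' + 19 digits + NUL = 21 bytes, one more
 * than the 20-byte 'temp' object in the ASan report. Hypothetical name. */
#define LTOSTR_BUF_SIZE (1 + 19 + 1)

/* Bounded long-to-decimal conversion (hypothetical, not libtasn1's code).
 * Writes at most 'size' bytes including the NUL terminator; returns the
 * number of characters written, or -1 if the value would not fit. */
int ltostr_bounded(long v, char *out, size_t size)
{
    char tmp[LTOSTR_BUF_SIZE];
    size_t n = 0;
    int neg = v < 0;
    /* Negate in unsigned arithmetic so LONG_MIN is well defined. */
    unsigned long u = neg ? 0UL - (unsigned long)v : (unsigned long)v;

    do {                                 /* emit digits least significant first */
        tmp[n++] = (char)('0' + u % 10);
        u /= 10;
    } while (u);
    if (neg) tmp[n++] = '-';

    if (size == 0 || n + 1 > size) {     /* refuse instead of writing past 'out' */
        if (size) out[0] = '\0';
        return -1;
    }
    for (size_t i = 0; i < n; i++)       /* reverse into the caller's buffer */
        out[i] = tmp[n - 1 - i];
    out[n] = '\0';
    return (int)n;
}

/* Does 'v' fit in a destination of 'size' bytes? Mirrors the size check a
 * caller must make before handing over a fixed-size stack buffer. */
int fits_in(long v, size_t size)
{
    char buf[LTOSTR_BUF_SIZE];
    return ltostr_bounded(v, buf, size < sizeof buf ? size : sizeof buf) >= 0;
}

int converts_to(long v, const char *expected)
{
    char buf[LTOSTR_BUF_SIZE];
    return ltostr_bounded(v, buf, sizeof buf) >= 0 && strcmp(buf, expected) == 0;
}
```

On a 64-bit build fits_in(LONG_MIN, 20) returns 0 and fits_in(LONG_MIN, 21) returns 1, which is exactly the one-byte margin the sanitizer report shows.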


--
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@hboeck.de
GPG: BBB51E42
