CVE-2019-14431: Heap based buffer overflow while parsing DTLS messages (parseSSLHandshake) · Issue #30 · matrixssl/matrixssl
In MatrixSSL 3.8.3 Open through 4.2.1 Open, the DTLS server mishandles incoming network messages leading to a heap-based buffer overflow of up to 256 bytes and possible Remote Code Execution in parseSSLHandshake in sslDecode.c. During processing of a crafted packet, the server mishandles the fragment length value provided in the DTLS message.
The MatrixSSL DTLS server (in all publicly released versions, including 4.2.1 OPEN) incorrectly handles incoming network messages, leading to a heap-buffer overwrite of up to 256 bytes and possible Remote Code Execution.
During processing of a crafted packet, the server incorrectly handles the fragment length value provided in the DTLS message.
Proposed CVSS 3.0 score:
9.8 (High)
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Error message WITHOUT Address Sanitizer:
matrixssl-4-2-1-open$ apps/dtls/dtlsServer -p 44444
DTLS server running on port 44444
Select woke 1
Got REQUEST_RECV from ReceivedData
*** Error in `apps/dtls/dtlsServer': malloc(): memory corruption: 0x000000000142cde0 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7fcaee6a17e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x8213e)[0x7fcaee6ac13e]
/lib/x86_64-linux-gnu/libc.so.6(__libc_calloc+0xba)[0x7fcaee6aedca]
apps/dtls/dtlsServer[0x411405]
apps/dtls/dtlsServer[0x41631d]
apps/dtls/dtlsServer[0x403e84]
apps/dtls/dtlsServer[0x4020c6]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7fcaee64a830]
apps/dtls/dtlsServer[0x402969]
Aborted
Error message WITH Address Sanitizer:
==17575==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000dc11 at pc 0x7f28a22d7904 bp 0x7ffd81495f60 sp 0x7ffd81495708
WRITE of size 256 at 0x60200000dc11 thread T0
#0 0x7f28a22d7903 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c903)
#1 0x44109b in memcpy /usr/include/x86_64-linux-gnu/bits/string3.h:53
#2 0x44109b in parseSSLHandshake matrixssl-4-2-1-open/matrixssl/sslDecode.c:2400
#3 0x44109b in matrixSslDecodeTls12AndBelow matrixssl-4-2-1-open/matrixssl/sslDecode.c:1433
#4 0x42da07 in matrixSslReceivedData matrixssl-4-2-1-open/matrixssl/matrixsslApi.c:1381
#5 0x406f67 in main matrixssl-4-2-1-open/apps/dtls/dtlsServer.c:899
#6 0x7f28a1a6082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#7 0x40af98 in _start (matrixssl-4-2-1-open/test_matrixssl_asan.exe+0x40af98)
0x60200000dc11 is located 0 bytes to the right of 1-byte region [0x60200000dc10,0x60200000dc11)
allocated by thread T0 here:
#0 0x7f28a22e3602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x440b01 in parseSSLHandshake matrixssl-4-2-1-open/matrixssl/sslDecode.c:2344
#2 0x440b01 in matrixSslDecodeTls12AndBelow matrixssl-4-2-1-open/matrixssl/sslDecode.c:1433
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memcpy
==17575==ABORTING
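The trace above shows a 256-byte memcpy into a 1-byte heap allocation made a few lines earlier in parseSSLHandshake. The C fragment below is added here as an illustration and is not MatrixSSL code: it shows the two bounds checks a DTLS handshake-fragment parser needs before copying into a reassembly buffer sized from the message's 24-bit `length` field, namely that the fragment is actually present in the datagram and that it fits at `fragment_offset` within `length`. The header layout follows RFC 6347; the function and test names are assumed, and the constructed test vector mirrors the 1-byte/256-byte mismatch of the report rather than the attached crash file.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define DTLS_HS_HDR_LEN 12  /* RFC 6347 4.2.2: 12-byte handshake header */

static uint32_t be24(const uint8_t *p) {
    return ((uint32_t)p[0] << 16) | ((uint32_t)p[1] << 8) | p[2];
}
/* Validate one DTLS handshake fragment against its own header and the
 * datagram it arrived in, then copy it into a reassembly buffer sized from
 * the message length. Returns 0 (buffer via out, caller frees) or -1. */
int dtls_copy_fragment(const uint8_t *rec, size_t rec_len,
                       uint8_t **out, uint32_t *out_len) {
    if (rec_len < DTLS_HS_HDR_LEN) return -1;
    uint32_t msg_len  = be24(rec + 1);  /* length of whole handshake msg */
    uint32_t frag_off = be24(rec + 6);  /* fragment_offset */
    uint32_t frag_len = be24(rec + 9);  /* fragment_length */
    /* The fragment must physically be present in the datagram ... */
    if (frag_len > rec_len - DTLS_HS_HDR_LEN) return -1;
    /* ... and must fit inside the message it claims to belong to.
     * Both operands are 24-bit values, so the subtraction cannot wrap. */
    if (frag_off > msg_len || frag_len > msg_len - frag_off) return -1;
    uint8_t *buf = calloc(msg_len ? msg_len : 1, 1);
    if (!buf) return -1;
    memcpy(buf + frag_off, rec + DTLS_HS_HDR_LEN, frag_len);  /* bounded */
    *out = buf;
    *out_len = msg_len;
    return 0;
}

/* Test helper: header with the given length and fragment_length
 * (fragment_offset 0) followed by `body` zero bytes; returns the rc. */
static int run_case(uint32_t msg_len, uint32_t frag_len, size_t body) {
    uint8_t *pkt = calloc(DTLS_HS_HDR_LEN + body, 1);
    if (!pkt) return -1;
    pkt[0] = 1;                                      /* msg_type ClientHello */
    pkt[1] = msg_len >> 16;  pkt[2] = msg_len >> 8;   pkt[3] = msg_len;
    pkt[9] = frag_len >> 16; pkt[10] = frag_len >> 8; pkt[11] = frag_len;
    uint8_t *buf = NULL; uint32_t n = 0;
    int rc = dtls_copy_fragment(pkt, DTLS_HS_HDR_LEN + body, &buf, &n);
    free(buf); free(pkt);
    return rc;
}

/* Constructed: length = 1 but fragment_length = 256, the same 1-byte
 * allocation vs 256-byte write shape as the ASan report. Rejected (-1). */
int demo_oversized_fragment(void) { return run_case(1, 256, 256); }
/* Constructed: consistent 40-byte single-fragment message. Accepted (0). */
int demo_valid_fragment(void)     { return run_case(40, 40, 40); }
```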
Reproduction:
Download and compile MatrixSSL 4.2.1 OPEN (or earlier).
Run the DTLS server:
cd matrixssl-4-2-1-open
apps/dtls/dtlsServer -p 44444
Unzip and send the attached crafted message, e.g. using netcat:
netcat -u $IP 44444 < crash_001_parseSSLHandshake_WRITE_256.raw
where $IP is the IP address of the test server.
crash_001_parseSSLHandshake_WRITE_256.raw.zip