Headline

CVE-2019-14431: Heap based buffer overflow while parsing DTLS messages (parseSSLHandshake) · Issue #30 · matrixssl/matrixssl

In MatrixSSL 3.8.3 Open through 4.2.1 Open, the DTLS server mishandles incoming network messages leading to a heap-based buffer overflow of up to 256 bytes and possible Remote Code Execution in parseSSLHandshake in sslDecode.c. During processing of a crafted packet, the server mishandles the fragment length value provided in the DTLS message.

5 years ago

CVE

Open in Source

#xss #linux #c++#rce #buffer_overflow #ssl

MatrixSSL DTLS server (in all publicly released versions including 4.2.1 OPEN) incorrectly handles incoming network messages leading to heap-buffer overwrite up to 256 bytes and possible Remote Code Execution.
During processing of a crafted packet, server incorrectly handles fragment length value provided in the DTLS message.

Proposed CVSS 3.0 score:

9.8 (High)
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Error message WITHOUT Address Sanitizer:

matrixssl-4-2-1-open$ apps/dtls/dtlsServer -p 44444
DTLS server running on port 44444
Select woke 1
Got REQUEST_RECV from ReceivedData
*** Error in `apps/dtls/dtlsServer': malloc(): memory corruption: 0x000000000142cde0 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7fcaee6a17e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x8213e)[0x7fcaee6ac13e]
/lib/x86_64-linux-gnu/libc.so.6(__libc_calloc+0xba)[0x7fcaee6aedca]
apps/dtls/dtlsServer[0x411405]
apps/dtls/dtlsServer[0x41631d]
apps/dtls/dtlsServer[0x403e84]
apps/dtls/dtlsServer[0x4020c6]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7fcaee64a830]
apps/dtls/dtlsServer[0x402969]
======= Memory map: ========
00400000-004a3000 r-xp 00000000 fd:01 273412                             matrixssl-4-2-1-open/apps/dtls/dtlsServer
006a2000-006a3000 r--p 000a2000 fd:01 273412                             matrixssl-4-2-1-open/apps/dtls/dtlsServer
006a3000-006a4000 rw-p 000a3000 fd:01 273412                             matrixssl-4-2-1-open/apps/dtls/dtlsServer
006a4000-006a5000 rw-p 00000000 00:00 0 
0142b000-0144c000 rw-p 00000000 00:00 0                                  [heap]
7fcae8000000-7fcae8021000 rw-p 00000000 00:00 0 
7fcae8021000-7fcaec000000 ---p 00000000 00:00 0 
7fcaee414000-7fcaee42a000 r-xp 00000000 fd:01 2039                       /lib/x86_64-linux-gnu/libgcc_s.so.1
7fcaee42a000-7fcaee629000 ---p 00016000 fd:01 2039                       /lib/x86_64-linux-gnu/libgcc_s.so.1
7fcaee629000-7fcaee62a000 rw-p 00015000 fd:01 2039                       /lib/x86_64-linux-gnu/libgcc_s.so.1
7fcaee62a000-7fcaee7ea000 r-xp 00000000 fd:01 28237                      /lib/x86_64-linux-gnu/libc-2.23.so
7fcaee7ea000-7fcaee9ea000 ---p 001c0000 fd:01 28237                      /lib/x86_64-linux-gnu/libc-2.23.so
7fcaee9ea000-7fcaee9ee000 r--p 001c0000 fd:01 28237                      /lib/x86_64-linux-gnu/libc-2.23.so
7fcaee9ee000-7fcaee9f0000 rw-p 001c4000 fd:01 28237                      /lib/x86_64-linux-gnu/libc-2.23.so
7fcaee9f0000-7fcaee9f4000 rw-p 00000000 00:00 0 
7fcaee9f4000-7fcaeea0c000 r-xp 00000000 fd:01 28170                      /lib/x86_64-linux-gnu/libpthread-2.23.so
7fcaeea0c000-7fcaeec0b000 ---p 00018000 fd:01 28170                      /lib/x86_64-linux-gnu/libpthread-2.23.so
7fcaeec0b000-7fcaeec0c000 r--p 00017000 fd:01 28170                      /lib/x86_64-linux-gnu/libpthread-2.23.so
7fcaeec0c000-7fcaeec0d000 rw-p 00018000 fd:01 28170                      /lib/x86_64-linux-gnu/libpthread-2.23.so
7fcaeec0d000-7fcaeec11000 rw-p 00000000 00:00 0 
7fcaeec11000-7fcaeec37000 r-xp 00000000 fd:01 28169                      /lib/x86_64-linux-gnu/ld-2.23.so
7fcaeee22000-7fcaeee26000 rw-p 00000000 00:00 0 
7fcaeee35000-7fcaeee36000 rw-p 00000000 00:00 0 
7fcaeee36000-7fcaeee37000 r--p 00025000 fd:01 28169                      /lib/x86_64-linux-gnu/ld-2.23.so
7fcaeee37000-7fcaeee38000 rw-p 00026000 fd:01 28169                      /lib/x86_64-linux-gnu/ld-2.23.so
7fcaeee38000-7fcaeee39000 rw-p 00000000 00:00 0 
7ffc6024d000-7ffc6026e000 rw-p 00000000 00:00 0                          [stack]
7ffc60394000-7ffc60397000 r--p 00000000 00:00 0                          [vvar]
7ffc60397000-7ffc60399000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
Aborted

Error message WITH Address Sanitizer:

==17575==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000dc11 at pc 0x7f28a22d7904 bp 0x7ffd81495f60 sp 0x7ffd81495708
WRITE of size 256 at 0x60200000dc11 thread T0
    #0 0x7f28a22d7903 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c903)
    #1 0x44109b in memcpy /usr/include/x86_64-linux-gnu/bits/string3.h:53
    #2 0x44109b in parseSSLHandshake matrixssl-4-2-1-open/matrixssl/sslDecode.c:2400
    #3 0x44109b in matrixSslDecodeTls12AndBelow matrixssl-4-2-1-open/matrixssl/sslDecode.c:1433
    #4 0x42da07 in matrixSslReceivedData matrixssl-4-2-1-open/matrixssl/matrixsslApi.c:1381
    #5 0x406f67 in main matrixssl-4-2-1-open/apps/dtls/dtlsServer.c:899
    #6 0x7f28a1a6082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #7 0x40af98 in _start (matrixssl-4-2-1-open/test_matrixssl_asan.exe+0x40af98)

0x60200000dc11 is located 0 bytes to the right of 1-byte region [0x60200000dc10,0x60200000dc11)
allocated by thread T0 here:
    #0 0x7f28a22e3602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x440b01 in parseSSLHandshake matrixssl-4-2-1-open/matrixssl/sslDecode.c:2344
    #2 0x440b01 in matrixSslDecodeTls12AndBelow matrixssl-4-2-1-open/matrixssl/sslDecode.c:1433

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memcpy
Shadow bytes around the buggy address:
  0x0c047fff9b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9b60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9b70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 00 04
=>0x0c047fff9b80: fa fa[01]fa fa fa 00 fa fa fa 00 fa fa fa 00 00
  0x0c047fff9b90: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff9ba0: fa fa 00 00 fa fa 00 07 fa fa 00 00 fa fa 00 00
  0x0c047fff9bb0: fa fa 00 00 fa fa 05 fa fa fa 00 02 fa fa 00 00
  0x0c047fff9bc0: fa fa 06 fa fa fa fd fd fa fa 00 01 fa fa 04 fa
  0x0c047fff9bd0: fa fa 00 06 fa fa 00 06 fa fa 06 fa fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==17575==ABORTING

Reproduction:

Download and compile MatrixSSL 4.2.1 OPEN (or earlier).
Run DTLS server:
cd matrixssl-4-2-1-open
apps/dtls/dtlsServer -p 44444
Unzip and send attached crafted message e.g. using netcat:
netcat -u $IP 44444 < crash_001_parseSSLHandshake_WRITE_256.raw
where $IP is IP of test server

crash_001_parseSSLHandshake_WRITE_256.raw.zip

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda

11 months ago

11 months ago

11 months ago

11 months ago

11 months ago