bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/linux/dos/46626.txt
Offensive Security e4e3f1c741 DB: 2019-03-29 
15 changes to exploits/shellcodes

Microsoft Visio 2016 16.0.4738.1000 - 'Log in accounts' Denial of Service
gnutls 3.6.6 - 'verify_crt()' Use-After-Free

Microsoft Windows Task Scheduler (Windows XP/2000) - '.job' (MS04-022)
Microsoft Windows Task Scheduler (XP/2000) - '.job' (MS04-022)
Multiple Vendor BIOS - Keyboard Buffer Password Persistence Weakness (1)
Multiple Vendor BIOS - Keyboard Buffer Password Persistence Weakness (2)
Multiple Vendor BIOS - Keyboard Buffer Password Persistence (1)
Multiple Vendor BIOS - Keyboard Buffer Password Persistence (2)

NXP Semiconductors MIFARE Classic Smartcard - Multiple Security Weaknesses
NXP Semiconductors MIFARE Classic Smartcard - Multiple Vulnerabilities

Accellion Secure File Transfer Appliance - Multiple Command Restriction Weakness Privilege Escalations
Accellion Secure File Transfer Appliance - Multiple Command Restriction / Privilege Escalations

EncFS 1.6.0 - Flawed CBC/CFB Cryptography Implementation Weaknesses
EncFS 1.6.0 - Flawed CBC/CFB Cryptography Implementation
PonyOS 3.0 - VFS Permissions
PonyOS 3.0 - ELF Loader Privilege Escalation
PonyOS 3.0 - TTY 'ioctl()' Kernel Local Privilege Escalation
Linux Kernel (PonyOS 3.0) - VFS Permissions Local Privilege Escalation
Linux Kernel (PonyOS 3.0) - ELF Loader Local Privilege Escalation
Linux Kernel (PonyOS 3.0) - TTY 'ioctl()' Local Privilege Escalation

PonyOS 4.0 - 'fluttershy' LD_LIBRARY_PATH Kernel Privilege Escalation
Linux Kernel (PonyOS 4.0) - 'fluttershy' LD_LIBRARY_PATH Local Privilege Escalation
Microsoft Windows Manager (Windows 7 x86) - Menu Management Component UAF Privilege Elevation
Microsoft Windows Kernel (Windows 7 x86) - Local Privilege Escalation (MS17-017)
Microsoft Windows Kernel (Windows 7 x86) - Local Privilege Escalation (MS16-039)
Microsoft Windows Manager (7 x86) - Menu Management Component UAF Privilege Elevation
Microsoft Windows Kernel (7 x86) - Local Privilege Escalation (MS17-017)
Microsoft Windows Kernel (7 x86) - Local Privilege Escalation (MS16-039)

Microsoft Windows MSHTML Engine - _Edit_ Remote Code Execution
Microsoft Windows MSHTML Engine - 'Edit' Remote Code Execution

Base64 Decoder 1.1.2 - Local Buffer Overflow (SEH Egghunter)

Linux Kernel 2.2 - TCP/IP Weakness Spoof IP
Linux Kernel 2.2 - TCP/IP Spoof IP

Microsoft Windows Media Encoder (Windows XP SP2) - 'wmex.dll' ActiveX Buffer Overflow (MS08-053)
Microsoft Windows Media Encoder (XP SP2) - 'wmex.dll' ActiveX Buffer Overflow (MS08-053)
Qualcomm Eudora 6.0.1/6.1.1 - Attachment LaunchProtect Warning Bypass Weakness (1)
Qualcomm Eudora 6.0.1/6.1.1 - Attachment LaunchProtect Warning Bypass Weakness (2)
Qualcomm Eudora 6.0.1/6.1.1 - Attachment LaunchProtect Warning Bypass (1)
Qualcomm Eudora 6.0.1/6.1.1 - Attachment LaunchProtect Warning Bypass (2)
Microsoft Internet Explorer 5/6 / Mozilla 1.2.1 - URI Display Obfuscation Weakness (1)
Microsoft Internet Explorer 5/6 / Mozilla 1.2.1 - URI Display Obfuscation Weakness (2)
Microsoft Internet Explorer 5/6 / Mozilla 1.2.1 - URI Display Obfuscation (1)
Microsoft Internet Explorer 5/6 / Mozilla 1.2.1 - URI Display Obfuscation (2)
PHP 5.2.6 - 'create_function()' Code Injection Weakness (2)
PHP 5.2.6 - 'create_function()' Code Injection Weakness (1)
PHP 5.2.6 - 'create_function()' Code Injection (2)
PHP 5.2.6 - 'create_function()' Code Injection (1)
GNU Classpath 0.97.2 - 'gnu.java.security.util.PRNG' Class Entropy Weakness (1)
GNU Classpath 0.97.2 - 'gnu.java.security.util.PRNG' Class Entropy Weakness (2)
GNU Classpath 0.97.2 - 'gnu.java.security.util.PRNG' Class Entropy (1)
GNU Classpath 0.97.2 - 'gnu.java.security.util.PRNG' Class Entropy (2)
WebKit - Insufficient Entropy Random Number Generator Weakness (1)
WebKit - Insufficient Entropy Random Number Generator Weakness (2)
WebKit - Insufficient Entropy Random Number Generator (1)
WebKit - Insufficient Entropy Random Number Generator (2)

SonicWALL - SessId Cookie Brute Force Weakness Admin Session Hijacking
SonicWALL - 'SessId' Cookie Brute Force / Admin Session Hijacking

Microsoft Windows Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010)
Microsoft Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010)

Microsoft Windows Windows 7/2008 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)
Microsoft Windows 7/2008 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)

Microsoft Windows Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)
Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)

elFinder PHP Connector < 2.1.48 - exiftran Command Injection (Metasploit)
elFinder PHP Connector < 2.1.48 - 'exiftran' Command Injection (Metasploit)

Jenkins 2.137 and Pipeline Groovy Plugin 2.61 - ACL Bypass and Metaprogramming RCE (Metasploit)
Jenkins 2.137 and Pipeline Groovy Plugin 2.61 - ACL Bypass and Metaprogramming Remote Code Execution (Metasploit)
CMS Made Simple (CMSMS) Showtime2 - File Upload RCE (Metasploit)
Oracle Weblogic Server Deserialization RCE - Raw Object (Metasploit)
Typo3 3.5 b5 - HTML Hidden Form Field Information Disclosure Weakness (1)
Typo3 3.5 b5 - HTML Hidden Form Field Information Disclosure Weakness (2)
Typo3 3.5 b5 - HTML Hidden Form Field Information Disclosure (1)
Typo3 3.5 b5 - HTML Hidden Form Field Information Disclosure (2)

LemonLDAP:NG 0.9.3.1 - User Enumeration Weakness / Cross-Site Scripting
LemonLDAP:NG 0.9.3.1 - User Enumeration / Cross-Site Scripting

Novell Teaming 1.0 - User Enumeration Weakness / Multiple Cross-Site Scripting Vulnerabilities
Novell Teaming 1.0 - User Enumeration / Multiple Cross-Site Scripting Vulnerabilities

MotoCMS - admin/data/users.xml Access Restriction Weakness Information Disclosure
MotoCMS - 'admin/data/users.xml' Access Restriction / Information Disclosure

Coppermine Gallery < 1.5.44 - Directory Traversal Weaknesses
Coppermine Gallery < 1.5.44 - Directory Traversal

Tenda W308R v2 Wireless Router 5.07.48 - Cookie Session Weakness Remote DNS Change
Tenda W308R v2 Wireless Router 5.07.48 - (Cookie Session) Remote DNS Change

Cobub Razor 0.8.0 - Physical path Leakage
Cobub Razor 0.8.0 - Physical Path Leakage
Thomson Reuters Concourse & Firm Central < 2.13.0097 - Directory Traversal / Local File Inclusion
Airbnb Clone Script - Multiple SQL Injection
Fat Free CRM 0.19.0 - HTML Injection
WordPress Plugin Anti-Malware Security and Brute-Force Firewall 4.18.63 - Local File Inclusion
WordPress Plugin Loco Translate 2.2.1 - Local File Inclusion
i-doit 1.12 - 'qr.php' Cross-Site Scripting
Job Portal 3.1 - 'job_submit' SQL Injection
BigTree 4.3.4 CMS - Multiple SQL Injection
Jettweb PHP Hazır Rent A Car Sitesi Scripti V2 - 'arac_kategori_id' SQL Injection
2019-03-29 05:01:59 +00:00

158 lines
No EOL
8.3 KiB
Text
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

## Description of problem:
This is a critical memory corruption vulnerability in any API backed by `verify_crt()`, including `gnutls_x509_trust_list_verify_crt()` and related routines. I suspect any client or server that verifies X.509 certificates with GnuTLS is likely affected and can be compromised by a malicious server or active network attacker.
In multi-threaded-clients this is a use-after-free vulnerability, and a double-free vulnerability in single-threaded clients.
The core bug is that `_gnutls_x509_get_signature` does not clear `signature->data` in the cleanup path:
[lib/x509/common.c](https://gitlab.com/gnutls/gnutls/blob/master/lib/x509/common.c#L1367)
```c
cleanup:
gnutls_free(signature->data); // <- pointer in datum parameter freed, but not cleared
return result;
}
```
Callers like `check_if_ca` assume that if `_gnutls_x509_get_signature` ever sets that parameter, then it can be safely freed, but that is not true:
[lib/x509/verify.c](https://gitlab.com/gnutls/gnutls/blob/master/lib/x509/verify.c#L180)
```c
ret =
_gnutls_x509_get_signature(cert->cert, "signature",
&cert_signature);
if (ret < 0) {
gnutls_assert();
goto fail;
}
// ...
fail:
result = 0;
cleanup:
_gnutls_free_datum(&cert_signed_data);
_gnutls_free_datum(&issuer_signed_data);
_gnutls_free_datum(&cert_signature); // <--- freed again
_gnutls_free_datum(&issuer_signature);
return result;
}
```
## Version of gnutls used:
gnutls-3.6.6.tar.xz
## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Built from source.
## How reproducible: 100%
Steps to Reproduce:
* Download the attached PEM bundle and save it as `_gnutls_x509_get_signature.pem`
* Run `certtool --verify-chain --infile _gnutls_x509_get_signature.pem`
## Actual results:
``` certtool --verify-chain --infile [_gnutls_x509_get_signature.pem](/uploads/904ec642a8943ce4571b19cc66f10986/_gnutls_x509_get_signature.pem)
Subject: CN=VeriSign Class 3 Code Signing 2010 CA,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US
Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=(c) 2006 VeriSign\, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US
Signature algorithm: RSA-SHA1
Output: Not verified. The certificate is NOT trusted. The certificate issuer is unknown. The certificate chain uses insecure algorithm.
Subject: CN=VeriSign Class 3 Code Signing 2010 CA,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US
Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=(c) 2006 VeriSign\, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US
Checked against: CN=VeriSign Class 3 Code Signing 2010 CA,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US
Signature algorithm: RSA-SHA1
Output: Verified. The certificate is trusted.
*** Error in `certtool': double free or corruption (!prev): 0x000056069d657ef0 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x70bcb)[0x7fc502b8ebcb]
/lib/x86_64-linux-gnu/libc.so.6(+0x76f96)[0x7fc502b94f96]
/lib/x86_64-linux-gnu/libc.so.6(+0x777de)[0x7fc502b957de]
/usr/lib/x86_64-linux-gnu/libgnutls.so.30(+0xcfe50)[0x7fc50437ee50]
/usr/lib/x86_64-linux-gnu/libgnutls.so.30(+0xd0f76)[0x7fc50437ff76]
/usr/lib/x86_64-linux-gnu/libgnutls.so.30(gnutls_x509_trust_list_verify_crt2+0x44c)[0x7fc50438fe8c]
/usr/lib/x86_64-linux-gnu/libgnutls.so.30(gnutls_x509_trust_list_verify_crt+0x15)[0x7fc504390385]
certtool(+0xdff0)[0x56069cda2ff0]
certtool(+0x13570)[0x56069cda8570]
certtool(+0xc5c9)[0x56069cda15c9]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1)[0x7fc502b3e2b1]
certtool(+0xc60a)[0x56069cda160a]
```
## Expected results:
No memory corruption.
```
Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1 0x00007ffff65a83fa in __GI_abort () at abort.c:89
#2 0x00007ffff65e4bd0 in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7ffff66d9d58 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3 0x00007ffff65eaf96 in malloc_printerr (action=3, str=0x7ffff66d9dd0 "double free or corruption (!prev)", ptr=<optimized out>, ar_ptr=<optimized out>) at malloc.c:5049
#4 0x00007ffff65eb7de in _int_free (av=0x7ffff690db00 <main_arena>, p=0x5555557ddf00, have_lock=0) at malloc.c:3905
#5 0x00007ffff7aa14e4 in _gnutls_free_datum (dat=0x7fffffffcf70) at ./../datum.h:47
#6 0x00007ffff7aa1dab in check_if_ca (cert=0x5555557ce9d0, issuer=0x5555557c7d50, max_path=0x7fffffffd0a8, flags=4) at verify.c:244
#7 0x00007ffff7aa56c4 in verify_crt (cert=0x5555557ce9d0, trusted_cas=0x555555797880, tcas_size=1, flags=4, output=0x7fffffffd0d0, vparams=0x7fffffffd0a0, end_cert=1) at verify.c:732
#8 0x00007ffff7aa604c in _gnutls_verify_crt_status (certificate_list=0x7fffffffd160, clist_size=1, trusted_cas=0x555555797880, tcas_size=1, flags=4, purpose=0x0, func=0x55555556536a <detailed_verification>) at verify.c:975
#9 0x00007ffff7abcd97 in gnutls_x509_trust_list_verify_crt2 (list=0x5555557c2ab0, cert_list=0x7fffffffd160, cert_list_size=2, data=0x0, elements=0, flags=4, voutput=0x7fffffffd350, func=0x55555556536a <detailed_verification>) at verify-high.c:1366
#10 0x00007ffff7abc44b in gnutls_x509_trust_list_verify_crt (list=0x5555557c2ab0, cert_list=0x5555557c42e0, cert_list_size=2, flags=4, voutput=0x7fffffffd350, func=0x55555556536a <detailed_verification>) at verify-high.c:1197
#11 0x0000555555565f91 in _verify_x509_mem (cert=0x5555557bfeb0, cert_size=7141, cinfo=0x7fffffffd400, use_system_trust=0, purpose=0x0, hostname=0x0, email=0x0) at certtool.c:2396
#12 0x0000555555566245 in verify_chain (cinfo=0x7fffffffd400) at certtool.c:2466
#13 0x0000555555563867 in cmd_parser (argc=4, argv=0x7fffffffd5e8) at certtool.c:1406
#14 0x00005555555605ff in main (argc=4, argv=0x7fffffffd5e8) at certtool.c:126
(gdb) frame 6
#6 0x00007ffff7aa1dab in check_if_ca (cert=0x5555557ce9d0, issuer=0x5555557c7d50, max_path=0x7fffffffd0a8, flags=4) at verify.c:244
244 _gnutls_free_datum(&cert_signature);
(gdb) p cert_signature
$1 = {data = 0x5555557ddf10 "Xې\366\377\177", size = 0}
(gdb)
```
I have verified this patch against HEAD fixes the issue:
```diff
diff --git a/lib/x509/common.c b/lib/x509/common.c
index 9ce427522..3f9e04202 100644
--- a/lib/x509/common.c
+++ b/lib/x509/common.c
@@ -1366,6 +1366,8 @@ _gnutls_x509_get_signature(ASN1_TYPE src, const char *src_name,
cleanup:
gnutls_free(signature->data);
+ signature->data = NULL;
+ signature->size = 0;
return result;
}
```
This update should fix another issue I noticed, the outer signatureAlgorithm parameters were not being compared to the tbsCertificate signatureAlgorithm parameters. It is required that these two fields match, otherwise an attacker can change the parameters without breaking the signature. Thanks to agl@ for helping me understand how it works.
It turns out only one algorithm actually used the parameters, RSA-PSS, and the parameters included a hash algorithm. I suppose this may have let you downgrade hash algorithm, but only from SHA-512 to SHA-256 or something similar, and some other less interesting parameters. I'm not a cryptographer, it feels like this may have further consequences but I don't know, so I filed it as a non-security bug:
https://gitlab.com/gnutls/gnutls/issues/698
It turns out that GnuTLS thought they were checking the parameters, but due to a typo they were checking them against themselves:
https://gitlab.com/gnutls/gnutls/commit/93e1ace816955da65dec5342494d4188514731be
The patch was easy:
- ret = _gnutls_x509_read_value(cert->cert, "signatureAlgorithm.parameters", &sp2);
+ ret = _gnutls_x509_read_value(cert->cert, "tbsCertificate.signature.parameters", &sp2);
And they added a testcase I made to their testsuite.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46626.zip
Reference in a new issue View git blame Copy permalink