The problem appears to be a NULL pointer dereference in X509_PUBKEY_set() when pkey is NULL. I attached a patch that fixes the issue.

After patch output (openssl x509 -x509toreq -in test76crash -out /dev/null -signkey test.key):

Getting request Private Key
Generating certificate request
140735115264848:error:0D078095:asn1 encoding routines:ASN1_ITEM_EX_D2I:sequence not constructed:tasn_dec.c:376:Type=RSA
140735115264848:error:0408B004:rsa routines:RSA_PUB_DECODE:RSA lib:rsa_ameth.c:99:
140735115264848:error:0B07707D:x509 certificate routines:X509_PUBKEY_get:public key decode error:x_pubkey.c:154:

Kurt Cancemi
https://www.x64architecture.com

> On Feb 17, 2015, at 4:49 PM, Brian Carpenter via RT <[email protected]> wrote:
>
> Good morning. I'm reporting a segfault in openssl via the command line
> "openssl x509 -x509toreq -in testcase -out /dev/null -signkey test.key"
> using a malformed certificate. I'm using american fuzzy lop (
> http://lcamtuf.coredump.cx/afl/) to fuzz openssl.
>
> The testcase, which I've attached to this email, is a mutation of a valid
> ssl certificate. Doesn't appear to be exploitable according to CERT's
> exploitable plugin (https://github.com/jfoote/exploitable) for GDB, but
> there are smarter people than I out there in the world.
>
> I compiled openssl with the afl-gcc included with american fuzzy lop for
> instrumenting binaries:
> CC=/path/to/afl-gcc ./config
> AFL_HARDEN=1 make -j8
>
> OpenSSL 1.1.0-dev xx XXX xxxx
>
> Here is the output from GDB:
> Getting request Private Key
> Generating certificate request
>
> Program received signal SIGSEGV, Segmentation fault.
> [----------------------------------registers-----------------------------------]
> RAX: 0x10165f0 --> 0x1019110 --> 0xd230c0 --> 0xd1c02a -->
> 0x7372004645444e55 ('UNDEF')
> RBX: 0x10165f0 --> 0x1019110 --> 0xd230c0 --> 0xd1c02a -->
> 0x7372004645444e55 ('UNDEF')
> RCX: 0x0
> RDX: 0x0
> RSI: 0x7fffffffd7a0 --> 0x10165f0 --> 0x1019110 --> 0xd230c0 --> 0xd1c02a
> --> 0x7372004645444e55 ('UNDEF')
> RDI: 0x1
> RBP: 0x1016bf8 --> 0x10165b0 --> 0x1016f00 --> 0xd230c0 --> 0xd1c02a -->
> 0x7372004645444e55 ('UNDEF')
> RSP: 0x7fffffffd7f0 --> 0x10170e0 --> 0x1016410 --> 0x1017380 -->
> 0x200000001
> RIP: 0x93bbd0 (<X509_PUBKEY_set+240>: mov rax,QWORD PTR [r12+0x10])
> R8 : 0x1019170 --> 0x6e4135700000000d ('\r')
> R9 : 0x0
> R10: 0xa ('\n')
> R11: 0x7ffff78d0556 (<__memset_sse2+230>: mov QWORD PTR [rdi-0x10],rdx)
> R12: 0x0
> R13: 0x0
> R14: 0x1016f60 --> 0x600000006
> R15: 0x0
> EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction
> overflow)
> [-------------------------------------code-------------------------------------]
> 0x93bbbe <X509_PUBKEY_set+222>: mov rcx,QWORD PTR [rsp+0x8]
> 0x93bbc3 <X509_PUBKEY_set+227>: mov rax,QWORD PTR [rsp+0x10]
> 0x93bbc8 <X509_PUBKEY_set+232>: lea rsp,[rsp+0x98]
> => 0x93bbd0 <X509_PUBKEY_set+240>: mov rax,QWORD PTR [r12+0x10]
> 0x93bbd5 <X509_PUBKEY_set+245>: test rax,rax
> 0x93bbd8 <X509_PUBKEY_set+248>: je 0x93beb8 <X509_PUBKEY_set+984>
> 0x93bbde <X509_PUBKEY_set+254>: xchg ax,ax
> 0x93bbe0 <X509_PUBKEY_set+256>: lea rsp,[rsp-0x98]
> [------------------------------------stack-------------------------------------]
> 0000| 0x7fffffffd7f0 --> 0x10170e0 --> 0x1016410 --> 0x1017380 -->
> 0x200000001
> 0008| 0x7fffffffd7f8 --> 0x7bd4d239a33a7400
> 0016| 0x7fffffffd800 --> 0x1016580 --> 0x1016bd0 --> 0x0
> 0024| 0x7fffffffd808 --> 0x1016bd0 --> 0x0
> 0032| 0x7fffffffd810 --> 0x1018b10 --> 0x200000001
> 0040| 0x7fffffffd818 --> 0x9e9cee (<X509_to_X509_REQ+398>: mov rdi,r13)
> 0048| 0x7fffffffd820 --> 0x7fffffffd840 --> 0x10170e0 --> 0x1016410 -->
> 0x1017380 --> 0x200000001
> 0056| 0x7fffffffd828 --> 0x7bd4d239a33a7400
> [------------------------------------------------------------------------------]
> Legend: code, data, rodata, value
> Stopped reason: SIGSEGV
> 0x000000000093bbd0 in X509_PUBKEY_set ()
> gdb-peda$ exploit
> Description: Access violation near NULL on source operand
> Short description: SourceAvNearNull (16/22)
> Hash: edf4ff3908740b6c9ac6ab3fe1b764d4.edf4ff3908740b6c9ac6ab3fe1b764d4
> Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
> Explanation: The target crashed on an access violation at an address
> matching the source operand of the current instruction. This likely
> indicates a read access violation, which may mean the application crashed
> on a simple NULL dereference to data structure that has no immediate effect
> on control of the processor.
> Other tags: AccessViolation (21/22)
>
> and Valgrind:
> Getting request Private Key
> Generating certificate request
> ==59041== Invalid read of size 8
> ==59041==    at 0x93BBD0: X509_PUBKEY_set (x_pubkey.c:99)
> ==59041==    by 0x9E9CED: X509_to_X509_REQ (x509_req.c:95)
> ==59041==    by 0x46F925: x509_main (x509.c:941)
> ==59041==    by 0x40C377: do_cmd (openssl.c:472)
> ==59041==    by 0x40B78D: main (openssl.c:366)
> ==59041== Address 0x10 is not stack'd, malloc'd or (recently) free'd
> ==59041==
> ==59041==
> ==59041== Process terminating with default action of signal 11 (SIGSEGV)
> ==59041== Access not within mapped region at address 0x10
> ==59041==    at 0x93BBD0: X509_PUBKEY_set (x_pubkey.c:99)
> ==59041==    by 0x9E9CED: X509_to_X509_REQ (x509_req.c:95)
> ==59041==    by 0x46F925: x509_main (x509.c:941)
> ==59041==    by 0x40C377: do_cmd (openssl.c:472)
> ==59041==    by 0x40B78D: main (openssl.c:366)
> ==59041== If you believe this happened as a result of a stack
> ==59041== overflow in your program's main thread (unlikely but
> ==59041== possible), you can try to increase the size of the
> ==59041== main thread stack using the --main-stacksize= flag.
> ==59041== The main thread stack size used in this run was 8388608.
> Segmentation fault
>
> <test76crash.gz>_______________________________________________
> openssl-dev mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
0001-Fix-NULL-pointer-dereference-in-X509_PUBKEY_set.patch
Description: Binary data
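
The crash pattern from this report, as an added example that is neither OpenSSL's code nor the attached patch: a decode step returns NULL for a malformed key and the setter reads a field through that pointer. All `toy_*` names and the struct layout are assumptions, constructed so the field sits at offset 0x10 on LP64, matching the fault address reported above.

```c
#include <stddef.h>
#include <stdio.h>
/* Constructed stand-ins (assumptions), not OpenSSL's definitions. */
struct toy_method { int pkey_id; };
struct toy_pkey {
    int type, save_type, references;
    const struct toy_method *ameth;     /* offset 0x10 on LP64 */
};
struct toy_pubkey { int alg_id; };
/* Address touched when ->ameth is read through a NULL toy_pkey pointer. */
size_t toy_fault_address(void) { return offsetof(struct toy_pkey, ameth); }

/* Simulated decode: returns NULL when the input is not a DER SEQUENCE. */
static struct toy_pkey *toy_decode(const unsigned char *der, size_t len,
                                   struct toy_pkey *st)
{
    static const struct toy_method rsa = { 6 };
    if (der == NULL || len < 2 || der[0] != 0x30)
        return NULL;
    st->type = st->save_type = rsa.pkey_id;
    st->references = 1;
    st->ameth = &rsa;
    return st;
}

/* Hardened setter: the pkey == NULL test runs before any read of pkey->ameth. */
int toy_pubkey_set(struct toy_pubkey *out, const struct toy_pkey *pkey)
{
    if (out == NULL || pkey == NULL || pkey->ameth == NULL)
        return 0;                       /* error return instead of SIGSEGV */
    out->alg_id = pkey->ameth->pkey_id;
    return 1;
}

/* Caller shaped like the reported path: decode, then hand the result on. */
int toy_cert_to_req(const unsigned char *der, size_t len, struct toy_pubkey *out)
{
    struct toy_pkey storage;
    return toy_pubkey_set(out, toy_decode(der, len, &storage));
}

int main(void)
{
    const unsigned char malformed[] = { 0x02, 0x01, 0x00 };  /* constructed */
    struct toy_pubkey out = { 0 };
    int ok = toy_cert_to_req(malformed, sizeof malformed, &out);
    printf("fault offset 0x%zx, result %d\n", toy_fault_address(), ok);
    return 0;
}
```

Dropping the `pkey == NULL` test from `toy_pubkey_set` reproduces the invalid 8-byte read near address zero that the GDB and Valgrind output show.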
