| Title | Published | Views | Family |
|---|---|---|---|
| GnuTLS libgnutls Double-free Certificate List Parsing Remote DoS | 22 Mar 2013 00:00 | – | zdt |
| CVE-2012-1663 | 13 Mar 2012 22:00 | – | cve |
| CVE-2012-1663 | 13 Mar 2012 22:00 | – | cvelist |
| CVE-2012-1663 | 13 Mar 2012 22:00 | – | debiancve |
| EUVD-2012-1673 | 7 Oct 2025 00:30 | – | euvd |
| GnuTLS libgnutls - Double-Free Certificate List Parsing Remote Denial of Service | 22 Mar 2013 00:00 | – | exploitpack |
| CVE-2012-1663 | 13 Mar 2012 22:55 | – | nvd |
| openSUSE Security Update : gnutls (openSUSE-SU-2012:0620-1) | 13 Jun 2014 00:00 | – | nessus |
| openSUSE Security Update : gnutls (openSUSE-SU-2013:0283-1) | 13 Jun 2014 00:00 | – | nessus |
| DEBIAN-CVE-2012-1663 | 13 Mar 2012 22:55 | – | osv |
Sorry I forgot to write headers in previous mail.
# Exploit Title: [possible ways to exploit CVE-2012-1663 (GNUTLS-3.0.13)]
# Google Dork: [if relevant] (we will automatically add these to the GHDB)
# Date: [Mar 20, 2013]
# Exploit Author: [Shawn the R0ck]
# Vendor Homepage: [http://www.gnutls.org/]
# Software Link: [download link if available]
# Version: [<= 3.0.13]
# Tested on: [GNU/Linux]
# CVE : [CVE-2012-1663]
PoC: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/24865.tar.bz2
I'm glad to share this with you guys. The test code is attached. You
can also find it here:
https://github.com/citypw/arsenal-4-sec-testing/tree/master/libgnutls/CVE-2012-1663
CVE-2012-1663 [1] is a possible remote DoS issue. This issue has
been fixed [2] in >= GNUTLS-3.0.14. I hacked on it for hours and figured out
a few prerequisites that could make it vulnerable:
=============================
REQUIRED:
- prior to GNUTLS 3.0.14
- crafted certificate
=============================
Attack scenarios:
- a client imports a crafted cert file for sending a request to a server (CA?)
- a "server" imports a crafted cert file for sending a request to another
  server (CA?)
---> with high-frequency use of the above manipulations
Standing on the client side, the attacker should try to construct a
crafted certificate that makes the function below fail:

    ret = gnutls_pubkey_import_x509(pcert->pubkey, crt, 0);
    if (ret < 0)
      {
        gnutls_pubkey_deinit(pcert->pubkey);
        /* pcert->pubkey should be NULL now */
        ret = gnutls_assert_val(ret);
        goto cleanup;
      }
I made up two crafted cert files (client.pem, client2.pem) that seem to
trigger the double free issue on the client's side.
Warning: Don't try it on your host machine because it would cost too
much memory and make your machine very slow.
shawn@sl13:~/gnutls_compile_uses/CVE-2012-1663$ ./ex-serv-x509
processing server set to null?
Server ready. Listening to port '5556'.
shawn@sl13:~/gnutls_compile_uses/CVE-2012-1663$ ./attack.sh
................
.................
...................
Another terminal: killall client
Test platform: Slackware 13.37 + GNUTLS-3.0.13
[1] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1663
[2] Upstream fix: http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=9c62f4feb2bdd6fbbb06eb0c60bfdea80d21bbb8
--
GNU powered it...
GPL protect it...
God blessing it...
regards
Shawn
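The snippet quoted in the post shows the bug class behind this CVE: an owned handle is released on the error branch, the pointer is left set, and a later cleanup path releases it a second time. The following C program is an added example and is not code from the post, from exploit-db or from GnuTLS. It models that pattern with constructed stand-in types (`pcert_t`, `pubkey_t`, `pubkey_import`, `pubkey_deinit`) and assumes, as the post's comment suggests, that the shared `cleanup` label also releases the handle; the instrumented `pubkey_deinit` records a second release instead of calling `free()` twice, which is the same kind of signal AddressSanitizer would give, and the patched variant shows the one-line fix of clearing the pointer after the release.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a heap-owned public-key object. Instead of
 * malloc/free it lives in static storage and carries a "freed" flag, so a
 * second release can be counted rather than corrupting the allocator. */
typedef struct {
    int freed;
} pubkey_t;

/* Constructed stand-in for a certificate record that owns a pubkey. */
typedef struct {
    pubkey_t *pubkey;
} pcert_t;

static pubkey_t key_pool[2];     /* one slot per variant below */
static int g_double_release;     /* how many times a handle was released twice */

/* NULL-safe deinit, like most *_deinit routines. A release of an
 * already-released handle is the double free; we record it. */
static void pubkey_deinit(pubkey_t *key)
{
    if (key == NULL)
        return;
    if (key->freed) {
        g_double_release++;
        return;
    }
    key->freed = 1;
}

/* Simulated import: 0 on success, -1 when the certificate is rejected
 * (this is the failure the post says a crafted certificate triggers). */
static int pubkey_import(pubkey_t *key, int cert_is_valid)
{
    (void)key;
    return cert_is_valid ? 0 : -1;
}

/* Unpatched shape: release on the error branch, leave the pointer set,
 * jump to a cleanup label that releases the same handle again. */
static int import_unpatched(pcert_t *pcert, int cert_is_valid)
{
    int ret;
    pcert->pubkey = &key_pool[0];
    memset(pcert->pubkey, 0, sizeof *pcert->pubkey);
    ret = pubkey_import(pcert->pubkey, cert_is_valid);
    if (ret < 0) {
        pubkey_deinit(pcert->pubkey);
        /* pointer still set: cleanup below releases it a second time */
        goto cleanup;
    }
    return 0;
cleanup:
    pubkey_deinit(pcert->pubkey);
    pcert->pubkey = NULL;
    return ret;
}

/* Patched shape: clear the pointer right after the release so the
 * NULL-safe cleanup is a no-op and the caller never sees a dangling handle. */
static int import_patched(pcert_t *pcert, int cert_is_valid)
{
    int ret;
    pcert->pubkey = &key_pool[1];
    memset(pcert->pubkey, 0, sizeof *pcert->pubkey);
    ret = pubkey_import(pcert->pubkey, cert_is_valid);
    if (ret < 0) {
        pubkey_deinit(pcert->pubkey);
        pcert->pubkey = NULL;      /* the fix: no second owner of the handle */
        goto cleanup;
    }
    return 0;
cleanup:
    pubkey_deinit(pcert->pubkey);  /* NULL here, so harmless */
    return ret;
}

/* Feed a rejected certificate to one variant and report double releases. */
static int count_double_release(int (*import_fn)(pcert_t *, int))
{
    pcert_t pcert = { NULL };
    g_double_release = 0;
    import_fn(&pcert, 0);
    return g_double_release;
}

/* Success path check: the import returns 0 and the key is still alive. */
static int import_keeps_key(int (*import_fn)(pcert_t *, int))
{
    pcert_t pcert = { NULL };
    return import_fn(&pcert, 1) == 0 && pcert.pubkey != NULL && !pcert.pubkey->freed;
}

int main(void)
{
    printf("unpatched: %d double release(s)\n", count_double_release(import_unpatched));
    printf("patched:   %d double release(s)\n", count_double_release(import_patched));
    return 0;
}
```

The same instrumentation idea (a release routine that refuses to free a handle twice and records the attempt) is a cheap unit-test hook for any library that pairs `*_init`/`*_deinit`; in production code the equivalent signal comes from running the test suite under AddressSanitizer.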