Security Bulletin: ASN. 1 coding in the presence of a heap memory corruption vulnerability-vulnerability warning-the black bar safety net

2016-07-21T00:00:00
ID MYHACK58:62201677114
Type myhack58
Reporter 佚名
Modified 2016-07-21T00:00:00

Description

! ! 1. Security Bulletin information Title: Objective system integrated Co., Ltd. The design of the ASN. 1 coding specification in the presence of one can lead to heap memory corruption vulnerabilities. Vulnerability CVE number: CVE-2 0 1 6-5 0 8 0 Announcement of the URL address: http://www.fundacionsadosky.org.ar/publicaciones-2 Vulnerability published date: 2016-07-18 Bulletin latest update: 2016-07-19 Related suppliers: The Objective of the system integration company Vulnerability disclosure mode: coordinated disclosure 2. Vulnerability information Vulnerability classification: heap-based memory buffer overflow[http://cwe.mitre.org/data/definitions/122.html] Vulnerability impact: code execution Whether the remote can be used: Whether local can be used: Vulnerability ID: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-5080 3. Vulnerability description ASN. 1 abstract syntax notation is an ISO/ITU-T standard, which describes a kind of computer network data representation, coding, transmission and decoding of the data format specification. It provides a comprehensive set of used to describe the object structure of the standard format, the developer does not need to care about programming languages specifically how to execute these commands, but also do not understand what these data refer to at any need to digitally send information to the local, ASN. 1 can send various forms of information, audio, video, data, and so on. ASN. 1 and the particular ASN. 1 encoding rules advance structured data transmission, especially in the network between different applications of the structured data transfer, it to a is independent of the computer architecture and the language to describe the data structure. OSI protocols application layer protocols use the ASN. 1 to describe the transmission of the PDU, the Protocol comprising: means for transmitting the e-mail X. 4 0 0 for Directory Services X. 5 0 0, as well as for VoIP H. 3 2 3 and SNMP. Its application can also be extended to the Universal Mobile Telecommunications System UMTS in the access and non-access layer. ASN. 1 success one of the main reasons is that it with several standardized encoding rules such as basic encoding rules(BER) -X. 2 0 9, canonical encoding rules CER, the distinguished name encoding rules, DER, a compression encoding rules, PER, and XML encoding rules XER Airport. These encoding rules describe how the ASN. 1 in the defined values are encoded for transmission, without caring about the computer, programming language, or it is in the application of how to represent and other factors. ASN. 1 of encoding method than many of the competing tagging system is more advanced, it supports scalable information fast and reliable transmission — in wireless broadband, which is an advantage. 1 9 8 4 year ASN. 1 It has become an international standard, its encoding rules are already very Mature, and in the reliability and compatibility aspects have a more extensive processing experience. ASN. 1 is described in network transmission format information of the standard method. It mainly consists of two parts: a part for describing information inside the data, data type, and a sequence format; the other part is used to describe how each part of the data composed of the message. It turned out to be as X. 4 0 9 part of the development, and only later their independence as a standard. ASN. 1 the description can easily be mapped into C or C++ or Java data structure, it can be used by application code to use and get the run-time library support, and thus capable of encoding and decoding XML or a TLV format of the data. In addition, the ASN. 1 is also used to describe a structured object in the structure and content of the language. ASN. 1 C++compiler is ASN. 1 The C compiler the enhanced version, it uses the object-oriented programming techniques. ASN. 1 C++compiler can automatically ASN. 1 Specification compiled as C++class and used to encoding and decoding of metadata. In addition, the C++Runtime Library the ASN. 1 is ASN. 1 C++compiler package part. ASN. 1 C++run-time library is also oriented towards metadata, the metadata at runtime to load, and can use after release. Objective the integrated system Co., Ltd. is a United States private sector, the ASN1C compiler it is by this company to develop the design. Currently, in the telecommunications, data networking, Aerospace, defence sector, as well as government law enforcement and other area businesses or organizations are using this compiler. This exists in ASN1C compiler runtime support Library of the vulnerability will allow the attacker in the target software system to remote code execution, the affected system also includes the use of the ASN1C compiler of embedded software systems. According to a security research expert analysis, when the target system vulnerability in code from untrusted sources to receive and process the ASN. 1 encoded data, the attacker can not go through any authentication to remotely trigger this vulnerability. In the mobile and communication operators of the network infrastructure the communication between the nodes, as well as operator network node between the communication process, are likely to occur such security issues. It is understood that the Objective of the integrated system Co., Ltd. currently has successfully solved this problem, and in order to meet customer demand, the company also released a temporary version of the ASN1C C/C++compiler. According to the company revealed the information, they will be in the next version(v7. 0. 2)The ASN1C compiler is formally fix this vulnerability. If you want to learn more about affected vendors and vulnerability mitigation program information, please visit the CERT/CC issued a vulnerability announcement. 4. Affected by the vulnerabilities of the system Any use of the ASN. 1 coding specification of the software system will be affected by this vulnerability. In addition, the 7. 0 version and 7. 0 version following the ASN1C compiler will also be affected by the vulnerability. CERT/CC vulnerability Bulletin provides a affected by this vulnerability the vendor list, the interested reader can click on to view. 5. Vendor information and solution In order to meet customer requirements, manufacturers have released a temporary version of ASN1C(v7. 0. 1)In order for the user to use. The company will be in the ASN1C v7. 0. 2 official version repair this loophole. 6. Vulnerability discovery This vulnerability is by security research experts Lucas Molas found and reported. 7. Technical details In this part, we will describe in detail the Objective of the integrated system Co., Ltd. released the latest version of the ASN1C compiler(v7. 0. 0)in the presence of this security vulnerability. Security research experts found, the compiler of the rtxMemHeapAlloc function contains a pre-compiled asn1rt_a. lib the library, and in which the detected two integer overflow issues, this issue will likely allow the attacker on the target system throws heap memory crash. Security research experts use the IDA(v6. 9)to the program decompile, and extract the corresponding block of code for further analysis. In this pre-compiled code Library for the analysis, researchers from the\c\lib\path under which the extracted asn1rt_a. lib. In the rtxMemHeapAlloc function of the analysis process, the researchers first program of heap memory(pMemHeap)conducted a preliminary analysis, rtxMemHeapCreate function and rtxMemHeapCheck function in the heap memory space is called, nbytes parameter decompile the results of the arg_4 will be modified. The program will use the ecx register to the value of the parameter is filled to eight bytes in size, or eight-byte integer, and stores the result to the variable var_9C. In order to achieve this step, when the result value is shifted before the operation, the ecx value will be added to 7. In the 3 2-bit register, if no results of value were detected, then when the nbytes value of 0xFFFFFFF9 or greater, then it will be possible to cause an integer overflow problem. Specific code as follows:

[1] [2] next