7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.899 High
EPSS
Percentile
98.5%
A few days ago, Fortinet published an article entitled "OpenSSL ChaCha20-Poly1305 heap overflow (CVE-2016-7054) analysis". A high-risk heap overflow vulnerability was discovered in the OpenSSL library, affecting versions 1.1.0a and 1.1.0b. The vulnerable code is in the file openssl-OpenSSL_1_1_0a\crypto\evp\e_chacha20_poly1305.c.
Let's look at the vulnerable code:
```c
//Line No. 196
static int chacha20_poly1305_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                                    const unsigned char *in, size_t len)
{
    …
    //Line No. 241
        } else {                            /* ciphertext: Decrypt the ciphertext */
            Poly1305_Update(POLY1305_ctx(actx), in, plen);
            chacha_cipher(ctx, out, in, plen);
            in += plen;
            out += plen; //out points to the end of the buffer where the decrypted ciphertext is stored.
            actx->len.text += plen;
        }
    …
    //Line No. 293
        Poly1305_Final(POLY1305_ctx(actx), ctx->encrypt ? actx->tag
                                                        : temp); //Generate the MAC from the ciphertext
        actx->mac_inited = 0;

        if (in != NULL && len != plen) {    /* tls mode */
            if (ctx->encrypt) {
                memcpy(out, actx->tag, POLY1305_BLOCK_SIZE);
            } else {
                if (CRYPTO_memcmp(temp, in, POLY1305_BLOCK_SIZE)) {
                    /* If the generated MAC doesn't match the one sent along with ciphertext…
                       Clear the buffer where the ciphertext was stored, but notice that 'out' points
                       to the end of the buffer. So extra space from the heap will be cleared
                    */
                    memset(out, 0, plen);
                    return -1;
                }
            }
        }
        else if (!ctx->encrypt) {
            if (CRYPTO_memcmp(temp, actx->tag, actx->tag_len))
                return -1;
        }
    }
    return len;
}
```
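The effect of the misplaced `memset` described in the code comments above, reproduced in a small self-contained simulation. This is an added example, not code from OpenSSL or from the Fortinet analysis; `simulate_mac_failure`, the arena layout and the buffer sizes are assumptions chosen for illustration, and the `out - plen` variant is one way to wipe the intended region.

```c
#include <stdio.h>
#include <string.h>

#define PLEN  32   /* constructed ciphertext length */
#define GUARD 64   /* stand-in for memory adjacent to the record buffer */

struct wipe_result {
    size_t plaintext_left;   /* unauthenticated plaintext bytes NOT zeroed */
    size_t guard_clobbered;  /* bytes zeroed past the end of the buffer */
};

/* fixed == 0: memset(out, 0, plen), the behaviour shown on the page.
 * fixed != 0: memset(out - plen, 0, plen), rewinding to the buffer start. */
static struct wipe_result simulate_mac_failure(int fixed)
{
    /* Buffer and guard share one array, so the stray write stays inside
     * memory this program owns and can be measured safely. */
    unsigned char arena[PLEN + GUARD];
    unsigned char *out = arena;
    struct wipe_result r = {0, 0};
    size_t plen = PLEN, i;

    memset(arena, 0xAA, PLEN);          /* "decrypted" but unverified data */
    memset(arena + PLEN, 0xCC, GUARD);  /* neighbouring data */
    out += plen;                        /* same advance as the decrypt path */

    /* The MAC comparison is assumed to have failed at this point. */
    if (fixed)
        memset(out - plen, 0, plen);
    else
        memset(out, 0, plen);

    for (i = 0; i < PLEN; i++)
        r.plaintext_left += (arena[i] != 0);
    for (i = 0; i < GUARD; i++)
        r.guard_clobbered += (arena[PLEN + i] != 0xCC);
    return r;
}

int main(void)
{
    struct wipe_result v = simulate_mac_failure(0), f = simulate_mac_failure(1);
    printf("as shown: %zu plaintext bytes left, %zu guard bytes zeroed\n",
           v.plaintext_left, v.guard_clobbered);
    printf("rewound:  %zu plaintext bytes left, %zu guard bytes zeroed\n",
           f.plaintext_left, f.guard_clobbered);
    return 0;
}
```

The first case also shows a second consequence of the bug: the unauthenticated plaintext the wipe was meant to clear is left in place.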
ChaCha20 stream cipher and Poly1305 message authentication code
ChaCha20
ChaCha20 is an improved version of the Salsa20 algorithm and uses a 256-bit key. ChaCha20 repeatedly calls the ChaCha20 block function with the same key and nonce and a successively increasing block counter. It then serializes each result in little-endian order to obtain a keystream block. The keystream is XORed with the plaintext to produce the ciphertext.
ChaCha20 input:
1. 256-bit key
2. 32-bit initial counter
3. 96-bit nonce (IV)
4. Arbitrary-length plaintext
Its output is ciphertext of the same length as the plaintext.
Poly1305
Poly1305 is a one-time authenticator. Its inputs are:
1. 32-bit one-time key
2. A message
The output is a 16-byte tag used to validate the message. Poly1305 uses AES to encrypt the nonce, but AES can be replaced by an arbitrary keyed function, as this paper describes.
Combining the two gives ChaCha20-Poly1305:
![](/Article/UploadPic/2016-12/2016122120230455.png?www.myhack58.com)
At this point we know enough of the basics to analyse the bug in depth. Next, we try to trigger the vulnerable code by passing a TLS message generated with a wrong tag.
![](/Article/UploadPic/2016-12/2016122120230325.png?www.myhack58.com)