GnuTLS libgnutls Double-free Certificate List Parsing Remote DoS

2014-07-0100:00:00

Root

www.seebug.org

0.022 Low

EPSS

Percentile

88.2%

JSON

No description provided by source.


                                                Sorry I forgot to write headers in previous mail.

# Exploit Title: [possible ways to exploit CVE-2012-1663( GNUTLS-3.0.13)]
# Google Dork: [if relevant]  (we will automatically add these to the GHDB)
# Date: [Mar 20, 2013]
# Exploit Author: [Shawn the R0ck]
# Vendor Homepage: [http://www.gnutls.org/]
# Software Link: [download link if available]
# Version: [&#60;= 3.0.13]
# Tested on: [GNU/Linux]
# CVE : [CVE-2012-1663]

PoC: http://www.exploit-db.com/sploits/24865.tar.bz2

I&#39;m glad to share this to you guys. The test code was attached. You
also could find them here:
https://github.com/citypw/arsenal-4-sec-testing/tree/master/libgnutls/CVE-2012-1663

CVE-2013-1663[1] is a possible remote DOS attack issue. This issue has
been fixed[2] in &#62;=GNUTLS-3.0.14. I hacked on it for hours and figure out
a few prerequisites could make it vulnerable:

=============================
REQUIRED:

 - prior to GNUTLS 3.0.14
 - crafted certificate

=============================
Attacking SCENES

 - a client import a crafted cert file for sending req to server( CA?)

 - a &#34;server&#34; import a crafted cert file for sending req to other
   server( CA?)

---&#62; With high frequency uses above manipulations

Stand on the client side, the attacker should try to construct a
crafted certificate for triggering the below function fails:

ret = gnutls_pubkey_import_x509(pcert-&#62;pubkey, crt, 0);
  if (ret &#60; 0)
    {
      gnutls_pubkey_deinit(pcert-&#62;pubkey);
      /* pcert-&#62;pubkey should be NULL now */
      ret = gnutls_assert_val(ret);
      goto cleanup;
    }

I made up two crafted cert files( client.pem, client2.pem) seems would
trigger the double free issue in client&#39;s side.

Warning: Don&#39;t try it on your host machine because it would cost too
much memory then makes your machine very slow.

shawn@sl13:~/gnutls_compile_uses/CVE-2012-1663$ ./ex-serv-x509
processing server set to null?
Server ready. Listening to port &#39;5556&#39;.

shawn@sl13:~/gnutls_compile_uses/CVE-2012-1663$ ./attack.sh
................
.................
...................

Another terminal: killall client

Test platform: Slackware 13.37 + GNUTLS-3.0.13

[1] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1663

[2] Upstream fix
http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=9c62f4feb2bdd6fbbb06eb0c60bfdea80d21bbb8


-- 
GNU powered it...
GPL protect it...
God blessing it...

regards
Shawn

0.022 Low

EPSS

Percentile

88.2%

JSON

Related for SSV:78552