GnuTLS libgnutls Double-free Certificate List Parsing Remote DoS

22 Mar 2013 00:00:00. Reported by Shawn the R0ck. Type: zdt. Source: 0day.today.

GnuTLS libgnutls Double-free Certificate List Parsing Remote DoS. CVE-2012-1663 is a possible remote denial-of-service issue in GnuTLS prior to 3.0.14. It is triggered when a client or server imports a crafted certificate while sending requests to a server or to another server; a specifically crafted certificate file triggers a double free on the client's side.

CVE-2013-1663[1] is a possible remote DOS attack issue. This issue has
been fixed[2] in >=GNUTLS-3.0.14. I hacked on it for hours and figured out
a few prerequisites that could make it vulnerable:
 
=============================
REQUIRED:
 
 - prior to GNUTLS 3.0.14
 - crafted certificate
 
=============================
Attack scenarios
 
 - a client imports a crafted cert file for sending req to server( CA?)
 
 - a "server" imports a crafted cert file for sending req to other
   server( CA?)
 
---> Use the above manipulations at high frequency
 
Standing on the client side, the attacker should try to construct a
crafted certificate that makes the function below fail:
 
  ret = gnutls_pubkey_import_x509(pcert->pubkey, crt, 0);
  if (ret < 0)
    {
      gnutls_pubkey_deinit(pcert->pubkey);
      /* pcert->pubkey should be NULL now */
      ret = gnutls_assert_val(ret);
      goto cleanup;
    }
 
I made up two crafted cert files( client.pem, client2.pem) that seem to
trigger the double free issue on the client's side.
 
Warning: Don't try it on your host machine, because it would cost too
much memory and make your machine very slow.
 
[email protected]:~/gnutls_compile_uses/CVE-2012-1663$ ./ex-serv-x509
processing server set to null?
Server ready. Listening to port '5556'.
 
[email protected]:~/gnutls_compile_uses/CVE-2012-1663$ ./attack.sh
................
.................
...................
 
Another terminal: killall client
 
Test platform: Slackware 13.37 + GNUTLS-3.0.13
 
[1] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1663
 
[2] Upstream fix
http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=9c62f4feb2bdd6fbbb06eb0c60bfdea80d21bbb8
 
 
--
GNU powered it...
GPL protect it...
God blessing it...
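The error path quoted in the post, as an added mock that is not GnuTLS code: a counting stand-in for the allocator records how many times pcert->pubkey is released, so the pre-fix pattern (deinit without clearing the pointer, then a second deinit under cleanup) can be compared with a hardened form that clears the dangling pointer. All mock_ names and the counting scheme are assumptions for illustration, not the project's API.

```c
/* Added illustration, not GnuTLS code: the pcert import error path with a
 * counting "free" instead of a real one, so the double release is observed
 * rather than corrupting the heap. mock_ names are assumptions. */
#include <stddef.h>

typedef struct { int dummy; } mock_pubkey_t;
typedef struct { mock_pubkey_t *pubkey; } mock_pcert_t;

static int free_count;              /* releases of pubkey in one attempt */

static void mock_pubkey_deinit(mock_pubkey_t *key)
{
    if (key == NULL)                /* a deinit must tolerate NULL */
        return;
    free_count++;                   /* real code would free(key) here */
}

/* Stand-in for gnutls_pubkey_import_x509: fails on a crafted certificate. */
static int mock_pubkey_import_x509(mock_pubkey_t *key, int crafted)
{
    (void)key;
    return crafted ? -1 : 0;
}

/* Returns how many times pcert->pubkey was released for one import.
 * fixed == 0 reproduces the pre-3.0.14 pattern: the error path deinits
 * the key but leaves the dangling pointer for cleanup to release again.
 * fixed == 1 clears the pointer, so cleanup's deinit is a no-op. */
static int pcert_import_releases(int crafted, int fixed)
{
    mock_pcert_t pc;
    mock_pubkey_t key;
    int ret;

    free_count = 0;
    pc.pubkey = &key;               /* as after a successful pubkey_init */

    ret = mock_pubkey_import_x509(pc.pubkey, crafted);
    if (ret < 0) {
        mock_pubkey_deinit(pc.pubkey);   /* first release */
        if (fixed)
            pc.pubkey = NULL;       /* hardened: drop the dangling pointer */
        goto cleanup;
    }
    return free_count;              /* success: caller keeps pubkey */

cleanup:
    mock_pubkey_deinit(pc.pubkey);  /* second release if pointer still set */
    return free_count;
}
```

A crafted certificate yields two releases in the unfixed path and exactly one once the pointer is cleared; a valid certificate releases nothing in either variant.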

#  0day.today [2018-04-11]  #
