NSS Netscape Certificate Sequences CERT_DecodeCertPackage() Crash Vulnerability

2019-03-21T00:00:00
ID 1337DAY-ID-32400
Type zdt
Reporter Tavis Ormandy
Modified 2019-03-21T00:00:00

Description

NSS suffers from a NULL dereference issue when parsing Netscape Certificate Sequences in CERT_DecodeCertPackage().

                                        
                                            nss: CERT_DecodeCertPackage() crash with Netscape Certificate Sequences 



I noticed that the main entrypoint for decoding DER blobs in NSS, CERT_DecodeCertPackage(), actually handles multiple formats including PEM, PKCS7, and old Netscape Certificate Sequences.

You can generate a Netscape Certificate Sequence with the OpenSSL nseq tool, I just did this:

$ openssl nseq -in mail.google.com.pem -toseq -out nseq.pem
I guessed that this format might not have been as well audited as others, so fuzzed it and it crashed with a NULL deref quickly.

Test case attached, I'm guessing this means any client or server that handles untrusted certificates can be crashed, I didn't try it against Firefox.

You can verify it like this:

$ certutil -d \".\" -A -n test -t \"p,p,p\" -i nss-nseq-crash.der
Segmentation fault

I reported this upstream as a denial of service issue, some network daemons use NSS (like slapd, iirc)

This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available (whichever is earlier), the bug
report will become visible to the public.

#  0day.today [2019-03-23]  #