[openssl-dev] [openssl.org #3708] segfault while generating a certificate signing request based on a malformed certificate

Kurt Cancemi kurt at x64architecture.com
Thu Feb 19 04:16:42 UTC 2015


The problem appears to be a NULL pointer dereference in X509_PUBKEY_set() when pkey is NULL, I attached a patch that fixes the issue.

After patch output (openssl x509 -x509toreq -in test76crash -out /dev/null -signkey test.key):

Getting request Private Key
Generating certificate request
140735115264848:error:0D078095:asn1 encoding routines:ASN1_ITEM_EX_D2I:sequence not constructed:tasn_dec.c:376:Type=RSA
140735115264848:error:0408B004:rsa routines:RSA_PUB_DECODE:RSA lib:rsa_ameth.c:99:
140735115264848:error:0B07707D:x509 certificate routines:X509_PUBKEY_get:public key decode error:x_pubkey.c:154:

Kurt Cancemi
https://www.x64architecture.com <https://www.x64architecture.com/>


> On Feb 17, 2015, at 4:49 PM, Brian Carpenter via RT <rt at openssl.org> wrote:
> 
> Good morning. I'm reporting a segfault in openssl via the command line
> "openssl x509 -x509toreq -in testcase -out /dev/null -signkey test.key"
> using a malformed certificate. I'm using american fuzzy lop (
> http://lcamtuf.coredump.cx/afl/) to fuzz openssl.
> 
> The testcase, which I've attached to this email, is a mutation of a valid
> ssl certificate. Doesn't appear to be exploitable according to CERTs
> exploitable plugin (https://github.com/jfoote/exploitable) for GDB, but
> there are smarter people than I out there in the world.
> 
> I compiled openssl with the afl-gcc included with american fuzzy lop for
> instrumenting binaries:
> CC=/path/to/afl-gcc ./config
> AFL_HARDEN=1 make -j8
> 
> OpenSSL 1.1.0-dev xx XXX xxxx
> 
> Here is the output from GDB:
> Getting request Private Key
> Generating certificate request
> 
> Program received signal SIGSEGV, Segmentation fault.
> [----------------------------------registers-----------------------------------]
> RAX: 0x10165f0 --> 0x1019110 --> 0xd230c0 --> 0xd1c02a -->
> 0x7372004645444e55 ('UNDEF')
> RBX: 0x10165f0 --> 0x1019110 --> 0xd230c0 --> 0xd1c02a -->
> 0x7372004645444e55 ('UNDEF')
> RCX: 0x0
> RDX: 0x0
> RSI: 0x7fffffffd7a0 --> 0x10165f0 --> 0x1019110 --> 0xd230c0 --> 0xd1c02a
> --> 0x7372004645444e55 ('UNDEF')
> RDI: 0x1
> RBP: 0x1016bf8 --> 0x10165b0 --> 0x1016f00 --> 0xd230c0 --> 0xd1c02a -->
> 0x7372004645444e55 ('UNDEF')
> RSP: 0x7fffffffd7f0 --> 0x10170e0 --> 0x1016410 --> 0x1017380 -->
> 0x200000001
> RIP: 0x93bbd0 (<X509_PUBKEY_set+240>: mov    rax,QWORD PTR [r12+0x10])
> R8 : 0x1019170 --> 0x6e4135700000000d ('\r')
> R9 : 0x0
> R10: 0xa ('\n')
> R11: 0x7ffff78d0556 (<__memset_sse2+230>: mov    QWORD PTR [rdi-0x10],rdx)
> R12: 0x0
> R13: 0x0
> R14: 0x1016f60 --> 0x600000006
> R15: 0x0
> EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction
> overflow)
> [-------------------------------------code-------------------------------------]
>   0x93bbbe <X509_PUBKEY_set+222>: mov    rcx,QWORD PTR [rsp+0x8]
>   0x93bbc3 <X509_PUBKEY_set+227>: mov    rax,QWORD PTR [rsp+0x10]
>   0x93bbc8 <X509_PUBKEY_set+232>: lea    rsp,[rsp+0x98]
> => 0x93bbd0 <X509_PUBKEY_set+240>: mov    rax,QWORD PTR [r12+0x10]
>   0x93bbd5 <X509_PUBKEY_set+245>: test   rax,rax
>   0x93bbd8 <X509_PUBKEY_set+248>: je     0x93beb8 <X509_PUBKEY_set+984>
>   0x93bbde <X509_PUBKEY_set+254>: xchg   ax,ax
>   0x93bbe0 <X509_PUBKEY_set+256>: lea    rsp,[rsp-0x98]
> [------------------------------------stack-------------------------------------]
> 0000| 0x7fffffffd7f0 --> 0x10170e0 --> 0x1016410 --> 0x1017380 -->
> 0x200000001
> 0008| 0x7fffffffd7f8 --> 0x7bd4d239a33a7400
> 0016| 0x7fffffffd800 --> 0x1016580 --> 0x1016bd0 --> 0x0
> 0024| 0x7fffffffd808 --> 0x1016bd0 --> 0x0
> 0032| 0x7fffffffd810 --> 0x1018b10 --> 0x200000001
> 0040| 0x7fffffffd818 --> 0x9e9cee (<X509_to_X509_REQ+398>: mov    rdi,r13)
> 0048| 0x7fffffffd820 --> 0x7fffffffd840 --> 0x10170e0 --> 0x1016410 -->
> 0x1017380 --> 0x200000001
> 0056| 0x7fffffffd828 --> 0x7bd4d239a33a7400
> [------------------------------------------------------------------------------]
> Legend: code, data, rodata, value
> Stopped reason: SIGSEGV
> 0x000000000093bbd0 in X509_PUBKEY_set ()
> gdb-peda$ exploit
> Description: Access violation near NULL on source operand
> Short description: SourceAvNearNull (16/22)
> Hash: edf4ff3908740b6c9ac6ab3fe1b764d4.edf4ff3908740b6c9ac6ab3fe1b764d4
> Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
> Explanation: The target crashed on an access violation at an address
> matching the source operand of the current instruction. This likely
> indicates a read access violation, which may mean the application crashed
> on a simple NULL dereference to data structure that has no immediate effect
> on control of the processor.
> Other tags: AccessViolation (21/22)
> 
> and Valgrind:
> Getting request Private Key
> Generating certificate request
> ==59041== Invalid read of size 8
> ==59041==    at 0x93BBD0: X509_PUBKEY_set (x_pubkey.c:99)
> ==59041==    by 0x9E9CED: X509_to_X509_REQ (x509_req.c:95)
> ==59041==    by 0x46F925: x509_main (x509.c:941)
> ==59041==    by 0x40C377: do_cmd (openssl.c:472)
> ==59041==    by 0x40B78D: main (openssl.c:366)
> ==59041==  Address 0x10 is not stack'd, malloc'd or (recently) free'd
> ==59041==
> ==59041==
> ==59041== Process terminating with default action of signal 11 (SIGSEGV)
> ==59041==  Access not within mapped region at address 0x10
> ==59041==    at 0x93BBD0: X509_PUBKEY_set (x_pubkey.c:99)
> ==59041==    by 0x9E9CED: X509_to_X509_REQ (x509_req.c:95)
> ==59041==    by 0x46F925: x509_main (x509.c:941)
> ==59041==    by 0x40C377: do_cmd (openssl.c:472)
> ==59041==    by 0x40B78D: main (openssl.c:366)
> ==59041==  If you believe this happened as a result of a stack
> ==59041==  overflow in your program's main thread (unlikely but
> ==59041==  possible), you can try to increase the size of the
> ==59041==  main thread stack using the --main-stacksize= flag.
> ==59041==  The main thread stack size used in this run was 8388608.
> Segmentation fault
> 
> <test76crash.gz>_______________________________________________
> openssl-dev mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20150218/66ff3c68/attachment-0002.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Fix-NULL-pointer-dereference-in-X509_PUBKEY_set.patch
Type: application/octet-stream
Size: 708 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20150218/66ff3c68/attachment-0001.obj>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20150218/66ff3c68/attachment-0003.html>


More information about the openssl-dev mailing list