Description
WolfSSL versions 4.1.0 and 4.2.0 incorrectly handle X.509 certificates, leading to a heap buffer overflow inside the DecodedCert structure. The overflow overwrites a NULL pointer, which causes a crash during memory deallocation.
This vulnerability affects both client and server in both supported protocols, TLS and DTLS.
While processing a crafted certificate, WolfSSL incorrectly handles the loc buffer in the DecodedName structure.
In the following line the count variable reaches 21, while the loc table has a fixed size of 19 entries:
wolfcrypt/src/asn.c:5121:
dName->loc[count++] = id;
Declarations:
wolfssl/wolfcrypt/asn.h:
#define DOMAIN_COMPONENT_MAX 10
#define DN_NAMES_MAX 9

struct DecodedName {
char* fullName;
...
int loc[DOMAIN_COMPONENT_MAX + DN_NAMES_MAX];
int locSz;
};

struct DecodedCert {
...
DecodedName issuerName;
DecodedName subjectName;
Overflow of the loc table in issuerName overwrites the fullName pointer in subjectName.
During deallocation in FreeDecodedCert the NULL check on cert->subjectName.fullName is therefore ineffective: the pointer is no longer NULL but holds a value written by the overflow, so free() is executed on the overwritten pointer.
Crashing function:
wolfcrypt/src/asn.c:4505:
void FreeDecodedCert(DecodedCert* cert)
{
...
if (cert->subjectName.fullName != NULL)
XFREE(cert->subjectName.fullName, cert->heap, DYNAMIC_TYPE_X509);
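As an added illustration (not wolfSSL's code and not part of this report), the following C program models the overflow described above on a simplified stand-in for the DecodedName/DecodedCert layout; the real DecodedName has further fields elided above as "...", so the actual offsets in wolfSSL differ. It computes where issuerName.loc[19] and loc[20] land relative to locSz and subjectName.fullName, shows that after such a write the NULL check in FreeDecodedCert no longer protects the free(), and places the unchecked loc[count++] = id write next to a bounds-checked writer that rejects the 20th name component. The 21 RDN identifiers are constructed input and all function names are the example's own.

```c
/* Added example, not wolfSSL code. The struct layout below is a simplified
 * stand-in (assumption): the real DecodedName has more fields than shown. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DOMAIN_COMPONENT_MAX 10
#define DN_NAMES_MAX 9
#define LOC_MAX (DOMAIN_COMPONENT_MAX + DN_NAMES_MAX)   /* 19 slots */

struct DecodedName {
    char *fullName;        /* heap string, released in FreeDecodedCert */
    int   loc[LOC_MAX];
    int   locSz;
};

struct DecodedCert {
    struct DecodedName issuerName;
    struct DecodedName subjectName;
};

/* Unchecked write, the shape of the vulnerable line in asn.c. Only safe
 * while *count < LOC_MAX; it is never called out of bounds here. */
void add_loc_unchecked(struct DecodedName *n, int *count, int id)
{
    n->loc[(*count)++] = id;
}

/* Hardened form: refuse the component instead of writing past loc[].
 * Returns 0 on success, -1 when the table is already full. */
static int add_loc_checked(struct DecodedName *n, int *count, int id)
{
    if (*count >= LOC_MAX)
        return -1;
    n->loc[(*count)++] = id;
    return 0;
}

/* Run nids RDN identifiers through the checked writer; returns how many
 * were accepted. */
static int parse_name_checked(struct DecodedName *n, const int *ids, int nids)
{
    int count = 0;
    memset(n, 0, sizeof *n);
    for (int i = 0; i < nids; i++) {
        if (add_loc_checked(n, &count, ids[i]) != 0)
            break;
    }
    n->locSz = count;
    return count;
}

/* Constructed input: 21 components, the count the report says is reached. */
static int run_constructed_poc(void)
{
    int ids[21];
    struct DecodedName n;
    for (int i = 0; i < 21; i++)
        ids[i] = 3;                      /* any non-zero id; value is irrelevant */
    return parse_name_checked(&n, ids, 21);
}

/* Byte offset inside DecodedCert of the would-be slot issuerName.loc[idx]. */
static size_t issuer_loc_offset(int idx)
{
    return offsetof(struct DecodedCert, issuerName)
         + offsetof(struct DecodedName, loc) + (size_t)idx * sizeof(int);
}

/* 1 if the first out-of-bounds slot, loc[19], lands on issuerName.locSz. */
static int slot19_hits_locsz(void)
{
    return issuer_loc_offset(19) == offsetof(struct DecodedCert, issuerName)
                                  + offsetof(struct DecodedName, locSz);
}

/* 1 if loc[20] overlaps the storage of subjectName.fullName in this layout. */
static int slot20_overlaps_subject_fullname(void)
{
    return issuer_loc_offset(20) == offsetof(struct DecodedCert, subjectName)
                                  + offsetof(struct DecodedName, fullName);
}

/* Reproduce the consequence without undefined behaviour: copy an int into
 * the bytes where loc[20] would land, then apply FreeDecodedCert's check.
 * Returns 1 if the NULL check now passes, i.e. XFREE() would be reached. */
static int null_check_bypassed(int id)
{
    struct DecodedCert cert;
    memset(&cert, 0, sizeof cert);               /* both fullName are NULL */
    memcpy((unsigned char *)&cert + issuer_loc_offset(20), &id, sizeof id);
    return cert.subjectName.fullName != NULL;    /* garbage pointer to free */
}

int main(void)
{
    printf("checked parser accepted %d of 21 components\n", run_constructed_poc());
    printf("loc[19] clobbers locSz: %d\n", slot19_hits_locsz());
    printf("loc[20] overlaps subjectName.fullName: %d\n",
           slot20_overlaps_subject_fullname());
    printf("NULL check bypassed after overwrite: %d\n", null_check_bypassed(3));
    return 0;
}
```

The offsets in this stand-in layout hold on both 32-bit and 64-bit targets with 4-byte int; in wolfSSL itself the elided fields shift them, which is why the report identifies the overwritten field from the crash rather than from arithmetic.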
Proposed CVSS 3.0 score:
7.5 (High)
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Crash on DTLS client connection (parsing cert from incoming network packets):
./examples/client/client -u -h 1xx.1xx.1xx.1xx -p 4433 -g
ASAN:SIGSEGV
==21175==ERROR: AddressSanitizer: SEGV on unknown address 0xfffffffffffffffa (pc 0x7fe754d335fc bp 0xfffffffffffffffa sp 0x7ffc731221f0 T0)
#0 0x7fe754d335fb (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x215fb)
#1 0x7fe754daa29d in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9829d)
#2 0x7fe75455ea98 in FreeDecodedCert wolfcrypt/src/asn.c:4532
#3 0x7fe7547a50ec in FreeProcPeerCertArgs src/internal.c:9548
#4 0x7fe7547a50ec in ProcessPeerCerts src/internal.c:10807
#5 0x7fe75480d92c in DoCertificate src/internal.c:10843
#6 0x7fe75480d92c in DoHandShakeMsgType src/internal.c:11681
#7 0x7fe754825b6c in DoDtlsHandShakeMsg src/internal.c:12305
#8 0x7fe754825b6c in ProcessReply src/internal.c:14334
#9 0x7fe754888c07 in wolfSSL_connect src/ssl.c:11172
#10 0x413527 in client_test examples/client/client.c:2805
#11 0x40659b in main examples/client/client.c:3387
#12 0x7fe753e6b82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#13 0x406708 in _start (wolfssl-4.2.0c_ASAN/examples/client/.libs/lt-client+0x406708)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
==21175==ABORTING
Crash on DTLS server startup (loading cert from local drive):
./examples/server/server -u -c crash_000_FreeDecodedCert.pem
ASAN:SIGSEGV
==21128==ERROR: AddressSanitizer: SEGV on unknown address 0xfffffffffffffffa (pc 0x7f715c0555fc bp 0xfffffffffffffffa sp 0x7ffe3bd38ed0 T0)
#0 0x7f715c0555fb (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x215fb)
#1 0x7f715c0cc29d in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9829d)
#2 0x7f715b880a98 in FreeDecodedCert wolfcrypt/src/asn.c:4532
#3 0x7f715bb90d2d in ProcessBuffer src/ssl.c:5398
#4 0x7f715bb96ad3 in ProcessFile src/ssl.c:6339
#5 0x7f715bb9cf4e in wolfSSL_CTX_use_certificate_chain_file src/ssl.c:6912
#6 0x40dc34 in server_test examples/server/server.c:1610
#7 0x40585e in main examples/server/server.c:2434
#8 0x7f715b18d82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#9 0x405a38 in _start (wolfssl-4.2.0c_ASAN/examples/server/.libs/lt-server+0x405a38)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
==21128==ABORTING
Crash on DTLS client startup (loading cert from local drive):
./examples/client/client -u -b -i -c crash_000_FreeDecodedCert.pem
ASAN:SIGSEGV
==21338==ERROR: AddressSanitizer: SEGV on unknown address 0xfffffffffffffffa (pc 0x7fc36c0f65fc bp 0xfffffffffffffffa sp 0x7ffd695c4810 T0)
#0 0x7fc36c0f65fb (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x215fb)
#1 0x7fc36c16d29d in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9829d)
#2 0x7fc36b921a98 in FreeDecodedCert wolfcrypt/src/asn.c:4532
#3 0x7fc36bc31d2d in ProcessBuffer src/ssl.c:5398
#4 0x7fc36bc37ad3 in ProcessFile src/ssl.c:6339
#5 0x7fc36bc3df4e in wolfSSL_CTX_use_certificate_chain_file src/ssl.c:6912
#6 0x413404 in client_test examples/client/client.c:2320
#7 0x40659b in main examples/client/client.c:3387
#8 0x7fc36b22e82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#9 0x406708 in _start (wolfssl-4.2.0c_ASAN/examples/client/.libs/lt-client+0x406708)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
==21338==ABORTING
Crash on TLS client connection (parsing cert from incoming network packets):
./examples/client/client -h 1xx.1xx.1xx.1xx -p 4433 -g
ASAN:SIGSEGV
==21482==ERROR: AddressSanitizer: SEGV on unknown address 0xfffffffffffffffa (pc 0x7fd9dd1965fc bp 0xfffffffffffffffa sp 0x7ffd173cbf70 T0)
#0 0x7fd9dd1965fb (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x215fb)
#1 0x7fd9dd20d29d in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9829d)
#2 0x7fd9dc9c1a98 in FreeDecodedCert wolfcrypt/src/asn.c:4532
#3 0x7fd9dcc080ec in FreeProcPeerCertArgs src/internal.c:9548
#4 0x7fd9dcc080ec in ProcessPeerCerts src/internal.c:10807
#5 0x7fd9dcc7092c in DoCertificate src/internal.c:10843
#6 0x7fd9dcc7092c in DoHandShakeMsgType src/internal.c:11681
#7 0x7fd9dcc86169 in DoHandShakeMsg src/internal.c:11872
#8 0x7fd9dcc86169 in ProcessReply src/internal.c:14342
#9 0x7fd9dcceb734 in wolfSSL_connect src/ssl.c:11119
#10 0x413527 in client_test examples/client/client.c:2805
#11 0x40659b in main examples/client/client.c:3387
#12 0x7fd9dc2ce82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#13 0x406708 in _start (wolfssl-4.2.0c_ASAN/examples/client/.libs/lt-client+0x406708)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
==21482==ABORTING
Crash on TLS client startup (loading cert from local drive):
./examples/client/client -c crash_000_FreeDecodedCert.pem
ASAN:SIGSEGV
==14540==ERROR: AddressSanitizer: SEGV on unknown address 0xfffffffffffffffa (pc 0x7fe6467dc5fc bp 0xfffffffffffffffa sp 0x7fff9dd2b980 T0)
#0 0x7fe6467dc5fb (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x215fb)
#1 0x7fe64685329d in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9829d)
#2 0x7fe646007a98 in FreeDecodedCert wolfcrypt/src/asn.c:4532
#3 0x7fe646317d2d in ProcessBuffer src/ssl.c:5398
#4 0x7fe64631dad3 in ProcessFile src/ssl.c:6339
#5 0x7fe646323f4e in wolfSSL_CTX_use_certificate_chain_file src/ssl.c:6912
#6 0x413404 in client_test examples/client/client.c:2320
#7 0x40659b in main examples/client/client.c:3387
#8 0x7fe64591482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#9 0x406708 in _start (wolfssl-4.2.0c_ASAN/examples/client/.libs/lt-client+0x406708)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
==14540==ABORTING
Crash on TLS server startup (loading cert from local drive):
./examples/server/server -c crash_000_FreeDecodedCert.pem
ASAN:SIGSEGV
==14502==ERROR: AddressSanitizer: SEGV on unknown address 0xfffffffffffffffa (pc 0x7fb7139575fc bp 0xfffffffffffffffa sp 0x7ffe8c8d8180 T0)
#0 0x7fb7139575fb (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x215fb)
#1 0x7fb7139ce29d in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9829d)
#2 0x7fb713182a98 in FreeDecodedCert wolfcrypt/src/asn.c:4532
#3 0x7fb713492d2d in ProcessBuffer src/ssl.c:5398
#4 0x7fb713498ad3 in ProcessFile src/ssl.c:6339
#5 0x7fb71349ef4e in wolfSSL_CTX_use_certificate_chain_file src/ssl.c:6912
#6 0x40dc34 in server_test examples/server/server.c:1610
#7 0x40585e in main examples/server/server.c:2434
#8 0x7fb712a8f82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#9 0x405a38 in _start (wolfssl-4.2.0c_ASAN/examples/server/.libs/lt-server+0x405a38)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
==14502==ABORTING
Reproduction:
Download and compile WolfSSL 4.2.0 or 4.1.0.
Unzip the attached crafted certificate and use it with the commands above (./examples/server/server -c ... or ./examples/client/client -c ...).
Credit:
Jakub Botwicz (Samsung R&D Poland)