Skip to content
cyberexploits
doslinuxtext

GnuTLS libgnutls - Double-Free Certificate List Parsing Remote Denial of Service

GnuTLS libgnutls - Double-Free Certificate List Parsing Remote Denial of Service

Published on 2013-03-22

Source code

Pinned to commit 7eac4c3a2ce5
textplatforms/linux/dos/24865.txt7eac4c3a
raw
Sorry I forgot to write headers in previous mail.



# Exploit Title: [possible ways to exploit CVE-2012-1663( GNUTLS-3.0.13)]

# Google Dork: [if relevant]  (we will automatically add these to the GHDB)

# Date: [Mar 20, 2013]

# Exploit Author: [Shawn the R0ck]

# Vendor Homepage: [http://www.gnutls.org/]

# Software Link: [download link if available]

# Version: [<= 3.0.13]

# Tested on: [GNU/Linux]

# CVE : [CVE-2012-1663]



PoC: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/24865.tar.bz2



I'm glad to share this to you guys. The test code was attached. You

also could find them here:

https://github.com/citypw/arsenal-4-sec-testing/tree/master/libgnutls/CVE-2012-1663



CVE-2013-1663[1] is a possible remote DOS attack issue. This issue has

been fixed[2] in >=GNUTLS-3.0.14. I hacked on it for hours and figure out

a few prerequisites could make it vulnerable:



=============================

REQUIRED:



 - prior to GNUTLS 3.0.14

 - crafted certificate



=============================

Attacking SCENES



 - a client import a crafted cert file for sending req to server( CA?)



 - a "server" import a crafted cert file for sending req to other

   server( CA?)



---> With high frequency uses above manipulations



Stand on the client side, the attacker should try to construct a

crafted certificate for triggering the below function fails:



ret = gnutls_pubkey_import_x509(pcert->pubkey, crt, 0);

  if (ret < 0)

    {

      gnutls_pubkey_deinit(pcert->pubkey);

      /* pcert->pubkey should be NULL now */

      ret = gnutls_assert_val(ret);

      goto cleanup;

    }



I made up two crafted cert files( client.pem, client2.pem) seems would

trigger the double free issue in client's side.



Warning: Don't try it on your host machine because it would cost too

much memory then makes your machine very slow.



shawn@sl13:~/gnutls_compile_uses/CVE-2012-1663$ ./ex-serv-x509

processing server set to null?

Server ready. Listening to port '5556'.



shawn@sl13:~/gnutls_compile_uses/CVE-2012-1663$ ./attack.sh

................

.................

...................



Another terminal: killall client



Test platform: Slackware 13.37 + GNUTLS-3.0.13



[1] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1663



[2] Upstream fix

http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=9c62f4feb2bdd6fbbb06eb0c60bfdea80d21bbb8





-- 

GNU powered it...

GPL protect it...

God blessing it...



regards

Shawn
View on GitHub