OpenSSL 1.1.0: remote client memory corruption in ssl_add_clienthello_tlsext()

This requires tickets, requesting certificate status from server, and
a large ALPN list. The most unusual requirement is that the client sets a very large ALPN list. This is very unlikely in a real-world application, and therefore OpenSSL is treating this issue as a bug rather than a vulnerability, and I agree with this assessment. I’m publishing this because I think it’s nonetheless an interesting case.

Modify the server so that it will send a large ticket. What I did was
edit tls_construct_new_session_tickets so that the buffer is large

3051     if (!BUF_MEM_grow(s->init_buf,
3052                       SSL_HM_HEADER_LENGTH(s) + 6 + sizeof(key_name) +
3053                       EVP_MAX_IV_LENGTH + EVP_MAX_BLOCK_LENGTH +
3054                       EVP_MAX_MD_SIZE + slen + 0xFFFF))
3055         goto err;

adjust ticket size:

3132     p += hlen;
3133     p += 16022;
3134     /* Now write out lengths: p points to end of data written */
3135     /* Total length */

(I added the line with 16022).

Run the server like this:

openssl s_server -alpn 'x'

Run the client like this:

openssl s_client -reconnect -status -alpn `python -c "import sys;

This should result in a crash.

This is due to an invalid size check in the TLSEXT_STATUSTYPE_ocsp
part of ssl_add_clienthello_tlsext:

1264         if ((long)(limit - ret - 7 - extlen - idlen) < 0)
1265             return NULL;
1266         s2n(TLSEXT_TYPE_status_request, ret);
1267         if (extlen + idlen > 0xFFF0)
1268             return NULL;
1269         s2n(extlen + idlen + 5, ret);
1270         *(ret++) = TLSEXT_STATUSTYPE_ocsp;
1271         s2n(idlen, ret);
1272         for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
1273             /* save position of id len */
1274             unsigned char *q = ret;
1275             id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1276             /* skip over id len */
1277             ret += 2;
1278             itmp = i2d_OCSP_RESPID(id, &ret);
1279             /* write id len */
1280             s2n(itmp, q);
1281         }
1282         s2n(extlen, ret);
1283         if (extlen > 0)
1284             i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);

s2n (2 bytes), s2n (2 bytes), ret++ (1 byte), s2n (2 bytes) and then the s2n on line 1282 is 9 bytes, but the check on line 1264 checks only for 7 bytes. Using a specially crafted ticket (size) you can ensure that ‘ret’ is 2 bytes PAST ‘limit’ after this routine.

Then in the ALPN writing routine later this happens:

1324     if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len) {
1325         if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len)
1326             return NULL;

limit – ret is cast to size_t, so instead of -2 it becomes a very large value, and the code execution passes this check.

Then the memcpy a few lines later causes the crash.

It doesn’t crash immediately after ‘ret’ crosses ‘limit’ because the
buffer is over-allocated by the code in crypto/buffer/buffer.c:

 87     /* This limit is sufficient to ensure (len+3)/3*4 < 2**31 */
 88     if (len > LIMIT_BEFORE_EXPANSION) {
 90         return 0;
 91     }
 92     n = (len + 3) / 3 * 4;

which is why a relatively large ALPN size is required for the crash.

Note that nothing out of the ordinary will happen if the server sends normal-sized tickets.

And just to be clear, you don’t need to modify the source code of the client in order to make this work. You only need to modify the server code (a separate build if you want) so it sends large tickets.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.