GnuTLS libgnutls Double-free Certificate List Parsing Remote DoS
- Publication date:
- Impact type:
Denial of service
Sorry, I forgot to write headers in the previous mail.
# Exploit Title: [possible ways to exploit CVE-2012-1663( GNUTLS-3.0.13)]
# Google Dork: [if relevant] (we will automatically add these to the GHDB)
# Date: [Mar 20, 2013]
# Exploit Author: [Shawn the R0ck]
# Vendor Homepage: [http://www.gnutls.org/]
# Software Link: [download link if available]
# Version: [<= 3.0.13]
# Tested on: [GNU/Linux]
# CVE : [CVE-2012-1663]
I'm glad to share this with you guys. The test code was attached. You
could also find them here:
CVE-2013-1663 is a possible remote DoS attack issue. This issue has
been fixed in >=GNUTLS-3.0.14. I hacked on it for hours and figured out
a few prerequisites that could make it vulnerable:
- prior to GNUTLS 3.0.14
- crafted certificate
- a client imports a crafted cert file for sending a req to the server (CA?)
- a "server" imports a crafted cert file for sending a req to other
---> With high-frequency use of the above manipulations
Standing on the client side, the attacker should try to construct a
crafted certificate to make the function below fail:
    ret = gnutls_pubkey_import_x509(pcert->pubkey, crt, 0);
    if (ret < 0)
        /* pcert->pubkey should be NULL now */
        ret = gnutls_assert_val(ret);
I made up two crafted cert files (client.pem, client2.pem) which, it seems,
would trigger the double-free issue on the client's side.
Warning: Don't try it on your host machine because it would cost too
much memory and then make your machine very slow.
processing server set to null?
Server ready. Listening to port '5556'.
Another terminal: killall client
Test platform: Slackware 13.37 + GNUTLS-3.0.13
 Upstream fix
GNU powered it...
GPL protect it...
God blessing it...
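
The comment in the snippet from the post above ("pcert->pubkey should be NULL now") points at a general pattern: an error path releases a member but keeps the stale pointer, so the caller's cleanup releases it a second time. The following is an added example, not part of the original post and not GnuTLS code; every name in it (`cert_import`, `key_free`, the `hardened` flag) is hypothetical, and a static pool stands in for the heap so the second release is counted instead of corrupting memory.

```c
#include <stdio.h>

/* Hypothetical stand-ins for illustration; none of these are GnuTLS APIs. */
struct key  { int in_use; };
struct cert { struct key *pubkey; };

static struct key pool[4];   /* static pool replaces malloc/free so the demo is safe */
static int double_frees;     /* releases of a key that was already released */

static struct key *key_new(void) {
    for (int i = 0; i < 4; i++)
        if (!pool[i].in_use) { pool[i].in_use = 1; return &pool[i]; }
    return NULL;
}

static void key_free(struct key *k) {
    if (!k) return;                              /* like free(NULL): no-op */
    if (!k->in_use) { double_frees++; return; }  /* real free() would corrupt the heap */
    k->in_use = 0;
}

/* Constructed rule: an empty encoding plays the role of the crafted certificate. */
static int key_import(struct key *k, const char *der) {
    return (k && der && der[0]) ? 0 : -1;
}

static int cert_import(struct cert *c, const char *der, int hardened) {
    c->pubkey = key_new();
    if (key_import(c->pubkey, der) < 0) {
        key_free(c->pubkey);             /* error path releases the key ... */
        if (hardened) c->pubkey = NULL;  /* ... and must also forget the pointer */
        return -1;
    }
    return 0;
}

static void cert_deinit(struct cert *c) { key_free(c->pubkey); c->pubkey = NULL; }

/* Import then clean up, as a caller would; returns the number of double releases. */
int run_import(const char *der, int hardened) {
    struct cert c = { 0 };
    double_frees = 0;
    cert_import(&c, der, hardened);
    cert_deinit(&c);
    return double_frees;
}

int main(void) {
    printf("stale pointer: %d, pointer cleared: %d\n", run_import("", 0), run_import("", 1));
    return 0;
}
```

Building real code with `-fsanitize=address` reports this class of bug at the second `free()` call, which is a quick check when auditing error paths like the one quoted in the post.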