Date: Tue, 14 Aug 2018 15:45:23 +0200
From: X41 D-Sec GmbH Advisories <advisories@...-dsec.de>
To: bugtraq@...urityfocus.com, fulldisclosure@...lists.org,
 oss-security@...ts.openwall.com
Subject: X41 D-Sec GmbH Security Advisory X41-2018-004: Multiple
 Vulnerabilities in Yubico libykneomgr

X41 D-Sec GmbH Security Advisory: X41-2018-004

Multiple Vulnerabilities in Yubico libykneomgr
==============================================


Overview
--------
Confirmed Affected Versions: 0.1.9
Confirmed Patched Versions: -
Vendor: Yubico / Deprecated
Vendor URL: https://www.yubico.com/
Credit: X41 D-Sec GmbH, Eric Sesterhenn
Status: Public
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2018-004-libykneomgr/


Summary and Impact
------------------
An out-of-bounds write and an out-of-bounds read were discovered in the
handling of malicious responses received from a smartcard. These might
lead to memory corruption. We assume that these are not easily
exploitable.
X41 did not perform a full test or audit on the software.
Please note that the library has been deprecated for more than a year
and no update will be published by the vendor.


Product Description
-------------------
This is a C library to interact with the CCID-part of the YubiKey NEO.
There is a command line tool "ykneomgr" for interactive use.  It
supports querying the YubiKey NEO for firmware version, operation mode
(OTP/CCID) and serial number.  You may also mode switch the device and
manage applets (list, delete and install).

Out of Bounds Read/Writes
=========================
Severity Rating: Medium
Vector: APDU Response
CVE:
CWE: 120
CVSS Score: 7.1 (High)
CVSS Vector: CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H


Summary and Impact
------------------
File lib/backendpcsc.c contains the following code in function
`backendappletlist()`

{% highlight c %}
    {
      size_t i;
      /* thislen is taken straight from the card response */
      size_t thislen = recv[length++];
      for (i = 0; i < thislen; i++)
        {
          if (appletstr)
            {
              /* checks room for the two hex digits only */
              if (reallen + 2 > *len)
                {
                  return YKNEOMGR_BACKEND_ERROR;
                }
              /* writes two hex digits plus a terminating '\0' */
              sprintf (p, "%02x", recv[length]);
              p += 2;
            }
          reallen += 2;
          length++;
        }
      if (appletstr)
        {
          if (reallen + 1 > *len)
            {
              return YKNEOMGR_BACKEND_ERROR;
            }
          *p = '\0';
          p++;
        }
      reallen++;
      length += 2;
    }
{% endhighlight %}

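The bounds check in front of the sprintf() call only accounts for the
two hex characters, but sprintf() also terminates the string with a
trailing null byte. When exactly two bytes are left in the output
buffer, this results in an off-by-one write of a '\x00'. Additionally,
reads from recv are performed based on thislen, which is retrieved from
the response data without further safety checks.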
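
A bounds-checked form of the same decoding loop, as an added example that is not part of the advisory or of libykneomgr. The function name decode_applet_ids(), its parameters and the sample bytes are assumptions; the record layout (length byte, ID bytes, two skipped bytes) follows the loop quoted above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical hardened decoder, not libykneomgr code. Assumed record
 * layout, following the loop in the advisory: one length byte, that many
 * ID bytes, then two bytes that are skipped. Each ID is written to out
 * as a NUL-terminated hex string. Returns 0, or -1 on truncated input
 * or insufficient output space. */
int decode_applet_ids(const uint8_t *recv, size_t recvlen,
                      char *out, size_t outcap, size_t *outlen)
{
    static const char hex[] = "0123456789abcdef";
    size_t in = 0, used = 0;

    while (in < recvlen) {
        size_t this_len = recv[in++];
        /* Input: claimed length plus the two skipped bytes must fit. */
        if (this_len > recvlen - in || recvlen - in - this_len < 2)
            return -1;
        /* Output: two hex digits per byte plus the NUL, checked once
         * for the whole record before anything is written. */
        if (2 * this_len + 1 > outcap - used)
            return -1;

        for (size_t i = 0; i < this_len; i++, in++) {
            out[used++] = hex[recv[in] >> 4];
            out[used++] = hex[recv[in] & 0x0f];
        }
        out[used++] = '\0';
        in += 2;
    }
    *outlen = used;
    return 0;
}

int main(void)
{
    /* Constructed sample: two records, IDs a0 00 and ff. */
    const uint8_t resp[] = {0x02, 0xa0, 0x00, 0x07, 0x00, 0x01, 0xff, 0x01, 0x00};
    char out[8];
    size_t n = 0;
    int rc = decode_applet_ids(resp, sizeof resp, out, sizeof out, &n);
    printf("rc=%d used=%zu first=%s\n", rc, n, rc == 0 ? out : "");
    /* One byte less: the second record's NUL no longer fits, so -1. */
    printf("rc=%d\n", decode_applet_ids(resp, sizeof resp, out, 7, &n));
    return 0;
}
```

The second call in main() is the boundary case from the advisory: exactly two bytes remain for the last record, which the original check accepts and this one rejects.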


Workarounds
-----------
It is advised to migrate to YubiKey Manager since the vendor does not
support the library anymore and will not issue a patch.

Timeline
========
2018-02-03 Issues found
2018-05-22 Vendor contacted
2018-05-22 Vendor reply
2018-06-05 Requesting technical feedback from the vendor
2018-06-06 Vendor confirms bug, but states that library is deprecated, will not be fixed
2018-08-11 Advisory released
-- 
X41 D-SEC GmbH, Dennewartstr. 25-27, D-52068 Aachen
T: +49 241 9809418-0, Fax: -9
Unternehmenssitz: Aachen, Amtsgericht Aachen: HRB19989
Geschäftsführer: Markus Vervier
