YAASN.1B (Yet-Another-ASN.1-Bug)
Yes, this time in Squid. I've been following security bugs in ASN.1 parsers for some time now, as it seems to be a common bug, owing to the complexity of parsing complex structures like ASN.1.
By my count, 18 or so security updates have been issued in the last two years relating to ASN.1 parsing:
Squid Web Proxy Cache Remote Denial of Service Vulnerability
https://www.idefense.com/application/poi/display?id=152Heap-based buffer overflow in ASN.1 decoding library in Check Point VPN-1 products
https://icat.nist.gov/icat.cfm?cvename=CAN-2004-0699MIT krb5: Multiple vulnerabilities (heap overrun)
https://icat.nist.gov/icat.cfm?cvename=CAN-2004-0644MIT krb5: Multiple vulnerabilities (Double-free)
https://icat.nist.gov/icat.cfm?cvename=CAN-2004-0642Vulnerability in libtasn1 related to DER parsing
https://icat.nist.gov/icat.cfm?cvename=CAN-2004-0401Double-free vulnerability in the ASN.1 library in Windows
https://icat.nist.gov/icat.cfm?cvename=CAN-2004-0123Multiple integer overflows in Microsoft ASN.1 library
https://icat.nist.gov/icat.cfm?cvename=CAN-2003-0818OpenSSL 0.9.6k allows remote attackers to cause a denial of service (crash via large recursion) via malformed ASN.1 sequences.
https://icat.nist.gov/icat.cfm?cvename=CAN-2003-0851Multiple vulnerabilities in multiple vendor implementations of the X.400 protocol
https://icat.nist.gov/icat.cfm?cvename=CAN-2003-0565Multiple vulnerabilities in multiple vendor implementations of the Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol
https://icat.nist.gov/icat.cfm?cvename=CAN-2003-0564Double-free vulnerability in OpenSSL 0.9.7
https://icat.nist.gov/icat.cfm?cvename=CAN-2003-0545OpenSSL 0.9.6 and 0.9.7 does not properly track the number of characters in certain ASN.1 inputs
https://icat.nist.gov/icat.cfm?cvename=CAN-2003-0544Integer overflow in OpenSSL 0.9.6 and 0.9.7 allows remote attackers to cause a denial of service
https://icat.nist.gov/icat.cfm?cvename=CAN-2003-0543The SPNEGO dissector in Ethereal 0.9.12 and earlier allows remote attackers to cause a denial of service (crash) via an invalid ASN.1 value.
https://icat.nist.gov/icat.cfm?cvename=CAN-2003-0430Integer signedness error in MIT Kerberos V5 ASN.1 decoder
https://icat.nist.gov/icat.cfm?cvename=CAN-2002-0036The ASN1 library in OpenSSL 0.9.6d and earlier, and 0.9.7-beta2 and earlier, allows remote attackers to cause a denial of service
https://icat.nist.gov/icat.cfm?cvename=CAN-2002-0659The ASN.1 parser in Ethereal 0.9.2 and earlier allows remote attackers to cause a denial of service
https://icat.nist.gov/icat.cfm?cvename=CAN-2002-0353Vulnerabilities in the SNMPv1 request handling
https://icat.nist.gov/icat.cfm?cvename=CAN-2002-0013
So what the heck is ASN.1? It's a standard way, defined in X.680, to describe complex binary data. I know purists will hate me for saying this, but think of binary XML. You describe the data format in ASN format, and then an ASN compiler creates .C[PP] and .H[PP] files that you compile and link into your code. Voila!
For example, the following ASN snippet:
Stuff DEFINITIONS ::=
BEGIN
PersonnelRecord ::= SEQUENCE {
nameName,
titleOCTET STRING,
numberEmployeeNumber,
dateOfHireDate,
nameOfSpouseName}
Name ::= SEQUENCE {
givenNameOCTET STRING,
initialOCTET STRING,
familyNameOCTET STRING}
EmployeeNumber ::= INTEGER
Date ::= OCTET STRING -- YYYYMMDD
END
May create the following header file:
#include "asn_obj.h“
#include “stuff.h“
class Name : public AsnSequence {
public:
AsnOctetString givenName;
AsnOctetString initial;
AsnOctetString familyName;
Name();
};
typedef AsnInteger EmployeeNumber;
typedef AsnOctetString Date;
class PersonnelRecord : public AsnSequence {
public:
Name name;
AsnOctetString title;
AsnInteger number;
AsnOctetString dateOfHire;
Name nameOfSpouse;
PersonnelRecord();
};
PersonnelRecord::PersonnelRecord() {...}
Name::Name() {...}
Problem is, if there are parsing errors in the ASN data format cracking library, then you may have security issues. The real worry is many network and security protocols use ASN.1, such as X.509 certificates (therefore SSL/TLS), Kerberos, SNMP, S/MIME, IPSec and so on.
The real lesson is this, code review your ASN.1 parsing code, or library, for integer overflow and buffer overrun issues. Or you may be next!