Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <51CEE994.4000208@gmail.com>
Date: Sat, 29 Jun 2013 10:05:08 -0400
From: Dan Rosenberg <dan.j.rosenberg@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE request: Multiple issues in GNU ZRTPCPP

I'd like to request CVEs for multiple security vulnerabilities
discovered, reported, and published by Mark Dowd of Azimuth Security in
GNU ZRTPCPP, an open-source ZRTP implementation used in a number of
"secure phone" solutions:

http://blog.azimuthsecurity.com/2013/06/attacking-crypto-phones-weaknesses-in.html


1. Remote heap overflow

A remote attacker can cause a heap-based buffer overflow by sending an
overly-large ZRTP packet of several possible types, including a "Hello"
packet. Successful exploitation would allow an attacker to execute
arbitrary code in the context of a vulnerable application.


2. Multiple remote stack overflows

A remote attacker can cause multiple stack-based buffer overflows by
sending a malformed ZRTP Hello packet with an overly-large value in
certain fields, including the count of public keys. Exploitation may be
difficult due to the details of the layout of stack variables in memory,
but successful exploitation would allow an attacker to execute arbitrary
code in the context of a vulnerable application.


3. Multiple remote heap memory disclosures

By sending a truncated ZRTP Ping packet, the response packet will
include several bytes of the affected application's heap memory due to a
lack of validation on the incoming packet. This flaw could be exploited
to gain knowledge about the heap state of an affected application to
enable further attacks, or potentially reveal sensitive information
stored on the heap.


The fixes for all of these flaws were included in the following commit:
https://github.com/wernerd/ZRTPCPP/commit/c8617100f359b217a974938c5539a1dd8a120b0e


Regards,
Dan

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.