Multiple unpatched flaws exist in NSS

Multiple flaws in NSS were reported to Mozilla on or around 28 April 2017. As of this notification they have not been resolved, so I am disclosing them publicly so that anyone making use of NSS is aware that they exist. Please note that, as I send this, the bugs remain hidden on the Mozilla Bugzilla tracker.

So what is NSS? Network Security Services (NSS) comprises a set of libraries designed to support cross-platform development of security-enabled client and server applications with optional support for hardware TLS/SSL acceleration on the server side and hardware smart cards on the client side. NSS provides a complete open-source implementation of cryptographic libraries supporting Transport Layer Security (TLS) / Secure Sockets Layer (SSL) and S/MIME.

All of the following flaws were triggered with changeset 13315:769f9ae07b10 in Mozilla's Mercurial repository and can be reproduced using the NSS tool certutil together with the malformed cert8.db files I have uploaded to my GitHub. Every trace below enters the dbm code (lib/dbm) through the softoken legacydb path that opens cert8.db, so the input in each case is a malformed on-disk certificate database.

CVE-2017-11695

heap-buffer-overflow (write of size 8) in alloc_segs (lib/dbm/src/hash.c:1105)

==1001==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d00001e880 at pc 0x7fc79b663536 bp 0x7ffff2dbb950 sp 0x7ffff2dbb948
WRITE of size 8 at 0x61d00001e880 thread T0
#0 0x7fc79b663535 in alloc_segs /root/nss/lib/dbm/src/hash.c:1105:9
#1 0x7fc79b663535 in __hash_open /root/nss/lib/dbm/src/hash.c:232
#2 0x7fc79b65f9fe in dbopen /root/nss/lib/dbm/src/db.c:103:25
#3 0x7fc79b5f398e in dbsopen /root/nss/lib/softoken/legacydb/dbmshim.c:515:10
#4 0x7fc79b64257f in nsslowcert_OpenPermCertDB /root/nss/lib/softoken/legacydb/pcertdb.c:4086:30
#5 0x7fc79b64257f in nsslowcert_OpenCertDB /root/nss/lib/softoken/legacydb/pcertdb.c:4587
#6 0x7fc79b629eb6 in lg_OpenCertDB /root/nss/lib/softoken/legacydb/lginit.c:365:10
#7 0x7fc79b629eb6 in legacy_Open /root/nss/lib/softoken/legacydb/lginit.c:609
#8 0x7fc79d1524c3 in sftkdbCall_open /root/nss/lib/softoken/lgglue.c:306:12
#9 0x7fc79d1eaa2e in sftk_DBInit /root/nss/lib/softoken/sftkdb.c:2584:19
#10 0x7fc79d168990 in SFTK_SlotReInit /root/nss/lib/softoken/pkcs11.c:2484:15
#11 0x7fc79d16a14c in SFTK_SlotInit /root/nss/lib/softoken/pkcs11.c:2600:11
#12 0x7fc79d16d737 in nsc_CommonInitialize /root/nss/lib/softoken/pkcs11.c:3052:19
#13 0x7fc79d16e1c8 in NSC_Initialize /root/nss/lib/softoken/pkcs11.c:3115:11
#14 0x7fc7a09a9c1a in secmod_ModuleInit /root/nss/lib/pk11wrap/pk11load.c:245:11
#15 0x7fc7a09aba61 in secmod_LoadPKCS11Module /root/nss/lib/pk11wrap/pk11load.c:504:10
#16 0x7fc7a09df9de in SECMOD_LoadModule /root/nss/lib/pk11wrap/pk11pars.c:1672:10
#17 0x7fc7a09dfd47 in SECMOD_LoadModule /root/nss/lib/pk11wrap/pk11pars.c:1707:25
#18 0x7fc7a08fcf00 in nss_InitModules /root/nss/lib/nss/nssinit.c:464:18
#19 0x7fc7a08fcf00 in nss_Init /root/nss/lib/nss/nssinit.c:689
#20 0x7fc7a08fe0a1 in NSS_Initialize /root/nss/lib/nss/nssinit.c:889:12
#21 0x4ddd8d in certutil_main /root/nss/cmd/certutil/certutil.c:2986:18
#22 0x4db7b3 in main /root/nss/cmd/certutil/certutil.c:3703:14
#23 0x7fc7a00d5b44 in __libc_start_main /build/glibc-qK83Be/glibc-2.19/csu/libc-start.c:287
#24 0x4c500c in _start (/root/nss/cmd/certutil/Linux3.16_x86_64_clang_glibc_PTH_64_DBG.OBJ/certutil+0x4c500c)

0x61d00001e880 is located 0 bytes to the right of 2048-byte region [0x61d00001e080,0x61d00001e880)
allocated by thread T0 here:
#0 0x4a7ae0 in calloc (/root/nss/cmd/certutil/Linux3.16_x86_64_clang_glibc_PTH_64_DBG.OBJ/certutil+0x4a7ae0)
#1 0x7fc79b661c47 in alloc_segs /root/nss/lib/dbm/src/hash.c:1094:25
#2 0x7fc79b661c47 in __hash_open /root/nss/lib/dbm/src/hash.c:232
#3 0x7fc79b65f9fe in dbopen /root/nss/lib/dbm/src/db.c:103:25

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/nss/lib/dbm/src/hash.c:1105 alloc_segs

CVE-2017-11696

heap-buffer-overflow (write of size 65544) in __hash_open (lib/dbm/src/hash.c:241)

==3003==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61700000fba8 at pc 0x000000490903 bp 0x7ffcbafd0450 sp 0x7ffcbafcfc10
WRITE of size 65544 at 0x61700000fba8 thread T0
#0 0x490902 in __asan_memset (/root/nss/cmd/certutil/Linux3.16_x86_64_clang_glibc_PTH_64_DBG.OBJ/certutil+0x490902)
#1 0x7f63c21331ae in __hash_open /root/nss/lib/dbm/src/hash.c:241:15
#2 0x7f63c212f9fe in dbopen /root/nss/lib/dbm/src/db.c:103:25
#3 0x7f63c20c398e in dbsopen /root/nss/lib/softoken/legacydb/dbmshim.c:515:10
#4 0x7f63c211257f in nsslowcert_OpenPermCertDB /root/nss/lib/softoken/legacydb/pcertdb.c:4086:30
#5 0x7f63c211257f in nsslowcert_OpenCertDB /root/nss/lib/softoken/legacydb/pcertdb.c:4587
#6 0x7f63c20f9eb6 in lg_OpenCertDB /root/nss/lib/softoken/legacydb/lginit.c:365:10
#7 0x7f63c20f9eb6 in legacy_Open /root/nss/lib/softoken/legacydb/lginit.c:609
#8 0x7f63c2af44c3 in sftkdbCall_open /root/nss/lib/softoken/lgglue.c:306:12
#9 0x7f63c2b8ca2e in sftk_DBInit /root/nss/lib/softoken/sftkdb.c:2584:19
#10 0x7f63c2b0a990 in SFTK_SlotReInit /root/nss/lib/softoken/pkcs11.c:2484:15
#11 0x7f63c2b0c14c in SFTK_SlotInit /root/nss/lib/softoken/pkcs11.c:2600:11
#12 0x7f63c2b0f737 in nsc_CommonInitialize /root/nss/lib/softoken/pkcs11.c:3052:19
#13 0x7f63c2b101c8 in NSC_Initialize /root/nss/lib/softoken/pkcs11.c:3115:11
#14 0x7f63c634bc1a in secmod_ModuleInit /root/nss/lib/pk11wrap/pk11load.c:245:11
#15 0x7f63c634da61 in secmod_LoadPKCS11Module /root/nss/lib/pk11wrap/pk11load.c:504:10
#16 0x7f63c63819de in SECMOD_LoadModule /root/nss/lib/pk11wrap/pk11pars.c:1672:10
#17 0x7f63c6381d47 in SECMOD_LoadModule /root/nss/lib/pk11wrap/pk11pars.c:1707:25
#18 0x7f63c629ef00 in nss_InitModules /root/nss/lib/nss/nssinit.c:464:18
#19 0x7f63c629ef00 in nss_Init /root/nss/lib/nss/nssinit.c:689
#20 0x7f63c62a00a1 in NSS_Initialize /root/nss/lib/nss/nssinit.c:889:12
#21 0x4ddd8d in certutil_main /root/nss/cmd/certutil/certutil.c:2986:18
#22 0x4db7b3 in main /root/nss/cmd/certutil/certutil.c:3703:14
#23 0x7f63c5a77b44 in __libc_start_main /build/glibc-qK83Be/glibc-2.19/csu/libc-start.c:287
#24 0x4c500c in _start (/root/nss/cmd/certutil/Linux3.16_x86_64_clang_glibc_PTH_64_DBG.OBJ/certutil+0x4c500c)

0x61700000fba8 is located 0 bytes to the right of 680-byte region [0x61700000f900,0x61700000fba8)
allocated by thread T0 here:
#0 0x4a7ae0 in calloc (/root/nss/cmd/certutil/Linux3.16_x86_64_clang_glibc_PTH_64_DBG.OBJ/certutil+0x4a7ae0)
#1 0x7f63c212fcce in __hash_open /root/nss/lib/dbm/src/hash.c:155:27
#2 0x7f63c212f9fe in dbopen /root/nss/lib/dbm/src/db.c:103:25

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memset

CVE-2017-11697

Arithmetic exception (SIGFPE) in __hash_open (hash.c:229), raised at the division shown in the gdb output below

Program received signal SIGFPE, Arithmetic exception.
0x00007ffff1367bd7 in __hash_open (file=<optimized out>, flags=<optimized out>, mode=<optimized out>,   info=<optimized out>, dflags=<optimized out>) at hash.c:229
229             nsegs = (hashp->MAX_BUCKET + 1 + hashp->SGSIZE - 1) /
(gdb) bt
#0  0x00007ffff1367bd7 in __hash_open (file=<optimized out>, flags=<optimized out>, mode=<optimized out>, info=<optimized out>, dflags=<optimized out>) at hash.c:229
#1   0x00007ffff13659ff in dbopen (fname=0x60200000e890 "./cert8.db", flags=<optimized out>, mode=384, type=<optimized out>, openinfo=0x7ffff1380500 <dbs_hashInfo>) at db.c:103
#2  0x00007ffff12f998f in dbsopen (dbname=0x60200000e890 "./cert8.db", flags=-134322312, mode=0, type=DB_HASH, userData=<optimized out>) at dbmshim.c:515
#3  0x00007ffff1348580 in nsslowcert_OpenPermCertDB (handle=<optimized out>, readOnly=<optimized out>, appName=<optimized out>, prefix=<optimized out>, namecb=<optimized out>,
cbarg=<optimized out>) at pcertdb.c:4086
#4  nsslowcert_OpenCertDB (handle=<optimized out>, readOnly=<optimized out>, appName=<optimized out>, prefix=<optimized out>, namecb=<optimized out>, cbarg=<optimized out>,
openVolatile=<optimized out>) at pcertdb.c:4587
#5  0x00007ffff132feb7 in lg_OpenCertDB (configdir=<optimized out>, prefix=<optimized out>, readOnly=<optimized out>, certdbPtr=<optimized out>) at lginit.c:365
#6  legacy_Open (configdir=<optimized out>, certPrefix=<optimized out>, keyPrefix=<optimized out>, certVersion=<optimized out>, keyVersion=<optimized out>, flags=1, certDB=<optimized out>,
keyDB=<optimized out>) at lginit.c:609
#7  0x00007ffff1d2a4c4 in sftkdbCall_open (dir=<optimized out>, certPrefix=<optimized out>, keyPrefix=<optimized out>, certVersion=<optimized out>, keyVersion=<optimized out>,
flags=<optimized out>, certDB=<optimized out>, keyDB=<optimized out>) at lgglue.c:306
#8  0x00007ffff1dc2a2f in sftk_DBInit (configdir=<optimized out>, certPrefix=<optimized out>, keyPrefix=<optimized out>, updatedir=<optimized out>, updCertPrefix=<optimized out>,
updKeyPrefix=<optimized out>, updateID=<optimized out>, readOnly=<optimized out>, noCertDB=<optimized out>, noKeyDB=<optimized out>, forceOpen=<optimized out>, isFIPS=<optimized out>,
certDB=<optimized out>, keyDB=<optimized out>) at sftkdb.c:2584
#9  0x00007ffff1d40991 in SFTK_SlotReInit (slot=0x61200000b5c0, configdir=<optimized out>, updatedir=<optimized out>, updateID=<optimized out>, params=0x6110000097f8, moduleIndex=<optimized out>)
at pkcs11.c:2484
#10 0x00007ffff1d4214d in SFTK_SlotInit (configdir=<optimized out>, updatedir=<optimized out>, updateID=<optimized out>, params=0x6110000097f8, moduleIndex=<optimized out>) at pkcs11.c:2600
#11 0x00007ffff1d45738 in nsc_CommonInitialize (pReserved=<optimized out>, isFIPS=<optimized out>) at pkcs11.c:3052
#12 0x00007ffff1d461c9 in NSC_Initialize (pReserved=0x7fffffffdcf0) at pkcs11.c:3115
#13 0x00007ffff67bec1b in secmod_ModuleInit (mod=<optimized out>, reload=<optimized out>, alreadyLoaded=<optimized out>) at pk11load.c:245
#14 0x00007ffff67c0a62 in secmod_LoadPKCS11Module (mod=<optimized out>, oldModule=0x7fffffffe0e0) at pk11load.c:504
#15 0x00007ffff67f49df in SECMOD_LoadModule (
modulespec=0x61400000fe40 "library= name=\"NSS Internal PKCS #11 Module\" parameters=\"configdir='.' certPrefix='' keyPrefix='' secmod='secmod.db' flags=readOnly updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' upda"..., parent=<optimized out>, recurse=<optimized out>) at pk11pars.c:1672
#16 0x00007ffff67f4d48 in SECMOD_LoadModule (
modulespec=0x61200000bbc0 "name=\"NSS Internal Module\" parameters=\"configdir='.' certPrefix='' keyPrefix='' secmod='secmod.db' flags=readOnly updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription"..., parent=<optimized out>, recurse=<optimized out>) at pk11pars.c:1707
#17 0x00007ffff6711f01 in nss_InitModules (configdir=0x13a6040 <SECU_ConfigDirectory.buf> ".", certPrefix=<optimized out>, keyPrefix=<optimized out>, secmodName=<optimized out>,
updateDir=<optimized out>, updCertPrefix=<optimized out>, updKeyPrefix=<optimized out>, updateID=<optimized out>, updateName=<optimized out>, configName=<optimized out>,
configStrings=<optimized out>, pwRequired=<optimized out>, readOnly=<optimized out>, noCertDB=<optimized out>, noModDB=<optimized out>, forceOpen=<optimized out>,
optimizeSpace=<optimized out>, isContextInit=<optimized out>) at nssinit.c:464
#18 nss_Init (configdir=<optimized out>, certPrefix=<optimized out>, keyPrefix=<optimized out>, secmodName=<optimized out>, updateDir=<optimized out>, updCertPrefix=<optimized out>,
updKeyPrefix=<optimized out>, updateID=<optimized out>, updateName=<optimized out>, initContextPtr=<optimized out>, initParams=<optimized out>, readOnly=<optimized out>,
noCertDB=<optimized out>, noModDB=<optimized out>, forceOpen=<optimized out>, noRootInit=<optimized out>, optimizeSpace=<optimized out>, noSingleThreadedModules=<optimized out>,
allowAlreadyInitializedModules=<optimized out>, dontFinalizeModules=<optimized out>) at nssinit.c:689
#19 0x00007ffff67130a2 in NSS_Initialize (configdir=0x61700000f914 "", certPrefix=0x7ffff7fe6778 "\313y", keyPrefix=0x0, secmodName=0x0, flags=<optimized out>) at nssinit.c:889
#20 0x00000000004ddd8e in certutil_main (argc=<optimized out>, argv=<optimized out>, initialize=<optimized out>) at certutil.c:2986
#21 0x00000000004db7b4 in main (argc=63764, argv=0x7ffff7fe6778) at certutil.c:3703

CVE-2017-11698

heap-buffer-overflow (write of size 2) in __get_page (lib/dbm/src/h_page.c:704)

==15793==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000e830 at pc 0x7fd39453c482 bp 0x7ffe3eda87f0 sp 0x7ffe3eda87e8
WRITE of size 2 at 0x60200000e830 thread T0
#0 0x7fd39453c481 in __get_page /root/nss/lib/dbm/src/h_page.c:704:9
#1 0x7fd39452fdbc in __get_buf /root/nss/lib/dbm/src/hash_buf.c:143:13
#2 0x7fd39452b795 in hash_access /root/nss/lib/dbm/src/hash.c:781:13
#3 0x7fd394528cd8 in hash_get /root/nss/lib/dbm/src/hash.c:672:10
#4 0x7fd3944b8d8e in dbs_get /root/nss/lib/softoken/legacydb/dbmshim.c:331:11
#5 0x7fd3945001a7 in certdb_Get /root/nss/lib/softoken/legacydb/pcertdb.c:233:11
#6 0x7fd3945001a7 in ReadDBEntry /root/nss/lib/softoken/legacydb/pcertdb.c:467
#7 0x7fd3945195a8 in ReadDBVersionEntry /root/nss/lib/softoken/legacydb/pcertdb.c:2869:10
#8 0x7fd3945195a8 in nsslowcert_GetVersionNumber /root/nss/lib/softoken/legacydb/pcertdb.c:4050
#9 0x7fd394507612 in nsslowcert_OpenPermCertDB /root/nss/lib/softoken/legacydb/pcertdb.c:4091:19
#10 0x7fd394507612 in nsslowcert_OpenCertDB /root/nss/lib/softoken/legacydb/pcertdb.c:4587
#11 0x7fd3944eeeb6 in lg_OpenCertDB /root/nss/lib/softoken/legacydb/lginit.c:365:10
#12 0x7fd3944eeeb6 in legacy_Open /root/nss/lib/softoken/legacydb/lginit.c:609
#13 0x7fd3947704c3 in sftkdbCall_open /root/nss/lib/softoken/lgglue.c:306:12
#14 0x7fd394808a2e in sftk_DBInit /root/nss/lib/softoken/sftkdb.c:2584:19
#15 0x7fd394786990 in SFTK_SlotReInit /root/nss/lib/softoken/pkcs11.c:2484:15
#16 0x7fd39478814c in SFTK_SlotInit /root/nss/lib/softoken/pkcs11.c:2600:11
#17 0x7fd39478b737 in nsc_CommonInitialize /root/nss/lib/softoken/pkcs11.c:3052:19
#18 0x7fd39478c1c8 in NSC_Initialize /root/nss/lib/softoken/pkcs11.c:3115:11
#19 0x7fd397fc7c1a in secmod_ModuleInit /root/nss/lib/pk11wrap/pk11load.c:245:11
#20 0x7fd397fc9a61 in secmod_LoadPKCS11Module /root/nss/lib/pk11wrap/pk11load.c:504:10
#21 0x7fd397ffd9de in SECMOD_LoadModule /root/nss/lib/pk11wrap/pk11pars.c:1672:10
#22 0x7fd397ffdd47 in SECMOD_LoadModule /root/nss/lib/pk11wrap/pk11pars.c:1707:25
#23 0x7fd397f1af00 in nss_InitModules /root/nss/lib/nss/nssinit.c:464:18
#24 0x7fd397f1af00 in nss_Init /root/nss/lib/nss/nssinit.c:689
#25 0x7fd397f1c0a1 in NSS_Initialize /root/nss/lib/nss/nssinit.c:889:12
#26 0x4ddd8d in certutil_main /root/nss/cmd/certutil/certutil.c:2986:18
#27 0x4db7b3 in main /root/nss/cmd/certutil/certutil.c:3703:14
#28 0x7fd3976f3b44 in __libc_start_main /build/glibc-qK83Be/glibc-2.19/csu/libc-start.c:287
#29 0x4c500c in _start (/root/nss/cmd/certutil/Linux3.16_x86_64_clang_glibc_PTH_64_DBG.OBJ/certutil+0x4c500c)

0x60200000e831 is located 0 bytes to the right of 1-byte region [0x60200000e830,0x60200000e831)
allocated by thread T0 here:
  #0 0x4a798b in malloc (/root/nss/cmd/certutil/Linux3.16_x86_64_clang_glibc_PTH_64_DBG.OBJ/certutil+0x4a798b)
  #1 0x7fd39452efae in newbuf /root/nss/lib/dbm/src/hash_buf.c:214:33
  #2 0x7fd39452efae in __get_buf /root/nss/lib/dbm/src/hash_buf.c:140

  SUMMARY: AddressSanitizer: heap-buffer-overflow /root/nss/lib/dbm/src/h_page.c:704 __get_page

These flaws were discovered by Brian Carpenter of Geeknik Labs using the American Fuzzy Lop tool. As always, you can support me on Patreon, via PayPal, Bitcoin 1HnyFwSJDjWFexD7oRr4HGTFwD8N6NsrfX or Ethereum 0xee9cBCB8DDC4f25832AD7FC02FADB981b1212D04.

Geeknik Labs
