ASA-2019-00463 – libssh2: Out-of-bounds read leading to information disclosure


Allele Security Alert

ASA-2019-00463

Identifier(s)

ASA-2019-00463, CVE-2019-13115

Title

Out-of-bounds read leading to information disclosure

Vendor(s)

The libssh2 project

Product(s)

libssh2

Affected version(s)

libssh2 version 1.8.2 and earlier

Fixed version(s)

libssh2 version 1.9.0

Proof of concept

Yes

Description

In libssh2 before 1.9.0, the function kex_method_diffie_hellman_group_exchange_sha256_key_exchange() in the file kex.c has an integer overflow that could lead to an out-of-bounds read in the way packets are read from the server. A remote attacker who controls a malicious or compromised SSH server may be able to disclose sensitive information from the client process or cause a denial of service condition on the client system when a user connects to that server.

Technical details

The integer overflow is in the bounds-check helper _libssh2_check_length() in misc.c, which the key exchange code in kex.c calls to validate lengths read from the server's packet:

int _libssh2_check_length(struct string_buf *buf, size_t len)
{
    /* both operands are truncated to int before the comparison */
    return ((int)(buf->dataptr - buf->data) <= (int)(buf->len - len)) ? 1 : 0;
}

The problem with this function is that both casts to int can truncate. The left-hand cast is safe because the fields of buf are trusted values, but the right-hand cast is not, because len comes from the packet and is attacker-controlled. If the server supplies a len greater than buf->len + 0x80000000, the unsigned subtraction buf->len - len wraps around, and the truncation to int turns the result into a very large positive number, so the comparison succeeds and the bounds check is bypassed. The caller then reads len bytes starting inside a much smaller buffer; a large overread crashes libssh2 with a segmentation fault, while a smaller one can leak heap contents back to the server.
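The following program, an added example and not code from this advisory or from libssh2, reproduces the 1.8.2 check beside a hardened version that stays in size_t, and runs both against a normal request and the wrapping len described above. The struct string_buf stand-in, the function names and the 64-byte sample buffer are assumptions made for the demonstration; the hardened check is illustrative and is not the project's actual patch (see pull requests #348 and #350 in the references).

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-in for libssh2's struct string_buf (assumption: only the three
 * fields the check touches are modelled). */
struct string_buf {
    unsigned char *data;     /* start of the packet buffer */
    unsigned char *dataptr;  /* current read position */
    size_t len;              /* total length of the buffer */
};

/* The 1.8.2 logic, reproduced unchanged for comparison. Both operands are
 * truncated to int. Converting an out-of-range value to int is
 * implementation-defined; gcc, clang and MSVC all keep the low 32 bits,
 * which is what lets a wrapped size_t difference turn into a positive
 * int and satisfy the "<=". */
int check_length_vulnerable(struct string_buf *buf, size_t len)
{
    return ((int)(buf->dataptr - buf->data) <= (int)(buf->len - len)) ? 1 : 0;
}

/* Hardened form (illustrative, not libssh2's actual patch): stay in
 * size_t, reject any len larger than the whole buffer before subtracting
 * so buf->len - len cannot wrap, then compare against the bytes left. */
int check_length_fixed(struct string_buf *buf, size_t len)
{
    size_t consumed = (size_t)(buf->dataptr - buf->data);
    if (consumed > buf->len)   /* cursor past the end: nothing is readable */
        return 0;
    if (len > buf->len)        /* guards the subtraction below */
        return 0;
    return (len <= buf->len - consumed) ? 1 : 0;
}

/* Smallest len that defeats the old check for a buffer of buf_len bytes:
 * the advisory's "greater than buf->len + 0x80000000". */
size_t bypass_len(size_t buf_len)
{
    return buf_len + (size_t)0x80000000UL + 1;
}

/* Builds a buffer of buf_len bytes with `consumed` bytes already read and
 * asks the given check whether `len` more bytes may be read. buf.len is
 * never used to index memory, so the backing array only has to cover
 * `consumed`. Returns -1 if the sample buffer is too small for that. */
static int run_check(int (*check)(struct string_buf *, size_t),
                     size_t buf_len, size_t consumed, size_t len)
{
    static unsigned char storage[256];   /* constructed sample buffer */
    struct string_buf buf;
    if (consumed > sizeof storage)
        return -1;
    buf.data = storage;
    buf.dataptr = storage + consumed;
    buf.len = buf_len;
    return check(&buf, len);
}

int run_vulnerable(size_t buf_len, size_t consumed, size_t len)
{
    return run_check(check_length_vulnerable, buf_len, consumed, len);
}

int run_fixed(size_t buf_len, size_t consumed, size_t len)
{
    return run_check(check_length_fixed, buf_len, consumed, len);
}

int main(void)
{
    size_t buf_len = 64, consumed = 16;    /* 48 bytes remain unread */
    size_t cases[4];
    size_t i;
    cases[0] = 48;                         /* exactly what is left: both accept */
    cases[1] = 49;                         /* one byte too many: both reject */
    cases[2] = bypass_len(buf_len) - 1;    /* buf_len + 2^31: (int) is INT_MIN, still rejected */
    cases[3] = bypass_len(buf_len);        /* one more: (int) is INT_MAX, old check accepts */
    for (i = 0; i < 4; i++)
        printf("len=0x%zx  old check=%d  hardened=%d\n", cases[i],
               run_vulnerable(buf_len, consumed, cases[i]),
               run_fixed(buf_len, consumed, cases[i]));
    return 0;
}
```

Build with `cc -Wall example.c && ./a.out`: the last line shows the old check returning 1 for a request of 0x80000041 bytes against a 64-byte buffer, which is the read the key exchange code would then attempt. The boundary case one below it shows why the advisory says "greater than" rather than "at least": at exactly buf->len + 0x80000000 the truncated value is INT_MIN and the comparison still fails.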

Credits

Kevin Backhouse (Semmle Security Research Team)

Reference(s)

libssh2 integer overflows and an out-of-bounds read (CVE-2019-13115)
https://blog.semmle.com/libssh2-integer-overflow/

Out-of-bounds read in libssh2 (CVE-2019-13115)
https://github.com/Semmle/SecurityExploits/tree/446048470633bf0f8da9570d008d056dbaa28ea9/libssh2/out_of_bounds_read_kex_CVE-2019-13115

_libssh2_check_length() : additional bounds check #348
https://github.com/libssh2/libssh2/pull/348/commits/08ef9b76dbeb3b71cc5739d5518159651d180520

Simplified _libssh2_check_length #350
https://github.com/libssh2/libssh2/pull/350/commits/5929e269990fcf923fc5371b78a63b39c9fa7048

Simplified _libssh2_check_length #350
https://github.com/libssh2/libssh2/pull/350/commits/b4289eeb84057d3d5e041af72af000a80b4f40d6

CVE-2019-13115
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13115

CVE-2019-13115
https://nvd.nist.gov/vuln/detail/CVE-2019-13115

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: August 10, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.