RNCryptor-go
fails with malformed data
If trying to decrypt a short byte array with malformed data, it fails catastrophically with the memory access error "accessing slice out of bounds". I fear this might be exploited with some injection attack on the server side (maybe causing attacker-determined code to be executed in some circumstances).
Should instead report test array length before use, and refuse clearly malformed data by giving proper error.
Good find! Can you share an example of what kind of data causes the error?
Hello. I found the error by chance, by passing a test password which was intended to be
- Base 64 encoded
- encrypted
If you decode the pattern '12345678' as if it was B64 encoded, and then assign it to a byte array, decrypting that byte array will cause rncryptor.Decrypt to fail. NB: "12345678" was obviously a test case, not an actual password.
example of the failing code
```go
func login(c *ace.C) {
	c.Request.ParseForm()
	b64str := "12345678" //c.Request.Form.Get("password")
	ciphertext, err := base64.StdEncoding.DecodeString(b64str)
	if err != nil {
		c.JSON(ErrorNotAuthorized, map[string]string{"status": "unauthorized", "error": "wrong data format"})
		return
	}
	// commented out workaround inserted in order to prevent rncryptor crash with short data
	//if (ciphertext == nil || len(ciphertext)<16 ) {
	//	c.JSON(ErrorNotAuthorized, map[string]string{"status":"unauthorized","error":"wrong data format"})
	//	return
	//
	//}
	plaintext, error := rncryptor.Decrypt(password_key, ciphertext) // crashes here due to out of bound array access
	if error != nil {
		c.JSON(ErrorNotAuthorized, map[string]string{"status": "unauthorized", "error": error.Error()})
		return
	}
	password := string(plaintext[:])
	// ....
}
```
best, Michele
On Thu, Jul 9, 2015 at 4:24 PM, Steven Schobert [email protected] wrote:
> Good find! Can you share an example of what kind of data causes the error?
Michele Giuseppe Fadda
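A length and framing check of the kind the report asks for, as an added example (not code from RNCryptor-go or from the posts above). `CheckV3`, `SafeDecrypt` and `ErrMalformed` are hypothetical names, the decrypt function is passed in with an assumed signature, and the 82-byte minimum assumes the published RNCryptor v3 password-based layout. Go reports an out-of-range slice access as a runtime panic, so the wrapper also converts any panic inside the decrypt call into an ordinary error.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
)

// Assumed RNCryptor v3 password-based layout (from the format spec, not this page):
// version(1) options(1) encSalt(8) hmacSalt(8) IV(16) ciphertext(n*16, n>=1) HMAC(32).
const (
	headerLen = 1 + 1 + 8 + 8 + 16
	hmacLen   = 32
	blockLen  = 16
	minLen    = headerLen + blockLen + hmacLen // 82 bytes
)

// ErrMalformed is returned for any input rejected before or during decryption.
var ErrMalformed = errors.New("rncryptor: malformed message")

// CheckV3 rejects input that cannot be a v3 password-based message.
func CheckV3(data []byte) error {
	if len(data) < minLen {
		return fmt.Errorf("%w: %d bytes, need at least %d", ErrMalformed, len(data), minLen)
	}
	if data[0] != 3 {
		return fmt.Errorf("%w: unsupported version %d", ErrMalformed, data[0])
	}
	if (len(data)-headerLen-hmacLen)%blockLen != 0 {
		return fmt.Errorf("%w: ciphertext is not a whole number of AES blocks", ErrMalformed)
	}
	return nil
}

// SafeDecrypt validates first, then turns a panic inside decrypt into an error.
func SafeDecrypt(decrypt func(string, []byte) ([]byte, error), password string, data []byte) (plain []byte, err error) {
	if err = CheckV3(data); err != nil {
		return nil, err
	}
	defer func() {
		if r := recover(); r != nil {
			plain, err = nil, fmt.Errorf("%w: decrypt panicked: %v", ErrMalformed, r)
		}
	}()
	return decrypt(password, data)
}

func main() {
	short, _ := base64.StdEncoding.DecodeString("12345678") // the 6-byte input from the report
	fmt.Println(SafeDecrypt(nil, "pw", short))
}
```

In the handler from the report, the call would become `SafeDecrypt(rncryptor.Decrypt, password_key, ciphertext)`, assuming `Decrypt` matches the signature used here.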