X41 D-Sec GmbH Security Advisory: X41-2018-004

Multiple Vulnerabilities in Yubico libykneomgr

Overview

Confirmed Affected Versions: 0.1.9

Confirmed Patched Versions: -

Vendor: Yubico / Deprecated

Vendor URL: https://www.yubico.com/

Credit: X41 D-Sec GmbH, Eric Sesterhenn

Status: Public

Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2018-004-libykneomgr/

Summary and Impact

An out-of-bounds write and an out-of-bounds read were discovered in the handling of malicious responses from a smartcard. Both may lead to memory corruption; we assume they are not easily exploitable. X41 did not perform a full test or audit of the software. Please note that the library has been deprecated for more than a year and no update will be published by the vendor.

Product Description

This is a C library to interact with the CCID-part of the YubiKey NEO. There is a command line tool "ykneomgr" for interactive use. It supports querying the YubiKey NEO for firmware version, operation mode (OTP/CCID) and serial number. You may also mode switch the device and manage applets (list, delete and install).

Out of Bounds Read/Writes

Severity Rating: Medium

Vector: APDU Response

CVE:

CWE: 120

CVSS Score: 7.1 (High)

CVSS Vector: CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Summary and Impact

File lib/backend_pcsc.c contains the following code in function backend_applet_list()

     {
       size_t i;
       size_t this_len = recv[length++];   /* length byte taken from the card's response, never checked against the bytes received */

       for (i = 0; i < this_len; i++)
         {
           if (appletstr)
             {
               if (real_len + 2 > *len)   /* reserves 2 bytes, but sprintf() writes 3: two hex digits plus '\0' */
                 {
                   return YKNEOMGR_BACKEND_ERROR;
                 }
               sprintf (p, "%02x", recv[length]);   /* reads recv[length] even when it lies beyond the response */
               p += 2;
             }
           real_len += 2;
           length++;
         }
       if (appletstr)
         {
           if (real_len + 1 > *len)
             {
               return YKNEOMGR_BACKEND_ERROR;
             }
           *p = '\0';
           p++;
         }
       real_len++;
       length += 2;
     }

There is an off-by-one write of a '\x00' byte when sprintf() is called: the check only reserves the two hex digits (real_len + 2 > *len), but sprintf() also writes a terminating null byte, so when real_len + 2 == *len that null byte lands one byte past the end of the output buffer. Additionally, reads from recv are driven by this_len, which is taken straight from the card's response without being checked against the number of bytes actually received, so a short response carrying a large length byte makes the loop read past the received data.
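The following is an added example, not libykneomgr's own code: a stand-alone model of the applet-list loop quoted above in its vulnerable shape next to a hardened one, driven by constructed card responses. The entry layout (<len> <len AID bytes> <2 trailing bytes>) is inferred from the "length += 2" skip, the outer loop bound (length < recv_len) is an assumption because the quoted fragment omits it, and the helper names and return codes are illustrative. The canary and the 0xEE padding keep the demonstration inside allocated memory so it can be run without undefined behaviour.

```c
/* Added example, not libykneomgr's own code: a model of the applet-list
 * loop from backend_applet_list() in its vulnerable and hardened shapes.
 * Assumptions: each entry is <len> <len AID bytes> <2 trailing bytes>
 * (from the "length += 2" skip) and the outer loop, absent from the quoted
 * fragment, runs while length < recv_len. Names and codes are illustrative. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define YKNEOMGR_OK 0
#define YKNEOMGR_BACKEND_ERROR 1

typedef int (*parser_fn)(const uint8_t *, size_t, char *, size_t *);

/* Vulnerable shape: this_len is trusted, and the check before sprintf()
 * reserves two bytes while "%02x" writes three (digits plus '\0'). */
static int applet_list_vuln(const uint8_t *recv, size_t recv_len, char *out, size_t *len)
{
    size_t length = 0, real_len = 0, i;
    char *p = out;
    while (length < recv_len) {
        size_t this_len = recv[length++];          /* from the card, unchecked */
        for (i = 0; i < this_len; i++) {
            if (real_len + 2 > *len)               /* passes when real_len + 2 == *len */
                return YKNEOMGR_BACKEND_ERROR;
            /* '\0' lands at out[*len] in that case; recv[length] may be past recv_len */
            sprintf(p, "%02x", (unsigned)recv[length]);
            p += 2; real_len += 2; length++;
        }
        if (real_len + 1 > *len)
            return YKNEOMGR_BACKEND_ERROR;
        *p++ = '\0'; real_len++; length += 2;
    }
    *len = real_len;
    return YKNEOMGR_OK;
}

/* Hardened shape: bound this_len by the bytes actually received, and
 * account for the terminator that the hex formatting writes. */
static int applet_list_fixed(const uint8_t *recv, size_t recv_len, char *out, size_t *len)
{
    size_t length = 0, real_len = 0, i;
    char *p = out;
    while (length < recv_len) {
        size_t this_len = recv[length++];
        if (this_len + 2 > recv_len - length)      /* AID bytes + 2 trailing bytes must exist */
            return YKNEOMGR_BACKEND_ERROR;
        for (i = 0; i < this_len; i++) {
            if (real_len + 3 > *len)               /* two digits plus '\0' */
                return YKNEOMGR_BACKEND_ERROR;
            snprintf(p, 3, "%02x", (unsigned)recv[length] & 0xffu);
            p += 2; real_len += 2; length++;
        }
        if (real_len + 1 > *len)
            return YKNEOMGR_BACKEND_ERROR;
        *p++ = '\0'; real_len++; length += 2;
    }
    *len = real_len;
    return YKNEOMGR_OK;
}

/* Constructed response: AIDs a00000 and d276, each followed by 90 00. */
static const uint8_t RESP[] = { 0x03, 0xA0, 0x00, 0x00, 0x90, 0x00,
                                0x02, 0xD2, 0x76, 0x90, 0x00 };

/* 1 if parsing RESP into a roomy buffer yields "a00000\0d276\0" (12 bytes). */
static int parses_resp(parser_fn parse)
{
    char out[32]; size_t len = sizeof out;
    if (parse(RESP, sizeof RESP, out, &len) != YKNEOMGR_OK) return 0;
    return len == 12 && strcmp(out, "a00000") == 0 && strcmp(out + 7, "d276") == 0;
}

/* Advertise a cap-byte buffer but keep a canary at out[cap] inside the
 * real array, so the demo stays in bounds. 1 if the canary was overwritten. */
static int canary_clobbered(parser_fn parse, size_t cap)
{
    char out[32]; size_t len = cap;
    memset(out, 'X', sizeof out);
    out[cap] = 'C';
    parse(RESP, sizeof RESP, out, &len);
    return out[cap] != 'C';
}

/* Truncated response: the length byte promises 3 AID bytes, only 2 were
 * received. The backing array is padded with 0xEE so an over-read hits
 * known bytes. 1 if the parser accepted it and emitted the padding byte. */
static int reads_past_response(parser_fn parse)
{
    const uint8_t backing[8] = { 0x03, 0xA0, 0x00, 0xEE, 0xEE, 0xEE, 0xEE, 0xEE };
    char out[32]; size_t len = sizeof out;
    if (parse(backing, 3, out, &len) != YKNEOMGR_OK) return 0;
    return strcmp(out, "a000ee") == 0;
}
```

With a buffer advertised as 11 bytes, the vulnerable variant returns YKNEOMGR_BACKEND_ERROR only after sprintf() has already placed its '\0' at out[11]; the hardened variant rejects the same input before that write. Given a 3-byte response whose length byte claims 3 AID bytes, the vulnerable variant happily emits "a000ee" from the padding beyond the received data, while the hardened variant refuses it because the entry cannot fit in the remaining bytes.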

Workarounds

It is advised to migrate to YubiKey Manager, since the vendor no longer supports the library and will not issue a patch.

Timeline

2018-02-03 Issues found

2018-05-22 Vendor contacted

2018-05-22 Vendor reply

2018-06-05 Requesting technical feedback from the vendor

2018-06-06 Vendor confirms bug, but states that the library is deprecated and will not be fixed

Author: Eric Sesterhenn
Date: February 03, 2018