Hello,

Our UC-KLEE tool discovered a NULL pointer dereference in PKCS7_dataDecode (crypto/pkcs7/pk7_doit.c) that affects the latest OpenSSL release. This is a denial-of-service vulnerability against OpenSSL, but its impacts appear to be very limited since I could not find any open source projects that call this function directly (the calls from within OpenSSL are immune).
An attacker can force PKCS7_get_octet_string to return NULL by supplying a
carefully crafted PKCS7 message. This NULL is assigned to 'data_body' (line
442) and then dereferenced (line 645).
From crypto/pkcs7/pk7_doit.c:
436 i=OBJ_obj2nid(p7->type);
...
439 switch (i)
440 {
441 case NID_pkcs7_signed:
442 data_body=PKCS7_get_octet_string(p7->d.sign->contents);
...
645 if (data_body->length > 0)
This exploit only works with non-enveloped data (i.e., signed but not
encrypted), but most uses of PKCS7_dataDecode seem to be guarded with a check
that rejects non-enveloped data (e.g., PKCS7_decrypt).
Attached is a working exploit in the form of a carefully-crafted PKCS7 message
and its signing certificate and private key (not used for anything else).
The exploit can be demonstrated by building the OpenSSL testapps and running:
$ crypto/pkcs7/dec -p -k dummy-cert.pem < openssl-PKCS7_dataDecode-death.msg
-David
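
The missing check described in the report, as an added example (not OpenSSL's code and not part of the original message): a simplified model in which the result of the octet-string lookup is tested for NULL before its length is read. The types `p7_msg`, `content_info` and `octet_string`, the function `data_decode_checked` and the error codes are hypothetical stand-ins.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins for the OpenSSL types (hypothetical, not the real structs). */
typedef struct { int length; const unsigned char *data; } octet_string;
typedef struct { octet_string *octets; } content_info;   /* octets may be absent */
typedef struct { int is_signed; content_info *contents; } p7_msg;

enum { DECODE_OK = 0, DECODE_ERR_NO_CONTENT = -1, DECODE_ERR_TYPE = -2 };

/* Models PKCS7_get_octet_string: NULL when no octet string is available. */
static octet_string *get_octet_string(const content_info *ci)
{
    if (ci == NULL)
        return NULL;
    return ci->octets;
}

/* Models the signed-data path of the decode routine with the NULL check added.
 * On success stores the body length in *out_len. */
int data_decode_checked(const p7_msg *p7, int *out_len)
{
    octet_string *data_body;

    if (p7 == NULL || out_len == NULL || !p7->is_signed)
        return DECODE_ERR_TYPE;

    data_body = get_octet_string(p7->contents);   /* the "line 442" assignment */
    if (data_body == NULL)                        /* guard before any dereference */
        return DECODE_ERR_NO_CONTENT;

    *out_len = (data_body->length > 0) ? data_body->length : 0;  /* "line 645" */
    return DECODE_OK;
}

int main(void)
{
    static const unsigned char payload[] = "hello";   /* constructed sample */
    octet_string os = { 5, payload };
    content_info good = { &os }, empty = { NULL };
    p7_msg ok = { 1, &good }, bad = { 1, &empty };
    int len = 0;

    printf("well-formed: %d\n", data_decode_checked(&ok, &len));
    printf("no octet string: %d\n", data_decode_checked(&bad, &len));
    return 0;
}
```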
