[CVE-2020-8623] A flaw in native PKCS#11 code can lead to a remotely triggerable assertion failure in pk11.c
Came from ...@yandex.ru:
BIND should be compiled with --enable-native-pkcs11 and --with-pkcs11 options.
The exploit triggers abort() in pk11_numbits function.
Bug details: from lib/isc/pk11.c
```c
unsigned int
pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt) {
	unsigned int bitcnt, i;
	CK_BYTE top;

	if (bytecnt == 0) {
		return (0);
	}
	bitcnt = bytecnt * 8;
	for (i = 0; i < bytecnt; i++) {
		top = data[i];
		if (top == 0) {
			bitcnt -= 8;
			continue;
		}
		...
	}
	/* reached only when every byte was zero: the loop never returns */
	INSIST(0);
	ISC_UNREACHABLE();
}
```
Which means that if all bytes are 0, abort will be triggered.
How to reproduce:
- configure and build softhsm 2.6.1:
```shell
$ ./configure --prefix=/var/softhsm --with-openssl=/var/openssl --with-crypto-backend=openssl
$ make && sudo make install
```
- compile BIND with PKCS11 support
```shell
$ ./configure --prefix=/opt/bind --disable-chroot --enable-native-pkcs11 --with-pkcs11=/var/softhsm/lib/softhsm/libsofthsm2.so
$ make && sudo make install
```
- Configure BIND
```shell
# init softhsm (PIN 1234)
# /var/softhsm/bin//softhsm2-util --init-token --free --label softhsm
Slot 1 has a free/uninitialized token.
=== SO PIN (4-255 characters) ===
Please enter SO PIN: ****
Please reenter SO PIN: ****
=== User PIN (4-255 characters) ===
Please enter user PIN: ****
Please reenter user PIN: ****
The token has been initialized and is reassigned to slot 1294545520
# export SLOT=1294545520
# cd bin/tests/system/pkcs11
```
Edit ns1/example.db.in and ns1/named.conf.in, changing the IP from 10.53.0.1 to your server IP. After that, run the included setports.sh:
```shell
# bash setports.sh
```
Now you can generate the keys:
```shell
# bash setup.sh
# cp ns1/* /opt/bind/etc
```
Fix permissions:
```shell
# chown -R bind:bind /opt/bind/var/run
```
Edit /opt/bind/etc/named.conf and change all paths to *.example.db.signed to full paths; each zone should look like this:
```
zone "ecdsap384sha384.example." {
	type master;
	file "/opt/bind/etc/ecdsap384sha384.example.db.signed";
	allow-update { any; };
};
```
- Run BIND
```shell
# cd /opt/bind/var/run
# /opt/bind/sbin/named -g -d0 -u bind -c /opt/bind/etc/named.conf
```
- run t1.py
```shell
$ ./t1.py <your_server_ip> 53
```
Example bind log:
```
25-Jun-2020 01:23:14.297 pk11.c:698: INSIST(0) failed, back trace
25-Jun-2020 01:23:14.297 #0 0x5583e7797e9b in __do_global_dtors_aux_fini_array_entry()+0x5583e6971623
25-Jun-2020 01:23:14.297 #1 0x5583e705686d in __do_global_dtors_aux_fini_array_entry()+0x5583e622fff5
25-Jun-2020 01:23:14.301 #2 0x5583e779783d in __do_global_dtors_aux_fini_array_entry()+0x5583e6970fc5
25-Jun-2020 01:23:14.301 #3 0x5583e77909d1 in __do_global_dtors_aux_fini_array_entry()+0x5583e696a159
25-Jun-2020 01:23:14.301 #4 0x5583e76de425 in __do_global_dtors_aux_fini_array_entry()+0x5583e68b7bad
25-Jun-2020 01:23:14.301 #5 0x5583e76c2080 in __do_global_dtors_aux_fini_array_entry()+0x5583e689b808
25-Jun-2020 01:23:14.301 #6 0x5583e76b4686 in __do_global_dtors_aux_fini_array_entry()+0x5583e688de0e
25-Jun-2020 01:23:14.305 #7 0x5583e734667e in __do_global_dtors_aux_fini_array_entry()+0x5583e651fe06
25-Jun-2020 01:23:14.305 #8 0x5583e7193db9 in __do_global_dtors_aux_fini_array_entry()+0x5583e636d541
25-Jun-2020 01:23:14.305 #9 0x5583e71a2181 in __do_global_dtors_aux_fini_array_entry()+0x5583e637b909
25-Jun-2020 01:23:14.305 #10 0x5583e7826f71 in __do_global_dtors_aux_fini_array_entry()+0x5583e6a006f9
25-Jun-2020 01:23:14.305 #11 0x5583e782800c in __do_global_dtors_aux_fini_array_entry()+0x5583e6a01794
25-Jun-2020 01:23:14.305 #12 0x7fd791aba6db in __do_global_dtors_aux_fini_array_entry()+0x7fd790c93e63
25-Jun-2020 01:23:14.305 #13 0x7fd7913d988f in __do_global_dtors_aux_fini_array_entry()+0x7fd7905b3017
25-Jun-2020 01:23:14.309 exiting (due to assertion failure)
Aborted (core dumped)
```
Edited by Michal Nowak
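As an added illustration, not part of the report above or of BIND's own code: a stand-alone C reimplementation of the pk11_numbits logic quoted in the report, beside a hardened variant that treats an all-zero buffer as ordinary input (illustrative only, not ISC's actual fix). The byte_ptr stand-in for CK_BYTE_PTR, the function names and the sample buffers are assumptions.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for PKCS#11's CK_BYTE_PTR so this builds without pkcs11.h (assumption). */
typedef unsigned char *byte_ptr;

/* Significant-bit count of a big-endian integer, following the logic quoted from lib/isc/pk11.c.
 * Where the original reaches INSIST(0) (every byte zero) this returns UINT_MAX instead of aborting. */
unsigned int numbits_as_reported(byte_ptr data, unsigned int bytecnt) {
    unsigned int bitcnt = bytecnt * 8, i;
    if (bytecnt == 0) {
        return 0;
    }
    for (i = 0; i < bytecnt; i++) {
        unsigned char top = data[i];
        if (top == 0) {
            bitcnt -= 8;
            continue;
        }
        /* The elided body: 0x80 -> bitcnt, 0x40 -> bitcnt - 1, ..., 0x01 -> bitcnt - 7. */
        for (int shift = 7; shift >= 0; shift--) {
            if (top & (1u << shift)) {
                return bitcnt - (unsigned int)(7 - shift);
            }
        }
    }
    return UINT_MAX; /* original: INSIST(0); ISC_UNREACHABLE(); -> named aborts */
}

/* Hardened variant (illustrative, not ISC's fix): an all-zero buffer is untrusted input with
 * zero significant bits, not an internal-consistency failure, so the process keeps running. */
unsigned int numbits_hardened(byte_ptr data, unsigned int bytecnt) {
    unsigned int i;
    for (i = 0; i < bytecnt && data[i] == 0; i++) {
    }
    return i == bytecnt ? 0 : numbits_as_reported(data, bytecnt);
}

/* Constructed sample key material (not taken from the report). */
unsigned char sample_all_zero[3] = { 0x00, 0x00, 0x00 };
unsigned char sample_leading_zero[3] = { 0x00, 0x3f, 0xff }; /* 0x3fff: 14 significant bits */

int main(void) {
    printf("all-zero, as reported: %u (UINT_MAX = would abort)\n", numbits_as_reported(sample_all_zero, 3));
    printf("all-zero, hardened:    %u\n", numbits_hardened(sample_all_zero, 3));
    printf("0x003fff, hardened:    %u\n", numbits_hardened(sample_leading_zero, 3));
    return 0;
}
```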