search

bl4ck5un / mbedtls-SGX

mbedtls-SGX: a SGX-friendly TLS stack (ported from mbedtls)
Apache License 2.0
91 stars 32 forks source link

Several Bugs #24

Open LeoneChen opened 1 year ago

LeoneChen commented 1 year ago

UAF 1

If ssl_conn_handle called after ssl_conn_teardown by untrusted host https://github.com/bl4ck5un/mbedtls-SGX/blob/eab8e36a1e670a2fa66105735143eafa51931bff/example/enclave/ecalls.cpp#L44-L50 this is dangling, and this->conf at line 159 will cause UAF https://github.com/bl4ck5un/mbedtls-SGX/blob/eab8e36a1e670a2fa66105735143eafa51931bff/example/enclave/ssl_conn_hdlr.cpp#L151-L159

UAF 2

If ssl_conn_teardown called after ssl_conn_teardown by untrusted host, second will call delete connectionHandler;, srvcert is freed member varibale In TLSConnectionHandler::~TLSConnectionHandler, https://github.com/bl4ck5un/mbedtls-SGX/blob/eab8e36a1e670a2fa66105735143eafa51931bff/example/enclave/ssl_conn_hdlr.cpp#L129-L131

In mbedtls_x509_crt_free. https://github.com/bl4ck5un/mbedtls-SGX/blob/eab8e36a1e670a2fa66105735143eafa51931bff/trusted/mbedtls-2.6.0/library/x509_crt.c#L2346-L2360

In mbedtls_pk_free, and finally ctx->pk_info will access already free-ed ctx, cause UAF. https://github.com/bl4ck5un/mbedtls-SGX/blob/eab8e36a1e670a2fa66105735143eafa51931bff/trusted/mbedtls-2.6.0/library/pk.c#L66-L74

LeoneChen commented 1 year ago

Null Pointer Dereference

Since zero address is under the control of untrusted host, NPD is dangerous for Enclave

If ssl_conn_handle called before ssl_conn_init, connectionHandler can be NULL, since address of TLSConnectionHandler::handle is from vTable, it is called. https://github.com/bl4ck5un/mbedtls-SGX/blob/eab8e36a1e670a2fa66105735143eafa51931bff/example/enclave/ecalls.cpp#L44-L46

In TLSConnectionHandler::handle, this is NULL, &this->conf used in memcpy will cause copy from untrusted 0 address https://github.com/bl4ck5un/mbedtls-SGX/blob/eab8e36a1e670a2fa66105735143eafa51931bff/example/enclave/ssl_conn_hdlr.cpp#L151-L159

LeoneChen commented 1 year ago

Null Pointer Dereference

Although thread_info is in,out, SGX TBridge just pass null to real ECALL https://github.com/bl4ck5un/mbedtls-SGX/blob/eab8e36a1e670a2fa66105735143eafa51931bff/example/enclave/Enclave.edl#L12

thread_info is null https://github.com/bl4ck5un/mbedtls-SGX/blob/eab8e36a1e670a2fa66105735143eafa51931bff/example/enclave/ecalls.cpp#L44-L46

Even if this is not NULL, thread_info can be NULL due to lack of check, at line 160 cause NPD https://github.com/bl4ck5un/mbedtls-SGX/blob/eab8e36a1e670a2fa66105735143eafa51931bff/example/enclave/ssl_conn_hdlr.cpp#L151-L160