SecurityTracker.com
Category:   Application (Security)  >   Network Security Services (NSS)
Vendors:   Mozilla.org
Network Security Services (NSS) 'certutil' File Processing Flaw Lets Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1039153
SecurityTracker URL:  http://securitytracker.com/id/1039153
CVE Reference:   CVE-2017-11695, CVE-2017-11696, CVE-2017-11697, CVE-2017-11698
Date:  Aug 15 2017
Impact:   User access via local system
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): changeset 13315:769f9ae07b10; possibly others
Description:   Several vulnerabilities were reported in Network Security Services (NSS). A local user can obtain elevated privileges on the target system.

A local user can create a specially crafted 'cert8.db' file that, when processed by the NSS 'certutil' application, will execute arbitrary code on the target system.

A heap overflow may occur in alloc_segs() in 'lib/dbm/src/hash.c' [CVE-2017-11695].

A heap overflow may occur in __hash_open() in 'lib/dbm/src/hash.c' [CVE-2017-11696].

A floating point exception may occur in __hash_open() in 'lib/dbm/src/hash.c' [CVE-2017-11697].

A heap overflow may occur in __get_page() in 'lib/dbm/src/h_page.c' [CVE-2017-11698].

The original advisory is available at:

http://www.geeknik.net/9brdqk6xu

The vendor was notified in April 2017.

Impact:   A local user can obtain elevated privileges on the target system.
Solution:   No solution was available at the time of this entry.
Vendor URL:  https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS
Cause:   Access control error, Boundary error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


Source Message Contents

Subject:  [FD] Multiple unpatched flaws exist in NSS (CVE-2017-11695, CVE-2017-11696, CVE-2017-11697, CVE-2017-11698)

Good afternoon. Multiple flaws in NSS were reported to Mozilla on or around 28 April 2017 and, as of this notification, have not been resolved; as such, I am disclosing them to the public so that anyone making use of NSS is aware that these exist. Please note that as I send this, the bugs remain hidden on the Mozilla Bugzilla tracker.

What is NSS? Network Security Services (NSS) comprises a set of libraries designed to support cross-platform development of security-enabled client and server applications with optional support for hardware TLS/SSL acceleration on the server side and hardware smart cards on the client side. NSS provides a complete open-source implementation of cryptographic libraries supporting Transport Layer Security (TLS) / Secure Sockets Layer (SSL) and S/MIME.

All of the following flaws were triggered with changeset 13315:769f9ae07b10 in Mozilla's Mercurial repository (https://hg.mozilla.org/projects/nss) and can all be triggered using the NSS tool `certutil` and malformed `cert8.db` files which I have uploaded to https://github.com/geeknik/cve-fuzzing-poc.

CVE-2017-11695: heap-buffer-overflow (write of size 8) in alloc_segs (lib/dbm/src/hash.c:1105)
https://bugzilla.mozilla.org/show_bug.cgi?id=1360782

CVE-2017-11696: heap-buffer-overflow (write of size 65544) in __hash_open (lib/dbm/src/hash.c:241)
https://bugzilla.mozilla.org/show_bug.cgi?id=1360778

CVE-2017-11697: Floating Point Exception in __hash_open (hash.c:229)
https://bugzilla.mozilla.org/show_bug.cgi?id=1360900

CVE-2017-11698: heap-buffer-overflow (write of size 2) in __get_page (lib/dbm/src/h_page.c:704)
https://bugzilla.mozilla.org/show_bug.cgi?id=1360779

These flaws were discovered by Brian Carpenter of Geeknik Labs (http://www.geeknik.net) using the American Fuzzy Lop tool.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Copyright 2017, SecurityGlobal.net LLC