Yubico 0.1.9 libykneomgr Out Of Bounds Read Write

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

X41 D-Sec GmbH Security Advisory: X41-2018-004

Multiple Vulnerabilities in Yubico libykneomgr
=====& -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

X41 D-Sec GmbH Security Advisory: X41-2018-004

Multiple Vulnerabilities in Yubico libykneomgr
==============================================


Overview
- --------
Confirmed Affected Versions: 0.1.9
Confirmed Patched Versions: -
Vendor: Yubico / Depreciated
Vendor URL: https://www.yubico.com/
Credit: X41 D-Sec GmbH, Eric Sesterhenn
Status: Public
Advisory-URL:
https://www.x41-dsec.de/lab/advisories/x41-2018-004-libykneomgr/


Summary and Impact
- ------------------
An out of bounds write and read was discovered when malicious
responses from a smartcard are received. These might lead to memory
corruptions. We assume that these are not easily exploitable.
X41 did not perform a full test or audit on the software.
Please note that the library is deprecated for more than a year and no
update
will be published by the vendor.


Product Description
- -------------------
This is a C library to interact with the CCID-part of the YubiKey NEO.
There is a command line tool "ykneomgr" for interactive use. It
supports querying the YubiKey NEO for firmware version, operation mode
(OTP/CCID) and serial number. You may also mode switch the device and
manage applets (list, delete and install).

Out of Bounds Read/Writes
=========================
Severity Rating: Medium
Vector: APDU Response
CVE:
CWE: 120
CVSS Score: 7.1 (High)
CVSS Vector: CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H


Summary and Impact
- ------------------
File lib/backendpcsc.c contains the following code in function
`backendappletlist()`

{% highlight c %}
{
sizet i;
sizet thislen = recv[length++];
for (i = 0; i < thislen; i++)
{
if (appletstr)
{
if (reallen + 2 > *len)
{
return YKNEOMGRBACKENDERROR;
}
sprintf (p, "%02x", recv[length]);
p += 2;
}
reallen += 2;
length++;
}
if (appletstr)
{
if (reallen + 1 > *len)
{
return YKNEOMGRBACKENDERROR;
}
*p = '';
p++;
}
reallen++;
length += 2;
}
{% endhighlight %}

There is an off-by-one write of a 'x00' when the sprintf() is called,
since it terminates the string with a trailing null-byte. Additionally
reads are performed based on thislen, which is retrieved from the data
without further safety checks.


Workarounds
- -----------
It is advised to migrate to YubiKey Manager since the vendor does not
support the library anymore and will not issue a patch.

Timeline
========
2018-02-03 Issues found
2018-05-22 Vendor contacted
2018-05-22 Vendor reply
2018-06-05 Requesting technical feedback from the vendor
2018-06-06 Vendor confirms bug, but states that library is
depreciated, will not be fixed
2018-08-11 Advisory released
- --
X41 D-SEC GmbH, Dennewartstr. 25-27, D-52068 Aachen
T: +49 241 9809418-0, Fax: -9
Unternehmenssitz: Aachen, Amtsgericht Aachen: HRB19989
GeschA$?ftsfA1/4hrer: Markus Vervier
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEpwxVTgxAIcUvTugIo5Klpg50CxAFAlty3PMACgkQo5Klpg50
CxCvvA//RdQkadlV9yD1IFM7+lqkfMYCyeRyjEg19NWY7QL3Y6C0BeMNiMv/q74i
TUw3G30X6ehgsaef5VWzpC7IibUC2DbltIZV3tYpNHePvc4GeMAl9dytqAy4MGnM
EIxC7RrT4w85EDnaK9NvEXdo2QOlSuzt1MtePYhmoa23wZFH328w1WVhxgAYffna
Cu7LCJIgWkh1y5jqc66553g34SRH3jiuVYSwTgIzC2MhVnXrjktbIwgddJLkV5Zr
eRktqby13iWZns/oGE4GYjsmryoXaoDfGS5wuro7CNua+JqiEPwsH0bURvJDUxGi
MvEEMl5TwoCeTzDqsofLBou1RNLVyI6W19MnYhNC6RCSUuFRXFF3nHqO7vQ5Gpft
JS6URDUKWd/reh0Xwy3dlaEaXEIUPEHBcLwd0wmKqVgMTjUrOvgIAED8woS+Rzn9
qI+NbooNGt1OzlXR4RojKjRMJtWcwya8bhlNLk/ZFl/pokAEh6bZ1jcMg/U0NG9Q
R4AI2u2NX3lE39ku/dcTQQCJpTTcr0DdGUw6kux0dkJXEhEc6YixgFzrHH1CPS/y
2sYLICX3iWjAtd81CO0PL4QXte2ekh8YWaf/1qV2BusOxwlHQjODO8o3kLueU2DC
Uy4ftml35nu+qVS+vYA85N4+4/Fri6UkbjkgbI2fODgE3pImc+A=
=dyfA
-----END PGP SIGNATURE-----