fails with malformed data

[michele-fadda]

if trying to decrypt short byte array with malformed data fails catastrophically with memory access error "accessing slice out of bounds".
I fear this might be exploited with some injection attack on the server side, maybe causing attacker determined code to be executed in some circumstances).

Should instead report test array length before use, and refuse clearly malformed data by giving proper error.

[stevenschobert]

Good find! Can you share an example of what kind of data causes the error?

[michele-fadda]

Hello.
I found the error by by chance, by passing a test password which was
intended to be

1. Base 64 encoded
2. encrypted

If you decode the pattern '12345678' as if it was B64 encoded, and then
assign it to a byte array, decrypting that byte array will cause
rncryptor.Decrypt to fail.
NB: "12345678" was obviously a test case, not an actual password.

example of the failing code

func login(c *ace.C) {
c.Request.ParseForm();
b64str:="12345678" //c.Request.Form.Get("password")
ciphertext, err := base64.StdEncoding.DecodeString( b64str )
if err != nil {
c.JSON(ErrorNotAuthorized,
map[string]string{"status":"unauthorized","error":"wrong data
format"})

  return

}

// commented out workaround inserted in order to prevent rncryptor
crash with short data
//if (ciphertext == nil || len(ciphertext)<16 ) {
// c.JSON(ErrorNotAuthorized,
map[string]string{"status":"unauthorized","error":"wrong data
format"})
// return
//
//}
plaintext, error := rncryptor.Decrypt(password_key,ciphertext) //
crashes here due to out of bound array access
if (error != nil) {
c.JSON(ErrorNotAuthorized,
map[string]string{"status":"unauthorized","error":error.Error()})
return

}
password := string(plaintext[:])

....

}

best,
Michele

On Thu, Jul 9, 2015 at 4:24 PM, Steven Schobert notifications@github.com
wrote:

Good find! Can you share an example of what kind of data causes the error?

—
Reply to this email directly or view it on GitHub
#1 (comment)
.

Michele Giuseppe Fadda

*FW LAB ac *
Via Tartini, 13 a - Via Pinturicchio 33
20158 MILANO - 20133 MILANO

tel. +39 348 5913280

fax 02-36215754

Web http://fwlab.com http://michele-fadda.com

Facebook http://facebook.com/FWLAB

Twitter http://twitter.com/MFadda

Youtube http://www.youtube.com/channel/UCEeuLRl-NR9VNr43vRpcp_A - Videos: Il
colpo del mattone http://www.youtube.com/watch?v=NmHrKhDLH4A