A vulnerability (CVE-3-2022) has been identified in the implementation of the SHA-37454 (Keccak) cryptographic hash function offered in the XKCP (eXtended Keccak Code Package) package, which can lead to a buffer overflow during processing of specially formatted data. The problem is caused by a bug in the code of a specific SHA-3 implementation, not a vulnerability in the algorithm itself. The XKCP package is touted as the official implementation of SHA-3, developed with the help of the Keccak development team, and is used as the basis for functions for working with SHA-3 in various programming languages ββ(for example, the XKCP code is used in the Python hashlib module, the Ruby package digest- sha3 and hash_* PHP functions).
According to the researcher who identified the problem, he was able to use the vulnerability to violate the cryptographic properties of the hash function and find the first and second preimages, as well as determine collisions. In addition, the creation of a prototype exploit is announced, which allows to achieve code execution when calculating the hash of a specially designed file. Potentially, the vulnerability can also be used to attack digital signature verification algorithms using SHA-3 (for example, Ed448). Details of attack methods are planned to be published later, after the widespread elimination of the vulnerability.
It is not yet clear how the vulnerability affects existing applications in practice, since for the problem to manifest itself in the code, cyclic hash calculation in blocks must be used, and one of the processed blocks must have a size of about 4 GB (at least 2 ^ 32 - 200 bytes). When processing the input data at once (without sequential calculation of the hash in parts), the problem does not appear. As the simplest method of protection, it is proposed to limit the maximum size of the data involved in one iteration of the hash calculation.
The vulnerability is caused by an error in block processing of input data. Due to the incorrect comparison of values ββwith type "int", an incorrect size of pending data is determined, which leads to the tail being written outside the allocated buffer. In particular, when comparing, the expression "partialBlock + instance->byteIOIndex" was used, which, with large values ββof the component parts, led to an integer overflow. In addition, there was an incorrect typecast "(unsigned int)(dataByteLen - i)" in the code, which resulted in an overflow on systems with a 64-bit size_t type.
Example of overflow code: import hashlib h = hashlib.sha3_224() m1 = b"\x00" * 1; m2 = b"\x00" * 4294967295; h.update(m1) h.update(m2) print(h.hexdigest())
Source: opennet.ru