CryptoLib Heap Buffer Overflow Vulnerability in KMC Base64 Decoding

Vulnerability

A heap buffer overflow vulnerability has been identified in CryptoLib's integration with the KMC crypto service, affecting versions prior to 1.4.3. The vulnerability arises when the library decodes the Base64-encoded ciphertext and cleartext fields returned by the KMC service. The decoder does not enforce the destination buffer size, so an oversized Base64 string in the KMC JSON response causes out-of-bounds writes on the heap. The resulting heap corruption can crash the process and, under certain conditions, may allow code execution.

Impact

Exploitation of this vulnerability causes heap corruption, leading to a process crash. It also creates the potential for remote code execution, depending on factors such as allocator behavior, platform hardening, and the specific exploit conditions.

Reproduction

The vulnerability can be reproduced by sending a KMC JSON response that includes an oversized Base64-encoded string in the 'base64ciphertext' or 'base64cleartext' field. The KMC response handlers allocate a buffer based on the expected length of the data, but the Base64 decoder writes the full decoded output without checking the buffer's maximum size. This mismatch produces a heap buffer overflow, which can be observed using AddressSanitizer.
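The missing check, illustrated with an added example that is not CryptoLib's code: a Base64 decoder that computes the exact decoded size up front and refuses to write anything when that size exceeds the caller's buffer, so an oversized field from a JSON response is rejected instead of overrunning the heap. The function and parameter names are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical bounded Base64 decoder (not CryptoLib's code).
 * Returns 0 on success, -1 on malformed input, -2 when the decoded
 * payload would not fit in out_cap bytes. Nothing is written to out
 * unless the whole decoded payload fits. */
static int b64_val(char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

int b64_decode_bounded(const char *in, uint8_t *out, size_t out_cap, size_t *out_len)
{
    size_t n = strlen(in);
    if (n % 4 != 0) return -1;                 /* reject unpadded/truncated input */
    size_t pad = 0;
    if (n >= 1 && in[n - 1] == '=') pad++;
    if (n >= 2 && in[n - 2] == '=') pad++;
    size_t need = (n / 4) * 3 - pad;           /* exact decoded size */
    if (need > out_cap) return -2;             /* the check the bug lacked */
    size_t o = 0;
    for (size_t i = 0; i < n; i += 4) {
        int v[4];
        for (int k = 0; k < 4; k++) {
            char c = in[i + k];
            if (c == '=') {
                /* '=' is only valid in the last one or two positions */
                if (i + 4 != n || k < 2 || (k == 2 && in[i + 3] != '=')) return -1;
                v[k] = 0;
            } else {
                v[k] = b64_val(c);
                if (v[k] < 0) return -1;
            }
        }
        uint32_t trip = ((uint32_t)v[0] << 18) | ((uint32_t)v[1] << 12) |
                        ((uint32_t)v[2] << 6) | (uint32_t)v[3];
        out[o++] = (trip >> 16) & 0xff;
        if (o < need) out[o++] = (trip >> 8) & 0xff;   /* bounded by need */
        if (o < need) out[o++] = trip & 0xff;
    }
    *out_len = o;
    return 0;
}
```

A caller that sized its buffer from the expected length gets -2 for an oversized field and can treat the response as invalid rather than decoding into memory it does not own.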

Remediation

Users can upgrade to CryptoLib version 1.4.3, where this vulnerability has been patched.

Added: Jan 10, 2026, 1:17 AM
Updated: Jan 10, 2026, 1:17 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 6.0
remediation: 7.7
relevance: 1.9
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.