CVE-2014-1266 PoC — Apple iOS 'SSLVerifySignedServerKeyExchange' Function Input Validation Vulnerability

Source
Associated Vulnerability
Title: Apple iOS 'SSLVerifySignedServerKeyExchange' Function Input Validation Vulnerability (CVE-2014-1266)
Description: The SSLVerifySignedServerKeyExchange function in libsecurity_ssl/lib/sslKeyExchange.c in the Secure Transport feature in the Data Security component in Apple iOS 6.x before 6.1.6 and 7.x before 7.0.6, Apple TV 6.x before 6.0.2, and Apple OS X 10.9.x before 10.9.2 does not check the signature in a TLS Server Key Exchange message, which allows man-in-the-middle attackers to spoof SSL servers by (1) using an arbitrary private key for the signing step or (2) omitting the signing step.
Description
Demonstrating that SSLVerifySignedServerKeyExchange() is trivially testable.
Readme
# TestableSecurity
This is a small proof-of-concept that lifts out the [vulnerable SSLVerifySignedServerKeyExchange()](http://support.apple.com/kb/HT6147) from Apple's libsecurity_ssl to demonstrate that the signing code is readily unit testable in isolation.

While there's been some talk that this bug wasn't easily tested, the code in question verifies signatures based on straightforward preconditions, and is readily testable for both positive and negative validation cases; there's no reason or excuse for it not being fully tested for:

* Incorrect clientRandom.
* Incorrect serverRandom.
* Incorrect signedParams.
* Incorrect signature (which is essentially equivalent to any of the above)

Try running the unit tests yourself, and then simply comment out the errant 'goto' to see the tests pass:

    if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
        goto fail;
    // goto fail;
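
The point of the list above, that negative test cases expose the skipped verification, shown as an added self-contained sketch (not code from this repository or from Apple's libsecurity_ssl). The names `toy_sign`, `verify_key_exchange`, `dup_goto` and `negative_cases_accepted` are hypothetical, and the digest and "signature" are non-cryptographic stand-ins; only the control flow mirrors the flaw.

```c
#include <stdio.h>

/* Toy stand-ins (assumptions): a non-cryptographic digest and a "signature"
 * that is simply the expected digest. Only the control flow matters here. */
typedef struct { unsigned sum; } HashCtx;
static int hash_update(HashCtx *c, const char *s) {
    while (*s) c->sum = c->sum * 31u + (unsigned char)*s++;
    return 0;
}

unsigned toy_sign(const char *cr, const char *sr, const char *params) {
    HashCtx c = {0};
    hash_update(&c, cr); hash_update(&c, sr); hash_update(&c, params);
    return c.sum;
}

/* Returns 0 when the signature is accepted. dup_goto != 0 models the errant
 * unconditional goto: verification is skipped while err is still 0. */
int verify_key_exchange(int dup_goto, const char *cr, const char *sr,
                        const char *params, unsigned sig) {
    int err;
    HashCtx c = {0};
    if ((err = hash_update(&c, cr)) != 0)
        goto fail;
    if ((err = hash_update(&c, sr)) != 0)
        goto fail;
    if ((err = hash_update(&c, params)) != 0)
        goto fail;
    if (dup_goto)
        goto fail;
    err = (c.sum == sig) ? 0 : -1; /* never reached when dup_goto is set */
fail:
    return err;
}

/* Runs the four negative cases listed above; returns how many were accepted. */
int negative_cases_accepted(int dup_goto) {
    unsigned good = toy_sign("cr", "sr", "params");
    int n = 0;
    n += verify_key_exchange(dup_goto, "XX", "sr", "params", good) == 0;
    n += verify_key_exchange(dup_goto, "cr", "XX", "params", good) == 0;
    n += verify_key_exchange(dup_goto, "cr", "sr", "XXXXXX", good) == 0;
    n += verify_key_exchange(dup_goto, "cr", "sr", "params", good ^ 1u) == 0;
    return n;
}

int main(void) {
    printf("fixed: %d, flawed: %d\n", negative_cases_accepted(0), negative_cases_accepted(1));
    return 0;
}
```

A positive-only test passes in both variants, which is why the negative cases are the ones that matter here.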
File Snapshot

[4.0K] /data/pocs/c13d180fb0ee7ed44262b591d40b82573a4e832d
├── [ 909] README.md
├── [4.0K] TestableSecurity
│   ├── [4.0K] en.lproj
│   │   └── [ 45] InfoPlist.strings
│   ├── [3.0K] libsecurity_ssl_bits.h
│   ├── [ 15K] libsecurity_ssl_bits.m
│   ├── [ 440] TestableSecurity.h
│   ├── [ 981] TestableSecurity-Info.plist
│   ├── [2.6K] TestableSecurity.m
│   └── [ 172] TestableSecurity-Prefix.pch
├── [4.0K] TestableSecurityTests
│   ├── [4.0K] en.lproj
│   │   └── [ 45] InfoPlist.strings
│   ├── [ 694] TestableSecurityTests-Info.plist
│   └── [1.2K] TestableSecurityTests.m
└── [4.0K] TestableSecurity.xcodeproj
    └── [ 19K] project.pbxproj

5 directories, 12 files