A security researcher has uncovered a number of serious vulnerabilities in one of the core security components of several secure telephony applications, including the Silent Circle system developed by PGP creator Phil Zimmermann. The vulnerabilities in the GNU ZRTPCPP library already have been addressed in a new version of the library and Silent Circle has implemented a fix, as well.

ZRTPCPP is a library that implements the ZRTP protocol that Zimmermann and others developed to establish secure sessions over a pre-existing connection. Silent Circle, which sells a cryptographically secure mobile phone application, and several other products implement the ZRTPCPP library, and Mark Dowd of Azimuth Security has identified several vulnerabilities in the library that could give an attacker the ability to get remote code execution. Dowd said that the bugs can be exploited by remote, unauthenticated users.

The first vulnerability is a heap buffer overflow in a function used to temporarily store a packet.

“The ZRtp::storeMsgTemp() function is used to temporarily hold a packet in memory so that it may later be hashed/verified. A buffer overflow exists in this function due to a lack of bounds checking of the size of the source buffer,” Dowd said. “If an attacker sends a packet larger than 1024 bytes that gets stored temporarily (which occurs many times – such as when sending a ZRTP Hello packet), a heap overflow will occur, leading to potential arbitrary code execution on the vulnerable host.”

Dowd also found a number of stack overflows in ZRTPCPP that could enable an attacker to crash a vulnerable app, but probably can’t be exploited beyond that.

“The flaw here is that ZrtpConfigure::maxNoOfAlgos is defined as 7 (as per the ZRTP specification dictates), meaning that algosOffered has 8 array slots in total. However, the count of public keys specified in the Hello packet is 4 bits, allowing the client to specify a maximum of 15 keys rather than 7. By taking advantage of this, a stack overflow may be triggered. Due to the technical constraints of this vulnerability, it is unlikely that these are exploitable beyond a crash, but further investigation would be required to confirm this,” Dowd said.

The third bug is an information-leakage vulnerability that Dowd said may be a vector for getting access to sensitive data about the cryptographic functions of the protocol.

“Using this vulnerability allows the attacker to discover useful pointers and heap state, and could be used in conjunction with the aforementioned heap overflow to gain reliable code execution. In addition, it could possibly be used to leak sensitive crypto-related data, although the extent of how useful this is has not been investigated,” he said.

Silent Circle has fixed the vulnerabilities in its product, Dowd said, and the GNU ZRTPCPP library also has been updated to fix the problems.

Image from Flickr photos of Ralph Aichinger.

Categories: Cryptography, Vulnerabilities

Comments (2)

  1. Adam Morgan

    These are easily corrected. At first, I thought the vulnerabilities were going to be statistical, regarding collisions or a lowering of bounds using a new form of attack. At best, these “vulnerabilities” are simply oversights.

    • RR

      They are not flaws in the algorithm but flaws in the implementation. Nevertheless, arbitrary code execution is a pretty serious vulnerability — especially in a security library.

Comments are closed.