@QUICTester
Last active May 26, 2024 03:28
No state machine in Kwik TLS engine.
This vulnerability was found in Kwik (https://github.com/ptrd/kwik), which uses Agent15 (https://github.com/ptrd/agent15)
as its TLS engine.
For Kwik (QUIC implementation):
Found in 745fd4e2d8d104b9cf1e8342d150ff8967c65892
Fixed in 11862d54d72de63abd0b76ca6bb9df56e634212c
For Agent15 (TLS implementation):
Found in bcaf02e6f75cc14b1aff7cbaa8ea28188f1398b0
Fixed in d6b46538cbfd60a66ef58848212ec2204d00e535
Affected Component: Client-Server QUIC connections.
Attack Type: Remote
Impact: Denial of Service and potential connection hijack.
Vulnerability details:
The TLS engine (Agent15) that Kwik uses does not have a state machine. In other words, the TLS engine does not track the current
state of the connection. If a Client Hello TLS message is sent twice, the cryptographic parameters in the latter Client Hello
will overwrite the previously computed cryptographic parameters from the first Client Hello message. The overwrite behavior
can happen at any connection state, including after the connection is established. This also applies to the Finished TLS
message.
Combined with CVE-2024-22588 (https://nvd.nist.gov/vuln/detail/CVE-2024-22588), an attacker can use the unused Initial key to
send an Initial packet with a malicious Client Hello TLS message to overwrite victim-server connection parameters and state on
the server. Then, the attacker can potentially hijack the connection from the victim by completing the overwritten connection
with a Finished TLS message.
Exploitation steps:
1) The attacker must be able to sniff the network traffic.
2) Capture the first QUIC packets sent by a QUIC client (victim).
3) Compute the Initial encryption key as described in https://www.rfc-editor.org/rfc/rfc9001.html#name-keys.
4) Send an Initial packet with a Client Hello TLS message to the server to overwrite the victim's connection parameters
and state on the server.
5) Because the server does not discard the Initial keys, it will decrypt and process the Initial packet sent in (4) even
after the QUIC handshake is completed. This will overwrite the victim-server connection parameters and state on the
server. The victim is now desynchronised (not able to communicate) with the server.
6) The attacker may complete the overwritten connection with a Finished TLS message.
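
The ordering check whose absence is described under "Vulnerability details", sketched as an added example (not code from Kwik or Agent15; the class, enum and method names are hypothetical). It assumes a TLS 1.3 server without client authentication or HelloRetryRequest, so exactly one Client Hello and one Finished are legal per connection.

```java
// Added illustration: hypothetical names, not Agent15 or Kwik code.
// Assumes a TLS 1.3 server without client authentication or HelloRetryRequest.
public class ServerHandshakeGuard {

    enum Msg { CLIENT_HELLO, FINISHED }
    enum State { START, WAIT_FINISHED, CONNECTED, FAILED }

    static class UnexpectedMessage extends Exception {
        UnexpectedMessage(State s, Msg m) { super(m + " not allowed in state " + s); }
    }

    private State state = State.START;
    private String negotiatedParams;   // stands in for key share / cipher suite state

    State state() { return state; }
    String negotiatedParams() { return negotiatedParams; }

    // Every handshake message passes this gate before it may touch connection state.
    void receive(Msg msg, String params) throws UnexpectedMessage {
        if (state == State.START && msg == Msg.CLIENT_HELLO) {
            negotiatedParams = params;      // written exactly once per connection
            state = State.WAIT_FINISHED;
        } else if (state == State.WAIT_FINISHED && msg == Msg.FINISHED) {
            state = State.CONNECTED;        // Finished MAC verification would happen here
        } else {
            // RFC 8446 section 4: out-of-order handshake messages abort the
            // handshake with an unexpected_message alert; parameters stay untouched.
            State seen = state;
            state = State.FAILED;
            throw new UnexpectedMessage(seen, msg);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sequence: a normal handshake, then a second Client Hello.
        ServerHandshakeGuard guard = new ServerHandshakeGuard();
        guard.receive(Msg.CLIENT_HELLO, "first-hello-params");
        guard.receive(Msg.FINISHED, null);
        try {
            guard.receive(Msg.CLIENT_HELLO, "second-hello-params");
        } catch (UnexpectedMessage e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println("params=" + guard.negotiatedParams() + " state=" + guard.state());
    }
}
```

The same gate covers the Finished case: a Finished message received in any state other than WAIT_FINISHED takes the rejecting branch.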
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-22588
https://github.com/ptrd/kwik/issues/32
https://www.rfc-editor.org/rfc/rfc9001#name-discarding-unused-keys