Vendor: SymCrypt
By: Exploit Database
CVSS: 7.5 (HIGH)
Type: Infinite Loop Vulnerability
CWE: 835
Product Name: SymCrypt
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Windows
2020

SymCrypt Multi-Precision Arithmetic Routines Infinite Loop Vulnerability

There's a bug in the SymCrypt multi-precision arithmetic routines that can cause an infinite loop when calculating the modular inverse on specific bit patterns with bcryptprimitives!SymCryptFdefModInvGeneric. It can be triggered by constructing an X.509 certificate and embedding it in an S/MIME message, Authenticode signature, Schannel connection, etc. This will effectively DoS any Windows server and may require the machine to be rebooted.

Mitigation:

Upgrade to the latest version of SymCrypt to fix the vulnerability.

Exploit-DB raw data:

There's a bug in the SymCrypt multi-precision arithmetic routines that can cause an infinite loop when calculating the modular inverse on specific bit patterns with bcryptprimitives!SymCryptFdefModInvGeneric.

I've been able to construct an X.509 certificate that triggers the bug. I've found that embedding the certificate in an S/MIME message, Authenticode signature, Schannel connection, and so on will effectively DoS any Windows server (e.g. IPsec, IIS, Exchange, etc.) and (depending on the context) may require the machine to be rebooted. Obviously, lots of software that processes untrusted content (like antivirus) calls these routines on untrusted data, and this will cause them to deadlock.

You can verify it like so, and notice the command never completes:

C:\> certutil.exe testcase.crt


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47414.zip
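
A defensive pattern for the deadlock described above, added here as an example and not part of the original report or of SymCrypt: a scanner or gateway parses each untrusted certificate in a child process with a deadline and kills the child if the parse never finishes. The names check_certificate, triage and ParseResult are hypothetical, and the code assumes the parsing runs inside the child itself, so killing it ends the loop.

```python
import subprocess
import sys
import time
from dataclasses import dataclass


@dataclass
class ParseResult:
    path: str
    verdict: str    # "parsed", "rejected" or "hung"
    seconds: float


def check_certificate(path, parser_argv=("certutil.exe",), timeout_s=10.0):
    """Parse one untrusted file in a child process and kill it on timeout.

    parser_argv is the command that does the parsing; the default is the
    certutil call from the report. Assumption: the parsing happens inside
    that child, so killing the child ends the loop.
    """
    start = time.monotonic()
    proc = subprocess.Popen(
        [*parser_argv, path],
        stdin=subprocess.DEVNULL,
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
    )
    try:
        verdict = "parsed" if proc.wait(timeout=timeout_s) == 0 else "rejected"
    except subprocess.TimeoutExpired:
        proc.kill()   # a spinning parser never exits on its own
        proc.wait()   # reap it so no zombie or handle is left behind
        verdict = "hung"
    return ParseResult(path, verdict, time.monotonic() - start)


def triage(paths, **kwargs):
    """Return the files whose parse did not terminate (quarantine candidates)."""
    results = (check_certificate(p, **kwargs) for p in paths)
    return [r.path for r in results if r.verdict == "hung"]


if __name__ == "__main__":
    # Constructed stand-ins for the parser so the demo runs on any OS:
    # one child spins forever, the other exits at once.
    spin = (sys.executable, "-c", "while True: pass")
    done = (sys.executable, "-c", "pass")
    print(check_certificate("sample.crt", spin, timeout_s=1.0))
    print(check_certificate("sample.crt", done, timeout_s=5.0))
```

This bounds only parsing that the caller starts itself; services that parse certificates in their own process still need the patched library.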