Skip to content

pquerna/poc-dsa-verify-CVE-2019-17596

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
.dockerignore
.dockerignore
 
 
Dockerfile
Dockerfile
 
 
LICENSE
LICENSE
 
 
NOTICE
NOTICE
 
 
README.md
README.md
 
 
dsa_test.go
dsa_test.go
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
shared_test.go
shared_test.go
 
 
ssh_test.go
ssh_test.go
 
 
test.sh
test.sh
 
 

Repository files navigation

Exploiting dsa.Verify in Go (CVE-2019-17596)

Please see the associated blog post for details.

Running

Since versions of Go newer than 1.13.1 are patched, I;ve included a Dockerfile, that makes it easier to pin your Go version. Simply run Docker build:

docker build .

There are two files of interest:

  • dsa_test.go: Contains a test case for causing dsa.Verify to panic/
  • ssh_test.go: Contains a test case for making an crypto/ssh.Client to panic via an evil SSH Host Key.

Improvements, bugs, adding feature, etc:

Please open issues in Github for ideas, bugs, and general thoughts. Pull requests are of course preferred :)

License

poc-dsa-verify-CVE-2019-17596 is licensed under the Apache License, Version 2.0

About

Demonstration of Go's dsa.Verify bug (CVE-2019-17596)

paul.querna.org/articles/2019/10/24/dsa-verify-poc/

Resources

Readme

License

Apache-2.0 license
Activity

Stars

1 star

Watchers

3 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages