September 18-20, 2024 | DoubleTree by Hilton, San Jose, California

CVE-2022-37454: A Buffer Overflow Vulnerability Affecting Implementations of SHA-3 (G22a)

21 Sep 2023
1:30

CVE-2022-37454: A Buffer Overflow Vulnerability Affecting Implementations of SHA-3 (G22a)

This talk describes a buffer overflow vulnerability in the SHA-3 implementation submitted to NIST, which remained undetected for well over a decade. The vulnerability affects several widely-used software projects that have integrated variants of this code, including the Python and PHP scripting languages. It allows attacker-controlled values to be XORed into memory, thereby making many standard protection measures against buffer overflows (e.g., canary values) completely ineffective. A proof-of-concept that allows arbitrary code execution is provided.