Exploitation Summary
EIP tracks 1 public exploit for CVE-2016-3959. PoCs published by alexmullins.
AI-analyzed exploit summary: This repository contains a detailed technical analysis of CVE-2016-3959, a denial-of-service vulnerability in Go's crypto/dsa library caused by an infinite loop in the Verify function when the public key parameter P is set to 0. The writeup includes root cause analysis, patch details, and code samples.
Description
The Verify function in crypto/dsa/dsa.go in Go before 1.5.4 and 1.6.x before 1.6.1 does not properly check parameters passed to the big integer library, which might allow remote attackers to cause a denial of service (infinite loop) via a crafted public key to a program that uses HTTPS client certificates or SSH server libraries.
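A caller-side guard for the condition described above, as an added example that is not code from the Go project or the tracked repository. The names checkDSAPublicKey, safeVerify and toyKey are hypothetical, the key values are constructed toy parameters, and primality and key-size policy are assumed to be enforced elsewhere.

```go
package main

import (
	"crypto/dsa"
	"errors"
	"fmt"
	"math/big"
)

var one = big.NewInt(1)

// checkDSAPublicKey (hypothetical caller-side guard) rejects malformed
// parameters such as P = 0 before any modular arithmetic uses them.
func checkDSAPublicKey(pub *dsa.PublicKey) error {
	if pub == nil || pub.P == nil || pub.Q == nil || pub.G == nil || pub.Y == nil {
		return errors.New("dsa: missing parameter")
	}
	if pub.P.Cmp(one) <= 0 || pub.Q.Cmp(one) <= 0 {
		return errors.New("dsa: P and Q must be greater than 1")
	}
	for _, v := range []*big.Int{pub.G, pub.Y} { // need 1 < v < P
		if v.Cmp(one) <= 0 || v.Cmp(pub.P) >= 0 {
			return errors.New("dsa: G or Y out of range")
		}
	}
	// Q must divide P-1, and G must have order Q modulo P.
	pm1 := new(big.Int).Sub(pub.P, one)
	if new(big.Int).Mod(pm1, pub.Q).Sign() != 0 ||
		new(big.Int).Exp(pub.G, pub.Q, pub.P).Cmp(one) != 0 {
		return errors.New("dsa: inconsistent P, Q, G")
	}
	return nil
}

// safeVerify reaches dsa.Verify only when the key passed validation.
func safeVerify(pub *dsa.PublicKey, hash []byte, r, s *big.Int) bool {
	return checkDSAPublicKey(pub) == nil && dsa.Verify(pub, hash, r, s)
}

// toyKey: constructed, deliberately tiny key (q=11, g=4, y=4^3 mod 23=18).
func toyKey(p int64) *dsa.PublicKey {
	params := dsa.Parameters{P: big.NewInt(p), Q: big.NewInt(11), G: big.NewInt(4)}
	return &dsa.PublicKey{Parameters: params, Y: big.NewInt(18)}
}

func main() {
	fmt.Println(checkDSAPublicKey(toyKey(23))) // consistent toy parameters
	fmt.Println(checkDSAPublicKey(toyKey(0)))  // P = 0, the input shape from the description
}
```

Running the same check on keys parsed from client certificates or SSH authentication requests keeps a malformed key from reaching signature verification at all.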
Scores
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H