From a Silent Math Error to Certificate Bypass: Uncovering an Integer Overflow in a TLS Parser Bug hunting isn’t always about popping XSS alerts or finding chained SSRFs. Sometimes, the most …

InfoSecWriteUps' platform is  dedicated to providing insights and resources for cybersecurity professionals and enthusiasts. Through articles, tutorials, and security research, InfoSecWriteUps offers insights into cybersecurity vulnerabilities, attack techniques, and defense strategies. Readers can learn about penetration testing, threat intelligence, and incident response to enhance their cybersecurity knowledge and skills.

InfoSec Write-ups

A security researcher discovered a CWE-190 integer overflow vulnerability in the ASN.1 DER parser of a popular open-source Java/Kotlin TLS library. The parser's VLQ decoding function used a 64-bit Long with no overflow protection, allowing an attacker to feed 11 crafted bytes causing 70 bits of left shifts, silently truncating a massive number to a small value. This enables OID spoofing: a rogue certificate with a crafted oversized OID gets truncated to match a trusted standard OID, bypassing certificate validation and enabling MitM attacks. The fix involves a pre-shift boundary check. The writeup also shares practical bug hunting tips: follow TODO comments, build local test harnesses, and always translate math errors into concrete security impact.

From a Silent Math Error to Certificate Bypass: Uncovering an Integer Overflow in a TLS Parser

1. The Background: Understanding VLQs and ASN.1 DER

2. The Vulnerability: The Silent Overflow

3. The Exploitation: Crafting the Payload