Date: Thu, 08 Jan 2004 23:50:18 +0100
From: "Bram Matthys (Syzop)" <syzop@...nscan.org>
To: "Lachniet, Mark" <mlachniet@...uoianet.com>
Cc: bugtraq@...urityfocus.com, pen-test@...urityfocus.com, full-disclosure@...ts.netsys.com
Subject: Re: Openssl proof of concept code?

Hi,

Lachniet, Mark wrote:
> A few months ago, there were issues with the openssl code base, as noted
> on bugtraq and in the following URLs:
> http://www.openssl.org/news/secadv_20031104.txt and
> http://www.openssl.org/news/secadv_20030930.txt.
[..]
> Is anyone aware of a reasonable way for an analyst to definitively
> demonstrate if the vulnerabilities exist in a particular product? Since
> some of the bugs deal with bad client certificates, some might be as
> easy as getting a copy of a "bad" client certificate and connecting to
> the server using a program such as stunnel, but I have yet to see
> anything about this.

I'm an ircd coder and we have (optional) support for SSL connections, so at
that time I was interested in this issue and was surprised nobody released
proof of concept code either. A week or so after the announcement I started
looking at it myself.

I won't release my PoC since it's way too ugly, but what I did was look at how
a valid SSL handshake took place (with a client certificate) [I just sniffed a
stunnel session w/client certificate]. Then I wrote a C program which does
exactly that EXCEPT modifying some random bytes to random values.

Quite quickly I managed to crash the ircd server (after 5-15 attempts). I was
able to crash it at (at least) 2 different locations.

I also tested it against apache w/SSL but that mainly generated lots of
warning messages, like:
[error] error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[error] error:0D08403A:asn1 encoding routines:ASN1_TEMPLATE_EX_D2I:nested asn1 error
[error] error:1408900D:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:ASN1 lib
[error] SSL_accept failed
etc...

Besides that it didn't seem to have much effect (no signal 11's..). After
running the program for several hours however I somehow managed to put some
apache children into a loop, eating 100% cpu and my load avg. went up to 4 / 5.
Unfortunately I didn't have much time to investigate it.

Hope this helps,

Bram Matthys (Syzop).

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
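The Apache lines quoted in the post are OpenSSL error strings of the form `error:<code>:<library>:<function>:<reason>`, and a server on the receiving end of mangled client certificates like those described shows up in its error_log as a burst of handshake failures in which an ASN.1 decode error surfaces under SSL3_GET_CLIENT_CERTIFICATE. As an added example (not code from the post or from OpenSSL), the Python below groups such error_log lines into handshake failures and classifies each one; the sample log text is constructed from the post's lines plus one unrelated failure, and the numeric split assumes the OpenSSL 0.9.x/1.x ERR_PACK layout (8-bit library, 12-bit function, 12-bit reason), so that the numeric library field can be cross-checked against the textual one.

```python
import re
from collections import Counter

# Constructed sample error_log excerpt: the three OpenSSL error lines are the
# ones quoted in the post, repeated as a burst; the 'wrong version number'
# failure is added so a non-certificate failure is classified separately.
SAMPLE_LOG = """\
[error] error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[error] error:0D08403A:asn1 encoding routines:ASN1_TEMPLATE_EX_D2I:nested asn1 error
[error] error:1408900D:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:ASN1 lib
[error] SSL_accept failed
[error] error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
[error] SSL_accept failed
[error] error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[error] error:0D08403A:asn1 encoding routines:ASN1_TEMPLATE_EX_D2I:nested asn1 error
[error] error:1408900D:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:ASN1 lib
[error] SSL_accept failed
"""

# OpenSSL 0.9.x/1.x ERR_PACK layout: 8-bit library, 12-bit function, 12-bit
# reason. OpenSSL 3.x dropped the function field, so this split only fits
# the older codes seen here. ERR_LIB_ASN1 is 13 in that numbering.
ERR_LIB_ASN1 = 13
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)")

def unpack_err(code):
    """Split a packed error code into (lib, func, reason) numbers."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def group_handshakes(lines):
    """Collect the (code, function, reason) triples preceding each 'SSL_accept failed'."""
    groups, current = [], []
    for line in lines:
        m = ERR_RE.search(line)
        if m:
            current.append((int(m.group(1), 16), m.group(3), m.group(4)))
        elif "SSL_accept failed" in line:
            groups.append(current)
            current = []
    return groups

def classify(group):
    """'bad-client-cert' when an ASN.1 decode error was hit while reading the client cert."""
    asn1_fail = any(unpack_err(code)[0] == ERR_LIB_ASN1 for code, _, _ in group)
    in_client_cert = any(func == "SSL3_GET_CLIENT_CERTIFICATE" for _, func, _ in group)
    return "bad-client-cert" if asn1_fail and in_client_cert else "other"

def summarize(text):
    """Count handshake failures per class; a run of 'bad-client-cert' is the post's pattern."""
    return Counter(classify(g) for g in group_handshakes(text.splitlines()))
```

A single such failure is an ordinary broken client; what distinguishes the behaviour described in the post is the rate, so in practice the counter would be kept per source address and window.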