lists.openwall.net: Open Source and information security mailing list archives
Date: Wed,  2 Mar 2005 05:58:34 -0800
From: <cyber_tal0n@...hmail.com>
To: full-disclosure@...ts.netsys.com
Cc: bugtraq@...urityfocus.com
Subject: OpenSSL <= 0.9.6m vulnerability


IMPORTANT:

THIS IS NOT A FAKE ADVISORY, NOR IS IT A SPOOF. WE ARE NOT ROCKY 
TRYING TO BE COOL BY POSTING AS STEFAN 'LORIAN' ESSER (WHEN WILL 
THIS KID GROW UP?!?!) AND WHEN WILL ISEC.PL STOP BEING OWNED?


OpenSSL <= 0.9.6m GetHostByName vulnerability

tal0n Security Advisory 02.03.05
cyber_talon@...hmail.com

March 2, 2005

I. BACKGROUND

OpenSSL is an open-source implementation of the Secure Sockets 
Layer (SSL) protocol. A remotely exploitable vulnerability exists 
in OpenSSL servers that could lead to the execution of arbitrary 
code on the server.
OpenSSL has been penetrated more times than theo de raadt's ass.

II. DESCRIPTION

I would like to retract the statement from my "Code Auditing in C" 
article that strncpy is safe; I now believe this to be false. 
Remote exploitation of a stack-based buffer overflow vulnerability 
in the GetHostByName function of OpenSSL could allow remote 
attackers to execute arbitrary code.

The vulnerability specifically exists due to improper use of the 
strncpy function.
The vulnerable code is shown below:

-- snip --
char name[128];
-- snip --
if (ghbn_cache[i].order > 0)
{
    if (strncmp(name,ghbn_cache[i].name,128) == 0)
        break;
}

Due to a routine security audit of the strncpy man page, we at 
tal0n Security now know that the result of strncpy will not be 
null-terminated!!!!!!

This leads to exploitation of adjacent memory spaces, uH oH!

III. DETECTION

tal0n Security discovered this problem 01.05.04 and has been owning 
kernel.org ever since.

We at tal0n Security do not believe in notifying vendors, therefore 
this vulnerability still exists in the wild.


IV. WORKAROUND

There are no known workarounds for this vulnerability. You MUST rm 
your system.

V. VENDOR RESPONSE

A vendor advisory for this issue is available at:

http://www.fuckthevendor.com

VI. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned 
the name CAN-2005-0444 to this issue. This is a candidate for 
inclusion in the CVE list (http://cve.mitre.org), which standardizes 
names for security problems.

VII. DISCLOSURE TIMELINE

01/14/2005  Initial vendor notification
01/19/2005  Initial vendor response
03/01/2005  Coordinated public disclosure

VIII. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

tal0n Security is actively recruiting members, so if you want to get 
LAID for vulnerability research

E-mail: cyber_tal0n@...hmail.com


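The one verifiable technical claim in the post is that strncpy(dst, src, sizeof dst) leaves no terminating NUL when the source is as long as the destination. The C program below is an added example, not code from the post or from OpenSSL: it models a hypothetical cache slot with a 128-byte name field (the struct, function names and host names are all assumptions), stores names with the strncpy idiom the post refers to and with a hardened form, checks whether the field is terminated, and runs the size-bounded strncmp lookup quoted in the post to show that the bounded compare itself does not read past the field and that names differing only after byte 128 collide on the same entry.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not OpenSSL's code): a 128-byte name slot modelled on the
 * ghbn_cache entry quoted in the post. Struct, helpers and names are
 * hypothetical. */
#define NAME_LEN 128
#define CACHE_SLOTS 4

struct cache_entry {
    char name[NAME_LEN];
    int order;
};

/* Bounded length that never runs past the field, even with no NUL present. */
size_t name_len(const struct cache_entry *e) {
    const char *nul = memchr(e->name, '\0', NAME_LEN);
    return nul ? (size_t)(nul - e->name) : NAME_LEN;
}

/* 1 if the stored name has no terminating NUL anywhere inside the field. */
int is_unterminated(const struct cache_entry *e) {
    return memchr(e->name, '\0', NAME_LEN) == NULL;
}

/* The idiom the post describes: strncpy with the full field size. When
 * strlen(host) >= 128, strncpy fills all 128 bytes and writes no NUL. */
void store_as_quoted(struct cache_entry *e, const char *host) {
    memset(e, 0, sizeof *e);        /* zero so the result is deterministic */
    strncpy(e->name, host, NAME_LEN);
    e->order = 1;
}

/* Hardened form: leave room for the NUL and write it unconditionally. */
void store_terminated(struct cache_entry *e, const char *host) {
    memset(e, 0, sizeof *e);
    strncpy(e->name, host, NAME_LEN - 1);
    e->name[NAME_LEN - 1] = '\0';
    e->order = 1;
}

/* Lookup exactly as the quoted loop does it. strncmp is bounded by the field
 * size, so it cannot read past the field even for an unterminated entry; the
 * missing NUL only becomes dangerous when other code treats the field as a
 * C string (strlen, strcpy, printf "%s"). */
int lookup(const struct cache_entry *cache, int n, const char *host) {
    for (int i = 0; i < n; i++) {
        if (cache[i].order > 0 && strncmp(host, cache[i].name, NAME_LEN) == 0)
            return i;
    }
    return -1;
}

/* Constructs a hypothetical host name of the given length (buf holds len+1). */
void make_host(char *buf, size_t len, char fill) {
    memset(buf, fill, len);
    buf[len] = '\0';
}

int main(void) {
    struct cache_entry cache[CACHE_SLOTS];
    char h127[256], h128[256], h200[256];
    make_host(h127, 127, 'a');
    make_host(h128, 128, 'a');
    make_host(h200, 200, 'a');

    store_as_quoted(&cache[0], h127);   /* fits: NUL at byte 127 */
    store_as_quoted(&cache[1], h128);   /* exactly 128: no NUL at all */
    store_terminated(&cache[2], h128);  /* truncated to 127, terminated */
    cache[3].order = 0;                 /* unused slot */

    printf("127 chars, strncpy(.,.,128): unterminated=%d len=%zu\n",
           is_unterminated(&cache[0]), name_len(&cache[0]));
    printf("128 chars, strncpy(.,.,128): unterminated=%d len=%zu\n",
           is_unterminated(&cache[1]), name_len(&cache[1]));
    printf("128 chars, hardened:         unterminated=%d len=%zu\n",
           is_unterminated(&cache[2]), name_len(&cache[2]));
    /* Truncation side effect: a 200-char name matches the 128-char entry. */
    printf("lookup(200-char name) -> slot %d\n",
           lookup(cache, CACHE_SLOTS, h200));
    return 0;
}
```

The check a practitioner wants after any strncpy into a fixed field is the explicit `name[NAME_LEN - 1] = '\0'` (or a copy routine that terminates for you); a bounded strncmp on the lookup path is not enough on its own, because the first caller that passes the field to strlen or "%s" reads on into the adjacent memory the post alludes to. The collision on truncated keys is a separate property of keying a cache on a fixed-size prefix, and both the quoted and the hardened copies share it.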