| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 13 Oct 2016 18:06:48 +0200
From: Guido Vranken <guidovranken@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] OpenSSL 1.1.0 remote client memory corruption
Triggering this requires that the client sets a very large ALPN list
(several thousand bytes). This would be very unusual in a real-world
application. For this reason OpenSSL does not treat this as a security
vulnerability and I am inclined to agree with this decision. However, if an
attacker can somehow influence the ALPN list of an OpenSSL-enabled
application (perhaps through another vulnerability), the attacker can write
arbitrary data past OpenSSL's heap buffer.
openssl s_client -reconnect -status -alpn `python -c "import sys;
sys.stdout.write('x,'*4000+'x')"`
If the server sends a session ticket with a special length (16022 bytes),
the client will crash.
More technical details here:
https://guidovranken.wordpress.com/2016/10/13/openssl-1-1-0-remote-client-memory-corruption-in-ssl_add_clienthello_tlsext/
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists