lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <CAO5O-E+Mnk6DkT8_yHhnczS77gHVKzYiw_AKjTyG9OFi211_aw@mail.gmail.com>
Date: Thu, 13 Oct 2016 18:06:48 +0200
From: Guido Vranken <guidovranken@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] OpenSSL 1.1.0 remote client memory corruption

Triggering this requires that the client sets a very large ALPN list
(several thousand bytes). This would be very unusual in a real-world
application. For this reason OpenSSL does not treat this as a security
vulnerability and I am inclined to agree with this decision. However, if an
attacker can somehow influence the ALPN list of an OpenSSL-enabled
application (perhaps through another vulnerability), the attacker can write
arbitrary data past OpenSSL's heap buffer.

openssl s_client -reconnect -status -alpn `python -c "import sys;
sys.stdout.write('x,'*4000+'x')"`

If the server sends a session ticket with a special length (16022 bytes),
the client will crash.

More technical details here:

https://guidovranken.wordpress.com/2016/10/13/openssl-1-1-0-remote-client-memory-corruption-in-ssl_add_clienthello_tlsext/

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ