lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <CAPWzz4zbMm0j1O6EBDnQb1UpHza80=NND0dWeSaySf_s83ucQQ@mail.gmail.com>
Date: Wed, 29 Apr 2020 19:39:31 +0200
From: Imre Rad <radimre83@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] CVE-2020-1967: proving sigalg != NULL

I created a proof of concept exploit about the recent OpenSSL
signature_algorithms_cert DoS flaw (CVE-2020-1967). Credit for the
original finding goes to Bernd Edlinger.

This is a null pointer dereference while processing a crafted
signature_algorithms_cert TLS extension via the SSL_check_chain() API
method. Applications do need to call this method explicitly, it is not
invoked by default during the handshake. The segmentation fault of a
TLS service could look like this:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f09bcff3770 in tls1_check_sig_alg.part.0.cold () from
/data/openssl-1.1.1d/libssl.so
(gdb) bt
#0  0x00007f09bcff3770 in tls1_check_sig_alg.part.0.cold () from
/data/openssl-1.1.1d/libssl.so
#1  0x00007f09bd03f309 in tls1_check_chain () from
/data/openssl-1.1.1d/libssl.so
#2  0x00007f09bd403fc8 in set_cert_cb ()
#3  0x00007f09bd037f75 in tls_post_process_client_hello () from
/data/openssl-1.1.1d/libssl.so
#4  0x00007f09bd02703f in state_machine.part () from
/data/openssl-1.1.1d/libssl.so
#5  0x00007f09bcffa3f8 in ssl3_write_bytes () from
/data/openssl-1.1.1d/libssl.so
#6  0x00007f09bd00fbb9 in ssl_write_internal () from
/data/openssl-1.1.1d/libssl.so
#7  0x00007f09bd00fd07 in SSL_write () from /data/openssl-1.1.1d/libssl.so
#8  0x00007f09bd3e337d in sv_body ()
#9  0x00007f09bd40757a in do_server ()
#10 0x00007f09bd3e7c27 in s_server_main ()
#11 0x00007f09bd3cea46 in do_cmd ()
#12 0x00007f09bd3b89fd in main ()

This exploit relies on a patched version of openssl's s_client and can
be found here:

https://github.com/irsl/CVE-2020-1967

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ