|
 |
| SecurityReason | ||
| WLB | ||
| Services | ||
| RSS | ||
| Corporate | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
Home  SecurityAlert Database |
||||
SecurityAlert : 3179 CVE : CVE-2007-5135 SecurityRisk : High  (About) Remote Exploit : Yes Local Exploit : Yes Exploit Given : No Credit : Moritz Jodeit Published : 30.09.2007
Advisory Text : ----------------------------------------------------------------- OpenSSL SSL_get_shared_ciphers() off-by-one buffer overflow Copyright (c) 2007 Moritz Jodeit <moritz (at) jodeit (dot) org [email concealed]> (2007/09/27) ----------------------------------------------------------------- Application details: OpenSSL is a widely used open source implementation of the SSL v2/v3 and TLS v1 protocols. Vulnerability description: OpenSSL 0.9.7l and 0.9.8d fixed a buffer overflow found in the SSL_get_shared_ciphers() function reported by Tavis Ormandy and Will Drewry of the Google Security Team. Although this fix prevented the unlimited overflow of the buffer, it still allowed an off-by-one buffer overflow to happen, which could potentially still result in remote code execution. Here is an excerpt of the function from ssl/ssl_lib.c: p=buf; sk=s->session->ciphers; for (i=0; i<sk_SSL_CIPHER_num(sk); i++) { /* Decrement for either the ':' or a '�' */ len--; [4] c=sk_SSL_CIPHER_value(sk,i); for (cp=c->name; *cp; ) { if (len-- <= 0) [1] { *p='�'; [5] return(buf); } else *(p++)= *(cp++); [2] } *(p++)=':'; [3] } p[-1]='�'; return(buf); The old vulnerability got fixed at [1] by comparing 'len' against <= 0 instead of == 0 to detect the possible underflow of 'len'. To trigger the off-by-one, you'd just fill the buffer with cipher strings up to the point, where 'len' == 1 and 'cp' pointing to the last character of the current cipher string. The last round of the inner for() loop would then decrement 'len' to 0 at [1] and write the last byte of the current cipher string into the buffer [2], increasing 'p' to point to the last free byte of the buffer. The last free byte is then filled by the ':' separator and 'p' is increased to point one byte behind the buffer. Now if there are still ciphers remaining, we enter the outer loop again, decrease 'len' to -1 at [4] and then hit the check at [1] again. This time it's true and the terminating '�' byte is written one byte behind the buffer [5] before returning. Vendor response: 2007/06/06 Initial contact with openssl-security (at) openssl (dot) org [email concealed] 2007/07/06 Response received by Ben Laurie <ben (at) links (dot) org [email concealed]> regarding a proposed fix. 2007/09/19 Fix committed to the OpenSSL_0_9_8-stable branch in CVS. Vulnerable packages: All applications using the SSL_get_shared_ciphers() function from the OpenSSL library up to 0.9.7m and 0.9.8e.  Feedback : If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com. |
||||
| Alert | ||
Multiple Vendors libc/gdtoa printf(3) Array Overrun
SecurityReason realised new advisory about vulnerabilities libc/gdtoa... |
||
| Apache |  |
|
» Apache Tomcat |
||
» Apache Tomcat User |
||
| PHP | |
|
» PHP |
||
- 2009-05-30| Copyright © SecurityReason.com. All Rights Reserved. |