OpenSSL SSL_get_shared_ciphers() off-by-one buffer overflow

From: Moritz Jodeit <moritz(at)jodeit.org>
Date: Thu Sep 27 2007 - 12:21:40 EDT



OpenSSL SSL_get_shared_ciphers() off-by-one buffer overflow

Copyright (c) 2007 Moritz Jodeit <moritz@jodeit.org> (2007/09/27)


Application details:

	OpenSSL is a widely used open source implementation of the
	SSL v2/v3 and TLS v1 protocols.

Vulnerability description:

	OpenSSL 0.9.7l and 0.9.8d fixed a buffer overflow found in
	the SSL_get_shared_ciphers() function reported by Tavis
	Ormandy and Will Drewry of the Google Security Team.

	Although this fix prevented the unlimited overflow of the
	buffer, it still allowed an off-by-one buffer overflow to
	happen, which could potentially still result in remote code
	execution.

	Here is an excerpt of the function from ssl/ssl_lib.c (the
	bracketed markers are referenced below):

	p=buf;
	sk=s->session->ciphers;
	for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
		{
		/* Decrement for either the ':' or a '\0' */
		len--;						[4]
		c=sk_SSL_CIPHER_value(sk,i);
		for (cp=c->name; *cp; )
			{
			if (len-- <= 0)				[1]
				{
				*p='\0';			[5]
				return(buf);
				}
			else
				*(p++)= *(cp++);		[2]
			}
		*(p++)=':';					[3]
		}
	p[-1]='\0';
	return(buf);

	The old vulnerability got fixed at [1] by comparing 'len'
	against <= 0 instead of == 0 to detect the possible
	underflow of 'len'.

	To trigger the off-by-one, you'd just fill the buffer
	with cipher strings up to the point where 'len' == 1 and
	'cp' is pointing to the last character of the current cipher
	string. The last round of the inner for() loop would then
	decrement 'len' to 0 at [1] and write the last byte of the
	current cipher string into the buffer [2], increasing 'p'
	to point to the last free byte of the buffer.
	The last free byte is then filled by the ':' separator [3]
	and 'p' is increased to point one byte behind the buffer.
	Now if there are still ciphers remaining, we enter the
	outer loop again, decrease 'len' to -1 at [4] and then hit
	the check at [1] again. This time it's true and the
	terminating '\0' byte is written one byte behind the
	buffer [5] before returning. In other words, the check at
	[1] only notices that 'len' has gone negative after [3]
	has already consumed the final byte, and the write at [5]
	never verifies that 'p' still points inside the buffer.
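The trace above, worked through in code. This is an added example, not the advisory's or OpenSSL's own source: it reimplements the 0.9.8e loop (same control flow, same [n] markers) over a constructed list of three cipher names, places a canary byte directly after a buffer of the trigger size (strlen of the first name plus one), and sets it beside a length-checked variant written for this example that decides whether "name + ':'" fits before writing anything. Function names, the cipher list and the canary value are all assumptions of the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed cipher names standing in for s->session->ciphers
 * (assumption of this example: any list with at least two entries works). */
static const char *const kCiphers[] = { "AES128-SHA", "DES-CBC3-SHA", "RC4-SHA" };
#define NCIPHERS ((int)(sizeof kCiphers / sizeof kCiphers[0]))

typedef char *(*shared_fn)(const char *const *, int, char *, int);

/* Same control flow as the 0.9.8e loop quoted in the advisory; the [n]
 * markers match the advisory's. With len == strlen(names[0]) + 1 and a
 * second name present, the '\0' written at [5] lands at buf[len]. */
static char *shared_ciphers_vuln(const char *const *names, int n, char *buf, int len)
{
    char *p = buf;
    const char *cp;
    int i;

    if (n == 0 || len < 2)
        return NULL;
    for (i = 0; i < n; i++) {
        len--;                     /* [4]: reserve the ':' or the '\0' */
        for (cp = names[i]; *cp; ) {
            if (len-- <= 0) {      /* [1]: fires one byte too late */
                *p = '\0';         /* [5]: p may already be buf + len */
                return buf;
            }
            *(p++) = *(cp++);      /* [2] */
        }
        *(p++) = ':';              /* [3] */
    }
    p[-1] = '\0';
    return buf;
}

/* Length-checked variant written for this example: check, per name and
 * before writing, that name plus separator fits; never touches buf[len]. */
static char *shared_ciphers_fixed(const char *const *names, int n, char *buf, int len)
{
    char *p = buf;
    int i;

    if (n == 0 || len < 2)
        return NULL;
    for (i = 0; i < n; i++) {
        int l = (int)strlen(names[i]);
        if (l + 1 > len) {         /* name + ':' would not fit: stop here */
            if (p != buf)
                --p;               /* overwrite the trailing ':' with '\0' */
            *p = '\0';
            return buf;
        }
        memcpy(p, names[i], (size_t)l);
        p += l;
        *(p++) = ':';
        len -= l + 1;
    }
    p[-1] = '\0';
    return buf;
}

/* Run impl into a len-byte region that is followed by a canary byte.
 * Returns 1 if the canary was overwritten (the off-by-one fired), 0 if not,
 * -1 if len does not fit the backing storage. */
static int canary_clobbered(shared_fn impl, int len)
{
    char storage[64];
    if (len < 1 || len >= (int)sizeof storage)
        return -1;
    memset(storage, 'X', sizeof storage);
    storage[len] = (char)0xA5;     /* canary directly past the buffer */
    impl(kCiphers, NCIPHERS, storage, len);
    return storage[len] != (char)0xA5;
}

/* Returns 1 if impl, given len bytes, produces exactly `expected`. */
static int produces(shared_fn impl, int len, const char *expected)
{
    char storage[64];
    char *r;
    if (len < 1 || len >= (int)sizeof storage)
        return 0;
    memset(storage, 'X', sizeof storage);
    storage[sizeof storage - 1] = '\0';   /* keep strcmp bounded no matter what */
    r = impl(kCiphers, NCIPHERS, storage, len);
    return r != NULL && strcmp(r, expected) == 0;
}

int main(void)
{
    int len = (int)strlen(kCiphers[0]) + 1;   /* 11: the trigger size */
    printf("vulnerable, len=%d: canary clobbered = %d\n", len, canary_clobbered(shared_ciphers_vuln, len));
    printf("fixed,      len=%d: canary clobbered = %d\n", len, canary_clobbered(shared_ciphers_fixed, len));
    printf("vulnerable, len=%d: canary clobbered = %d\n", len + 1, canary_clobbered(shared_ciphers_vuln, len + 1));
    return 0;
}
```

With a buffer one byte larger (len 12) the vulnerable loop stays in bounds, which is why the bug is exactly one byte and why a generic "len < needed" test on the caller side does not find it; the condition is that the names fill the buffer exactly while ciphers remain. Note also that either variant is only as safe as the len the caller passes: it must be the real size of buf.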

Vendor response:

	2007/06/06	Initial contact with openssl-security@openssl.org
	2007/07/06	Response received from Ben Laurie
			regarding a proposed fix.
	2007/09/19	Fix committed to the OpenSSL_0_9_8-stable branch
			in CVS.

Vulnerable packages:

	All applications using the SSL_get_shared_ciphers() function from
	the OpenSSL library up to 0.9.7m and 0.9.8e.
Received on Thu Sep 27 15:19:41 2007
