OpenSSL SSL_get_shared_ciphers() off-by-one buffer overflow

2007.09.30
Credit: Moritz Jodeit
Risk: High
Local: Yes
Remote: Yes
CWE: CWE-119


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

----------------------------------------------------------------- OpenSSL SSL_get_shared_ciphers() off-by-one buffer overflow Copyright (c) 2007 Moritz Jodeit <moritz (at) jodeit (dot) org [email concealed]> (2007/09/27) ----------------------------------------------------------------- Application details: OpenSSL is a widely used open source implementation of the SSL v2/v3 and TLS v1 protocols. Vulnerability description: OpenSSL 0.9.7l and 0.9.8d fixed a buffer overflow found in the SSL_get_shared_ciphers() function reported by Tavis Ormandy and Will Drewry of the Google Security Team. Although this fix prevented the unlimited overflow of the buffer, it still allowed an off-by-one buffer overflow to happen, which could potentially still result in remote code execution. Here is an excerpt of the function from ssl/ssl_lib.c: p=buf; sk=s->session->ciphers; for (i=0; i<sk_SSL_CIPHER_num(sk); i++) { /* Decrement for either the ':' or a '\0' */ len--; [4] c=sk_SSL_CIPHER_value(sk,i); for (cp=c->name; *cp; ) { if (len-- <= 0) [1] { *p='\0'; [5] return(buf); } else *(p++)= *(cp++); [2] } *(p++)=':'; [3] } p[-1]='\0'; return(buf); The old vulnerability got fixed at [1] by comparing 'len' against <= 0 instead of == 0 to detect the possible underflow of 'len'. To trigger the off-by-one, you'd just fill the buffer with cipher strings up to the point, where 'len' == 1 and 'cp' pointing to the last character of the current cipher string. The last round of the inner for() loop would then decrement 'len' to 0 at [1] and write the last byte of the current cipher string into the buffer [2], increasing 'p' to point to the last free byte of the buffer. The last free byte is then filled by the ':' separator and 'p' is increased to point one byte behind the buffer. Now if there are still ciphers remaining, we enter the outer loop again, decrease 'len' to -1 at [4] and then hit the check at [1] again. This time it's true and the terminating '\0' byte is written one byte behind the buffer [5] before returning. Vendor response: 2007/06/06 Initial contact with openssl-security (at) openssl (dot) org [email concealed] 2007/07/06 Response received by Ben Laurie <ben (at) links (dot) org [email concealed]> regarding a proposed fix. 2007/09/19 Fix committed to the OpenSSL_0_9_8-stable branch in CVS. Vulnerable packages: All applications using the SSL_get_shared_ciphers() function from the OpenSSL library up to 0.9.7m and 0.9.8e.


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top