Buffer over/underflows in ssldump prior to 0.9b3

[Eric Rescorla <ekr () rtfm com>]

http://www.rtfm.com/ssldump

The ssldump team has discovered a number of memory errors in
old versions of ssldump.


BACKGROUND
ssldump is an SSLv3/TLS network protocol analyzer.  If provided with
the appropriate keying material, it will also decrypt the connections
and display the application data traffic.


SUMMARY OF BUG
It's possible to send ssldump bogus protocol messages which will cause
a buffer under/overflow. Although no exploit is known, it is possible
that this buffer overflow can be used to take control of ssldump,
which might lead to execution of arbitrary code and compromise of the
affected system.
                                   

VULNERABLE VERSIONS
Any version of ssldump prior to ssldump-0.9b3


DETAILS
There are two problems.

(1) ssldump attempts to decrypt the PreMasterSecret into a 48 byte
buffer. This is the longest legal value for an RSA
PreMasterSecret. It's possible to overflow this buffer by using a
longer PMS. The maximum size of this overflow is limited by the
length of the server's RSA key and therefore will be about
64-bytes for a 1024-bit RSA key. This bug can only be exercised
in decryption mode.

(2) ssldump does not check the length of an SSLv2 "challenge"
value. The challenge value is copied into a right-aligned 32-byte
buffer and therefore it is possible to underrun the buffer
by up to 64k. 


EXPLOITS
No exploits are known at this time. This is the first announcement
of these problems.


SCOPE OF VULNERABILITY
Since ssldump is an analysis tool, you have to be actually
running it at the time when an attacker attempts to attack you.
However, this isn't impossible. If you're running ssldump on
a network where hostile parties can send you traffic, you should
stop or upgrade.


FIX
Upgrade to ssldump-0.9b3, found at:
        http://www.rtfm.com/ssldump/ssldump-0.9b3.tar.gz