Full Disclosure mailing list archives
OpenSSL <= 0.9.6m vulnerability
From: <cyber_tal0n () hushmail com>
Date: Wed, 2 Mar 2005 05:58:34 -0800
IMPORTANT: THIS IS NOT A FAKE ADVISORY, NOR IS IT A SPOOF. WE ARE NOT ROCKY TRYING TO BE COOL BY POSTING AS STEFAN 'LORIAN' ESSER (WHEN WILL THIS KID GROW UP?!?!) AND WHEN WILL ISEC.PL STOP BEING OWNED?

OpenSSL <= 0.9.6m GetHostByName vulnerability
tal0n Security Advisory 02.03.05
cyber_talon () hushmail com
March 2, 2005

I. BACKGROUND

OpenSSL is an open-source implementation of the Secure Sockets Layer (SSL) protocol. A remotely exploitable vulnerability exists in OpenSSL servers that could lead to the execution of arbitrary code on the server. OpenSSL has been penetrated more times than theo de raadt's ass.

II. DESCRIPTION

I would like to retract the statement from my "Code Auditing in C" article that strncpy is safe; I now believe this to be false.

Remote exploitation of a stack-based buffer overflow vulnerability in the GetHostByName function of OpenSSL could allow remote attackers to execute arbitrary code. The vulnerability specifically exists due to improper use of the strncpy function. The vulnerable code is shown below:

  -- snip --
  char name[128];
  -- snip --
  if (ghbn_cache[i].order > 0)
  {
    if (strncmp(name,ghbn_cache[i].name,128) == 0)
      break;
  }

Due to a routine security audit of the strncpy man file, we at tal0n security now know that the result of strncpy will not be null terminated !!!!!! This leads to exploitation of adjacent memory spaces, uH oH!

III. DETECTION

tal0n Security discovered this problem 01.05.04 and has been owning kernel.org ever since. We at tal0n Security do not believe in notifying vendors, therefore this vulnerability still exists in the wild.

IV. WORKAROUND

There are no known workarounds for this vulnerability. You MUST rm your system.

V. VENDOR RESPONSE

A vendor advisory for this issue is available at:
http://www.fuckthevendor.com

VI. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2005-0444 to these issues. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

VII. DISCLOSURE TIMELINE

01/14/2005 Initial vendor notification
01/19/2005 Initial vendor response
03/01/2005 Coordinated public disclosure

VIII. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

tal0n Security is actively recruiting members so if you want to get LAID for vulnerability research E-mail: cyber_tal0n () hushmail com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
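The one real point buried in the post above is the strncpy(3) contract: it copies at most n bytes and only writes a terminator when the source is shorter than n, so a source of 128 or more bytes copied into char name[128] leaves no NUL in the buffer. The snippet the post quotes calls strncmp with an explicit bound of 128, which never reads past the buffer on its own; the hazard is any later code that treats name[] as a C string (strlen, printf "%s", strcpy). The program below is an added illustration written for this archive page, not code from the post or from OpenSSL; NAME_LEN, the 'a'-filled host names and the copy_name() helper are constructed for the demonstration. It probes strncpy at several source lengths with a sentinel-filled buffer and shows a bounded copy that always terminates and reports truncation.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 128          /* same size as the char name[128] in the post */
#define MAX_SRC  (NAME_LEN * 2)

/* Build a constructed (not real) host name of src_len 'a' bytes into src. */
static int make_src(char *src, size_t src_len)
{
    if (src_len > MAX_SRC)
        return -1;
    memset(src, 'a', src_len);
    src[src_len] = '\0';
    return 0;
}

/* Plain strncpy, exactly per its libc contract: copies at most NAME_LEN
 * bytes and only NUL-pads when src is shorter than NAME_LEN. Returns 1 if
 * a terminator landed inside name[], 0 if not, -1 on bad input. The
 * buffer is pre-filled with a non-NUL sentinel so a stale '\0' left on
 * the stack cannot mask the result. */
int strncpy_terminates_for_len(size_t src_len)
{
    char src[MAX_SRC + 1];
    char name[NAME_LEN];
    if (make_src(src, src_len) != 0)
        return -1;
    memset(name, 'X', sizeof name);
    strncpy(name, src, NAME_LEN);
    return memchr(name, '\0', NAME_LEN) != NULL;
}

/* Hardened copy (hypothetical helper): always NUL-terminates dst and
 * reports truncation instead of silently leaving an unterminated string.
 * Returns 0 on a full copy, 1 if the name was truncated. */
int copy_name(char dst[NAME_LEN], const char *src)
{
    size_t n = strlen(src);
    if (n >= NAME_LEN) {
        memcpy(dst, src, NAME_LEN - 1);
        dst[NAME_LEN - 1] = '\0';
        return 1;
    }
    memcpy(dst, src, n + 1);      /* n + 1 includes the terminator */
    return 0;
}

/* Same probe as above, but through copy_name(). Returns 1 if name[] is
 * terminated (it always is), -1 on bad input. */
int safe_copy_terminates_for_len(size_t src_len)
{
    char src[MAX_SRC + 1];
    char name[NAME_LEN];
    if (make_src(src, src_len) != 0)
        return -1;
    memset(name, 'X', sizeof name);
    copy_name(name, src);
    return memchr(name, '\0', NAME_LEN) != NULL;
}

/* Reports whether copy_name() truncated a src_len-byte name (1/0), -1 on bad input. */
int safe_copy_truncated_for_len(size_t src_len)
{
    char src[MAX_SRC + 1];
    char name[NAME_LEN];
    if (make_src(src, src_len) != 0)
        return -1;
    return copy_name(name, src);
}

int main(void)
{
    size_t lens[] = { 16, NAME_LEN - 1, NAME_LEN, NAME_LEN + 40 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        printf("src_len=%3zu  strncpy terminated: %d  copy_name terminated: %d truncated: %d\n",
               lens[i], strncpy_terminates_for_len(lens[i]),
               safe_copy_terminates_for_len(lens[i]),
               safe_copy_truncated_for_len(lens[i]));
    }
    return 0;
}
```

Running it shows the boundary exactly where the man page puts it: a 127-byte name is terminated by strncpy, a 128-byte name is not, while copy_name() terminates every time and flags the 128-byte case as truncated. In an audit, the thing to look for after any strncpy(dst, src, sizeof dst) is whether dst[sizeof dst - 1] is set to '\0' before dst is ever used as a string, or whether the code checks the source length first as copy_name() does.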
Current thread:
- OpenSSL <= 0.9.6m vulnerability cyber_tal0n (Mar 02)
- Re: OpenSSL <= 0.9.6m vulnerability Martin Pitt (Mar 03)