Full Disclosure mailing list archives
CVE-2020-1967: proving sigalg != NULL
From: Imre Rad <radimre83 () gmail com>
Date: Wed, 29 Apr 2020 19:39:31 +0200
I created a proof of concept exploit about the recent OpenSSL signature_algorithms_cert DoS flaw (CVE-2020-1967). Credit for the original finding goes to Bernd Edlinger. This is a null pointer dereference while processing a crafted signature_algorithms_cert TLS extension via the SSL_check_chain() API method. Applications do need to call this method explicitly, it is not invoked by default during the handshake. The segmentation fault of a TLS service could look like this: Program terminated with signal SIGSEGV, Segmentation fault. #0 0x00007f09bcff3770 in tls1_check_sig_alg.part.0.cold () from /data/openssl-1.1.1d/libssl.so (gdb) bt #0 0x00007f09bcff3770 in tls1_check_sig_alg.part.0.cold () from /data/openssl-1.1.1d/libssl.so #1 0x00007f09bd03f309 in tls1_check_chain () from /data/openssl-1.1.1d/libssl.so #2 0x00007f09bd403fc8 in set_cert_cb () #3 0x00007f09bd037f75 in tls_post_process_client_hello () from /data/openssl-1.1.1d/libssl.so #4 0x00007f09bd02703f in state_machine.part () from /data/openssl-1.1.1d/libssl.so #5 0x00007f09bcffa3f8 in ssl3_write_bytes () from /data/openssl-1.1.1d/libssl.so #6 0x00007f09bd00fbb9 in ssl_write_internal () from /data/openssl-1.1.1d/libssl.so #7 0x00007f09bd00fd07 in SSL_write () from /data/openssl-1.1.1d/libssl.so #8 0x00007f09bd3e337d in sv_body () #9 0x00007f09bd40757a in do_server () #10 0x00007f09bd3e7c27 in s_server_main () #11 0x00007f09bd3cea46 in do_cmd () #12 0x00007f09bd3b89fd in main () This exploit relies on a patched version of openssl's s_client and can be found here: https://github.com/irsl/CVE-2020-1967 _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- CVE-2020-1967: proving sigalg != NULL Imre Rad (May 01)