Penetration Testing mailing list archives

Re: Openssl proof of concept code?


From: Ivan Arce <ivan.arce () corest com>
Date: Thu, 08 Jan 2004 19:44:23 -0300

Lachniet, Mark wrote:

...

Is anyone aware of a reasonable way for an analyst to definitively
demonstrate if the vulnerabilities exist in a particular product?  Since
some of the bugs deal with bad client certificates, some might be as
easy as getting a copy of a "bad" client certificate and connecting to
the server using a program such as stunnel, but I have yet to see
anything about this.  Alternately, has anyone written a good program to
remotely identify what SSL codebase is in use, other than looking for it
in HTTP server headers?  Nessus' ssltest.nasl can allegedly distinguish
between an OpenSSL and MS CryptoAPI or Novell, but this isn't really
enough in my opinion.  If conventional tools (i.e. Nessus and other
scanners) can't really fingerprint it, how might one go a little further
and determine this from a "black box" perspective?  I understand that
with a good deal of development time and effort, this can probably be
done, but this is probably not realistic for most organizations to do on
their own.

Here is where the usefulness of exploit code is demonstrated.

The best way to determine if a system is vulnerable to a given vulnerability
is to actually try to exploit it. If you had a reliable exploit for the bug
you wouldn't care that much about putting a great effort into identifying
the specific codebase and version of the SSL implementation you are
testing.

Writing a good-enough vulnerability check without exploitation is sometimes
as hard or even harder than writing a working exploit.

And while we are at this, has anybody done any research on the possibility
of stack overflows due to infinite recursion on Windows or Linux systems?

-ivan

---
Ivan Arce
CTO
CORE SECURITY TECHNOLOGIES

46 Farnsworth Street
Boston, MA 02210
Ph: 617-399-6980
Fax: 617-399-6987
ivan.arce () coresecurity com
www.coresecurity.com

PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A


