Penetration Testing mailing list archives
Sample OpenSSL vulnerability query
From: "jacki buddy" <jacki.buddy () gmail com>
Date: Wed, 13 Aug 2008 18:38:45 +0530
Hi!

Multiple Denial of Service vulnerabilities exist in how OpenSSL versions 0.9.6 to 0.9.7 handle ASN.1 based X.509 certificates. These are documented in:

CVE-2003-0851 CERT-VN:VU#412478
CVE-2003-0543 CERT-VN:VU#255484
CVE-2003-0544 CERT-VN:VU#380864
CVE-2003-0545 CERT-VN:VU#935264

The problem exists in how Tag type and length values of ASN.1 Objects are specified in a certificate. Malformed certificates will trigger a Denial of service.

How do we write a signature to detect all the ASN.1 objects in the certificate?

Sample PCAP of genuine traffic can be found at:
http://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=view&target=snakeoil2_070531.tgz

Regards
jacki
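The question above is about the tag and length fields of every ASN.1 object in a certificate. As an added example (not part of the original post and not OpenSSL's code), this walker lists each DER tag-length-value object and flags length fields that are inconsistent with the enclosing object. It assumes the certificate's DER bytes have already been extracted from the capture; the function names, the depth limit and both sample byte strings are constructed for illustration.

```python
# Added example: structural walk over DER tag-length-value objects.
MAX_DEPTH = 32  # assumed nesting limit, not taken from the post

def walk(buf, off, end, depth, objects, findings):
    while off < end:
        start = off
        tag = buf[off]; off += 1
        if tag & 0x1F == 0x1F:              # high-tag-number form: skip tag bytes
            while True:
                if off >= end:
                    findings.append((start, "truncated tag")); return
                more = buf[off] & 0x80; off += 1
                if not more:
                    break
        if off >= end:
            findings.append((start, "missing length")); return
        first = buf[off]; off += 1
        if first < 0x80:                    # short form
            length = first
        elif first == 0x80:                 # indefinite form is BER, not DER
            findings.append((start, "indefinite length")); return
        else:                               # long form: next n bytes hold the length
            n = first & 0x7F
            if n > 4 or off + n > end:
                findings.append((start, "bad long-form length")); return
            length = int.from_bytes(buf[off:off + n], "big")
            if length < 0x80 or buf[off] == 0:
                findings.append((start, "non-minimal length"))
            off += n
        if off + length > end:
            findings.append((start, "length overruns parent")); return
        objects.append((depth, tag, start, length))
        if tag & 0x20:                      # constructed: children live in the value
            if depth >= MAX_DEPTH:
                findings.append((start, "nesting too deep")); return
            walk(buf, off, off + length, depth + 1, objects, findings)
        off += length

def inspect_der(der):
    """Return (objects, findings); objects are (depth, tag, offset, length)."""
    objects, findings = [], []
    walk(der, 0, len(der), 0, objects, findings)
    return objects, findings

# Constructed samples (not from the referenced capture):
# SEQUENCE { INTEGER 5, SEQUENCE { OID 2.5.4.3, PrintableString "test" } }
GOOD = bytes.fromhex("3010020105300b0603550403130474657374")
BAD = bytes.fromhex("3010020105300b0603550403137f74657374")  # inner length too large

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, inspect_der(sample))
```

The walker does not descend into BIT STRING or OCTET STRING values that wrap further DER, so extensions and the public key are reported as single primitive objects.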