Full Disclosure mailing list archives
OpenSSL 1.1.0 remote client memory corruption
From: Guido Vranken <guidovranken () gmail com>
Date: Thu, 13 Oct 2016 18:06:48 +0200
Triggering this requires that the client sets a very large ALPN list (several thousand bytes). This would be very unusual in a real-world application. For this reason OpenSSL does not treat this as a security vulnerability and I am inclined to agree with this decision. However, if an attacker can somehow influence the ALPN list of an OpenSSL-enabled application (perhaps through another vulnerability), the attacker can write arbitrary data past OpenSSL's heap buffer. openssl s_client -reconnect -status -alpn `python -c "import sys; sys.stdout.write('x,'*4000+'x')"` If the server sends a session ticket with a special length (16022 bytes), the client will crash. More technical details here: https://guidovranken.wordpress.com/2016/10/13/openssl-1-1-0-remote-client-memory-corruption-in-ssl_add_clienthello_tlsext/ _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- OpenSSL 1.1.0 remote client memory corruption Guido Vranken (Oct 19)