Penetration Testing mailing list archives
Re: Openssl proof of concept code?
From: "Bram Matthys (Syzop)" <syzop () vulnscan org>
Date: Thu, 08 Jan 2004 23:50:18 +0100
Hi, Lachniet, Mark wrote:
A few months ago, there were issues with the openssl code base, as noted on bugtraq and in the following URLs: http://www.openssl.org/news/secadv_20031104.txt and http://www.openssl.org/news/secadv_20030930.txt.
[..]
Is anyone aware of a reasonable way for an analyst to definitively demonstrate if the vulnerabilities exist in a particular product? Since some of the bugs deal with bad client certificates, some might be as easy as getting a copy of a "bad" client certificate and connecting to the server using a program such as stunnel, but I have yet to see anything about this.
I'm an ircd coder and we have (optional) support for SSL connections so at that time I was interrested in this issue and was surprised nobody released a proof of concept code too. A week or so after the announcement I started looking at it myself. I won't release my PoC since it's way too ugly, but what I did was look how a valid SSL handshake took place (with a client certificate) [I just sniffed a stunnel session w/client certificate] Then I wrote a C program which does exactly that EXCEPT modifying some random bytes to random values.. Quite quickly I managed to crash the ircd server (after 5-15 attempts). I was able to crash it at (at least) 2 different locations. I also tested it against apache w/SSL but that mainly generated lots of warning messages, like: [error] error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag [error] error:0D08403A:asn1 encoding routines:ASN1_TEMPLATE_EX_D2I:nested asn1 error [error] error:1408900D:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:ASN1 lib [error] SSL_accept failed etc... Besides that it didn't seem to have much effect (no signal 11's..). After running the program for several hours however I somehow managed to put some apache childs into a loop, eating 100% cpu and my load avg. went up to 4 / 5. Unfortunately I didn't have much time to investigate it. Hope this helps, Bram Matthys (Syzop). --------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- Openssl proof of concept code? Lachniet, Mark (Jan 08)
- Re: Openssl proof of concept code? Bram Matthys (Syzop) (Jan 09)
- Re: Openssl proof of concept code? Ivan Arce (Jan 09)
- Re: [Full-Disclosure] Openssl proof of concept code? John Lampe (Jan 09)
- <Possible follow-ups>
- Re: Openssl proof of concept code? David Kennedy CISSP (Jan 09)