Penetration Testing mailing list archives

Sample OpenSSL vulnerability query


From: "jacki buddy" <jacki.buddy () gmail com>
Date: Wed, 13 Aug 2008 18:38:45 +0530

Hi!
Multiple Denial of Service vulnerabilities exist in how OpenSSL
versions 0.9.6 to 0.9.7 handle ASN.1 based X.509 certificates. These
are documented in:
CVE-2003-0851   CERT-VN:VU#412478
CVE-2003-0543   CERT-VN:VU#255484
CVE-2003-0544   CERT-VN:VU#380864
CVE-2003-0545   CERT-VN:VU#935264
The problem exists in how Tag type and length values of ASN.1 Objects
are specified in a certificate. Malformed certificates will trigger a
Denial of service. How do we write a signature to detect all the ASN.1
objects in the certificate?
Sample PCAP of genuine traffic can be found at:
http://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=view&target=snakeoil2_070531.tgz


Regards
jacki
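
One way to enumerate every ASN.1 object in a certificate and flag suspicious tag or length fields, as an added example that is not part of the original post. It assumes the DER bytes of the certificate have already been extracted from the TLS Certificate message; the function names, the depth limit and the sample bytes are hypothetical and constructed for illustration.

```python
MAX_DEPTH = 32  # assumed nesting limit for this sketch

def read_tlv(buf, pos, end):
    """Parse one DER header; return (tag, constructed, value_start, value_end)."""
    if pos + 2 > end:
        raise ValueError(f"truncated header at offset {pos}")
    tag, first = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:  # multi-byte tag number, treated as an anomaly in this sketch
        raise ValueError(f"high-tag-number form at offset {pos}")
    pos += 2
    if first < 0x80:                      # short form
        length = first
    elif first == 0x80:                   # indefinite form is BER, not DER
        raise ValueError(f"indefinite length at offset {pos - 1}")
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n > 4 or pos + n > end:
            raise ValueError(f"bad length-of-length {n} at offset {pos - 1}")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80 or buf[pos] == 0:
            raise ValueError(f"non-minimal length at offset {pos - 1}")
        pos += n
    if pos + length > end:
        raise ValueError(f"length {length} overruns container at offset {pos}")
    return tag, bool(tag & 0x20), pos, pos + length

def walk(buf, pos=0, end=None, depth=0, out=None):
    """List (depth, tag, offset, length) for every object; raise on an anomaly."""
    end = len(buf) if end is None else end
    out = [] if out is None else out
    if depth > MAX_DEPTH:
        raise ValueError(f"nesting deeper than {MAX_DEPTH}")
    while pos < end:
        tag, constructed, start, stop = read_tlv(buf, pos, end)
        out.append((depth, tag, pos, stop - start))
        if constructed:                   # SEQUENCE, SET, explicit tags: recurse into value
            walk(buf, start, stop, depth + 1, out)
        pos = stop
    return out

def check(der):
    """Return (objects, None) for clean input or (None, reason) for an anomaly."""
    try:
        return walk(der), None
    except ValueError as exc:
        return None, str(exc)

# Constructed samples (not a real certificate): SEQUENCE { INTEGER, SEQUENCE { OID, NULL } }
GOOD = bytes.fromhex("30 12 02 01 05 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00")
BAD = bytes.fromhex("30 12 02 01 05 30 7f 06 09 2a 86 48 86 f7 0d 01 01 05 05 00")
```

Each child object is bounded by its parent's value range, so an inner length that claims more bytes than the enclosing object holds is reported rather than followed.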
