mailing list archives
Re: Openssl proof of concept code?
From: "Bram Matthys (Syzop)" <syzop () vulnscan org>
Date: Thu, 08 Jan 2004 23:50:18 +0100
Lachniet, Mark wrote:
A few months ago, there were issues with the openssl code base, as noted
on bugtraq and in the following URLs:
Is anyone aware of a reasonable way for an analyst to definitively
demonstrate if the vulnerabilities exist in a particular product? Since
some of the bugs deal with bad client certificates, some might be as
easy as getting a copy of a "bad" client certificate and connecting to
the server using a program such as stunnel, but I have yet to see
anything about this.
I'm an ircd coder and we have (optional) support for SSL connections
so at that time I was interrested in this issue and was surprised
nobody released a proof of concept code too. A week or so after the
announcement I started looking at it myself.
I won't release my PoC since it's way too ugly, but what I did was
look how a valid SSL handshake took place (with a client certificate)
[I just sniffed a stunnel session w/client certificate]
Then I wrote a C program which does exactly that EXCEPT modifying
some random bytes to random values..
Quite quickly I managed to crash the ircd server (after 5-15 attempts).
I was able to crash it at (at least) 2 different locations.
I also tested it against apache w/SSL but that mainly generated lots
of warning messages, like:
[error] error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[error] error:0D08403A:asn1 encoding routines:ASN1_TEMPLATE_EX_D2I:nested asn1 error
[error] error:1408900D:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:ASN1 lib
[error] SSL_accept failed
Besides that it didn't seem to have much effect (no signal 11's..).
After running the program for several hours however I somehow managed
to put some apache childs into a loop, eating 100% cpu and my
load avg. went up to 4 / 5.
Unfortunately I didn't have much time to investigate it.
Hope this helps,
Bram Matthys (Syzop).
Full-Disclosure - We believe in it.