Vulnerability Development mailing list archives
second opinion regarding mod-ssl BO...
From: Ed Moyle <emoyle () scsnet csc com>
Date: Mon, 25 Feb 2002 11:28:58 -0500
Howdy. I am currently in the process of writing this up, and I'd like a second opinion on exploitability (modssl team fixed w/ Sat's release):
(mod_ssl < 2.8.7) (www.modssl.org)
ssl_util_ssl.h:
#define SSL_SESSION_MAX_DER 1024*10
ssl_scache_dbm.c:
BOOL ssl_scache_dbm_store(server_rec *s, UCHAR *id, int idlen, time_t expiry, SSL_SESSION *sess) {
<snip>
UCHAR ucaData[SSL_SESSION_MAX_DER];
<snip>
ucp = ucaData;
nData = i2d_SSL_SESSION(sess, &ucp);
relevant openssl docs (from http://www.openssl.org/docs/ssl/d2i_SSL_SESSION.html):
When using i2d_SSL_SESSION(), the memory location pointed to by pp must be large enough to hold the binary representation of the session. There is no known limit on the size of the created ASN1 representation, so the necessary amount of space should be obtained by first calling i2d_SSL_SESSION() with pp=NULL, and obtain the size needed, then allocate the memory and call i2d_SSL_SESSION() again.
I contend that the only way to exploit this is to generate a trusted client cert that has embedded shell code in it (a difficult task at best). Can anybody out there in the vast wide ether provide other opinions on exploitability scenarios? -E
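Added example, not from Ed's post and not mod_ssl's or OpenSSL's own code: a small C stand-in that models the i2d_* calling convention (return the length; write and advance the pointer only when given a buffer) so the unchecked fixed-buffer write in ssl_scache_dbm_store can be contrasted with the two-call length-query idiom the OpenSSL docs quoted above prescribe. `fake_session`, `fake_i2d_session()`, `encode_into_fixed()`, `encode_alloc()` and the check helpers are all constructed here; the actual fix that shipped in mod_ssl 2.8.7 is not reproduced.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same limit mod_ssl < 2.8.7 used for its on-stack DER buffer (parenthesised here). */
#define SSL_SESSION_MAX_DER (1024*10)

/* Constructed stand-in for an SSL_SESSION: an opaque payload of some length.
 * Hypothetical; nothing here is OpenSSL's real structure. */
typedef struct {
    const unsigned char *blob;
    size_t blob_len;
} fake_session;

/* Hypothetical stand-in for i2d_SSL_SESSION() following the i2d convention:
 * returns the encoded length; with pp == NULL (or *pp == NULL) it only reports
 * the length; otherwise it writes at *pp and advances *pp past the bytes.
 * Encoding: 4-byte big-endian length prefix followed by the payload. */
static int fake_i2d_session(const fake_session *sess, unsigned char **pp)
{
    int len = 4 + (int)sess->blob_len;
    if (pp == NULL || *pp == NULL)
        return len;
    unsigned char *p = *pp;
    p[0] = (unsigned char)(sess->blob_len >> 24);
    p[1] = (unsigned char)(sess->blob_len >> 16);
    p[2] = (unsigned char)(sess->blob_len >> 8);
    p[3] = (unsigned char)(sess->blob_len);
    memcpy(p + 4, sess->blob, sess->blob_len);
    *pp = p + len;
    return len;
}

/* Hardening 1: keep the fixed buffer but query the size first and refuse what
 * does not fit. Returns bytes written, or -1 if rejected. The pre-fix mod_ssl
 * code skipped the size query and wrote straight into ucaData. */
int encode_into_fixed(const fake_session *sess, unsigned char *buf, size_t buflen)
{
    int need = fake_i2d_session(sess, NULL);
    if (need <= 0 || (size_t)need > buflen)
        return -1;
    unsigned char *ucp = buf;
    return fake_i2d_session(sess, &ucp);
}

/* Hardening 2: the two-call idiom from the OpenSSL docs: ask for the size,
 * allocate exactly that much, then encode. Caller frees *out on success. */
int encode_alloc(const fake_session *sess, unsigned char **out)
{
    int need = fake_i2d_session(sess, NULL);
    if (need <= 0)
        return -1;
    unsigned char *buf = malloc((size_t)need);
    if (buf == NULL)
        return -1;
    unsigned char *ucp = buf;
    int n = fake_i2d_session(sess, &ucp);
    if (n != need || ucp != buf + need) {   /* encoder must fill exactly what it promised */
        free(buf);
        return -1;
    }
    *out = buf;
    return n;
}

/* Drives encode_into_fixed() with a constructed payload against a buffer of
 * SSL_SESSION_MAX_DER bytes, the size of the original stack array. */
int check_fixed_buffer(size_t payload_len)
{
    unsigned char *payload = malloc(payload_len ? payload_len : 1);
    if (payload == NULL) return -2;
    memset(payload, 0x41, payload_len);
    fake_session sess = { payload, payload_len };
    unsigned char ucaData[SSL_SESSION_MAX_DER];
    int n = encode_into_fixed(&sess, ucaData, sizeof ucaData);
    free(payload);
    return n;
}

/* Drives encode_alloc() with a constructed payload and verifies the payload
 * round-trips; returns the encoded length. */
int check_alloc(size_t payload_len)
{
    unsigned char *payload = malloc(payload_len ? payload_len : 1);
    if (payload == NULL) return -2;
    memset(payload, 0x42, payload_len);
    fake_session sess = { payload, payload_len };
    unsigned char *der = NULL;
    int n = encode_alloc(&sess, &der);
    if (n > 0 && memcmp(der + 4, payload, payload_len) != 0) n = -3;
    free(der);
    free(payload);
    return n;
}

int main(void)
{
    printf("small session into fixed buffer: %d\n", check_fixed_buffer(100));
    printf("oversized session into fixed buffer: %d (rejected)\n",
           check_fixed_buffer(SSL_SESSION_MAX_DER));
    printf("oversized session via two-call idiom: %d\n",
           check_alloc(3 * SSL_SESSION_MAX_DER));
    return 0;
}
```

The point of the size query is that the encoder, not the caller, knows how large the DER will be; the docs say there is no known upper bound, so either the caller checks the reported length against its fixed buffer and fails closed, or it allocates to the reported length. Either removes the unchecked write; the second also removes the arbitrary 10 KB cap.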