second opinion regarding mod-ssl BO...

[Ed Moyle <emoyle () scsnet csc com>]

Howdy.

I am currently in the process of writing this up, and I'd like a second opinion on exploitability (modssl team fixed w/ 
Sat's release):

(mod_ssl < 2.8.7) (www.modssl.org)

ssl_util_ssl.h:

> #define SSL_SESSION_MAX_DER 1024*10

ssl_scache_dbm.c:

> BOOL ssl_scache_dbm_store(server_rec *s, UCHAR *id, int idlen, time_t expiry, SS
> L_SESSION *sess) {

<snip>

> UCHAR ucaData[SSL_SESSION_MAX_DER];

<snip>

> ucp = ucaData;
> nData = i2d_SSL_SESSION(sess, &ucp);

relevant openssl docs (from http://www.openssl.org/docs/ssl/d2i_SSL_SESSION.html):

> When using i2d_SSL_SESSION(), the memory location pointed to by pp must be large enough to hold the
> binary representation of the session. There is no known limit on the size of the created ASN1 
> representation, so the necessary amount of space should be obtained by first calling
> i2d_SSL_SESSION() with pp=NULL, and obtain the size needed, then allocate the memory and call
> i2d_SSL_SESSION() again. 

I contend that the only way to exploit this is to generate a trusted client cert that has embedded shell code in it (a 
difficult task at best).  Can anybody out there in the vast wide ether provide other opinions on exploitability 
scenarios?

-E