what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

OpenSSL 1.0.1 Buffer Overflow

OpenSSL 1.0.1 Buffer Overflow
Posted Jun 1, 2012
Authored by David M. Anthony, Vincent J. Buccigrossi III

OpenSSL version 1.0.1 suffers from a local buffer overflow vulnerability in the command line utility.

tags | advisory, overflow, local
SHA-256 | a5fcc3832f2520c9e1f546ab32a9b27fdfd7926a5b3de285d09980efe0d00fff

OpenSSL 1.0.1 Buffer Overflow

Change Mirror Download
Title
-----
OpenSSL Buffer Overflow Vulnerability

Severity
--------
Medium

Date Discovered
---------------
May 22, 2012

Discovered By
-------------
Vincent J. Buccigrossi III and David M. Anthony


chenz9187 [AT]gmail<DOT>COM
david<DOT>infosec[AT]gmail<DOT>com


Vulnerability Description
-------------------------
A buffer overflow vulnerability has been discovered within the OpenSSL command line utility. The vulnerability is revealed within the signing of a certificate. When issuing a sample command “openssl ca -config /path/to/cnf -in /path/to/csr -extensions v3_ca -out /path/to/crt” the user is prompted for the password of the signing certificate. This input data is improperly handled which results in a buffer overflow when the user enters a large amount of data. The password prompt requests 4 - 8191 characters however with large data input, stack smashing is detected. Our testing showed this to work on Ubuntu 12.04 and Suse Linux Enterprise Server 10. Our testing also found the OpenSSL binary found on Backtrack 5 R2 was presumably compiled without buffer overflow countermeasures.


This vulnerability can be leveraged by an attacker to gain root access in multiple situations.


1. The SetUID or SetGID bits may be set on the OpenSSL binary when using OpenSSL to create secure tunnels

2. The SetUID or SetGID bits may be set on the OpenSSL binary when attempting to grab entropy from system memory

3. The SetUID or SetGID bits may be set on the OpenSSL binary in a misconfiguration or by the administrator in order to manage root certificates without having to login to the system as root.


Solution Description
--------------------
Check data input and limit the number of characters read from STDIN to the buffer size.

Tested Systems / Software
-------------------------
OpenSSL 1.0.1 on Ubuntu 12.04 x64
OpenSSL 1.0.1 on Suse Linux Enterprise Server 10
OpenSSL 1.0.1 on BackTrack 5 R2

Vendor Contact
--------------
Vendor Name: OpenSSL
Vendor Website: http://openssl.org
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close