exploit the possibilities

OpenSSL 1.0.1 Buffer Overflow

OpenSSL 1.0.1 Buffer Overflow
Posted Jun 1, 2012
Authored by David M. Anthony, Vincent J. Buccigrossi III

OpenSSL version 1.0.1 suffers from a local buffer overflow vulnerability in the command line utility.

tags | advisory, overflow, local
MD5 | 1fd8a707dc41a89cddf0e6e041266d85

OpenSSL 1.0.1 Buffer Overflow

Change Mirror Download
Title
-----
OpenSSL Buffer Overflow Vulnerability

Severity
--------
Medium

Date Discovered
---------------
May 22, 2012

Discovered By
-------------
Vincent J. Buccigrossi III and David M. Anthony


chenz9187 [AT]gmail<DOT>COM
david<DOT>infosec[AT]gmail<DOT>com


Vulnerability Description
-------------------------
A buffer overflow vulnerability has been discovered within the OpenSSL command line utility. The vulnerability is revealed within the signing of a certificate. When issuing a sample command “openssl ca -config /path/to/cnf -in /path/to/csr -extensions v3_ca -out /path/to/crt” the user is prompted for the password of the signing certificate. This input data is improperly handled which results in a buffer overflow when the user enters a large amount of data. The password prompt requests 4 - 8191 characters however with large data input, stack smashing is detected. Our testing showed this to work on Ubuntu 12.04 and Suse Linux Enterprise Server 10. Our testing also found the OpenSSL binary found on Backtrack 5 R2 was presumably compiled without buffer overflow countermeasures.


This vulnerability can be leveraged by an attacker to gain root access in multiple situations.


1. The SetUID or SetGID bits may be set on the OpenSSL binary when using OpenSSL to create secure tunnels

2. The SetUID or SetGID bits may be set on the OpenSSL binary when attempting to grab entropy from system memory

3. The SetUID or SetGID bits may be set on the OpenSSL binary in a misconfiguration or by the administrator in order to manage root certificates without having to login to the system as root.


Solution Description
--------------------
Check data input and limit the number of characters read from STDIN to the buffer size.

Tested Systems / Software
-------------------------
OpenSSL 1.0.1 on Ubuntu 12.04 x64
OpenSSL 1.0.1 on Suse Linux Enterprise Server 10
OpenSSL 1.0.1 on BackTrack 5 R2

Vendor Contact
--------------
Vendor Name: OpenSSL
Vendor Website: http://openssl.org

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

August 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    10 Files
  • 2
    Aug 2nd
    8 Files
  • 3
    Aug 3rd
    2 Files
  • 4
    Aug 4th
    1 Files
  • 5
    Aug 5th
    15 Files
  • 6
    Aug 6th
    79 Files
  • 7
    Aug 7th
    16 Files
  • 8
    Aug 8th
    10 Files
  • 9
    Aug 9th
    10 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    6 Files
  • 12
    Aug 12th
    26 Files
  • 13
    Aug 13th
    15 Files
  • 14
    Aug 14th
    19 Files
  • 15
    Aug 15th
    52 Files
  • 16
    Aug 16th
    11 Files
  • 17
    Aug 17th
    1 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close