Title ----- OpenSSL Buffer Overflow Vulnerability Severity -------- Medium Date Discovered --------------- May 22, 2012 Discovered By ------------- Vincent J. Buccigrossi III and David M. Anthony chenz9187 [AT]gmailCOM davidinfosec[AT]gmailcom Vulnerability Description ------------------------- A buffer overflow vulnerability has been discovered within the OpenSSL command line utility. The vulnerability is revealed within the signing of a certificate. When issuing a sample command “openssl ca -config /path/to/cnf -in /path/to/csr -extensions v3_ca -out /path/to/crt” the user is prompted for the password of the signing certificate. This input data is improperly handled which results in a buffer overflow when the user enters a large amount of data. The password prompt requests 4 - 8191 characters however with large data input, stack smashing is detected. Our testing showed this to work on Ubuntu 12.04 and Suse Linux Enterprise Server 10. Our testing also found the OpenSSL binary found on Backtrack 5 R2 was presumably compiled without buffer overflow countermeasures. This vulnerability can be leveraged by an attacker to gain root access in multiple situations. 1. The SetUID or SetGID bits may be set on the OpenSSL binary when using OpenSSL to create secure tunnels 2. The SetUID or SetGID bits may be set on the OpenSSL binary when attempting to grab entropy from system memory 3. The SetUID or SetGID bits may be set on the OpenSSL binary in a misconfiguration or by the administrator in order to manage root certificates without having to login to the system as root. Solution Description -------------------- Check data input and limit the number of characters read from STDIN to the buffer size. Tested Systems / Software ------------------------- OpenSSL 1.0.1 on Ubuntu 12.04 x64 OpenSSL 1.0.1 on Suse Linux Enterprise Server 10 OpenSSL 1.0.1 on BackTrack 5 R2 Vendor Contact -------------- Vendor Name: OpenSSL Vendor Website: http://openssl.org