[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

OpenSSL 1.0.1 Buffer Overflow Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: OpenSSL 1.0.1 Buffer Overflow Vulnerability
From: chenz9187@xxxxxxxxx
Date: Thu, 31 May 2012 15:11:59 GMT

Title
-----
OpenSSL Buffer Overflow Vulnerability

Severity
--------
Medium

Date Discovered
---------------
May 22, 2012

Discovered By
-------------
Vincent J. Buccigrossi III and David M. Anthony


chenz9187 [AT]gmail<DOT>COM
david<DOT>infosec[AT]gmail<DOT>com


Vulnerability Description
-------------------------
A buffer overflow vulnerability has been discovered within the OpenSSL command 
line utility. The vulnerability is revealed within the signing of a 
certificate. When issuing a sample command ?openssl ca -config /path/to/cnf -in 
/path/to/csr -extensions v3_ca -out /path/to/crt? the user is prompted for the 
password of the signing certificate. This input data is improperly handled 
which results in a buffer overflow when the user enters a large amount of data. 
The password prompt requests 4 - 8191 characters however with large data input, 
stack smashing is detected. Our testing showed this to work on Ubuntu 12.04 and 
Suse Linux Enterprise Server 10. Our testing also found the OpenSSL binary 
found on Backtrack 5 R2 was presumably compiled without buffer overflow 
countermeasures.


This vulnerability can be leveraged by an attacker to gain root access in 
multiple situations. 


1. The SetUID or SetGID bits may be set on the OpenSSL binary when using 
OpenSSL to create secure tunnels

2. The SetUID or SetGID bits may be set on the OpenSSL binary when attempting 
to grab entropy from system memory

3. The SetUID or SetGID bits may be set on the OpenSSL binary in a 
misconfiguration or by the administrator in order to manage root certificates 
without having to login to the system as root. 


Solution Description
--------------------
Check data input and limit the number of characters read from STDIN to the 
buffer size. 

Tested Systems / Software
-------------------------
OpenSSL 1.0.1 on Ubuntu 12.04 x64
OpenSSL 1.0.1 on Suse Linux Enterprise Server 10
OpenSSL 1.0.1 on BackTrack 5 R2 

Vendor Contact
--------------
Vendor Name: OpenSSL
Vendor Website: http://openssl.org

Prev by Date: [security bulletin] HPSBMU02785 SSRT100526 rev.1 - HP LoadRunner Running on Windows, Remote Execution of Arbitrary Code
Next by Date: [SECURITY] [DSA 2483-1] strongswan security update
Previous by thread: [security bulletin] HPSBMU02785 SSRT100526 rev.1 - HP LoadRunner Running on Windows, Remote Execution of Arbitrary Code
Next by thread: [SECURITY] [DSA 2483-1] strongswan security update
Index(es):
- Date
- Thread