OpenSSL SSL_get_shared_ciphers() off-by-one buffer overflow



-----------------------------------------------------------------
OpenSSL SSL_get_shared_ciphers() off-by-one buffer overflow

Copyright (c) 2007 Moritz Jodeit <moritz@xxxxxxxxxx> (2007/09/27)
-----------------------------------------------------------------

Application details:

OpenSSL is a widely used open source implementation of the
SSL v2/v3 and TLS v1 protocols.

Vulnerability description:

OpenSSL 0.9.7l and 0.9.8d fixed a buffer overflow found in
the SSL_get_shared_ciphers() function reported by Tavis
Ormandy and Will Drewry of the Google Security Team.

Although this fix prevented the unlimited overflow of the
buffer, it still allowed an off-by-one buffer overflow to
happen, which could potentially still result in remote code
execution.

Here is an excerpt of the function from ssl/ssl_lib.c:

p=buf;
sk=s->session->ciphers;
for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
{
/* Decrement for either the ':' or a '\0' */
len--; [4]
c=sk_SSL_CIPHER_value(sk,i);
for (cp=c->name; *cp; )
{
if (len-- <= 0) [1]
{
*p='\0'; [5]
return(buf);
}
else
*(p++)= *(cp++); [2]
}
*(p++)=':'; [3]
}
p[-1]='\0';
return(buf);

The old vulnerability got fixed at [1] by comparing 'len'
against <= 0 instead of == 0 to detect the possible
underflow of 'len'.

To trigger the off-by-one, you'd just fill the buffer
with cipher strings up to the point, where 'len' == 1 and
'cp' pointing to the last character of the current cipher
string. The last round of the inner for() loop would then
decrement 'len' to 0 at [1] and write the last byte of the
current cipher string into the buffer [2], increasing 'p'
to point to the last free byte of the buffer.
The last free byte is then filled by the ':' separator and
'p' is increased to point one byte behind the buffer.
Now if there are still ciphers remaining, we enter the
outer loop again, decrease 'len' to -1 at [4] and then
hit the check at [1] again. This time it's true and the
terminating '\0' byte is written one byte behind the
buffer [5] before returning.

Vendor response:

2007/06/06 Initial contact with openssl-security@xxxxxxxxxxx
2007/07/06 Response received by Ben Laurie <ben@xxxxxxxxx>
regarding a proposed fix.
2007/09/19 Fix committed to the OpenSSL_0_9_8-stable branch
in CVS.

Vulnerable packages:

All applications using the SSL_get_shared_ciphers() function from
the OpenSSL library up to 0.9.7m and 0.9.8e.



Relevant Pages

  • [RHSA-2002:155-11] Updated openssl packages fix remote vulnerabilities
    ... Updated OpenSSL packages are available which fix several serious buffer ... DARPA found several buffer overflows in OpenSSL which affect versions 0.9.7 ... A large number of applications within Red Hat Linux make use the OpenSSL ...
    (Bugtraq)
  • Re: Security bugs and vulnerabilities of open source
    ... it may be possible to lock all the doors today and still have ... That it is essentially a buffer overflow - which should _never_ ... has remarked that openssl does indeed use a private version ... I also realize that most people would have a hard time working with the low level tools. ...
    (comp.os.vms)
  • [fw-wiz] TLS/SSL revisited slightly...
    ... excerpt and summarize briefly- several remotely exploitable bugs have been ... > overrun a buffer. ... This issues only affects OpenSSL ...
    (Firewall-Wizards)
  • Security bugs and vulnerabilities of open source
    ... it may be possible to lock all the doors today and still have ... That it is essentially a buffer overflow - which should _never_ ... has remarked that openssl does indeed use a private version ... in a memory safe language like ...
    (comp.os.vms)
  • Re: Security bugs and vulnerabilities of open source
    ... it may be possible to lock all the doors today and still have ... That it is essentially a buffer overflow - which should _never_ ... has remarked that openssl does indeed use a private version ... in a memory safe language like ...
    (comp.os.vms)