[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Two possible vulnerabilities in OpenSSL?




> Message du 10/04/14 13:11
> De : "Peter Malone" 

> A : "[email protected]" 
> Copie à : 
> Objet : Two possible vulnerabilities in OpenSSL?
>

> Hey there,
> 
> I was auditing OpenSSL last night. I looked at several files and found
> the following:
> 
> https://github.com/openssl/openssl/blob/master/ssl/t1_lib.c#L2893
> /* Determine if we need to see RI. Strictly speaking if we want to 
> * avoid an attack we should *always* see RI even on initial server 
> * hello because the client doesn't see any renegotiation during an 
> * attack. However this would mean we could not connect to any server 
> * which doesn't support RI so for the immediate future tolerate RI 
> * absence on initial connect only. 
> */ 
> 
> Well that's awful coding.
> 
> Unless I'm mistaken, the following memcmp is vulnerable to a remote
> timing attack.
> https://github.com/openssl/openssl/blob/master/ssl/ssl_lib.c#L1974
> static int ssl_session_cmp(const SSL_SESSION *a,const SSL_SESSION *b) 
> { 
> if (a->ssl_version != b->ssl_version) 
> return(1); 
> if (a->session_id_length != b->session_id_length) 
> return(1); 
> return(memcmp(a->session_id,b->session_id,a->session_id_length)); 
> } 
> 
> I posted both of these findings to the full disclosure list last night.
> I figured someone on this list might find it interesting as well.
> 
> Cheers,
> Peter.
> 
> 

Your best bet would be to make an automated exploit for proof-of-concept. If it allows skiddies to prank systems, people will rush to correct it and your name will be in the headlines for your 15 minutes of fame.