[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] OpenSSL 1.1.0 remote client memory corruption
From: Guido Vranken <guidovranken () gmail ! com>
Date: 2016-10-13 16:06:48
Message-ID: CAO5O-E+Mnk6DkT8_yHhnczS77gHVKzYiw_AKjTyG9OFi211_aw () mail ! gmail ! com
[Download RAW message or body]
Triggering this requires that the client sets a very large ALPN list
(several thousand bytes). This would be very unusual in a real-world
application. For this reason OpenSSL does not treat this as a security
vulnerability and I am inclined to agree with this decision. However, if an
attacker can somehow influence the ALPN list of an OpenSSL-enabled
application (perhaps through another vulnerability), the attacker can write
arbitrary data past OpenSSL's heap buffer.
openssl s_client -reconnect -status -alpn `python -c "import sys;
sys.stdout.write('x,'*4000+'x')"`
If the server sends a session ticket with a special length (16022 bytes),
the client will crash.
More technical details here:
https://guidovranken.wordpress.com/2016/10/13/openssl-1-1-0-remote-client-memory-corruption-in-ssl_add_clienthello_tlsext/
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic