[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] CVE-2020-1967: proving sigalg != NULL
From: Imre Rad <radimre83 () gmail ! com>
Date: 2020-04-29 17:39:31
Message-ID: CAPWzz4zbMm0j1O6EBDnQb1UpHza80=NND0dWeSaySf_s83ucQQ () mail ! gmail ! com
[Download RAW message or body]
I created a proof of concept exploit about the recent OpenSSL
signature_algorithms_cert DoS flaw (CVE-2020-1967). Credit for the
original finding goes to Bernd Edlinger.
This is a null pointer dereference while processing a crafted
signature_algorithms_cert TLS extension via the SSL_check_chain() API
method. Applications do need to call this method explicitly, it is not
invoked by default during the handshake. The segmentation fault of a
TLS service could look like this:
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x00007f09bcff3770 in tls1_check_sig_alg.part.0.cold () from
/data/openssl-1.1.1d/libssl.so
(gdb) bt
#0 0x00007f09bcff3770 in tls1_check_sig_alg.part.0.cold () from
/data/openssl-1.1.1d/libssl.so
#1 0x00007f09bd03f309 in tls1_check_chain () from
/data/openssl-1.1.1d/libssl.so
#2 0x00007f09bd403fc8 in set_cert_cb ()
#3 0x00007f09bd037f75 in tls_post_process_client_hello () from
/data/openssl-1.1.1d/libssl.so
#4 0x00007f09bd02703f in state_machine.part () from
/data/openssl-1.1.1d/libssl.so
#5 0x00007f09bcffa3f8 in ssl3_write_bytes () from
/data/openssl-1.1.1d/libssl.so
#6 0x00007f09bd00fbb9 in ssl_write_internal () from
/data/openssl-1.1.1d/libssl.so
#7 0x00007f09bd00fd07 in SSL_write () from /data/openssl-1.1.1d/libssl.so
#8 0x00007f09bd3e337d in sv_body ()
#9 0x00007f09bd40757a in do_server ()
#10 0x00007f09bd3e7c27 in s_server_main ()
#11 0x00007f09bd3cea46 in do_cmd ()
#12 0x00007f09bd3b89fd in main ()
This exploit relies on a patched version of openssl's s_client and can
be found here:
https://github.com/irsl/CVE-2020-1967
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic