Hi,
A friend of mine forwarded the ChangeLog from 0.9.6g, it mentioned an
ASN.1 parser fix but didn't really say whether there were any security
implications with it. Just about everyone had to do a massive update to
0.9.6e last week, so I was wondering whether the bug was serious enough to
make the public aware via the normal channels (mailing lists, etc.).
As far as I could tell, the bug allows someone to specify an ASN.1 value
whose length would be 4 bytes longer than the actual buffer. To do
anything interesting with this, they would have to have this value as the
last one (entity?) in the buffer being parsed, otherwise the read will
start 4 bytes into the next chunk and it will error when it tries to
parse it.
An easy way to test for the bug:
perl -e 'print "\x02\x7f" . ("A" x 123)' | /usr/local/ssl/bin/openssl \
asn1parse -inform DER
The last bytes are all 0 on systems running 0.9.6e and below, while the
latest version gives the correct error message (ASN1_get_object:too
long).
Can anyone think of a case where this could be used to exploit an
application using openssl? For instance, the asn1_parse2 function relies
on the &len value for all sorts of things. I can't see an easy way to
abuse the bug into crashing anything, since the values read at the end of
the buffer will most likely be all nulls or in the worst case random
values from memory. Anyways, I will keep playing with it; I just wanted to
see what y'all's take on it was ;)
-HD
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
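The check the post is describing, as an added illustration that is not OpenSSL's code (it does not reproduce ASN1_get_object or asn1_parse2): a minimal DER tag/length header parser that compares the declared content length against the bytes actually remaining in the buffer and rejects the header when the length runs past the end. The names der_header, der_read_header and der_count_elements are assumptions for this example, and the sample buffers are constructed inline, including one shaped like the post's test (tag 0x02, declared length 0x7f, only 123 content bytes).

```c
/* Added example, not OpenSSL's code: a minimal DER tag/length header parser
 * that enforces "declared length must fit in the remaining buffer", which is
 * the condition a parser has to check before trusting the length field.
 * der_header / der_read_header / der_count_elements are hypothetical names. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    unsigned char tag;   /* identifier octet */
    size_t length;       /* content length declared by the length octets */
    size_t header_len;   /* bytes consumed by tag + length octets */
} der_header;

/* Parse one tag/length header at the start of buf.  buf_len is the number of
 * bytes actually available.  Returns 0 on success, -1 if the header is
 * truncated, uses the indefinite form, or declares more content than remains. */
int der_read_header(const unsigned char *buf, size_t buf_len, der_header *out)
{
    size_t pos = 0;
    if (buf_len < 2)
        return -1;                       /* need at least tag + one length octet */
    out->tag = buf[pos++];
    unsigned char first = buf[pos++];
    if (first < 0x80) {
        out->length = first;             /* short form: one octet, 0..127 */
    } else {
        size_t n = first & 0x7f;         /* long form: n further length octets */
        if (n == 0 || n > sizeof(size_t) || n > buf_len - pos)
            return -1;                   /* indefinite form, absurd, or truncated */
        size_t len = 0;
        for (size_t i = 0; i < n; i++)
            len = (len << 8) | buf[pos++];
        out->length = len;
    }
    out->header_len = pos;
    /* The bounds check: content must fit in what is actually left. */
    if (out->length > buf_len - pos)
        return -1;                       /* "too long": would read past the buffer */
    return 0;
}

/* Walk consecutive DER elements and return how many parsed cleanly before
 * the first error (the total if every element fits). */
size_t der_count_elements(const unsigned char *buf, size_t buf_len)
{
    size_t count = 0, off = 0;
    while (off < buf_len) {
        der_header h;
        if (der_read_header(buf + off, buf_len - off, &h) != 0)
            break;
        off += h.header_len + h.length;
        count++;
    }
    return count;
}

/* Constructed input shaped like the post's test: tag 0x02, declared length
 * 0x7f (127), but only 123 bytes of content follow.  Returns the parser result. */
int example_overlong(void)
{
    unsigned char buf[2 + 123];
    buf[0] = 0x02; buf[1] = 0x7f;
    memset(buf + 2, 'A', 123);
    der_header h;
    return der_read_header(buf, sizeof buf, &h);
}

/* Same content with an honest length of 123 (0x7b): should be accepted. */
int example_exact(void)
{
    unsigned char buf[2 + 123];
    buf[0] = 0x02; buf[1] = 0x7b;
    memset(buf + 2, 'A', 123);
    der_header h;
    return der_read_header(buf, sizeof buf, &h);
}

/* Constructed sequence: two well-formed elements followed by one whose
 * declared length (0x7f) exceeds the single byte that remains. */
size_t example_count(void)
{
    static const unsigned char buf[] = {
        0x02, 0x01, 0x05,              /* INTEGER, length 1 */
        0x04, 0x02, 'x', 'y',          /* OCTET STRING, length 2 */
        0x02, 0x7f, 'A'                /* declared 127, only 1 byte left */
    };
    return der_count_elements(buf, sizeof buf);
}

int main(void)
{
    printf("overlong: %s\n", example_overlong() == 0 ? "accepted" : "rejected (too long)");
    printf("exact:    %s\n", example_exact() == 0 ? "accepted" : "rejected");
    printf("elements parsed before error: %zu\n", example_count());
    return 0;
}
```

The important line is the comparison against buf_len - pos after the length octets have been consumed: a parser that trusts the declared length and only later discovers the shortfall (reading whatever bytes happen to follow the buffer, as the post observes) has already done the out-of-bounds read by then.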