OpenSSL 1.0.1 Buffer Overflow Vulnerability May 31 2012 03:11PM
chenz9187 gmail com
OpenSSL Buffer Overflow Vulnerability


Date Discovered
May 22, 2012

Discovered By
Vincent J. Buccigrossi III and David M. Anthony

chenz9187 [AT]gmail<DOT>COM

Vulnerability Description
A buffer overflow vulnerability has been discovered within the OpenSSL command line utility. The vulnerability is revealed within the signing of a certificate. When issuing a sample command ?openssl ca -config /path/to/cnf -in /path/to/csr -extensions v3_ca -out /path/to/crt? the user is prompted for the password of the signing certificate. This input data is improperly handled which results in a buffer overflow when the user enters a large amount of data. The password prompt requests 4 - 8191 characters however with large data input, stack smashing is detected. Our testing showed this to work on Ubuntu 12.04 and Suse Linux Enterprise Server 10. Our testing also found the OpenSSL binary found on Backtrack 5 R2 was presumably compiled without buffer overflow countermeasures.

This vulnerability can be leveraged by an attacker to gain root access in multiple situations.

1. The SetUID or SetGID bits may be set on the OpenSSL binary when using OpenSSL to create secure tunnels

2. The SetUID or SetGID bits may be set on the OpenSSL binary when attempting to grab entropy from system memory

3. The SetUID or SetGID bits may be set on the OpenSSL binary in a misconfiguration or by the administrator in order to manage root certificates without having to login to the system as root.

Solution Description
Check data input and limit the number of characters read from STDIN to the buffer size.

Tested Systems / Software
OpenSSL 1.0.1 on Ubuntu 12.04 x64
OpenSSL 1.0.1 on Suse Linux Enterprise Server 10
OpenSSL 1.0.1 on BackTrack 5 R2

Vendor Contact
Vendor Name: OpenSSL
Vendor Website: http://openssl.org

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus