RSAREF Buffer Overflow Vulnerability

A buffer overflow vulnerability exists in the RSAREF cryptographic library, which may make any software that uses the library vulnerable.

The vulnerability exists in four functions in the rsa.c source file. The functions are:

int RSAPublicEncrypt()
int RSAPrivateEncrypt()
int RSAPublicDecrypt()
int RSAPrivateDecrypt()

All of these functions define a local variable called pkcsBlock, 128 bytes long, which can be overflowed, making it possible to execute arbitrary code.

This vulnerability, in combination with BUGTRAQ ID 797, makes versions of both the SSH client and server linked against the RSAREF2 library vulnerable to a remote exploit.

Programs linked against the SSLeay and OpenSSL libraries are not vulnerable, as these libraries check that the modulus length is not longer than what the RSAREF library can handle (MAX_RSA_MODULUS_LEN) in the RSAref_Public_eay2ref() and RSAref_Private_eay2ref() glue functions.
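
The following added example (not code from RSAREF, SSLeay or OpenSSL) shows the kind of length check described above at two layers: a glue function that rejects an oversized modulus, and a padding routine that validates the key-derived length before writing to its 128-byte local buffer. All ex_ names are hypothetical, and the limit of 128 is assumed from the pkcsBlock size stated in the advisory.

```c
#include <stddef.h>
#include <string.h>

/* Assumed limit: equals the 128-byte pkcsBlock size stated in the advisory. */
#define EX_MAX_MODULUS_LEN 128

typedef struct {            /* hypothetical key struct, not RSAREF's own */
    unsigned int bits;      /* modulus length in bits */
    unsigned char modulus[EX_MAX_MODULUS_LEN]; /* big-endian, right-aligned */
} ex_fixed_key;

/* Glue-layer check: refuse a modulus the fixed-size key cannot hold (0 / -1). */
int ex_key_to_fixed(const unsigned char *mod, size_t mod_len, ex_fixed_key *out)
{
    if (mod == NULL || out == NULL)
        return -1;
    while (mod_len > 0 && mod[0] == 0) { mod++; mod_len--; } /* skip leading zeros */
    if (mod_len == 0 || mod_len > EX_MAX_MODULUS_LEN)
        return -1;                         /* too long: reject, never truncate */
    memset(out, 0, sizeof *out);
    memcpy(out->modulus + (EX_MAX_MODULUS_LEN - mod_len), mod, mod_len);
    out->bits = (unsigned int)mod_len * 8;
    for (unsigned char top = mod[0]; (top & 0x80) == 0; top <<= 1)
        out->bits--;                       /* discount leading zero bits */
    return 0;
}

/* Library-side check: the block length comes from the key, so validate it
 * against the local buffer before any write (0 on success, -1 on rejection). */
int ex_pad_block(unsigned int key_bits, const unsigned char *in, size_t in_len,
                 unsigned char *out, size_t out_cap, size_t *out_len)
{
    unsigned char block[EX_MAX_MODULUS_LEN];
    size_t mlen = ((size_t)key_bits + 7) / 8;

    if (in == NULL || out == NULL || out_len == NULL)
        return -1;
    if (mlen > sizeof block || mlen > out_cap)
        return -1;                         /* key length exceeds local buffer */
    if (mlen < 11 || in_len > mlen - 11)
        return -1;                         /* no room for PKCS #1 v1.5 padding */
    block[0] = 0x00; block[1] = 0x01;      /* block type 1: 0xFF padding */
    memset(block + 2, 0xFF, mlen - in_len - 3);
    block[mlen - in_len - 1] = 0x00;       /* separator before the data */
    memcpy(block + mlen - in_len, in, in_len);
    memcpy(out, block, mlen);
    *out_len = mlen;
    return 0;
}
```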


Copyright 2010, SecurityFocus