Related information

Multiple OpenSSL security vulnerabilities

[OpenPKG-SA-2006. 021] OpenPKG Security Advisory (openssl)

From:	Moritz Jodeit <moritz_(at)_jodeit.org>
Date:	28.09.2007
Subject:	OpenSSL SSL_get_shared_ciphers() off-by-one buffer overflow

-----------------------------------------------------------------
OpenSSL SSL_get_shared_ciphers() off-by-one buffer overflow

Copyright (c) 2007 Moritz Jodeit <moritz@jodeit.org> (2007/09/27)
-----------------------------------------------------------------

Application details:

       OpenSSL is a widely used open source implementation of the
       SSL v2/v3 and TLS v1 protocols.

Vulnerability description:

       OpenSSL 0.9.7l and 0.9.8d fixed a buffer overflow found in
       the SSL_get_shared_ciphers() function reported by Tavis
       Ormandy and Will Drewry of the Google Security Team.

       Although this fix prevented the unlimited overflow of the
       buffer, it still allowed an off-by-one buffer overflow to
       happen, which could potentially still result in remote code
       execution.

       Here is an excerpt of the function from ssl/ssl_lib.c:

       p=buf;
       sk=s->session->ciphers;
       for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
               {
               /* Decrement for either the ':' or a '\0' */
               len--;                                          [4]
               c=sk_SSL_CIPHER_value(sk,i);
               for (cp=c->name; *cp; )
                       {
                       if (len-- <= 0)                         [1]
                               {
                               *p='\0';                        [5]
                               return(buf);
                               }
                       else
                               *(p++)= *(cp++);                [2]
                       }
               *(p++)=':';                                     [3]
               }
       p[-1]='\0';
       return(buf);

       The old vulnerability got fixed at [1] by comparing 'len'
       against <= 0 instead of == 0 to detect the possible
       underflow of 'len'.

       To trigger the off-by-one, you'd just fill the buffer
       with cipher strings up to the point, where 'len' == 1 and
       'cp' pointing to the last character of the current cipher
       string. The last round of the inner for() loop would then
       decrement 'len' to 0 at [1] and write the last byte of the
       current cipher string into the buffer [2], increasing 'p'
       to point to the last free byte of the buffer.
       The last free byte is then filled by the ':' separator and
       'p' is increased to point one byte behind the buffer.
       Now if there are still ciphers remaining, we enter the
       outer loop again, decrease 'len' to -1 at [4] and then
       hit the check at [1] again. This time it's true and the
       terminating '\0' byte is written one byte behind the
       buffer [5] before returning.

Vendor response:

       2007/06/06      Initial contact with openssl-security@openssl.org
       2007/07/06      Response received by Ben Laurie <ben@links.org>
                       regarding a proposed fix.
       2007/09/19      Fix committed to the OpenSSL_0_9_8-stable branch
                       in CVS.

Vulnerable packages:

       All applications using the SSL_get_shared_ciphers() function from
       the OpenSSL library up to 0.9.7m and 0.9.8e.