Two possible vulnerabilities in OpenSSL?
tpb-crypto at laposte.net
tpb-crypto at laposte.net
Thu Apr 10 06:16:26 PDT 2014
> Message du 10/04/14 13:11
> De : "Peter Malone"
> A : "cypherpunks at cpunks.org"
> Copie à :
> Objet : Two possible vulnerabilities in OpenSSL?
>
> Hey there,
>
> I was auditing OpenSSL last night. I looked at several files and found
> the following:
>
> https://github.com/openssl/openssl/blob/master/ssl/t1_lib.c#L2893
> /* Determine if we need to see RI. Strictly speaking if we want to
> * avoid an attack we should *always* see RI even on initial server
> * hello because the client doesn't see any renegotiation during an
> * attack. However this would mean we could not connect to any server
> * which doesn't support RI so for the immediate future tolerate RI
> * absence on initial connect only.
> */
>
> Well that's awful coding.
>
> Unless I'm mistaken, the following memcmp is vulnerable to a remote
> timing attack.
> https://github.com/openssl/openssl/blob/master/ssl/ssl_lib.c#L1974
> static int ssl_session_cmp(const SSL_SESSION *a,const SSL_SESSION *b)
> {
> if (a->ssl_version != b->ssl_version)
> return(1);
> if (a->session_id_length != b->session_id_length)
> return(1);
> return(memcmp(a->session_id,b->session_id,a->session_id_length));
> }
>
> I posted both of these findings to the full disclosure list last night.
> I figured someone on this list might find it interesting as well.
>
> Cheers,
> Peter.
>
>
Your best bet would be to make an automated exploit for proof-of-concept. If it allows skiddies to prank systems, people will rush to correct it and your name will be in the headlines for your 15 minutes of fame.
More information about the cypherpunks
mailing list