Lucene search
K

OpenSSL 1.0.1 Buffer Overflow

🗓️ 22 May 2012 00:00:00Reported by Vincent BuccigrossiType 
zdt
 zdt
🔗 0day.today👁 22 Views

OpenSSL Buffer Overflow Vulnerability discovered on May 22, 2012 allows attackers to gain root access. Solution: Limit input data, tested on Ubuntu 12.04, Suse Linux Enterprise Server 10, and BackTrack 5 R2

Code
Title
-----
OpenSSL Buffer Overflow Vulnerability

Severity
--------
Medium

Date Discovered
---------------
May 22, 2012

Discovered By
-------------
Vincent J. Buccigrossi III and David M. Anthony


chenz9187 [AT]gmail<DOT>COM
david<DOT>infosec[AT]gmail<DOT>com


Vulnerability Description
-------------------------
A buffer overflow vulnerability has been discovered within the OpenSSL command line utility. The vulnerability is
revealed within the signing of a certificate. When issuing a sample command “openssl ca -config /path/to/cnf -in
/path/to/csr -extensions v3_ca -out /path/to/crt” the user is prompted for the password of the signing certificate. This
input data is improperly handled which results in a buffer overflow when the user enters a large amount of data. The
password prompt requests 4 - 8191 characters however with large data input, stack smashing is detected. Our testing
showed this to work on Ubuntu 12.04 and Suse Linux Enterprise Server 10. Our testing also found the OpenSSL binary found
on Backtrack 5 R2 was presumably compiled without buffer overflow countermeasures.


This vulnerability can be leveraged by an attacker to gain root access in multiple situations.


1. The SetUID or SetGID bits may be set on the OpenSSL binary when using OpenSSL to create secure tunnels

2. The SetUID or SetGID bits may be set on the OpenSSL binary when attempting to grab entropy from system memory

3. The SetUID or SetGID bits may be set on the OpenSSL binary in a misconfiguration or by the administrator in order to
manage root certificates without having to login to the system as root.


Solution Description
--------------------
Check data input and limit the number of characters read from STDIN to the buffer size.

Tested Systems / Software
-------------------------
OpenSSL 1.0.1 on Ubuntu 12.04 x64
OpenSSL 1.0.1 on Suse Linux Enterprise Server 10
OpenSSL 1.0.1 on BackTrack 5 R2

Vendor Contact
--------------
Vendor Name: OpenSSL
Vendor Website: http://openssl.org



#  0day.today [2018-02-18]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation