8068181 2002-02-27 13:05 -0500  /84 lines/ Ed Moyle <emoyle@scsnet.csc.com>
Sent by: joel@lysator.liu.se
Imported: 2002-02-28  01:00  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <21168>
Subject: mod_ssl Buffer Overflow Condition (Update Available)
------------------------------------------------------------
From: Ed Moyle <emoyle@scsnet.csc.com>
To: bugtraq@securityfocus.com
Message-ID: <3BD76687A1CBD74097E37CB67263AE973558BB@scsetbmail.scsnet.csc.com>

mod_ssl Buffer Overflow Condition (Update Available)
--------------------------------------------------------

SYNOPSIS

mod_ssl (www.modssl.org) is a commonly used Apache module that 
provides strong cryptography for the Apache web server.  The
module utilizes OpenSSL (formerly SSLeay) for the SSL implementation.
mod_ssl versions prior to 2.8.7-1.3.23 (Feb 23, 2002) make use of the
underlying OpenSSL routines in a manner which could overflow a buffer
within the implementation.  This situation appears difficult to
exploit in a production environment, however, for reasons detailed
below.

CAUSE

The session caching mechanisms utilizing dbm and shared memory
utilize the OpenSSL routine i2d_SSL_SESSION, which "serializes" 
an SSL session into a format that can be stored in the session cache.
The OpenSSL docs inform us:

    When using i2d_SSL_SESSION(), the memory location pointed to by
    pp  must be large enough to hold the binary representation of the
    session.  There is no known limit on the size of the created ASN1
    representation, so the necessary amount of space should be
    obtained by first calling  i2d_SSL_SESSION() with pp=NULL, and
    obtain the size needed, then  allocate the memory and call
    i2d_SSL_SESSION() again.

mod_ssl < the version listed above does not do this, however, which
could potentially lead to an overflow of the static buffer used by
mod_ssl for holding the contents of the serialized session.

DETAILS

An example of the relevant mod_ssl source is listed below:

(mod_ssl < 2.8.7) (www.modssl.org)

ssl_util_ssl.h:

#define SSL_SESSION_MAX_DER 1024*10   /* fixed 10 KiB upper bound assumed for a serialized session */

ssl_scache_dbm.c:

BOOL ssl_scache_dbm_store(server_rec *s, UCHAR *id, int idlen,
                          time_t expiry, SSL_SESSION *sess) {

<snip>

UCHAR ucaData[SSL_SESSION_MAX_DER];   /* fixed-size stack buffer receiving the DER form */

<snip>

ucp = ucaData;
nData = i2d_SSL_SESSION(sess, &ucp);  /* encodes straight into ucaData; no prior pp=NULL size query */

 
MITIGATING FACTORS

This vulnerability is unlikely to be exploitable in a production
environment. Since the buffer in question is the contents of the SSL
session, exploitability of this scenario would be tied to increasing
the size of the session.  The most obvious way of doing this would
be through the use of client certificates.  Therefore, generating a
really big client cert would overflow the buffer, and could
potentially be used to run arbitrary code.  HOWEVER, these routines
are only called AFTER SUCCESSFUL VERIFICATION of the client cert,
which would mean that a CA *TRUSTED BY THE WEB SERVER* would have to
issue the certificate in question.  In addition, both client cert
auth and the dbm or shared memory session caching functionality would
need to be enabled.

ACKNOWLEDGEMENTS
Thanks to Graeme Tait, Apache guru, whose persistence and clever
analysis once again made all the difference.  Thanks to Ralf 
Engelschall for fixing this so quickly, and also for pointing out
that the problem applies also to the shared memory cache.
(8068181) /Ed Moyle <emoyle@scsnet.csc.com>/(Reflowed)
Comment in text 8079067 by Ben Laurie <ben@algroup.co.uk>
Comment in text 8079240 by Ben Laurie <ben@algroup.co.uk>
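The two-call i2d idiom the OpenSSL documentation describes in the CAUSE section, as an added example that is not part of the advisory, of mod_ssl or of OpenSSL. To build without the OpenSSL library it uses a constructed toy serializer, i2d_demo_session, that follows the same calling convention (pp=NULL returns the length, otherwise it writes and advances *pp) over a constructed demo_session type whose variable-length field stands in for the peer certificate; DEMO_SESSION_MAX_DER mirrors the 10 KiB constant quoted above. It goes slightly beyond the advisory by showing both ways a cache store can be made safe: store_session_checked rejects a session that would not fit the fixed slot, and serialize_session_alloc allocates exactly the size the first call reports. All names, the wire format and the filler certificate bytes are assumptions for this example.

```c
#include <limits.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for OpenSSL's SSL_SESSION (not OpenSSL's type): a fixed
 * session id plus the variable-length DER of the peer certificate, the part of
 * a session that a client certificate inflates. */
typedef struct {
    unsigned char id[32];
    const unsigned char *peer_cert;
    size_t peer_cert_len;
} demo_session;

#define DEMO_SESSION_MAX_DER (1024 * 10)  /* mirrors SSL_SESSION_MAX_DER */

/* Toy i2d-style serializer with the calling convention the OpenSSL docs
 * describe: pp == NULL only reports the encoded length; otherwise the bytes
 * are written at *pp and *pp advanced past them. Constructed wire format:
 *   32-byte id | 4-byte big-endian certificate length | certificate bytes */
static int i2d_demo_session(const demo_session *sess, unsigned char **pp)
{
    size_t len = sizeof sess->id + 4 + sess->peer_cert_len;
    if (len > (size_t)INT_MAX)
        return -1;
    if (pp == NULL)
        return (int)len;                 /* length query only, nothing written */
    unsigned char *p = *pp;
    memcpy(p, sess->id, sizeof sess->id);
    p += sizeof sess->id;
    for (int shift = 24; shift >= 0; shift -= 8)
        *p++ = (unsigned char)(sess->peer_cert_len >> shift);
    memcpy(p, sess->peer_cert, sess->peer_cert_len);
    *pp = p + sess->peer_cert_len;
    return (int)len;
}

/* Hardened cache store: query the length first and refuse a session that
 * would not fit the slot. The pre-2.8.7 mod_ssl code skipped this query and
 * encoded straight into its fixed 10 KiB stack array. Returns bytes stored,
 * or -1 when rejected. */
static int store_session_checked(const demo_session *sess,
                                 unsigned char *out, size_t out_len)
{
    int need = i2d_demo_session(sess, NULL);
    if (need < 0 || (size_t)need > out_len)
        return -1;
    unsigned char *ucp = out;
    return i2d_demo_session(sess, &ucp);
}

/* Alternative fix, as the OpenSSL docs recommend: allocate exactly what the
 * first call reports. Caller frees the result. */
static unsigned char *serialize_session_alloc(const demo_session *sess, int *out_len)
{
    int need = i2d_demo_session(sess, NULL);
    unsigned char *buf = need < 0 ? NULL : malloc((size_t)need);
    if (buf == NULL)
        return NULL;
    unsigned char *ucp = buf;
    *out_len = i2d_demo_session(sess, &ucp);
    return buf;
}

/* Demo helper: a session carrying a constructed filler certificate of the
 * requested size; the caller frees the returned certificate buffer. */
static unsigned char *make_session(demo_session *sess, size_t cert_len)
{
    unsigned char *cert = malloc(cert_len ? cert_len : 1);
    if (cert == NULL)
        abort();
    memset(cert, 0xAB, cert_len);               /* constructed certificate bytes */
    memset(sess->id, 0x11, sizeof sess->id);    /* constructed session id */
    sess->peer_cert = cert;
    sess->peer_cert_len = cert_len;
    return cert;
}

/* Store such a session into a 10 KiB slot: bytes stored, or -1 if rejected. */
int try_store_with_cert_len(size_t cert_len)
{
    demo_session sess;
    unsigned char slot[DEMO_SESSION_MAX_DER];
    unsigned char *cert = make_session(&sess, cert_len);
    int rc = store_session_checked(&sess, slot, sizeof slot);
    free(cert);
    return rc;
}

/* Serialize such a session via the allocating path and return its length. */
int alloc_len_with_cert_len(size_t cert_len)
{
    demo_session sess;
    int len = -1;
    unsigned char *cert = make_session(&sess, cert_len);
    unsigned char *der = serialize_session_alloc(&sess, &len);
    free(der);
    free(cert);
    return len;
}
```

With a 100-byte certificate try_store_with_cert_len returns 136 bytes stored; with a 20000-byte certificate the checked store returns -1 instead of writing past the slot, while alloc_len_with_cert_len serializes the same session into a 20036-byte heap buffer. The boundary sits exactly at DEMO_SESSION_MAX_DER: a certificate of 10204 bytes fills the slot to the byte, one more byte is rejected.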
8079067 2002-03-01 09:54 +0000  /40 lines/ Ben Laurie <ben@algroup.co.uk>
Sent by: joel@lysator.liu.se
Imported: 2002-03-01  21:12  by Brevbäraren
External recipient: Ed Moyle <emoyle@scsnet.csc.com>
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <21226>
Comment on text 8068181 by Ed Moyle <emoyle@scsnet.csc.com>
Subject: Re: mod_ssl Buffer Overflow Condition (Update Available)
------------------------------------------------------------
From: Ben Laurie <ben@algroup.co.uk>
To: Ed Moyle <emoyle@scsnet.csc.com>
Cc: bugtraq@securityfocus.com
Message-ID: <3C7F4FE1.B5C16B1A@algroup.co.uk>

Ed Moyle wrote:
> MITIGATING FACTORS
> 
> This vulnerability is unlikely to be exploitable in a production
> environment. Since the buffer in question is the contents of the
> SSL session, exploitability of this scenario would be tied to
> increasing the size of the session.  The most obvious way of doing
> this would be through the use of client certificates.  Therefore,
> generating a really big client cert would overflow the buffer, and
> could potentially be used to run arbitrary code.  HOWEVER, these
> routines are only called AFTER SUCCESSFUL VERIFICATION of the client
> cert, which would mean that a CA *TRUSTED BY THE WEB SERVER* would have
> to issue the certificate in question.  In addition, both client cert
> auth and the dbm or shared memory session caching functionality would
> need to be enabled.

This analysis is flawed: although the certificate would have to be
issued by a trusted CA, some parts of the certificate are under
control of the owner of the certificate, who could therefore get a
certificate of arbitrary size by, for example, requesting a very
large DN. I can see no reason that a CA would vet CSRs for size - why
should they? So, the fact that a trusted CA produced the certificate
has no bearing on its size.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
(8079067) /Ben Laurie <ben@algroup.co.uk>/(Reflowed)
8079240 2002-03-01 10:28 +0000  /35 lines/ Ben Laurie <ben@algroup.co.uk>
Sent by: joel@lysator.liu.se
Imported: 2002-03-01  22:08  by Brevbäraren
External recipient: Ed Moyle <emoyle@scsnet.csc.com>
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <21227>
Comment on text 8068181 by Ed Moyle <emoyle@scsnet.csc.com>
Subject: Re: mod_ssl Buffer Overflow Condition (Update Available)
------------------------------------------------------------
From: Ben Laurie <ben@algroup.co.uk>
To: Ed Moyle <emoyle@scsnet.csc.com>
Cc: bugtraq@securityfocus.com
Message-ID: <3C7F57D4.A0F3A5E5@algroup.co.uk>

Ed Moyle wrote:
> 
> mod_ssl Buffer Overflow Condition (Update Available)
> --------------------------------------------------------
> 
> SYNOPSIS
> 
> mod_ssl (www.modssl.org) is a commonly used Apache module that
> provides strong cryptography for the Apache web server.  The
> module utilizes OpenSSL (formerly SSLeay) for the SSL implementation.
> modssl versions prior to 2.8.7-1.3.23 (Feb 23, 2002) make use of the
> underlying OpenSSL routines in a manner which could overflow a buffer
> within the implementation.  This situation appears difficult to
> exploit in a production environment, however, for reasons detailed
> below.

Ooops! Apologies, I misread my code. Apache-SSL is, in fact,
vulnerable to this flaw. I'll be issuing an advisory shortly.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
(8079240) /Ben Laurie <ben@algroup.co.uk>/(Reflowed)