Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:31814
HistoryMar 21, 2015 - 12:00 a.m.

Security Audit Notes: OpenSSL d1_srvr.c Overflow - Advanced Information Security

2015-03-2100:00:00
vulners.com
75
JSON

-=[ Advanced Information Security Corporation ]=-

Author: Nicholas Lemonias
Type: Security Audit Notes
Date: 17/3/2015
Email: lem.nikolas (at) gmail (dot) com
Audit: OpenSSL v1.0.2 (22nd of January, 2015 Release)

Introduction

During a source-code audit of the OpenSSL v1.0.2 implementation for
Linux; conducted internally by the Advanced Information Security
Group, instances of deprecated function use, were observed.
An insecure memcpy() is utilized; where a destination buffer, a
source buffer, and the number of bytes to copy are accepted by the
called function.

It is pertinent to note, that the memcpy() function does not check
for a potential overflow of the receiving memory area in this
instance, and no custom security validation controls are in place. [1]
[2]

Software Overview

OpenSSL is an open-source implementation of the SSL and TLS protocol.
The core library is written in the C Language, and implements basic
cryptographic functions, and
also provides various utility functions. Implementation versions are
available for most UNIX-like operating systems (including
Solaris,Linux, Mac OS X and the various open-source BSD operating
systems), OpenVMS and Microsoft Windows. IBM provides a port for the
System i (OS/400). OpenSSL is based on SSLeay by Eric Andrew Young and
Tim Hudson, development of which unofficially ended on December 17,
1998, when Young and Hudson both started to work for RSA Security.

Vulnerability

(1) Deprecated function use / Insecure memcpy() utilization.

The insecurity stems from the lack of any bounds-checking of the
called memcpy function. The memcpy function permits the "peer's"
cookie length, to overlap buffers.

The provided buffer (s->d1->cookie) is for the user-app to fill in;
however, a custom user application could provide an overlong cookie to
exceed it's buffer, and to overflow beyond and into other volatile
memory locations.

Therefore any security is purely on the basis of trust that the remote
peer will not act contrary to protocol, and that the user app is
trusted not to abuse functionality.

PoC - Code Snippet

(…/openssl/ssl/d1_srvr.c)

{ Lines 918 - 942 }

int dtls1_send_hello_verify_request(SSL *s)
{
unsigned int msg_len;
unsigned char *msg, *buf, *p;

if (s->state == DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A) {
    buf = (unsigned char *)s->init_buf->data;

   msg = p = &(buf[DTLS1_HM_HEADER_LENGTH]); //buf is equal to 12
    /* Always use DTLS 1.0 version: see RFC 6347 */
    *(p++) = DTLS1_VERSION >> 8;
    *(p++) = DTLS1_VERSION & 0xFF;

    if (s->ctx->app_gen_cookie_cb == NULL ||
        s->ctx->app_gen_cookie_cb(s, s->d1->cookie,
                                  &(s->d1->cookie_len)) == 0) {
        SSLerr(SSL_F_DTLS1_SEND_HELLO_VERIFY_REQUEST,
               ERR_R_INTERNAL_ERROR);
        return 0;
    }

    *(p++) = (unsigned char)s->d1->cookie_len;
    memcpy(p, s->d1->cookie, s->d1->cookie_len);

// Cookie_len is provided by a callback function above - and where,
input is // provided by the user-app.

    p += s->d1->cookie_len;
    msg_len = p - msg;

Appendices

Sincere Thanks to the OpenSSL team for their feedback.

References

[1] Oracle (2015). Basic Library Functions - Title: memcpy() man pages [Online]
Available at: https://docs.oracle.com/cd/E19683-01/816-0213/6m6ne386d/index.html
[Last Accessed 17 Mar. 2015]

[2] M. Howard, D. LeBlanc Writing Secure Code, Second Edition Microsoft Press

JSON