BUEN FIN DE CUATRIMESTRE...!! A DISFRUTAR DE ESTAS MERECIDAS VACACIONES.. NOS VEMOS EL PRÓXIMO :)

jueves, 4 de junio de 2020

TLS V1.2 Sigalgs Remote Crash (CVE-2015-0291)


OpenSSL 1.0.2a fix several security issues, one of them let crash TLSv1.2 based services remotelly from internet.


Regarding to the TLSv1.2 RFC,  this version of TLS provides a "signature_algorithms" extension for the client_hello. 

Data Structures


If a bad signature is sent after the renegotiation, the structure will be corrupted, becouse structure pointer:
s->c->shared_sigalgs will be NULL, and the number of algorithms:
s->c->shared_sigalgslen will not be zeroed.
Which will be interpreted as one algorithm to process, but the pointer points to 0x00 address. 


Then tls1_process_sigalgs() will try to process one signature algorithm (becouse of shared_sigalgslen=1) then sigptr will be pointer to c->shared_sigalgs (NULL) and then will try to derreference sigptr->rhash. 


This mean a Segmentation Fault in  tls1_process_sigalgs() function, and called by tls1_set_server_sigalgs() with is called from ssl3_client_hello() as the stack trace shows.




StackTrace

The following code, points sigptr to null and try to read sigptr->rsign, which is assembled as movzbl eax,  byte ptr [0x0+R12] note in register window that R12 is 0x00

Debugger in the crash point.


radare2 static decompiled


The patch fix the vulnerability zeroing the sigalgslen.
Get  David A. Ramos' proof of concept exploit here





More articles


  1. Pentest Checklist
  2. Pentest Ubuntu
  3. Pentest +
  4. Hacking 3Ds
  5. Hacking Device
  6. Hacking Gif
  7. Hacking Software
  8. Hacker Code
  9. Pentest Practice Sites
  10. Pentester Academy
  11. Pentesting Tools
  12. Hacker Lab
  13. Pentest Windows
  14. Pentestlab
  15. Pentest Ftp
  16. Pentest Book
  17. Pentest Environment
  18. Pentest Services

No hay comentarios:

Publicar un comentario

Escríbe tus dudas, comentarios o sugerencias a:

Historia de la Educación

recetas de cocina