Sunday, January 21, 2024

TLS V1.2 Sigalgs Remote Crash (CVE-2015-0291)


OpenSSL 1.0.2a fixes several security issues; one of them allows TLSv1.2-based services to be crashed remotely from the internet.


According to the TLSv1.2 RFC, this version of TLS provides a "signature_algorithms" extension for the client_hello.

Data Structures


If a bad signature is sent after the renegotiation, the structure will be corrupted, because the structure pointer
s->c->shared_sigalgs will be NULL, and the number of algorithms
s->c->shared_sigalgslen will not be zeroed.
This will be interpreted as one algorithm to process, but the pointer points to address 0x00.


Then tls1_process_sigalgs() will try to process one signature algorithm (because shared_sigalgslen=1): sigptr will point to c->shared_sigalgs (NULL), and the function will then try to dereference sigptr->rhash.


This means a segmentation fault in the tls1_process_sigalgs() function, which is called by tls1_set_server_sigalgs(), which is in turn called from ssl3_client_hello(), as the stack trace shows.




StackTrace

The following code points sigptr to NULL and tries to read sigptr->rsign, which is assembled as movzbl eax, byte ptr [0x0+R12]. Note in the register window that R12 is 0x00.

Debugger in the crash point.


radare2 static decompiled


The patch fixes the vulnerability by zeroing the sigalgslen.
Get David A. Ramos' proof of concept exploit here
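The stale-length condition described above and the effect of the patch, as an added example that is not OpenSSL's code or part of the original post. The field names shared_sigalgs, shared_sigalgslen, rsign and rhash come from the write-up; the struct layouts, function names and sample values are simplified assumptions.

```c
#include <stddef.h>
#include <stdlib.h>

/* Simplified stand-ins (assumed layouts), holding only the fields named in the text. */
typedef struct { unsigned char rsign, rhash; } sigalg_entry;
typedef struct {
    sigalg_entry *shared_sigalgs;
    size_t shared_sigalgslen;
} cert_model;

/* First handshake: one shared algorithm is stored (constructed values). */
int negotiate_ok(cert_model *c) {
    c->shared_sigalgs = malloc(sizeof(sigalg_entry));
    if (c->shared_sigalgs == NULL) return 0;
    c->shared_sigalgs[0].rsign = 1;
    c->shared_sigalgs[0].rhash = 4;
    c->shared_sigalgslen = 1;
    return 1;
}

/* Pre-patch state after the bad renegotiation: pointer is NULL, length is stale. */
void renegotiate_bad_unpatched(cert_model *c) {
    free(c->shared_sigalgs);
    c->shared_sigalgs = NULL;
}

/* Patched behaviour: the length is zeroed together with the pointer. */
void renegotiate_bad_patched(cert_model *c) {
    free(c->shared_sigalgs);
    c->shared_sigalgs = NULL;
    c->shared_sigalgslen = 0;
}

/* How many entries a loop over shared_sigalgslen would read through a NULL base. */
size_t null_reads(const cert_model *c) {
    return c->shared_sigalgs == NULL ? c->shared_sigalgslen : 0;
}

/* Defensive consumer: returns entries processed, or -1 on inconsistent state. */
long process_sigalgs(const cert_model *c) {
    long n = 0;
    if (null_reads(c) != 0) return -1;   /* would have been the NULL dereference */
    for (size_t i = 0; i < c->shared_sigalgslen; i++)
        if (c->shared_sigalgs[i].rhash != 0) n++;
    return n;
}

int main(void) {
    cert_model c = {0};
    if (!negotiate_ok(&c)) return 2;
    renegotiate_bad_unpatched(&c);
    return process_sigalgs(&c) == -1 ? 0 : 1;  /* 0: stale length was detected */
}
```

The invariant to check when reviewing similar code is that a pointer and its element count are always reset together.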




