@fmunozs
Created April 10, 2015 04:37
OpenSSL / LibreSSL null dereference
OpenSSL Null pointer Dereference
=================================
I *think* anything below 1.0.2 is affected. I didn't have time to report it
but noticed that the last update doesn't crash anymore, so I guess one of
the recently fixed CVEs fixed this too [1].
[1] https://www.openssl.org/news/secadv_20150319.txt
(old) OpenSSL on OSX
====================
$ cat fuck.key
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
$ gdb ssh
GNU gdb 6.3.50-20050815 (Apple version gdb-1824) (Wed Feb 6 22:51:23 UTC 2013)
..
(gdb) run -i fuck.key root@localhost
Starting program: /usr/bin/ssh -i fuck.key root@localhost
Reading symbols for shared libraries ..... done
...
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x0000000000000008
0x00007fff81bd8770 in pkey_cb ()
LibreSSL +debug info
====================
[fmunozs@hydra libressl-2.1.1]$ LD_LIBRARY_PATH=ssl/.libs/:crypto/.libs/ gdb ./apps/.libs/openssl
GNU gdb (GDB) 7.9
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-unknown-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./apps/.libs/openssl...done.
(gdb) run rsa -in fuck.key -check
Starting program: /home/fmunozs/libressl/src/libressl-2.1.1/apps/.libs/openssl rsa -in fuck.key -check
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff78499b7 in pkey_cb (operation=2, pval=0x7fffffffda78, it=0x7ffff7b559c0 <PKCS8_PRIV_KEY_INFO_it>, exarg=0x0) at asn1/p8_pkey.c:72
72 if (key->pkey->value.octet_string)
(gdb) print key
$1 = (PKCS8_PRIV_KEY_INFO *) 0x690a30
(gdb) print key->pkey
$2 = (ASN1_TYPE *) 0x0
(gdb)
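The gdb session above stops at asn1/p8_pkey.c:72 with `key` valid and `key->pkey` NULL, so the read of `key->pkey->value.octet_string` faults at a small offset of address zero (the 0x8 fault address in the OSX trace). The C below is an added, stand-alone model of that pattern; it is not the OpenSSL or LibreSSL source. The struct names, the `MODEL_V_ASN1_OCTET_STRING` tag value and the zeroing helper are simplified stand-ins (assumptions) that keep only the fields the trace touches. It places the unchecked dereference beside a form that validates the whole pointer chain and the value type before wiping the key material.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed, simplified stand-ins for the structures named in the
 * backtrace (ASN1_OCTET_STRING, ASN1_TYPE, PKCS8_PRIV_KEY_INFO).
 * Only the fields the crashing statement touches are modelled. */
typedef struct {
    int length;
    unsigned char *data;
} model_octet_string;

typedef struct {
    int type;                          /* tag of the decoded value */
    union {
        void *ptr;
        model_octet_string *octet_string;
    } value;
} model_asn1_type;

typedef struct {
    model_asn1_type *pkey;             /* NULL in the gdb output above */
} model_pkcs8_priv_key_info;

/* Assumption: stand-in for the OCTET STRING tag used to qualify the union. */
#define MODEL_V_ASN1_OCTET_STRING 4

/* Zeroing that the compiler cannot elide (stand-in for OPENSSL_cleanse). */
static void secure_zero(unsigned char *p, size_t n)
{
    volatile unsigned char *vp = p;
    while (n--)
        *vp++ = 0;
}

/* Unchecked pattern matching p8_pkey.c:72: key->pkey is dereferenced
 * before it is tested. With key->pkey == NULL this faults, which is the
 * SIGSEGV / EXC_BAD_ACCESS in the traces. Kept for comparison only; it
 * must not be called with a NULL pkey. */
static int cleanse_unchecked(model_pkcs8_priv_key_info *key)
{
    if (key->pkey->value.octet_string) {
        model_octet_string *os = key->pkey->value.octet_string;
        secure_zero(os->data, (size_t)os->length);
        return os->length;
    }
    return 0;
}

/* Hardened form: every link of the chain is checked, and the union is
 * only read as an octet string when the tag says it is one.
 * Returns the number of bytes wiped, 0 when there is nothing to wipe. */
static int cleanse_checked(model_pkcs8_priv_key_info *key)
{
    if (key == NULL || key->pkey == NULL)
        return 0;                      /* privateKey never decoded */
    if (key->pkey->type != MODEL_V_ASN1_OCTET_STRING)
        return 0;                      /* union does not hold an octet string */
    model_octet_string *os = key->pkey->value.octet_string;
    if (os == NULL || os->data == NULL || os->length <= 0)
        return 0;
    secure_zero(os->data, (size_t)os->length);
    return os->length;
}

int main(void)
{
    /* Constructed sample: a well-formed key, then one with pkey == NULL. */
    unsigned char secret[] = {'s', 'e', 'c', 'r', 'e', 't'};
    model_octet_string os = { (int)sizeof secret, secret };
    model_asn1_type t;
    t.type = MODEL_V_ASN1_OCTET_STRING;
    t.value.octet_string = &os;
    model_pkcs8_priv_key_info good = { &t };
    model_pkcs8_priv_key_info broken = { NULL };

    printf("unchecked, valid key: wiped %d bytes\n", cleanse_unchecked(&good));
    printf("checked, pkey == NULL: wiped %d bytes (no fault)\n",
           cleanse_checked(&broken));
    return 0;
}
```

The same shape of check applies to any ASN.1 free-time callback: a decode that fails part-way leaves optional or later members NULL, and the callback still runs over the partially built object, so each pointer on the path must be tested rather than assumed.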