From owner-freebsd-security@FreeBSD.ORG Thu Jun 4 21:47:00 2009
Message-ID: <4A2840CF.6020209@thedarkside.nl>
Date: Thu, 04 Jun 2009 23:46:55 +0200
From: Pieter de Boer <pieter@thedarkside.nl>
To: Oliver Pinter
Cc: freebsd-security@freebsd.org
Subject: Re: OpenSSL DoS/PoC in milw0rm
In-Reply-To: <6101e8c40906041315t5b9c2b6ep4f35b2068586f2c3@mail.gmail.com>
List-Id: "Security issues [members-only posting]" <freebsd-security@freebsd.org>

Oliver Pinter wrote:
> the base system contains 0.9.8e and this PoC is affected up to 0.9.8i
> not yet tested
> the question is, is FreeBSD affected by this error/malware/poc?
> http://milw0rm.com/exploits/8873

(term1)
OpenSSL> version
OpenSSL 0.9.8e 23 Feb 2007
% openssl s_server -cert /usr/src/crypto/openssl/apps/server.pem -accept 1234 -dtls1
...

(term2)
% ./cve-2009-1386 localhost 1234
[+] Sending DTLS datagram of death at localhost:1234...
...

(term1)
zsh: segmentation fault (core dumped)  openssl s_server -cert /usr/src/crypto/openssl/apps/server.pem -accept 1234

GDB shows:

Program received signal SIGSEGV, Segmentation fault.
0x480fe28d in ssl3_do_change_cipher_spec () from /usr/lib/libssl.so.5
...
0x480fe28d : mov %eax,0xac(%edx)
...
(gdb) i r edx
edx            0x0      0

Looks vulnerable, but I had to force DTLS using the -dtls1 switch, so it may not be much of an issue in most real world configurations?

-- 
Pieter
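The gdb output above (a store through `%edx` with `%edx` equal to 0) is the signature of a NULL-pointer write, and CVE-2009-1386 is publicly described as exactly that: a DTLS server dereferencing a not-yet-allocated session when a ChangeCipherSpec record arrives before the handshake. The following C program is an added illustration written for this page, not OpenSSL's code and not the PoC from the thread. It models a toy record dispatcher with a hypothetical `session` object that only exists once a handshake record has been processed, shows the unchecked store that would fault on an early ChangeCipherSpec, and the guarded version that returns an error the caller can log and drop instead. Record-type values 20 and 22 are the TLS record-layer content types; everything else (struct names, the cipher id 0x2f, the result codes) is constructed for the example.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* TLS/DTLS record-layer content types (real values). */
enum rec_type { REC_CHANGE_CIPHER_SPEC = 20, REC_HANDSHAKE = 22 };

/* Hypothetical session object: in the real bug the dereferenced pointer was a
 * session structure that is only allocated once a ClientHello has been seen. */
struct session {
    int cipher;                 /* negotiated cipher id (0 = none yet) */
};

struct conn {
    struct session *session;    /* NULL until the handshake has started */
    int pending_cipher;         /* cipher chosen during the handshake */
    int handshake_seen;
};

/* Outcomes of processing one record (constructed codes). */
enum result { RES_OK = 0, RES_CCS_RECEIVED_EARLY = 1, RES_UNKNOWN_RECORD = 2 };

/* Handshake record: models the server creating a session on ClientHello. */
enum result do_handshake(struct conn *c)
{
    if (c->session == NULL) {
        c->session = calloc(1, sizeof *c->session);
        if (c->session == NULL) abort();
    }
    c->handshake_seen = 1;
    c->pending_cipher = 0x2f;   /* constructed value standing in for a suite id */
    return RES_OK;
}

/* Unchecked variant: mirrors the crash in the gdb output. With no prior
 * handshake c->session is NULL, so the store below writes through a NULL base
 * pointer and the process dies with SIGSEGV. Kept for comparison only; the
 * dispatcher never calls it. */
enum result do_change_cipher_spec_unchecked(struct conn *c)
{
    c->session->cipher = c->pending_cipher;   /* faults when session == NULL */
    return RES_OK;
}

/* Guarded variant: a ChangeCipherSpec before any handshake record is rejected
 * with an error instead of being acted on. */
enum result do_change_cipher_spec_guarded(struct conn *c)
{
    if (c->session == NULL || !c->handshake_seen)
        return RES_CCS_RECEIVED_EARLY;
    c->session->cipher = c->pending_cipher;
    return RES_OK;
}

/* Dispatch one record by its content-type byte (guarded CCS path only). */
enum result process_record(struct conn *c, unsigned char type)
{
    switch (type) {
    case REC_HANDSHAKE:          return do_handshake(c);
    case REC_CHANGE_CIPHER_SPEC: return do_change_cipher_spec_guarded(c);
    default:                     return RES_UNKNOWN_RECORD;
    }
}

/* Feed a sequence of record types to a fresh connection. Returns the first
 * non-OK result (RES_OK if all accepted) and reports the final cipher id,
 * 0 when no session was ever created. */
enum result run_sequence(const unsigned char *types, size_t n, int *final_cipher)
{
    struct conn c;
    enum result r = RES_OK;
    memset(&c, 0, sizeof c);
    for (size_t i = 0; i < n; i++) {
        r = process_record(&c, types[i]);
        if (r != RES_OK) break;
    }
    *final_cipher = c.session ? c.session->cipher : 0;
    free(c.session);
    return r;
}

int main(void)
{
    /* Constructed record sequences: the "datagram of death" pattern is a
     * ChangeCipherSpec as the very first record on a connection. */
    const unsigned char early_ccs[] = { REC_CHANGE_CIPHER_SPEC };
    const unsigned char normal[]    = { REC_HANDSHAKE, REC_CHANGE_CIPHER_SPEC };
    int cipher;

    enum result r1 = run_sequence(early_ccs, 1, &cipher);
    printf("early CCS -> result %d (1 = CCS received early), cipher %d\n", r1, cipher);

    enum result r2 = run_sequence(normal, 2, &cipher);
    printf("handshake then CCS -> result %d, cipher 0x%x\n", r2, cipher);
    return 0;
}
```

The point of the guarded path is that a state-machine check (has a handshake actually established the object this record needs?) belongs at the record boundary, before any field of the session is touched; a server that forgets it turns a single unauthenticated datagram into a process crash, which is why Pieter's observation that DTLS had to be enabled explicitly (`-dtls1`) matters for assessing real-world exposure.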