Date:      Thu, 28 Feb 2002 17:35:12 +0200
From:      Nevermind <never@nevermind.kiev.ua>
To:        security@FreeBSD.Org
Subject:   mod_ssl Buffer Overflow
Message-ID:  <20020228153512.GA48368@nevermind.kiev.ua>

http://marc.theaimsgroup.com/?l=bugtraq&m=101484301309557

<cut>
SYNOPSIS

mod_ssl (www.modssl.org) is a commonly used Apache module that 
provides strong cryptography for the Apache web server.  The
module utilizes OpenSSL (formerly SSLeay) for the SSL implementation.
modssl versions prior to 2.8.7-1.3.23 (Feb 23, 2002) make use of the
underlying OpenSSL routines in a manner which could overflow a buffer
within the implementation.  This situation appears difficult to
exploit in a production environment, however, for reasons detailed
below.

CAUSE

The session caching mechanisms utilizing dbm and shared memory
utilize the OpenSSL routine i2d_SSL_SESSION, which "serializes" 
an SSL session into a format that can be stored in the session cache.
The OpenSSL docs inform us:

    When using i2d_SSL_SESSION(), the memory location pointed to by pp
    must be large enough to hold the binary representation of the session.
    There is no known limit on the size of the created ASN1 representation,
    so the necessary amount of space should be obtained by first calling
    i2d_SSL_SESSION() with pp=NULL, and obtain the size needed, then
    allocate the memory and call i2d_SSL_SESSION() again.

mod_ssl versions prior to the one listed above do not do this, however, and
this could potentially lead to an overflow of the static buffer used by mod_ssl
for holding the contents of the serialized session.
....
</cut>

-- 
NEVE-RIPE
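The two-call i2d pattern the quoted OpenSSL documentation describes, as an added C example (not mod_ssl's or OpenSSL's code): `session_t`, `i2d_session`, `CACHE_SLOT`, `store_fixed` and `store_dynamic` are hypothetical stand-ins that follow the i2d_SSL_SESSION calling convention. `store_fixed` shows the length check a fixed cache slot needs before encoding into it; `store_dynamic` shows the query, allocate, encode sequence the docs prescribe.

```c
#include <stdlib.h>
#include <string.h>
#define CACHE_SLOT 64   /* fixed-size cache entry, sized for a "typical" session */

/* Constructed stand-in for an SSL_SESSION: a session id plus a master secret. */
typedef struct {
    unsigned char id[32];     size_t id_len;
    unsigned char secret[48]; size_t secret_len;
} session_t;

/* Hypothetical i2d-style serializer following the OpenSSL calling convention:
 * with pp == NULL it returns only the encoded length; otherwise it writes the
 * encoding at *pp, advances *pp past it, and returns the same length. */
int i2d_session(const session_t *s, unsigned char **pp)
{
    int len = 2 + (int)s->id_len + 2 + (int)s->secret_len; /* two length-prefixed fields */
    if (pp == NULL) return len;
    unsigned char *p = *pp;
    *p++ = (unsigned char)(s->id_len >> 8);     *p++ = (unsigned char)s->id_len;
    memcpy(p, s->id, s->id_len);                p += s->id_len;
    *p++ = (unsigned char)(s->secret_len >> 8); *p++ = (unsigned char)s->secret_len;
    memcpy(p, s->secret, s->secret_len);        p += s->secret_len;
    *pp = p;
    return len;
}

/* Fixed slot: query the length first and refuse oversized sessions. Skipping this
 * check is what lets a large session overrun a static buffer. Returns -1 if too big. */
int store_fixed(const session_t *s, unsigned char slot[CACHE_SLOT])
{
    int need = i2d_session(s, NULL);
    if (need <= 0 || need > CACHE_SLOT) return -1;
    unsigned char *p = slot;
    return i2d_session(s, &p);
}

/* The pattern the OpenSSL docs prescribe: query, allocate exactly, encode.
 * On success *out is malloc'd and owned by the caller; returns -1 on failure. */
int store_dynamic(const session_t *s, unsigned char **out)
{
    int need = i2d_session(s, NULL);
    if (need <= 0) return -1;
    unsigned char *buf = malloc((size_t)need), *p = buf;
    if (buf == NULL) return -1;
    if (i2d_session(s, &p) != need || p - buf != need) { free(buf); return -1; }
    *out = buf;
    return need;
}
```

A session whose encoding exceeds CACHE_SLOT is rejected by `store_fixed` and stored at its exact size by `store_dynamic`; the second i2d call is also checked against the first so a serializer that writes more than it announced is caught rather than trusted.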
