From owner-freebsd-security Thu Feb 28 7:35:47 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mile.nevermind.kiev.ua (freebsddiary.org.ua [213.186.199.26]) by hub.freebsd.org (Postfix) with ESMTP id CAD7037B42A for ; Thu, 28 Feb 2002 07:35:29 -0800 (PST)
Received: (from never@localhost) by mile.nevermind.kiev.ua (8.11.6/8.11.4) id g1SFZNw49223 for security@FreeBSD.Org; Thu, 28 Feb 2002 17:35:23 +0200 (EET) (envelope-from never)
Date: Thu, 28 Feb 2002 17:35:12 +0200
From: Nevermind
To: security@FreeBSD.Org
Subject: mod_ssl Buffer Overflow
Message-ID: <20020228153512.GA48368@nevermind.kiev.ua>
Mime-Version: 1.0
Content-Type: text/plain; charset=koi8-r
Content-Disposition: inline
User-Agent: Mutt/1.3.26i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

http://marc.theaimsgroup.com/?l=bugtraq&m=101484301309557

SYNOPSIS

mod_ssl (www.modssl.org) is a commonly used Apache module that provides strong cryptography for the Apache web server. The module utilizes OpenSSL (formerly SSLeay) for the SSL implementation. modssl versions prior to 2.8.7-1.3.23 (Feb 23, 2002) make use of the underlying OpenSSL routines in a manner which could overflow a buffer within the implementation. This situation appears difficult to exploit in a production environment, however, for reasons detailed below.

CAUSE

The session caching mechanisms utilizing dbm and shared memory utilize the OpenSSL routine i2d_SSL_SESSION, which "serializes" an SSL session into a format that can be stored in the session cache. The OpenSSL docs inform us:

    When using i2d_SSL_SESSION(), the memory location pointed to by pp must be
    large enough to hold the binary representation of the session. There is no
    known limit on the size of the created ASN1 representation, so the necessary
    amount of space should be obtained by first calling i2d_SSL_SESSION() with
    pp=NULL, and obtain the size needed, then allocate the memory and call
    i2d_SSL_SESSION() again.

mod_ssl < the version listed above do not do this, however, and could potentially lead to an overflow of the static buffer used by mod_ssl for holding the contents of the serialized session.

....

-- 
NEVE-RIPE

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
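The two patterns the advisory contrasts, as an added example that is not part of the original mail, the bugtraq advisory, or mod_ssl's source. Real OpenSSL is not linked here: i2d_toy_session is a stand-in that follows the i2d_* calling convention (pp == NULL returns the encoded length and writes nothing; otherwise it writes to *pp and advances it), the toy_session struct, the 128-byte CACHE_BUF_SIZE and the peer-certificate field as the variable-length part are all assumptions made for the demonstration. store_fixed shows the single-call-into-a-fixed-buffer pattern the advisory describes, but refuses to write when the session does not fit and returns -1 at exactly the point where the unchecked original would have overrun its buffer; store_dynamic is the query-allocate-encode idiom the OpenSSL documentation prescribes.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of the fixed session buffer; not mod_ssl's real value. */
#define CACHE_BUF_SIZE 128

/* Toy stand-in for SSL_SESSION (assumption for this example). The peer
   certificate is the field whose length the server does not control. */
typedef struct {
    unsigned char id[32];        size_t id_len;
    unsigned char key[48];       size_t key_len;
    const unsigned char *peer_cert; size_t peer_cert_len;
} toy_session;

/* i2d-style encoder modelled on the OpenSSL i2d_* convention (toy format, not ASN.1):
   pp == NULL  -> return the encoded length, write nothing
   otherwise   -> write the encoding at *pp, advance *pp, return the length */
static int i2d_toy_session(const toy_session *s, unsigned char **pp) {
    if (s->id_len > 255 || s->key_len > 255 || s->peer_cert_len > 0xFFFF) return -1;
    size_t need = 1 + s->id_len + 1 + s->key_len + 2 + s->peer_cert_len;
    if (need > INT_MAX) return -1;
    if (pp == NULL) return (int)need;            /* size query only */
    unsigned char *p = *pp;
    *p++ = (unsigned char)s->id_len;  memcpy(p, s->id, s->id_len);   p += s->id_len;
    *p++ = (unsigned char)s->key_len; memcpy(p, s->key, s->key_len); p += s->key_len;
    *p++ = (unsigned char)(s->peer_cert_len >> 8);
    *p++ = (unsigned char)(s->peer_cert_len & 0xFF);
    if (s->peer_cert_len) { memcpy(p, s->peer_cert, s->peer_cert_len); p += s->peer_cert_len; }
    *pp = p;
    return (int)need;
}

/* Pattern the advisory describes: one i2d call straight into a fixed buffer.
   The size check below is the one the vulnerable code lacked; it is here only so
   the example cannot corrupt memory. -1 marks where the overflow would occur. */
static int store_fixed(const toy_session *s, unsigned char buf[CACHE_BUF_SIZE]) {
    int need = i2d_toy_session(s, NULL);
    if (need < 0 || need > CACHE_BUF_SIZE) return -1;
    unsigned char *p = buf;
    return i2d_toy_session(s, &p);
}

/* Pattern the OpenSSL docs prescribe: query the length, allocate, then encode.
   Caller frees the result. */
static unsigned char *store_dynamic(const toy_session *s, int *out_len) {
    int need = i2d_toy_session(s, NULL);
    if (need <= 0) return NULL;
    unsigned char *buf = malloc((size_t)need);
    if (buf == NULL) return NULL;
    unsigned char *p = buf;
    if (i2d_toy_session(s, &p) != need || p - buf != need) { free(buf); return NULL; }
    *out_len = need;
    return buf;
}

/* Build a constructed session whose peer certificate is cert_len bytes long. */
static void make_session(toy_session *s, const unsigned char *cert, size_t cert_len) {
    memset(s, 0, sizeof *s);
    memset(s->id, 0xAB, sizeof s->id);   s->id_len = sizeof s->id;
    memset(s->key, 0xCD, sizeof s->key); s->key_len = sizeof s->key;
    s->peer_cert = cert; s->peer_cert_len = cert_len;
}

/* Result of the fixed-buffer path for a session carrying a cert_len-byte cert
   (bytes written, or -1 where the unchecked original would have overflowed). */
static int try_fixed(size_t cert_len) {
    unsigned char *cert = cert_len ? malloc(cert_len) : NULL;
    if (cert_len) memset(cert, 0x30, cert_len);          /* constructed blob */
    toy_session s; make_session(&s, cert, cert_len);
    unsigned char fixed[CACHE_BUF_SIZE];
    int r = store_fixed(&s, fixed);
    free(cert);
    return r;
}

/* Result of the query-allocate-encode path: encoded length, or -1 on failure. */
static int try_dynamic(size_t cert_len) {
    unsigned char *cert = cert_len ? malloc(cert_len) : NULL;
    if (cert_len) memset(cert, 0x30, cert_len);
    toy_session s; make_session(&s, cert, cert_len);
    int n = -1;
    unsigned char *enc = store_dynamic(&s, &n);
    if (enc == NULL) n = -1;
    free(enc);
    free(cert);
    return n;
}

int main(void) {
    printf("fixed buffer, no peer cert:      %d bytes\n", try_fixed(0));
    printf("fixed buffer, 1500-byte cert:    %d (would have overflowed)\n", try_fixed(1500));
    printf("dynamic buffer, 1500-byte cert:  %d bytes\n", try_dynamic(1500));
    return 0;
}
```

The fixed-buffer path holds the no-certificate session (84 bytes in this toy encoding) but fails the 1500-byte one, while the two-call path sizes the buffer from the encoder itself and so never depends on a guess about how large a session can be.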