[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] OpenSSL 1.1.0 remote client memory corruption

Triggering this requires that the client sets a very large ALPN list
(several thousand bytes). This would be very unusual in a real-world
application. For this reason OpenSSL does not treat this as a security
vulnerability and I am inclined to agree with this decision. However, if an
attacker can somehow influence the ALPN list of an OpenSSL-enabled
application (perhaps through another vulnerability), the attacker can write
arbitrary data past OpenSSL's heap buffer.

openssl s_client -reconnect -status -alpn `python -c "import sys;

If the server sends a session ticket with a special length (16022 bytes),
the client will crash.

More technical details here:


Sent through the Full Disclosure mailing list
Web Archives & RSS: http://seclists.org/fulldisclosure/