Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

CVE-2020-1967: proving sigalg != NULL

Related Vulnerabilities: CVE-2020-1967  
Source 
                							

                <!--X-Body-Begin-->
<!--X-User-Header-->
<a href="/fulldisclosure/"><img src="/images/fulldisclosure-logo.png" class="l-logo right" alt="fulldisclosure logo" width="80"></a>
<h2 class="m-list"><a href="/fulldisclosure/">Full Disclosure</a>
mailing list archives</h2>
<!--X-User-Header-End-->
<!--X-TopPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="4"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#5">By Date</a>
<a href="6"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="4"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#5">By Thread</a>
<a href="6"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<form class="nst-search center" action="/search/fulldisclosure">
<input class="nst-search-q" name="q" type="search" placeholder="List Archive Search">
<button class="nst-search-button" title="Search">
<img style="width:100%;aspect-ratio:1/1;" alt="" aria-hidden="true" src="/shared/images/nst-icons.svg#search">
</button>
</form>

</div>

<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
<h1 class="m-title">CVE-2020-1967: proving sigalg != NULL</h1>
<hr>
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->


<em>From</em>: Imre Rad &lt;radimre83 () gmail com&gt;


<em>Date</em>: Wed, 29 Apr 2020 19:39:31 +0200


<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<hr>
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
<pre style="margin: 0em;">I created a proof of concept exploit about the recent OpenSSL
signature_algorithms_cert DoS flaw (CVE-2020-1967). Credit for the
original finding goes to Bernd Edlinger.

This is a null pointer dereference while processing a crafted
signature_algorithms_cert TLS extension via the SSL_check_chain() API
method. Applications do need to call this method explicitly, it is not
invoked by default during the handshake. The segmentation fault of a
TLS service could look like this:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f09bcff3770 in tls1_check_sig_alg.part.0.cold () from
/data/openssl-1.1.1d/libssl.so
(gdb) bt
#0  0x00007f09bcff3770 in tls1_check_sig_alg.part.0.cold () from
/data/openssl-1.1.1d/libssl.so
#1  0x00007f09bd03f309 in tls1_check_chain () from
/data/openssl-1.1.1d/libssl.so
#2  0x00007f09bd403fc8 in set_cert_cb ()
#3  0x00007f09bd037f75 in tls_post_process_client_hello () from
/data/openssl-1.1.1d/libssl.so
#4  0x00007f09bd02703f in state_machine.part () from
/data/openssl-1.1.1d/libssl.so
#5  0x00007f09bcffa3f8 in ssl3_write_bytes () from
/data/openssl-1.1.1d/libssl.so
#6  0x00007f09bd00fbb9 in ssl_write_internal () from
/data/openssl-1.1.1d/libssl.so
#7  0x00007f09bd00fd07 in SSL_write () from /data/openssl-1.1.1d/libssl.so
#8  0x00007f09bd3e337d in sv_body ()
#9  0x00007f09bd40757a in do_server ()
#10 0x00007f09bd3e7c27 in s_server_main ()
#11 0x00007f09bd3cea46 in do_cmd ()
#12 0x00007f09bd3b89fd in main ()

This exploit relies on a patched version of openssl's s_client and can
be found here:

<a rel="nofollow" href="https://github.com/irsl/CVE-2020-1967">https://github.com/irsl/CVE-2020-1967</a>

_______________________________________________
Sent through the Full Disclosure mailing list
<a rel="nofollow" href="https://nmap.org/mailman/listinfo/fulldisclosure">https://nmap.org/mailman/listinfo/fulldisclosure</a>
Web Archives &amp; RSS: <a rel="nofollow" href="http://seclists.org/fulldisclosure/">http://seclists.org/fulldisclosure/</a>

</pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="4"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#5">By Date</a>
<a href="6"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="4"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#5">By Thread</a>
<a href="6"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
</div>
<h3 class="m-thread">Current thread:</h3>
<ul class="thread">
<li><strong>CVE-2020-1967: proving sigalg != NULL</strong> <em>Imre Rad (May 01)</em>
</li></ul>


<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->
<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started