CSCG / shellinabox

Automatically exported from code.google.com/p/shellinabox

Invalid characters in SNI hostname are replaced with uninitialized memory (possible privilege escalation vulnerability) #158

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
sslSNICallback has a loop to skip over copying invalid characters from the client-provided hostname. However, nothing else initializes those characters if they are skipped. So it could still be possible for a sufficiently clever attacker who understands how malloc() lays out the heap to insert malicious characters into the hostname string.

This hostname string is later passed to system() without further filtering, so this vulnerability could be used to execute arbitrary shell code.

I’ve attached a patch to ignore hostnames containing invalid characters, and another patch to invoke openssl directly with fork+exec to avoid the possibility of shell code injection in the filename.

Original issue reported on code.google.com by andersk@mit.edu on 12 Jan 2012 at 5:05
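The report above describes two things at once: a copy loop that skips bad characters but never writes the skipped slots, and a downstream system() call that trusts the result. The following C program, added here as an illustration and not taken from shellinabox or from the attached patches, models the skipping copy with a poison-filled buffer so the untouched slots become visible, and beside it a strict variant in the spirit of the first patch that rejects any hostname containing a disallowed character and always leaves the destination fully initialized. HOST_MAX, POISON, the character whitelist and all function names are assumptions chosen for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical constants for this example (not shellinabox's own). */
#define HOST_MAX 64
#define POISON   0xCD   /* stands in for whatever malloc() left in the buffer */

/* Characters permitted in a hostname: letters, digits, '-' and '.'. */
static bool hostname_char_ok(unsigned char c) {
  return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
         (c >= '0' && c <= '9') || c == '-' || c == '.';
}

/* The pattern the issue describes: invalid characters are skipped, so the
 * destination slot for each skipped character is never written. Returns the
 * length of the (partially written) string. */
size_t copy_hostname_skipping(char *dst, size_t dstlen, const char *src) {
  memset(dst, POISON, dstlen);           /* simulate uninitialized heap memory */
  size_t len = strlen(src);
  if (len >= dstlen) len = dstlen - 1;
  for (size_t i = 0; i < len; i++) {
    if (hostname_char_ok((unsigned char)src[i]))
      dst[i] = src[i];
    /* else: dst[i] keeps whatever was there before */
  }
  dst[len] = '\0';
  return len;
}

/* Count bytes in dst[0..len) that the copy routine never initialized. */
size_t count_uninitialized(const char *dst, size_t len) {
  size_t n = 0;
  for (size_t i = 0; i < len; i++)
    if ((unsigned char)dst[i] == POISON) n++;
  return n;
}

/* Hardened form, following the approach of the first attached patch: reject
 * the whole hostname if any character is invalid, never emit a partial copy,
 * and leave dst fully initialized (empty string) on rejection. */
bool copy_hostname_strict(char *dst, size_t dstlen, const char *src) {
  memset(dst, 0, dstlen);
  size_t len = strlen(src);
  if (len == 0 || len >= dstlen) return false;
  for (size_t i = 0; i < len; i++)
    if (!hostname_char_ok((unsigned char)src[i])) return false;
  memcpy(dst, src, len + 1);             /* includes the terminating NUL */
  return true;
}

/* Helpers that run both routines on one input and return the observable
 * outcome, so the behaviour can be checked without inspecting buffers. */
size_t demo_uninitialized_count(const char *src) {
  char buf[HOST_MAX];
  size_t len = copy_hostname_skipping(buf, sizeof buf, src);
  return count_uninitialized(buf, len);
}

bool demo_strict_accepts(const char *src) {
  char buf[HOST_MAX];
  return copy_hostname_strict(buf, sizeof buf, src);
}

int main(void) {
  /* Constructed sample inputs: one clean hostname, one with two bad bytes. */
  const char *clean = "example.com";
  const char *dirty = "bad;host|name";
  printf("skipping copy of %s leaves %zu untouched byte(s)\n",
         dirty, demo_uninitialized_count(dirty));
  printf("strict copy accepts %s: %s\n", clean,
         demo_strict_accepts(clean) ? "yes" : "no");
  printf("strict copy accepts %s: %s\n", dirty,
         demo_strict_accepts(dirty) ? "yes" : "no");
  return 0;
}
```

The poison byte only makes the gap observable; in the real case the skipped slots hold whatever the allocator left behind, which is exactly why whole-string rejection (or zero-filling before the copy) is the right fix rather than a filter that drops characters one at a time.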

GoogleCodeExporter commented 9 years ago
Thanks for the patches.

https://github.com/jayschwa/shellinabox/commit/8059075f63135f58127349ce6a12678e52ab1fda

https://github.com/jayschwa/shellinabox/commit/38388d326cf9de9e80082e827bdfeef6a4055d04

Original comment by Jayschwa on 2 Feb 2012 at 6:32

GoogleCodeExporter commented 9 years ago
Applied for 2.11.

Original comment by beewoo...@gmail.com on 31 Mar 2012 at 11:23