Invalid characters in SNI hostname are replaced with uninitialized memory (possible privilege escalation vulnerability)

[GoogleCodeExporter]

sslSNICallback has a loop to skip over copying invalid characters from the 
client-provided hostname.  However, nothing else initializes those characters 
if they are skipped.  So it could still be possible for a sufficiently clever 
attacker who understands how malloc() lays out the heap to insert malicious 
characters into the hostname string.

This hostname string is later passed to system() without further filtering, so 
this vulnerability could be used to execute arbitrary shell code.

I’ve attached a patch to ignore hostnames containing invalid characters, and 
another patch to invoke openssl directly with fork+exec to avoid the 
possibility of shell code injection in the filename.

Original issue reported on code.google.com by andersk@mit.edu on 12 Jan 2012 at 5:05

Attachments:

• 0001-sslSNICallback-Properly-disallow-invalid-characters.patch
• 0002-sslGenerateCertificate-Don-t-use-the-shell.patch

[GoogleCodeExporter]

Thanks for the patches.

https://github.com/jayschwa/shellinabox/commit/8059075f63135f58127349ce6a12678e5
2ab1fda

https://github.com/jayschwa/shellinabox/commit/38388d326cf9de9e80082e827bdfeef6a
4055d04

Original comment by Jayschwa on 2 Feb 2012 at 6:32

[GoogleCodeExporter]

Applied for 2.11.

Original comment by beewoo...@gmail.com on 31 Mar 2012 at 11:23

• Changed state: Fixed