From owner-freebsd-security@FreeBSD.ORG Thu Jun 4 20:15:35 2009
From: Oliver Pinter <oliver.pntr@gmail.com>
To: freebsd-security@freebsd.org
Date: Thu, 4 Jun 2009 22:15:34 +0200
Message-ID: <6101e8c40906041315t5b9c2b6ep4f35b2068586f2c3@mail.gmail.com>
Subject: OpenSSL DoS/PoC in milw0rm

the base system contains 0.9.8e and this PoC is affected up to 0.9.8i
not yet tested
the question is, is FreeBSD affected by this error/malware/PoC?
http://milw0rm.com/exploits/8873

From owner-freebsd-security@FreeBSD.ORG Thu Jun 4 21:47:00 2009
From: Pieter de Boer <pieter@thedarkside.nl>
To: Oliver Pinter
Cc: freebsd-security@freebsd.org
Date: Thu, 04 Jun 2009 23:46:55 +0200
Message-ID: <4A2840CF.6020209@thedarkside.nl>
In-Reply-To: <6101e8c40906041315t5b9c2b6ep4f35b2068586f2c3@mail.gmail.com>
Subject: Re: OpenSSL DoS/PoC in milw0rm

Oliver Pinter wrote:
> the base system contains 0.9.8e and this PoC is affected up to 0.9.8i
> not yet tested
> the question is, is FreeBSD affected by this error/malware/PoC?
> http://milw0rm.com/exploits/8873

(term1)
OpenSSL> version
OpenSSL 0.9.8e 23 Feb 2007
% openssl s_server -cert /usr/src/crypto/openssl/apps/server.pem -accept 1234 -dtls1
...

(term2)
% ./cve-2009-1386 localhost 1234
[+] Sending DTLS datagram of death at localhost:1234...
...

(term1)
zsh: segmentation fault (core dumped)  openssl s_server -cert /usr/src/crypto/openssl/apps/server.pem -accept 1234

GDB shows:

Program received signal SIGSEGV, Segmentation fault.
0x480fe28d in ssl3_do_change_cipher_spec () from /usr/lib/libssl.so.5
...
0x480fe28d :    mov    %eax,0xac(%edx)
...
(gdb) i r edx
edx            0x0      0

Looks vulnerable, but I had to force DTLS using the -dtls1 switch, so it
may not be much of an issue in most real world configurations?

-- 
Pieter

From owner-freebsd-security@FreeBSD.ORG Fri Jun 5 06:37:16 2009
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: Oliver Pinter
Cc: freebsd-security@freebsd.org
Date: Fri, 5 Jun 2009 10:37:10 +0400
In-Reply-To: <6101e8c40906041315t5b9c2b6ep4f35b2068586f2c3@mail.gmail.com>
Subject: Re: OpenSSL DoS/PoC in milw0rm

Thu, Jun 04, 2009 at 10:15:34PM +0200, Oliver Pinter wrote:
> the base system contains 0.9.8e and this PoC is affected up to 0.9.8i

There was a combined PR for the ports/base system OpenSSL,
  http://www.freebsd.org/cgi/query-pr.cgi?pr=134653

Probably a more complete patch for DTLS stuff,
  http://sctp.fh-muenster.de/dtls/dtls-bugs.patch
that additionally fixes MTU problems and other stuff can be integrated
into the base system as it was recently done with the security/openssl.

I am in ENOTIME now, so I'm not able to test these patches myself, sorry.
-- 
Eygene
 _                ___       _.--.   #
 \`.|\..----...-'`   `-._.-'_.-'`   #  Remember that it is hard
 /  ' `         ,       __.--'      #  to read the on-line manual
 )/' _/     \   `-_,   /            #  while single-stepping the kernel.
 `-'" `"\_  ,_.-;_.-\_ ',  fsc/as   #
     _.-'_./   {_.'   ; /           #  -- FreeBSD Developers handbook
    {_.-``-'         {_/            #

From owner-freebsd-security@FreeBSD.ORG Fri Jun 5 09:51:29 2009
From: Oliver Pinter <oliver.pntr@gmail.com>
To: rea-fbsd@codelabs.ru
Cc: freebsd-security@freebsd.org
Date: Fri, 5 Jun 2009 11:51:27 +0200
Message-ID: <6101e8c40906050251l6d744649ja6a051a807c860b8@mail.gmail.com>
Subject: Re: OpenSSL DoS/PoC in milw0rm

thanks for the fast reply, and the patch

On 6/5/09, Eygene Ryabinkin <rea-fbsd@codelabs.ru> wrote:
> Thu, Jun 04, 2009 at 10:15:34PM +0200, Oliver Pinter wrote:
>> the base system contains 0.9.8e and this PoC is affected up to 0.9.8i
>
> There was a combined PR for the ports/base system OpenSSL,
> http://www.freebsd.org/cgi/query-pr.cgi?pr=134653
>
> Probably a more complete patch for DTLS stuff,
> http://sctp.fh-muenster.de/dtls/dtls-bugs.patch
> that additionally fixes MTU problems and other stuff can be integrated
> into the base system as it was recently done with the security/openssl.
>
> I am in ENOTIME now, so I'm not able to test these patches myself, sorry.
> --
> Eygene

From owner-freebsd-security@FreeBSD.ORG Fri Jun 5 10:06:38 2009
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: Oliver Pinter
Cc: freebsd-security@freebsd.org
Date: Fri, 5 Jun 2009 14:06:34 +0400
In-Reply-To: <6101e8c40906050251l6d744649ja6a051a807c860b8@mail.gmail.com>
Subject: Re: OpenSSL DoS/PoC in milw0rm

Oliver, good day.

Fri, Jun 05, 2009 at 11:51:27AM +0200, Oliver Pinter wrote:
> thanks for the fast reply, and the patch

No problems. If you'll be messing with either of the patches, please,
report on your findings. Thanks!
-- 
Eygene
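The practical question Oliver opens the thread with (is the installed 0.9.8e inside the range the PoC claims, up to 0.9.8i?) and Pieter's caveat (the crash only reproduced with DTLS forced via -dtls1) can be turned into a host-side version check. The script below is an added example written for this archive page; it is not code from the thread, from OpenSSL or from the FreeBSD project. It assumes the pre-1.1 OpenSSL version scheme in which a trailing letter is a patch level (0.9.8 < 0.9.8a < ... < 0.9.8i < 0.9.8j, with 0.9.8za and later sorting after 0.9.8z), takes the range bounds exactly as Oliver states them, and treats "DTLS exposed" as an input the operator supplies rather than probing any service. The function names, the range constants and the verdict strings are this example's own.

```python
"""Check an OpenSSL version string against the range discussed in the thread.

Added example for the freebsd-security archive page; not code from the
thread, OpenSSL or FreeBSD. The affected range (0.9.8 releases up to 0.9.8i)
is taken from Oliver's first message as he stated it. Hypothetical helper
names; only the standard library is used.
"""
import re
import subprocess

# Matches the leading "major.minor.fix[letters]" of an OpenSSL version string,
# e.g. "0.9.8e" from "OpenSSL 0.9.8e 23 Feb 2007" (the date is ignored).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Turn 'OpenSSL 0.9.8e 23 Feb 2007' or '0.9.8e' into a sortable tuple.

    The letter suffix becomes an integer patch level: '' -> 0, 'a' -> 1, ...,
    'z' -> 26. Multi-letter suffixes ('za', 'zb') are read as base-26 digits,
    so 'za' (677) sorts after 'z' (26) and tuple comparison stays monotonic.
    """
    text = text.strip()
    if text.startswith("OpenSSL "):
        text = text[len("OpenSSL "):]
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError("not an OpenSSL version string: %r" % text)
    major, minor, fix = (int(m.group(i)) for i in (1, 2, 3))
    patch = 0
    for ch in m.group(4):
        patch = patch * 26 + (ord(ch) - ord("a") + 1)
    return (major, minor, fix, patch)


# Range bounds as stated in the thread (assumption: inclusive at both ends).
AFFECTED_MIN = parse_version("0.9.8")
AFFECTED_MAX = parse_version("0.9.8i")


def is_in_affected_range(version_text):
    """True when the version lies within [0.9.8, 0.9.8i]."""
    return AFFECTED_MIN <= parse_version(version_text) <= AFFECTED_MAX


def assess(version_text, dtls_enabled):
    """Combine the version check with the DTLS caveat from Pieter's message.

    dtls_enabled is supplied by the operator (e.g. from a service inventory);
    this function does not probe anything. Returns a short verdict string.
    """
    if not is_in_affected_range(version_text):
        return "not in the affected version range"
    if dtls_enabled:
        return "affected: vulnerable version with DTLS exposed"
    return "vulnerable library version, no DTLS listener recorded; patch anyway"


def installed_version():
    """Run 'openssl version' on this host; return its output or None if absent."""
    try:
        result = subprocess.run(["openssl", "version"], capture_output=True,
                                text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return result.stdout


if __name__ == "__main__":
    # Constructed sample inputs: the version Pieter reported, plus two others.
    for sample in ("OpenSSL 0.9.8e 23 Feb 2007", "0.9.8j", "1.0.0"):
        print(sample, "->", assess(sample, dtls_enabled=True))
    raw = installed_version()
    if raw is not None:
        print("this host:", raw.strip(), "->", assess(raw, dtls_enabled=False))
```

The range bounds are constants on purpose: a server inventory can feed parse_version() the string from each host's `openssl version` output and compare against whatever advisory range applies, and the DTLS flag keeps the exposure question (Pieter's point) separate from the version question (Oliver's).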