-=[ Advanced Information Security Corporation ]=-
-----------------------------------------------------------------------------------
Author: Nicholas Lemonias
Type: Security Audit Notes
Date: 07/3/2015
Email: lem.nikolas@xxxxxxxxx
Audit: OpenSSL v1.0.2 (22nd of January, 2015 Release)
-----------------------------------------------------------------------------------
Introduction
==========
During a source-code audit of the OpenSSL v1.0.2 implementation for
Linux; conducted internally by the Advanced Information Security
Group, instances of deprecated function use, were observed in relation
to the GHOST vulnerability (CVE-2015-0235). However this may not be a
direct vulnerability in the way the SSL/TLS protocol functions, the
OpenSSL implementation is impacted, leaving systems subtle to attacks.
The issue stems from a heap based buffer overflow in the
__nss_hostname_digits_dots() function in glibc and which subsequently
affects the _gethostbyname as per the (CVE-2015-0235). [1] [2]
Software Overview
===============
OpenSSL is an open-source implementation of the SSL and TLS protocol.
The core library is written in the C Language, and implements basic
cryptographic functions, and
also provides various utility functions. Implementation versions are
available for most
UNIX-like operating systems (including Solaris,Linux, Mac OS X and the
various open-
source BSD operating systems), OpenVMS and
Microsoft Windows. IBM provides a port for the System i (OS/400).
OpenSSL is based on SSLeay by Eric Andrew Young and Tim Hudson,
development of which unofficially ended on December 17, 1998, when
Young and Hudson both started to work for RSA Security
.
Vulnerability
===============
Software that make use of _gethostbyname()
are affected ( when glibc 2.2 through to 2.17 is used).
The issues stem from a heap-based buffer overflow in the
__nss_hostname_digits_dots() function in glibc, and which subsequently
affects the _gethostbyname family.
Therefore, this security note is to inform OpenSSL users and service,
since many Linux distributions have still not backported an upgrade
for the GHOST vulnerability for their distros, thus constituing the
OpenSSL v1.0.2 implementation for Linux a point of intrusion.
PoC - Code Snippet
========================
(.../crypto/bio/b_sock.c)
{ Line 114 - 148 }
int BIO_get_host_ip(const char *str, unsigned char *ip)
{
int i;
int err = 1;
int locked = 0;
struct hostent *he; /* vulnerable structure */
i = get_ip(str, ip);
if (i < 0) {
BIOerr(BIO_F_BIO_GET_HOST_IP, BIO_R_INVALID_IP_ADDRESS);
goto err;
}
/*
* At this point, we have something that is most probably correct in some
* way, so let's init the socket.
*/
if (BIO_sock_init() != 1)
return 0; /* don't generate another error code here */
/*
* If the string actually contained an IP address, we need not do
* anything more
*/
if (i > 0)
return (1);
/* do a gethostbyname */
CRYPTO_w_lock(CRYPTO_LOCK_GETHOSTBYNAME);
locked = 1;
he = BIO_gethostbyname(str); /* affected gethostbyname function*/
if (he == NULL) {
BIOerr(BIO_F_BIO_GET_HOST_IP, BIO_R_BAD_HOSTNAME_LOOKUP);
goto err;
}
--------------------------[Continue]--------------------------------------------------------------
{ Lines 374 - 379 }
struct hostent *BIO_gethostbyname(const char *name) /* affected code */
{
# if 1
/*
* Caching gethostbyname() results forever is wrong, so we have to let
* the true gethostbyname() worry about this
*/
# if (defined(NETWARE_BSDSOCK) && !defined(__NOVELL_LIBC__))
return gethostbyname((char *)name);
# else
return gethostbyname(name); /* affected code */
# endif
# else
struct hostent *ret;
int i, lowi = 0, j;
unsigned long low = (unsigned long)-1;
(.../apps/s_server.c)
===============
When a BIO_do_connect() is issued by a client and the reverse dns
procedure fails the following error occurs on the server side:
gethostbyname failure
0 items in the session cache
0 client connects (SSL_connect())
0 client renegotiates (SSL_connect())
0 client connects that finished
0 server accepts (SSL_accept())
0 server renegotiates (SSL_accept())
0 server accepts that finished
0 session cache hits
0 session cache misses
0 session cache timeouts
0 callback cache hits
0 cache full overflows
(.../apps/s_client.c)
===============
openssltest@shell:~$ openssl s_client -connect 0x1337.1337.12883.us:5061
gethostbyname failure
connect:errno=0
openssltest@shell:~$
Appendice
==========
Sincere Thanks to the OpenSSL team for their feedback.
The heap overflow can affect OpenSSL implementations when an unpatched
version of glibc is use. However, while Redhat and other major
distributions have issued a fix for (CVE-2015-0235) recently, many
others failed to backport an upgrade, as of yet.
References
==========
[1] CVE Mitre (2015). March 2015 CVE Mitre - CVE-2015-0235 [Online]
Available at: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235
[Last Accessed 7 Mar. 2015]
[2] NVD Website (2015). March 2015. National Vulnerability Database
(NVD) | CVE-2015-0235 [Online] Available at:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0235 [Last
Accessed 7 Mar. 2015]
