Openssl proof of concept code?

From: Lachniet, Mark (mlachniet@sequoianet.com)
Date: Thu Jan 08 2004 - 15:46:21 EST

• Next message: R. DuFresne: "Re: VMWare and which linux distro?"
• Previous message: Andrew Lancashire: "Re: l0phtcrack under wine - successful"
• Next in thread: Bram Matthys (Syzop): "Re: Openssl proof of concept code?"
• Reply: Bram Matthys (Syzop): "Re: Openssl proof of concept code?"
• Reply: Ivan Arce: "Re: Openssl proof of concept code?"
• Reply: John Lampe: "Re: [Full-Disclosure] Openssl proof of concept code?"
• Maybe reply: David Kennedy CISSP: "Re: Openssl proof of concept code?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Please excuse the cross-post, and please forgive me if I am missing
something that I should have found through conventional sources.

A few months ago, there were issues with the openssl code base, as noted
on bugtraq and in the following URLs:
http://www.openssl.org/news/secadv_20031104.txt and
http://www.openssl.org/news/secadv_20030930.txt. It was stated that
these flaws were found using a test suite from NISCC (www.niscc.gov.uk).
However, this toolkit is apparently not publicly available (you need to
be a SSL developer?), and I find no record of a proof of concept test
for this vulnerability. Given that a large number of vendors use this
code base in their products it is no surprise that there are a lot of
products that needed updates. However, I'm not convinced that every
vendor has actually "come clean" about their vulnerability to these
problems.

Is anyone aware of a reasonable way for an analyst to definitively
demonstrate if the vulnerabilities exist in a particular product? Since
some of the bugs deal with bad client certificates, some might be as
easy as getting a copy of a "bad" client certificate and connecting to
the server using a program such as stunnel, but I have yet to see
anything about this. Alternately, has anyone written a good program to
remotely identify what SSL codebase is in use, other than looking for it
in HTTP server headers? Nessus' ssltest.nasl can allegedly distinguish
between a openssl and MS CryptoAPI or Novell, but this isn't really
enough in my opinion. If conventional tools (i.e. Nessus and other
scanners) can't really fingerprint it, how might one go a little further
and determine this from a "black box" perspective? I understand that
with a good deal of development time and effort, this can probably be
done, but this is probably not realistic for most organizations to do on
their own.

Its been a while now, and responsible vendors should have already issued
patches. Also, since there is no proof of concept, that I am aware of
anyway, it seems to me that there is still some exposure from these bugs
that people may not be aware of. It would be nice to have a test so
that people could better gauge their exposure. Can anyone offer a
reasonable solution to this problem?

Thanks,

Mark Lachniet

---------------------------------------------------------------------------
----------------------------------------------------------------------------

• Next message: R. DuFresne: "Re: VMWare and which linux distro?"
• Previous message: Andrew Lancashire: "Re: l0phtcrack under wine - successful"
• Next in thread: Bram Matthys (Syzop): "Re: Openssl proof of concept code?"
• Reply: Bram Matthys (Syzop): "Re: Openssl proof of concept code?"
• Reply: Ivan Arce: "Re: Openssl proof of concept code?"
• Reply: John Lampe: "Re: [Full-Disclosure] Openssl proof of concept code?"
• Maybe reply: David Kennedy CISSP: "Re: Openssl proof of concept code?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:45 EDT