Wednesday, April 9, 2003

Upgrade your OpenSSL!

It's time to, once again, upgrade your code. The KEY_ARG overflow in OpenSSL versions 0.9.6d and prior now has a nasty exploit that anyone can use (hey, if I can use it, it's easy). We looked at OpenSSL-Uzi during Tuesday night's security class and all agree that it's something that shouldn't be in script kiddie hands. (What legitimate reason can you have for opening a clear-text shell on a remote machine?)

On the plus side: included in the tarball is a scanner to determine if (a|your) web server is vulnerable. You should, at least, compile that one and test your servers.
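As an added example (mine, not the scanner shipped in the exploit tarball), here is an offline first-pass check for the "0.9.6d and prior" cutoff the post gives, run over constructed mod_ssl Server banners. It assumes the letter suffix orders releases within a patch line ("" < "a" < "b" ...) and that a banner check is only triage, since vendors backport fixes without changing the advertised version.

```python
import re

# Highest affected release named in the post: 0.9.6d and prior.
# Assumption: the letter suffix orders releases within a patch line, "" < "a" < "b" ...
LAST_VULNERABLE = (0, 9, 6, "d")

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_openssl_version(text):
    """Return (major, minor, patch, letter) for the first OpenSSL-style version in text, else None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def is_key_arg_vulnerable(version):
    """True when the parsed version is 0.9.6d or earlier (the range the post describes)."""
    return version <= LAST_VULNERABLE


def check_server_banner(server_header):
    """Report the OpenSSL build an HTTP Server header advertises.

    Returns (version_string, vulnerable) or None when no OpenSSL version is advertised.
    Caveat: distributions that backport the fix keep the old version string, so a hit here
    is a reason to verify the package, not proof; a silent banner is not proof of safety either.
    """
    m = re.search(r"OpenSSL/(\d+\.\d+\.\d+[a-z]?)", server_header)
    if not m:
        return None
    return (m.group(1), is_key_arg_vulnerable(parse_openssl_version(m.group(1))))


# Constructed sample banners; not captured from any real host.
SAMPLE_BANNERS = [
    "Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6d",
    "Apache/1.3.27 (Unix) mod_ssl/2.8.12 OpenSSL/0.9.6g",
    "Apache/2.0.44 (Unix) mod_ssl/2.0.44 OpenSSL/0.9.7a",
    "Apache/1.3.20 (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6",
    "Apache/1.3.27 (Unix)",  # no OpenSSL version advertised
]


def triage(banners=SAMPLE_BANNERS):
    """Map each banner to its check result so a list of Server headers can be triaged in one pass."""
    return {b: check_server_banner(b) for b in banners}


if __name__ == "__main__":
    for banner, result in triage().items():
        print(banner, "->", result)
```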

Initial impressions:

  • The exploit is targeted at various OpenSSL versions hosted on various Linux distributions.
  • The exploit comes with 22 precalculated offsets for those versions.
  • The README file has a basic explanation of how the exploit works.
  • The shell obtained works nicely, though it takes some getting "used to" as there are no environment variables attached to the shell (more doesn't work, vi doesn't work, etc.).
  • The entire session is clear-text, so it might be detected/hijacked with the proper tools (something to look at?). (How about a Snort sig?)

Note: Since I wrote this last weekend, I've found a derivative of OpenSSL-Uzi called OpenFuck and a second version of it. Each is based on Uzi's code but includes the offsets for a lot more distributions (and not only Linux!).

Anyone have anything to add?
