Autor
Tengo muchas dudas sobre el mundillo de los exploits, por lo que he podido leer hasta ahora los exploits suelen venir con un "how to use.." pues bien.. es MENTIRA xD.. yo programo solo en VB, PHP y algo en JS pero a estos niveles me pierdo, se supone que este exploit debo compilarlo en C por ejemplo con Dev c++ y luego ejecutarlo? buala? sitio defaced? no lo entiendo muy bien...
un saludo.
Código:
=============================================================
OpenSSL < 0.9.8l and previous versions Multiple Vulnerability
=============================================================
SecurityRisk : High Security Risk High (About)
Arrow Remote Exploit : Yes
Arrow Local Exploit : No
Arrow Victim interaction required : No
Arrow Exploit Available : Yes
Arrow Credit : Bodo Moeller
Arrow Published : 09.03.2010
Arrow Affected Software : openssl:openssl:0.9.8l and previous versions
openssl:openssl:0.9.8k
openssl:openssl:0.9.8j
openssl:openssl:0.9.8i
openssl:openssl:0.9.8h
openssl:openssl:0.9.8g
openssl:openssl:0.9.8f
openssl:openssl:0.9.8e
openssl:openssl:0.9.8d
openssl:openssl:0.9.8c
openssl:openssl:0.9.8b
openssl:openssl:0.9.8a
openssl:openssl:0.9.8
OpenSSL CVS Repository
http://cvs.openssl.org/
___________________________________________________________________________
_
Server: cvs.openssl.org Name: Bodo Moeller
Root: /v/openssl/cvs Email: bodo@openssl.org
Module: openssl Date: 23-Feb-2010 11:36:41
Branch: OpenSSL_0_9_8-stable Handle: 2010022310363902
Modified files: (Branch: OpenSSL_0_9_8-stable)
openssl CHANGES
openssl/crypto/bn bn_div.c bn_gf2m.c
openssl/crypto/ec ec2_smpl.c
openssl/engines e_ubsec.c
Log:
Always check bn_wexpend() return values for failure (CVE-2009-3245).
(The CHANGES entry covers the change from PR #2111 as well, submitted
by
Martin Olsson.)
Submitted by: Neel Mehta
Summary:
Revision Changes Path
1.1238.2.189+3 -0 openssl/CHANGES
1.37.2.9 +1 -1 openssl/crypto/bn/bn_div.c
1.18.2.3 +2 -1 openssl/crypto/bn/bn_gf2m.c
1.14.2.2 +6 -4 openssl/crypto/ec/ec2_smpl.c
1.13.2.4 +2 -2 openssl/engines/e_ubsec.c
___________________________________________________________________________
_
patch -p0 <<'@@ .'
Index: openssl/CHANGES
===========================================================================
=
$ cvs diff -u -r1.1238.2.188 -r1.1238.2.189 CHANGES
--- openssl/CHANGES 19 Feb 2010 18:25:37 -0000 1.1238.2.188
+++ openssl/CHANGES 23 Feb 2010 10:36:39 -0000 1.1238.2.189
@@ -4,6 +4,9 @@
Changes between 0.9.8l and 0.9.8m [xx XXX xxxx]
+ *) Always check bn_wexpend() return values for failure.
(CVE-2009-3245)
+ [Martin Olsson, Neel Mehta]
+
*) Fix X509_STORE locking: Every 'objs' access requires a lock (to
accommodate for stack sorting, always a write lock!).
[Bodo Moeller]
@@ .
patch -p0 <<'@@ .'
Index: openssl/crypto/bn/bn_div.c
===========================================================================
=
$ cvs diff -u -r1.37.2.8 -r1.37.2.9 bn_div.c
--- openssl/crypto/bn/bn_div.c 17 Jun 2009 11:26:39 -0000 1.37.2.8
+++ openssl/crypto/bn/bn_div.c 23 Feb 2010 10:36:41 -0000 1.37.2.9
@@ -102,7 +102,7 @@
/* The next 2 are needed so we can do a dv->d<A NAME="-0"></A>[0]|=1
later
* since BN_lshift1 will only work once there is a value :-) */
BN_zero(dv);
- bn_wexpand(dv,1);
+ if(bn_wexpand(dv,1) == NULL) goto end;
dv->top=1;
if (!BN_lshift(D,D,nm-nd)) goto end;
@@ .
patch -p0 <<'@@ .'
Index: openssl/crypto/bn/bn_gf2m.c
===========================================================================
=
$ cvs diff -u -r1.18.2.2 -r1.18.2.3 bn_gf2m.c
--- openssl/crypto/bn/bn_gf2m.c 23 Jun 2008 20:46:28 -0000 1.18.2.2
+++ openssl/crypto/bn/bn_gf2m.c 23 Feb 2010 10:36:41 -0000 1.18.2.3
@@ -294,7 +294,8 @@
if (a->top < b->top) { at = b; bt = a; }
else { at = a; bt = b; }
- bn_wexpand(r, at->top);
+ if(bn_wexpand(r, at->top) == NULL)
+ return 0;
for (i = 0; i < bt->top; i++)
{
@@ .
patch -p0 <<'@@ .'
Index: openssl/crypto/ec/ec2_smpl.c
===========================================================================
=
$ cvs diff -u -r1.14.2.1 -r1.14.2.2 ec2_smpl.c
--- openssl/crypto/ec/ec2_smpl.c 13 Mar 2006 23:12:07 -0000 1.14.2.1
+++ openssl/crypto/ec/ec2_smpl.c 23 Feb 2010 10:36:41 -0000 1.14.2.2
@@ -174,8 +174,10 @@
dest->poly<A NAME="-2"></A>[2] = src->poly[2];
dest->poly<A NAME="-3"></A>[3] = src->poly[3];
dest->poly<A NAME="-4"></A>[4] = src->poly[4];
- bn_wexpand(&dest->a, (int)(dest->poly[0] + BN_BITS2 - 1) / BN_BITS2);
- bn_wexpand(&dest->b, (int)(dest->poly[0] + BN_BITS2 - 1) / BN_BITS2);
+ if(bn_wexpand(&dest->a, (int)(dest->poly[0] + BN_BITS2 - 1) / BN_BITS2)
== NULL)
+ return 0;
+ if(bn_wexpand(&dest->b, (int)(dest->poly[0] + BN_BITS2 - 1) / BN_BITS2)
== NULL)
+ return 0;
for (i = dest->a.top; i < dest->a.dmax; i++) dest->a.d[i] = 0;
for (i = dest->b.top; i < dest->b.dmax; i++) dest->b.d[i] = 0;
return 1;
@@ -199,12 +201,12 @@
/* group->a */
if (!BN_GF2m_mod_arr(&group->a, a, group->poly)) goto err;
- bn_wexpand(&group->a, (int)(group->poly[0] + BN_BITS2 - 1) /
BN_BITS2);
+ if(bn_wexpand(&group->a, (int)(group->poly[0] + BN_BITS2 - 1) /
BN_BITS2) == NULL) goto err;
for (i = group->a.top; i < group->a.dmax; i++) group->a.d[i] = 0;
/* group->b */
if (!BN_GF2m_mod_arr(&group->b, b, group->poly)) goto err;
- bn_wexpand(&group->b, (int)(group->poly[0] + BN_BITS2 - 1) /
BN_BITS2);
+ if(bn_wexpand(&group->b, (int)(group->poly[0] + BN_BITS2 - 1) /
BN_BITS2) == NULL) goto err;
for (i = group->b.top; i < group->b.dmax; i++) group->b.d[i] = 0;
ret = 1;
@@ .
patch -p0 <<'@@ .'
Index: openssl/engines/e_ubsec.c
===========================================================================
=
$ cvs diff -u -r1.13.2.3 -r1.13.2.4 e_ubsec.c
--- openssl/engines/e_ubsec.c 6 Sep 2007 12:43:53 -0000 1.13.2.3
+++ openssl/engines/e_ubsec.c 23 Feb 2010 10:36:41 -0000 1.13.2.4
@@ -934,7 +934,7 @@
priv_key = BN_new();
if (priv_key == NULL) goto err;
priv_key_len = BN_num_bits(dh->p);
- bn_wexpand(priv_key, dh->p->top);
+ if(bn_wexpand(priv_key, dh->p->top) == NULL) goto err;
do
if (!BN_rand_range(priv_key, dh->p)) goto err;
while (BN_is_zero(priv_key));
@@ -949,7 +949,7 @@
{
pub_key = BN_new();
pub_key_len = BN_num_bits(dh->p);
- bn_wexpand(pub_key, dh->p->top);
+ if(bn_wexpand(pub_key, dh->p->top) == NULL) goto err;
if(pub_key == NULL) goto err;
}
else
@@ .
En línea
