Triggering this requires that the client sets a very large ALPN list (several thousand bytes). This would be very unusual in a real-world application. For this reason OpenSSL does not treat this as a security vulnerability and I am inclined to agree with this decision. However, if an attacker can somehow influence the ALPN list of an OpenSSL-enabled application (perhaps through another vulnerability), the attacker can write arbitrary data past OpenSSL's heap buffer.

    openssl s_client -reconnect -status -alpn `python -c "import sys; sys.stdout.write('x,'*4000+'x')"`

If the server sends a session ticket with a special length (16022 bytes), the client will crash. More technical details here: http://ift.tt/2dpFiYx
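As an added illustration (not part of the original post or of OpenSSL), the following Python builds a minimal ClientHello and measures the ALPN extension it carries, so a server-side monitor can flag lists far larger than real clients send, which is the precondition described above. The 256-byte threshold and the constructed ClientHello layout are assumptions for the example.

```python
import struct

ALPN_EXT_TYPE = 16          # ALPN extension id (RFC 7301)
MAX_SANE_ALPN_BYTES = 256   # assumed policy threshold; real ALPN lists are a few dozen bytes

def build_client_hello(alpn_protocols):
    """Constructed minimal TLS 1.2 ClientHello carrying only an ALPN extension."""
    protos = b"".join(bytes([len(p)]) + p for p in alpn_protocols)
    alpn_body = struct.pack("!H", len(protos)) + protos
    ext = struct.pack("!HH", ALPN_EXT_TYPE, len(alpn_body)) + alpn_body
    body = (b"\x03\x03" + b"\x00" * 32           # client_version + random
            + b"\x00"                             # empty session id
            + b"\x00\x02\xc0\x2f"                 # one cipher suite
            + b"\x01\x00"                         # null compression only
            + struct.pack("!H", len(ext)) + ext)  # extensions block
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake: client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def alpn_extension_size(record):
    """Return (alpn_extension_length, protocol_count) for a ClientHello record, else None."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    pos = 34                                               # skip version + random
    pos += 1 + body[pos]                                   # session id
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")    # cipher suites
    pos += 1 + body[pos]                                   # compression methods
    if pos + 2 > len(body):
        return None                                        # no extensions present
    ext_end = min(len(body), pos + 2 + int.from_bytes(body[pos:pos + 2], "big"))
    pos += 2
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        if etype == ALPN_EXT_TYPE:
            count, i = 0, 2                                # skip the 2-byte list length
            while i < len(data):
                i += 1 + data[i]                           # each entry: length byte + name
                count += 1
            return elen, count
        pos += 4 + elen
    return None

def flag_oversized_alpn(record, limit=MAX_SANE_ALPN_BYTES):
    """True when the ClientHello's ALPN extension exceeds the policy limit."""
    info = alpn_extension_size(record)
    return info is not None and info[0] > limit
```

The list produced by `'x,'*4000+'x'` becomes 4001 one-byte entries, so its ALPN extension is thousands of bytes and is flagged, while a normal `h2, http/1.1` list is not.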
Source: Gmail -> IFTTT-> Blogger