MS SSL vulnerable

Discussion in 'NZ Computing' started by Roger_Nickel, Feb 10, 2004.

  1. Roger_Nickel

    Roger_Nickel Guest

    The encryption library stores incoming data as fragments with a type
    description including an integer value for data length. A large value
    can wrap an integer pointer around and zero the memory heap size while
    allowing the original large value to be passed to the memcpy instruction
    and the heap is overwritten with arbitrary data. Microsoft have been
    sitting on this for six months. There is a thread on Slashdot.
     
    Roger_Nickel, Feb 10, 2004
    #1

  2. Nicholas Sherlock

    Roger_Nickel wrote:
    > The encryption library stores incoming data as fragments with a type
    > description including an integer value for data length. A large value
    > can wrap an integer pointer around and zero the memory heap size while
    > allowing the original large value to be passed to the memcpy

    Wrap around an integer!? You mean a fragment with a size greater than
    2147483647 bytes? (2gb)

    Cheers,
    Nicholas Sherlock
     
    Nicholas Sherlock, Feb 11, 2004
    #2

  3. Roger_Nickel

    Roger_Nickel Guest

    Nicholas Sherlock wrote:
    > Roger_Nickel wrote:
    >
    >> The encryption library stores incoming data as fragments with a type
    >> description including an integer value for data length. A large value
    >> can wrap an integer pointer around and zero the memory heap size while
    >> allowing the original large value to be passed to the memcpy
    >
    > Wrap around an integer!? You mean a fragment with a size greater than
    > 2147483647 bytes? (2gb)
    >
    > Cheers,
    > Nicholas Sherlock

    Maybe not; my reading is that an integer pointer contained in the data
    header and representing the data length is wrapped around when
    incremented by the library, but that the original (non-incremented)
    value passed to memcpy keeps its original value. It may be that the
    encryption library program does not even bother to check that the size
    claimed in the header matches the size of the data fragment. Either way,
    it seems a stupid mistake, and in the encryption/authentication library
    at that.
     
    Roger_Nickel, Feb 11, 2004
    #3
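The mechanism described in the first post (a declared length that wraps when the library adds its header size, leaving a near-zero heap allocation while the original length survives for the copy) and the check the third post suspects is missing (declared length versus bytes actually received) can be illustrated together. The following is an added example written for this thread, not code from the library being discussed; the fragment layout (one type byte, a 4-byte little-endian length, then payload) is an assumption made purely for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed fragment layout for illustration only (not the real
 * library's wire format): 1 type byte, 4-byte little-endian declared
 * length, then payload. */
#define FRAG_HDR_LEN 5u

/* The flawed arithmetic the thread describes: the allocation size is the
 * declared length plus the header, computed in 32 bits. A declared length
 * near UINT32_MAX wraps the sum to 0 (or a tiny number), so the heap block
 * is far smaller than the length a later memcpy would be handed. */
uint32_t unchecked_alloc_size(uint32_t declared_len) {
    return declared_len + FRAG_HDR_LEN;   /* silently wraps */
}

/* Hardened parser: reject a declared length that would wrap the sum, and
 * reject one larger than the bytes actually received (the check the third
 * post suspects is missing). Returns 0 and fills the outputs on success,
 * -1 on rejection, and never touches the heap. */
int parse_fragment(const uint8_t *buf, size_t buf_len,
                   uint32_t *payload_len, size_t *alloc_size) {
    if (buf_len < FRAG_HDR_LEN) return -1;                 /* truncated header */
    uint32_t declared = (uint32_t)buf[1] | ((uint32_t)buf[2] << 8) |
                        ((uint32_t)buf[3] << 16) | ((uint32_t)buf[4] << 24);
    if (declared > UINT32_MAX - FRAG_HDR_LEN) return -1;   /* sum would wrap */
    if (declared > buf_len - FRAG_HDR_LEN) return -1;      /* claims more than received */
    *payload_len = declared;
    *alloc_size = (size_t)declared + FRAG_HDR_LEN;
    return 0;
}

/* Constructed sample fragments. */
static const uint8_t kGoodFrag[]  = {0x17, 3, 0, 0, 0, 'a', 'b', 'c'};
static const uint8_t kWrapFrag[]  = {0x17, 0xFB, 0xFF, 0xFF, 0xFF};      /* declares 0xFFFFFFFB */
static const uint8_t kLyingFrag[] = {0x17, 9, 0, 0, 0, 'a', 'b', 'c'};   /* declares 9, sends 3 */

int main(void) {
    uint32_t p; size_t a;
    printf("wrapped alloc size for 0xFFFFFFFB: %u\n", unchecked_alloc_size(0xFFFFFFFBu));
    printf("good:  %d\n", parse_fragment(kGoodFrag, sizeof kGoodFrag, &p, &a));
    printf("wrap:  %d\n", parse_fragment(kWrapFrag, sizeof kWrapFrag, &p, &a));
    printf("lying: %d\n", parse_fragment(kLyingFrag, sizeof kLyingFrag, &p, &a));
    return 0;
}
```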
