xorl %eax, %eax

CVE-2009-1386: OpenSSL DTLS ChangeCipherSpec NULL Pointer Dereference

with 2 comments

This vulnerability was reported by Alex Lam on 23 May 2008. The bug affects OpenSSL 0.9.8 release up to 0.9.8i where it was fixed. Here is the buggy routine from 0.9.8h release:

int ssl3_do_change_cipher_spec(SSL *s)
        int i;
        const char *sender;
        int slen;
if (s->state & SSL_ST_ACCEPT)

        if (s->s3->tmp.key_block == NULL)
                if (!s->method->ssl3_enc->setup_key_block(s)) return(0);

If this function gets called from dtls1_read_bytes() with argument SSL_F_DTLS1_READ_BYTES, it will result in a pointer dereference when it attempts to execute:

s->session->cipher = s->s3->tmp.new_cipher;

This will happen because s->session will not be set (it will be NULL) since SSL_F_DTLS1_READ_BYTES is not defined in ssl3_do_change_cipher_spec. To fix this, they applied the following patch:

     if (s->s3->tmp.key_block == NULL)
+        if (s->session == NULL)
+            {
+            /* might happen if dtls1_read_bytes() calls this */
+            return (0);
+            }
         if (!s->method->ssl3_enc->setup_key_block(s)) return(0);

Written by xorl

June 3, 2009 at 13:59

Posted in vulnerabilities

2 Responses

Subscribe to comments with RSS.

  1. the code is much more readable now =) thx


    June 3, 2009 at 20:26

  2. This one’s easy to trigger, just send the following datagram to the target:


    Jon Oberheide

    June 3, 2009 at 21:31

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s