Vigil@nce - OpenSSL: memory corruption via CMS
June 2010 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
When an application parses CMS data, an attacker can corrupt its memory
in order to cause a denial of service or to execute code.
Severity: 2/4
Creation date: 02/06/2010
DESCRIPTION OF THE VULNERABILITY
The CMS (Cryptographic Message Syntax) format is used to represent a
signed or encrypted document (RFC 2630, 3369 and 3852, now RFC 5652).
CMS is the successor of PKCS#7 (RFC 2315).
CMS is compiled in by default in OpenSSL 1.0.0. In OpenSSL 0.9.8h to
0.9.8n, CMS is optional: it is only built when the enable-cms configure
option is used. The fix is shipped in OpenSSL 0.9.8o and 1.0.0a.
The CMS OriginatorInfo field, present in EnvelopedData and
AuthenticatedData, carries certificates and CRLs. Due to a typographic
error in the ASN.1 template, the OriginatorInfo fields are decoded
using the layout of the SignedData structure. Data are thus written to
an invalid memory address, or the same memory is freed twice.
An attacker can therefore submit a CMS message containing a crafted
OriginatorInfo to an application that parses CMS, in order to create a
denial of service or to execute code.
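As an added example, not code from the Vigil@nce bulletin or from OpenSSL, the following DER walker reports whether a CMS ContentInfo is an EnvelopedData or AuthenticatedData that carries the optional originatorInfo field, i.e. the structure the vulnerable parser mishandles. This lets a mail gateway or file scanner flag such messages ahead of patching. The sample messages are constructed inline; their recipient and ciphertext fields are placeholders, not a decryptable message, and the helper names (tlv, read_tlv, has_originator_info, build_enveloped_data) are this example's own.

```python
"""Detect the CMS OriginatorInfo field in a DER-encoded ContentInfo.

Added example, not from the bulletin or from OpenSSL. Walks just enough
ASN.1/DER to see whether an EnvelopedData or AuthenticatedData carries
originatorInfo [0]. Sample inputs below are constructed for the demo.
"""
import sys

# Content-type OIDs from RFC 5652.
ID_DATA = "1.2.840.113549.1.7.1"
ID_SIGNED_DATA = "1.2.840.113549.1.7.2"
ID_ENVELOPED_DATA = "1.2.840.113549.1.7.3"
ID_AUTHENTICATED_DATA = "1.2.840.113549.1.9.16.1.2"
# Only these two content types define an originatorInfo field.
TYPES_WITH_ORIGINATOR_INFO = {ID_ENVELOPED_DATA, ID_AUTHENTICATED_DATA}


def der_len(n):
    """Encode a DER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    """Encode one tag-length-value element (single-byte tags only)."""
    return bytes([tag]) + der_len(len(body)) + body


def read_tlv(buf, pos):
    """Decode the element at buf[pos]; return (tag, value, position after it).
    Every length is checked against the buffer, so a truncated or oversized
    length field raises instead of reading out of bounds."""
    if pos >= len(buf):
        raise ValueError("unexpected end of data")
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags are not needed for CMS")
    pos += 1
    if pos >= len(buf):
        raise ValueError("missing length byte")
    first = buf[pos]
    pos += 1
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("element length runs past the end of the buffer")
    return tag, buf[pos:end], end


def encode_oid(dotted):
    """Encode a dotted OID string as DER OBJECT IDENTIFIER content bytes."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]          # base-128, last byte has high bit clear
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def decode_oid(body):
    """Decode DER OBJECT IDENTIFIER content bytes to a dotted string."""
    if not body or body[-1] & 0x80:
        raise ValueError("truncated OID")
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in [arcs[0] // 40, arcs[0] % 40] + arcs[1:])


def has_originator_info(der):
    """True if the ContentInfo wraps an EnvelopedData or AuthenticatedData
    whose optional originatorInfo [0] field is present."""
    tag, content_info, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("ContentInfo must be a SEQUENCE")
    tag, oid_body, pos = read_tlv(content_info, 0)
    if tag != 0x06:
        raise ValueError("ContentInfo.contentType must be an OBJECT IDENTIFIER")
    if decode_oid(oid_body) not in TYPES_WITH_ORIGINATOR_INFO:
        return False                  # SignedData & co. have no originatorInfo
    tag, explicit, _ = read_tlv(content_info, pos)
    if tag != 0xA0:
        raise ValueError("ContentInfo.content must be [0] EXPLICIT")
    tag, body, _ = read_tlv(explicit, 0)
    if tag != 0x30:
        raise ValueError("content must be a SEQUENCE")
    tag, _version, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version must be an INTEGER")
    # In both structures originatorInfo [0] IMPLICIT OPTIONAL directly follows
    # version; an implicitly tagged SEQUENCE is the constructed context tag 0xA0.
    tag, _, _ = read_tlv(body, pos)
    return tag == 0xA0


def build_enveloped_data(with_originator_info):
    """Constructed sample EnvelopedData; recipient and ciphertext are placeholders."""
    version = tlv(0x02, b"\x02" if with_originator_info else b"\x00")
    # OriginatorInfo [0] IMPLICIT { certs [0] IMPLICIT CertificateSet },
    # with an empty SEQUENCE standing in for a real Certificate.
    originator_info = tlv(0xA0, tlv(0xA0, tlv(0x30, b"")))
    recipient_infos = tlv(0x31, tlv(0x30, tlv(0x02, b"\x00")))   # placeholder RecipientInfo
    aes128_cbc = tlv(0x30, tlv(0x06, encode_oid("2.16.840.1.101.3.4.1.2")) + tlv(0x04, bytes(16)))
    encrypted_content_info = tlv(0x30, tlv(0x06, encode_oid(ID_DATA)) + aes128_cbc + tlv(0x80, bytes(16)))
    fields = version + (originator_info if with_originator_info else b"") + recipient_infos + encrypted_content_info
    return tlv(0x30, tlv(0x06, encode_oid(ID_ENVELOPED_DATA)) + tlv(0xA0, tlv(0x30, fields)))


def build_signed_data_stub():
    """Constructed sample: a SignedData shell, a type with no originatorInfo at all."""
    return tlv(0x30, tlv(0x06, encode_oid(ID_SIGNED_DATA)) + tlv(0xA0, tlv(0x30, tlv(0x02, b"\x01"))))


if __name__ == "__main__":
    if len(sys.argv) == 1:
        for name, der in (("with-originatorinfo", build_enveloped_data(True)),
                          ("without", build_enveloped_data(False)),
                          ("signeddata", build_signed_data_stub())):
            print(name, has_originator_info(der))
    for path in sys.argv[1:]:            # DER files given on the command line
        with open(path, "rb") as f:
            print(path, has_originator_info(f.read()))
```

The walker expects raw DER; an S/MIME message carries the CMS object base64-encoded in its body, so decode that first. A positive result only means the message contains the structure the affected parser mishandles, which legitimate originators rarely use, so it is a reasonable quarantine criterion on unpatched hosts rather than proof of an attack.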
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/OpenSSL-memory-corruption-via-CMS-9680