Status: New
Owner: ----
Labels: Type-Defect Priority-Medium
New issue 158 by anders.kaseorg: Invalid characters in SNI hostname are replaced with uninitialized memory (possible privilege escalation vulnerability)
http://code.google.com/p/shellinabox/issues/detail?id=158
sslSNICallback has a loop to skip over copying invalid characters from the
client-provided hostname. However, nothing else initializes those
characters if they are skipped. So it could still be possible for a
sufficiently clever attacker who understands how malloc() lays out the heap
to insert malicious characters into the hostname string.
This hostname string is later passed to system() without further filtering,
so this vulnerability could be used to execute arbitrary shell code.
I’ve attached a patch to ignore hostnames containing invalid characters,
and another patch to invoke openssl directly with fork+exec to avoid the
possibility of shell code injection in the filename.
Attachments:
0001-sslSNICallback-Properly-disallow-invalid-characters.patch 1.3 KB
0002-sslGenerateCertificate-Don-t-use-the-shell.patch 2.5 KB
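The two fixes the report describes, as an added example written for this page (not code from the issue's patches or from shellinabox): a copy routine that rejects a hostname containing any invalid byte instead of skipping the byte (so the destination buffer is either fully written or never handed back), and a fork+exec wrapper that passes the hostname as a single argv element rather than interpolating it into a shell command line. The character set, the length bound, the `--hostname` flag and the program paths are assumptions for illustration only.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed policy: letters, digits, '-' and '.' only (ASCII, "C" locale). */
#define MAX_SNI_LEN 253  /* DNS name length limit, used as a sanity bound */

static int sni_char_ok(unsigned char c) {
    return isalnum(c) || c == '-' || c == '.';
}

/* Returns a malloc()ed, NUL-terminated copy of the first `len` bytes of
   `name`, or NULL if the length is out of range or any byte is invalid.
   The key difference from a "skip the bad byte" loop: on rejection the
   caller gets nothing, and on success every byte of the returned buffer
   has been written explicitly, so no slot is left holding whatever the
   allocator previously stored there. */
char *sni_copy_hostname(const char *name, size_t len) {
    if (name == NULL || len == 0 || len > MAX_SNI_LEN) return NULL;
    for (size_t i = 0; i < len; i++) {
        if (!sni_char_ok((unsigned char)name[i])) return NULL;
    }
    char *out = malloc(len + 1);
    if (out == NULL) return NULL;
    memcpy(out, name, len);
    out[len] = '\0';
    return out;
}

/* Convenience check for a NUL-terminated string: 1 = acceptable, 0 = not. */
int sni_hostname_valid(const char *name) {
    if (name == NULL) return 0;
    char *copy = sni_copy_hostname(name, strlen(name));
    if (copy == NULL) return 0;
    free(copy);
    return 1;
}

/* Runs `path` directly (no shell), passing the hostname as one argv
   element. Because no shell parses the line, characters such as ';',
   '`' or '$' in the hostname are just bytes in an argument. Returns the
   child's exit status, 127 if exec failed, or -1 on fork/wait failure.
   The "--hostname" flag is a placeholder, not an openssl option. */
int run_without_shell(const char *path, const char *hostname) {
    char *const argv[] = { (char *)path, "--hostname", (char *)hostname, NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(path, argv);   /* execv: no PATH search, no shell */
        _exit(127);          /* conventional "could not exec" status */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed sample inputs. */
    const char *good = "mail.example.org";
    const char *bad = "host;name.example.org";
    int ok = sni_hostname_valid(good) && !sni_hostname_valid(bad);
    return ok ? 0 : 1;
}
```

Validation before the copy (rather than during it) also keeps the check independent of how the destination was allocated, which is what makes the "uninitialized bytes end up in the string" class of bug impossible rather than merely unlikely.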