Date: Wed, 13 Dec 2000 21:16:12 -0800
From: EKR <ekr@RTFM.COM>
Subject: Re: format string in ssl dump
To: BUGTRAQ@SECURITYFOCUS.COM

> I've seen this behavior with "normal" SSL traffic as well. I believe the
> author states up front on the website that the tool may have some
> problems.

Correct. It's beta software, after all.

In any case, this isn't a string format vulnerability. It's a pointer
indirection problem resulting from a bug in the handling of sequence
number wraparound. I'm working on a fix for this. It's a little tricky
but I expect to have it in the next week or so.

> I've found SSLdump to be a lot more stable if you capture with tcpdump -w
> and analyze it non-real-time. Eric Rescorla's book (SSL and TLS: Designing
> and Building Secure Systems) is an excellent treatment of the
> topic, though.

Thanks for the kind words. If you know about anything else wrong with
ssldump, I'd appreciate knowing. I like my tools to work.

That said, I'm not convinced that this is much of a security problem.
Essentially, it forces ssldump to treat arbitrary sections of memory as
SSL records and try to display them. Since it doesn't write to memory
and merely displays it in interpreted form to the user, I don't see how
an attacker could do anything other than cause bogus output or force
core dumps.

If someone knows how to use this to produce something more dangerous
than a core dump, I'd be interested to hear it.

-Ekr

[Eric Rescorla                                   ekr@rtfm.com]
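An added illustration (not from the message above, and not ssldump's code) of the failure class the reply describes: a sequence number that has wrapped past zero is turned into an index, the index is never range-checked, and the program ends up reading memory it never meant to touch. The window structure, the 32-bit counter, the window size and every function name here are assumptions made for the example; the only point taken from the message is that a wraparound bug of this shape yields bogus output or a crash rather than a write.

```c
/* Hypothetical illustration of a sequence-number wraparound bug becoming an
 * out-of-bounds read. This is NOT ssldump's code; the window structure, the
 * 32-bit counter, WINDOW and the function names are assumptions for the example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WINDOW 8   /* slots tracked relative to base_seq (assumed size) */

typedef struct {
    uint32_t base_seq;      /* sequence number that maps to slot 0 */
    uint8_t  seen[WINDOW];  /* 1 once a record with that seq has been seen */
} window_t;

/* Buggy slot computation: widening both operands to int64 before subtracting
 * makes the "distance" hugely negative once seq has wrapped past 2^32 while
 * base_seq has not. A caller that indexes seen[] with this value reads
 * whatever sits gigabytes below the array: garbage output at best, a
 * segfault (core dump) at worst, but never a write. */
int64_t buggy_slot(uint32_t base_seq, uint32_t seq)
{
    return (int64_t)seq - (int64_t)base_seq;
}

/* Fixed slot computation: the distance is taken modulo 2^32 (unsigned
 * subtraction is defined to wrap), so wraparound is transparent, and the
 * result is range-checked before anything uses it as an index.
 * Returns -1 when seq lies outside the window. */
int safe_slot(uint32_t base_seq, uint32_t seq)
{
    uint32_t dist = seq - base_seq;
    if (dist >= WINDOW)
        return -1;
    return (int)dist;
}

/* Record that seq was seen; returns 0 on success, -1 if outside the window. */
int window_mark(window_t *w, uint32_t seq)
{
    int slot = safe_slot(w->base_seq, seq);
    if (slot < 0)
        return -1;
    w->seen[slot] = 1;
    return 0;
}

/* Query whether seq was seen; out-of-window sequence numbers report 0. */
int window_seen(const window_t *w, uint32_t seq)
{
    int slot = safe_slot(w->base_seq, seq);
    return slot < 0 ? 0 : w->seen[slot];
}

int main(void)
{
    window_t w;
    memset(&w, 0, sizeof w);
    w.base_seq = 0xFFFFFFFEu;       /* two records before the counter wraps */

    /* A record whose seq has wrapped to 1: the buggy index is wildly
     * negative, the safe one is slot 3. */
    printf("buggy index for seq 1: %lld\n", (long long)buggy_slot(w.base_seq, 1));
    printf("safe index for seq 1:  %d\n", safe_slot(w.base_seq, 1));

    window_mark(&w, 0xFFFFFFFFu);   /* slot 1 */
    window_mark(&w, 1);             /* slot 3, across the wrap */
    printf("seen 0xFFFFFFFF: %d, seen 1: %d, seen 0xFFFFFFFD (before window): %d\n",
           window_seen(&w, 0xFFFFFFFFu), window_seen(&w, 1),
           window_seen(&w, 0xFFFFFFFDu));
    return 0;
}
```

The essential fix is the pair of properties in safe_slot: the subtraction stays in the counter's own unsigned width so that wrapping is a non-event, and the result is compared against the window size before it is ever used to form a pointer. Either property alone is not enough; unsigned arithmetic without the range check still indexes out of bounds for any sequence number outside the window.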