Date:         Wed, 13 Dec 2000 21:16:12 -0800
From: EKR <ekr@RTFM.COM>
Subject:      Re: format string in ssl dump
To: BUGTRAQ@SECURITYFOCUS.COM

> I've seen this behavior with "normal" SSL traffic as well. I believe the
> author states up front on the website that the tool may have some
> problems.
Correct. It's beta software, after all.

In any case, this isn't a string format vulnerability. It's a
pointer indirection problem resulting from a bug in the handling
of sequence number wraparound. I'm working on a fix for this. It's
a little tricky but I expect to have it in the next week or so.

> I've found SSLdump to be a lot more stable if you capture with tcpdump -w
> and analyze it non real-time. Eric Rescorla's book (SSL and TLS: Designing
> and Building Secure Systems) is an excellent treatment of the
> topic, though.
Thanks for the kind words.

If you know about anything else wrong with ssldump, I'd appreciate
knowing. I like my tools to work.

That said, I'm not convinced that this is much of a security problem.
Essentially, it forces ssldump to treat arbitrary sections of memory
as SSL records and try to display them. Since it doesn't write to
memory and merely displays it in interpreted form to the user, I don't
see how an attacker could do anything other than cause bogus output or
force core dumps. If someone knows how to use this to produce something
more dangerous than a core dump, I'd be interested to hear it.

-Ekr

[Eric Rescorla                                   ekr@rtfm.com]
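The bug class the mail describes (a sequence-number wraparound mishandled so that a record index turns into a pointer at arbitrary memory), as an added illustration that is not ssldump's code: the window structure, the names and the window size are assumed for the example, and the sample window is a constructed value.

```c
/* Illustration of the bug class named in the mail above, not ssldump's
 * own code: a window of per-record state indexed by distance from a base
 * sequence number, once with broken and once with correct wraparound
 * handling.  WINDOW and the struct layout are assumed for the example. */
#include <stdint.h>
#include <stddef.h>

#define WINDOW 8   /* assumed number of in-flight records tracked */

typedef struct {
    uint32_t base_seq;      /* sequence number stored in slot 0 */
    int      seen[WINDOW];  /* per-record state, indexed by distance from base */
} seq_window;

/* Buggy variant: the distance is computed in 64 bits and only the upper
 * bound is checked.  Once the 32-bit sequence number wraps past zero while
 * base_seq is still near UINT32_MAX, the distance goes negative, passes the
 * check, and a caller that indexes seen[] with it reads memory before the
 * array: bogus "records" or a crash, exactly the symptom described above. */
int64_t slot_buggy(const seq_window *w, uint32_t seq)
{
    int64_t idx = (int64_t)seq - (int64_t)w->base_seq;
    if (idx >= WINDOW)
        return -1;          /* rejected as outside the window */
    return idx;             /* may be hugely negative: out-of-range index */
}

/* Fixed variant: unsigned 32-bit subtraction is arithmetic modulo 2^32, so
 * the distance stays correct across wraparound, and one unsigned comparison
 * rejects records outside the window in both directions. */
int64_t slot_safe(const seq_window *w, uint32_t seq)
{
    uint32_t distance = seq - w->base_seq;
    if (distance >= WINDOW)
        return -1;          /* rejected as outside the window */
    return (int64_t)distance;
}

/* Marks a record as seen using the safe lookup.
 * Returns 1 on success, 0 when seq lies outside the window. */
int mark_seen(seq_window *w, uint32_t seq)
{
    int64_t idx = slot_safe(w, seq);
    if (idx < 0)
        return 0;
    w->seen[idx] = 1;
    return 1;
}

/* Constructed sample: base sequence number two below the 32-bit limit, so
 * the next few records wrap around through zero. */
seq_window demo_window = { 0xFFFFFFFEu, { 0 } };
```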