RSAREF 缓存溢出漏洞
发布日期:1999-12-01
更新日期:1999-12-02
受影响系统:RSA Security RSAREF 2.0
+ SSH Communications Security SSH 1.2.x
描述:
RSAREF密码库存在缓存溢出漏洞。
漏洞存在于rsa.c的四个函数中。
int RSAPublicEncrypt()
int RSAPrivateEncrypt()
int RSAPublicDecrypt()
int RSAPrivateDecrypt()
这些函数都定义了一个128字节长、叫做pkcsBlock局部变量,溢出由此产生,造成可以执
行任意代码。
建议:
RSA Security is no longer support the RSAREF library.
CORE SDI has developed the following fix for RSAREF. Copy this patch to a file named rsaref.patch in rsaref2/source, and apply with ''patch
- --- rsa.original.c Wed Dec 1 11:29:57 1999
+++ rsa.c Wed Dec 1 11:45:51 1999
@@ -33,6 +33,8 @@
unsigned char byte, pkcsBlock[MAX_RSA_MODULUS_LEN];
unsigned int i, modulusLen;
+ if (inputLen+3>MAX_RSA_MODULUS_LEN) return (RE_LEN);
+
modulusLen = (publicKey->bits + 7) / 8;
if (inputLen + 11 > modulusLen)
return (RE_LEN);
@@ -78,6 +80,8 @@
unsigned char pkcsBlock[MAX_RSA_MODULUS_LEN];
unsigned int i, modulusLen, pkcsBlockLen;
+ if (inputLen>MAX_RSA_MODULUS_LEN) return (RE_LEN);
+
modulusLen = (publicKey->bits + 7) / 8;
if (inputLen > modulusLen)
return (RE_LEN);
@@ -129,6 +133,8 @@
unsigned char pkcsBlock[MAX_RSA_MODULUS_LEN];
unsigned int i, modulusLen;
+ if (inputLen+3>MAX_RSA_MODULUS_LEN) return (RE_LEN);
+
modulusLen = (privateKey->bits + 7) / 8;
if (inputLen + 11 > modulusLen)
return (RE_LEN);
@@ -168,6 +174,8 @@
unsigned char pkcsBlock[MAX_RSA_MODULUS_LEN];
unsigned int i, modulusLen, pkcsBlockLen;
+ if (inputLen>MAX_RSA_MODULUS_LEN) return (RE_LEN);
+
modulusLen = (privateKey->bits + 7) / 8;
if (inputLen > modulusLen)
return (RE_LEN);
浏览次数:9297
严重程度:0(网友投票)
