Archive for April, 2014

HeartBleed Vulnerability, CVE-2014-0160 Analysis

April 11, 2014

Here is the packet:


So what is the issue? Let's look at the patched code:

Looking at the patch, there are the following checks:

1. if (1 + 2 + 16 > s->s3->rrec.length)
       return 0; /* silently discard */

2. if (1 + 2 + payload + 16 > s->s3->rrec.length)
       return 0; /* silently discard per RFC 6520 sec. 4 */

3. if (write_length > SSL3_RT_MAX_PLAIN_LENGTH)
       return 0;


The first check discards any record whose TLS record length is less than 19 bytes. Why 19? One byte denotes the message type, two bytes denote the payload length, and 16 bytes is the minimum padding, so a record too short to carry even an empty heartbeat with its padding is discarded.

The second check makes sure that the payload length claimed in the heartbeat header, plus the header and the padding, actually fits inside the length recorded for the TLS record, so the code never copies more than the record really contains.

The third check makes sure that the length of the response to be written is not more than 16384 (0x4000), which is SSL3_RT_MAX_PLAIN_LENGTH.
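As an added example, not code from the original post or from OpenSSL, here are the three patched checks reimplemented as a stand-alone C function and exercised against constructed heartbeat records (one well-formed, one that claims far more payload than it carries, one that would produce an oversized response). The constant values are OpenSSL's; the function names `heartbeat_validate` and `check_request` and the `n2s` helper are my own.

```c
#include <string.h>

/* Values as defined in OpenSSL's ssl3.h / tls1.h. */
#define SSL3_RT_MAX_PLAIN_LENGTH 16384
#define TLS1_HB_REQUEST          1
#define HB_PADDING               16   /* minimum padding, RFC 6520 sec. 4 */

/* Mirrors OpenSSL's n2s(): read a 16-bit big-endian length. */
static unsigned int n2s(const unsigned char *p)
{
    return ((unsigned int)p[0] << 8) | p[1];
}

/* The three patched checks on a heartbeat body of rec_len bytes (rrec.length).
 * Returns 1 if it would be answered (payload in *payload_out), 0 if discarded. */
int heartbeat_validate(const unsigned char *rec, size_t rec_len,
                       unsigned int *payload_out)
{
    unsigned int payload, write_length;
    /* check 1: room for type (1) + length (2) + padding (16) */
    if (1 + 2 + HB_PADDING > rec_len)
        return 0;
    payload = n2s(rec + 1);
    /* check 2: the claimed payload (+ header + padding) must fit in the record */
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len)
        return 0;
    /* check 3: the echoed response must fit in one plaintext record */
    write_length = 1 + 2 + payload + HB_PADDING;
    if (write_length > SSL3_RT_MAX_PLAIN_LENGTH)
        return 0;
    if (payload_out)
        *payload_out = payload;
    return 1;
}

/* Constructed test record: a request whose length field claims `claimed` bytes
 * while only `actual` payload bytes (+ padding) follow. -1 if it cannot be built. */
int check_request(unsigned int claimed, size_t actual)
{
    static unsigned char rec[1 + 2 + 65535 + HB_PADDING];
    size_t len = 1 + 2 + actual + HB_PADDING;
    if (len > sizeof rec)
        return -1;
    memset(rec, 0x41, len);            /* filler payload and padding bytes */
    rec[0] = TLS1_HB_REQUEST;
    rec[1] = (unsigned char)(claimed >> 8);
    rec[2] = (unsigned char)(claimed & 0xff);
    return heartbeat_validate(rec, len, NULL);
}
```

`check_request(0xFFFF, 4)` is the shape that mattered for CVE-2014-0160: the header claims 65535 bytes while the record holds 4, and the patched check 2 rejects it.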


This is a quick post; I hope it clarifies things. If you have any questions, feel free to mail me.



CVE-2013-4232 analysis

April 5, 2014

After a long time I did some quick analysis. Here are the details for CVE-2013-4232:


If you look at the patch here:


there is only one line of code added:

+ return(0);
} else {
You see the return statement above? Well, that's it: it is a use-after-free vulnerability. Here is the fuller code around the fix (from tiff2pdf's t2p_readwrite_pdf_image, on the path where reallocating the sample buffer fails):

        TIFFError(TIFF2PDF_MODULE,
            "Can't allocate %lu bytes of memory for t2p_readwrite_pdf_image, %s",
            (unsigned long) t2p->tiff_datasize,
            TIFFFileName(input));
        t2p->t2p_error = T2P_ERR_ERROR;
        _TIFFfree(buffer);                         /* buffer is released on this error path */
        return(0);                                 /* this is the fix */
    } else {
        t2p->tiff_datasize *= t2p->tiff_samplesperpixel;
    }
    t2p_sample_realize_palette(t2p, buffer);       /* without the return, this runs with buffer already freed: the use-after-free */

That's it.