CVE-2016-2107 PoC — OpenSSL AES-NI实现安全漏洞

Source

https://github.com/tmiklas/docker-cve-2016-2107

Associated Vulnerability

Title:OpenSSL AES-NI实现安全漏洞 (CVE-2016-2107)
Description:The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a certain padding check, which allows remote attackers to obtain sensitive cleartext information via a padding-oracle attack against an AES CBC session. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-0169.

Description

Docker container implementing tests for CVE-2016-2107 - LuckyNegative20

Readme

# docker-cve-2016-2107
Docker container implementing tests for CVE-2016-2107 - LuckyNegative20

### About

Dockerized test for CVE-2016-2107. Code written by [Filippo Valsorda](https://blog.filippo.io):

* [GitHub](https://github.com/FiloSottile/CVE-2016-2107)
* [zero to decryption](https://blog.cloudflare.com/yet-another-padding-oracle-in-openssl-cbc-ciphersuites/) blog explaining the vulenrabiltiy
* [online CVE-2016-2107 test](https://filippo.io/CVE-2016-2107/)

**Update**

Current version is using static linking to get tiny output file and no dependencies, this way I could use `scratch` as base image (virtually zero size, just docker metadata) and single binary to produce working container. I'm surprised myself :-)

### Usage

`$ docker run -it --rm tmiklas/docker-cve-2016-2107 <hostname or hostname:port>`

File Snapshot


 [4.0K]  /data/pocs/4b57b349db5544dd1b993b9604c1c79ced3eded2
├── [3.5M]  cve_2016_2107
├── [  97]  Dockerfile
└── [ 822]  README.md

0 directories, 3 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!