CVE-2016-2107 PoC — OpenSSL AES-NI实现安全漏洞

Source

https://github.com/tmiklas/docker-cve-2016-2107

Associated Vulnerability

Title:OpenSSL AES-NI实现安全漏洞 (CVE-2016-2107)
Description:OpenSSL是OpenSSL团队开发的一个开源的能够实现安全套接层（SSL v2/v3）和安全传输层（TLS v1）协议的通用加密库，它支持多种加密算法，包括对称密码、哈希算法、安全散列算法等。 OpenSSL 1.0.1t之前版本和1.0.2h之前1.0.2版本的AES-NI实现过程中存在安全漏洞，该漏洞源于程序在进行填充检查时没有考虑内存分配。远程攻击者可通过向AES CBC会话实施padding-oracle攻击利用该漏洞获取敏感的明文信息。（注：该漏洞源于CNNVD-201302-133补丁的不

Description

Docker container implementing tests for CVE-2016-2107 - LuckyNegative20

Readme

# docker-cve-2016-2107
Docker container implementing tests for CVE-2016-2107 - LuckyNegative20

### About

Dockerized test for CVE-2016-2107. Code written by [Filippo Valsorda](https://blog.filippo.io):

* [GitHub](https://github.com/FiloSottile/CVE-2016-2107)
* [zero to decryption](https://blog.cloudflare.com/yet-another-padding-oracle-in-openssl-cbc-ciphersuites/) blog explaining the vulenrabiltiy
* [online CVE-2016-2107 test](https://filippo.io/CVE-2016-2107/)

**Update**

Current version is using static linking to get tiny output file and no dependencies, this way I could use `scratch` as base image (virtually zero size, just docker metadata) and single binary to produce working container. I'm surprised myself :-)

### Usage

`$ docker run -it --rm tmiklas/docker-cve-2016-2107 <hostname or hostname:port>`

File Snapshot


 [4.0K]  /data/pocs/4b57b349db5544dd1b993b9604c1c79ced3eded2
├── [3.5M]  cve_2016_2107
├── [  97]  Dockerfile
└── [ 822]  README.md

0 directories, 3 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!