Archive | February, 2014

goto Fail screenshots for iPhone

At the end of last week, Apple pushed iOS 7.0.6, an update fixing a “data security” problem. Apple's notes for the update read:

Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS

Description: Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.

CVE-ID: CVE-2014-1266

[Screenshots: goto-fail-01 through goto-fail-07]

$ diff -urN <(curl -s http://opensource.apple.com/source/Security/Security-55179.13/libsecurity_ssl/lib/sslKeyExchange.c\?txt) \
    <(curl -s http://opensource.apple.com/source/Security/Security-55471/libsecurity_ssl/lib/sslKeyExchange.c\?txt) \
    | grep -A 7 627,6
@@ -627,6 +628,7 @@
         goto fail;
     if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
         goto fail;
+        goto fail;
     if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
         goto fail;
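
Review bot: The second `goto fail;` added after the `SSLHashSHA1.update(&hashCtx, &signedParams)` check is indented like the body of that `if`, but with no braces it is a separate statement and always executes. When the update succeeds, `err` is 0 and control still jumps to `fail`, so the `SSLHashSHA1.final(&hashCtx, &hashOut)` check below it is never reached, and neither is anything after it ahead of the `fail` label. Drop the duplicated line and brace these single-statement `if` bodies so a stray line cannot silently change the control flow. Building with unreachable-code warnings enabled would also flag the now-dead `final` call.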