Merge pull request #836 from drwetter/bigip

F5 cookie detection
2025-01-03 23:39:45 +01:00 · 2017-09-25 20:02:03 +02:00 · 2017-09-25 20:02:03 +02:00 · 2c76025ade
commit 2c76025ade
parent f6cf96d916 dbab397645
1 changed files with 205 additions and 101 deletions
--- a/testssl.sh
+++ b/testssl.sh
@ -547,6 +547,7 @@ pr_boldurl() { tm_bold "$1"; html_out "<a href="$1" style=\"font-weight:bold;col

 ### color switcher (see e.g. https://linuxtidbits.wordpress.com/2008/08/11/output-color-on-bash-scripts/
 ###                          http://www.tldp.org/HOWTO/Bash-Prompt-HOWTO/x405.html
+### no ouput support for HTML!
 set_color_functions() {
     local ncurses_tput=true

@ -612,6 +613,8 @@ set_color_functions() {
               reverse=$(tput mr)
               off=$(tput me)
          fi
+     # italic doesn't work under Linux, FreeBSD (9). But both work under OpenBSD.
+     # alternatively we could use escape codes
     fi
 }

@ -1098,6 +1101,52 @@ is_ipv6addr() {
     return 0
 }

+# now some function for the integrated BIGIP F5 Cookie detector (see https://github.com/drwetter/F5-BIGIP-Decoder)
+
+f5_hex2ip() {
+     debugme echo "$1"
+     echo $((16#${1:0:2})).$((16#${1:2:2})).$((16#${1:4:2})).$((16#${1:6:2}))
+}
+f5_hex2ip6() {
+     debugme echo "$1"
+     echo "[${1:0:4}:${1:4:4}:${1:8:4}:${1:12:4}.${1:16:4}:${1:20:4}:${1:24:4}:${1:28:4}]"
+}
+
+f5_determine_routeddomain() {
+     local tmp
+     tmp="${1%%o*}"
+     echo "${tmp/rd/}"
+}
+
+f5_ip_oldstyle() {
+     local tmp
+     local a b c d
+
+     tmp="${1/%.*}"                     # until first dot
+     tmp="$(printf "%x8" "$tmp")"       # convert the whole thing to hex, now back to ip (reversed notation:
+     tmp="$(f5_hex2ip $tmp)"               # transform to ip with reversed notation
+     IFS="." read -r a b c d <<< "$tmp" # reverse it
+     echo $d.$c.$b.$a
+}
+
+f5_port_decode() {
+     local tmp
+
+     tmp="$(strip_lf "$1")"             # remove lf if there is one
+     tmp="${tmp/.0000/}"                # to be sure remove trailing zeros with a dot
+     tmp="${tmp#*.}"                    # get the port
+     tmp="$(printf "%04x" "${tmp}")"    # to hex
+     if [[ ${#tmp} -eq 4 ]]; then
+          :
+     elif [[ ${#tmp} -eq 3 ]]; then          # fill it up with leading zeros if needed
+          tmp=0{$tmp}
+     elif [[ ${#tmp} -eq 2 ]]; then
+          tmp=00{$tmp}
+     fi
+     echo $((16#${tmp:2:2}${tmp:0:2}))  # reverse order and convert it from hex to dec
+}
+
+

 ###### END helper function definitions ######

@ -1513,9 +1562,9 @@ detect_ipv4() {
                    else
                         first=false
                    fi
-                    pr_svrty_high "$result"
+                    pr_svrty_medium "$result"
                    outln "\n$spaces$your_ip_msg"
-                    fileout "ip_in_header_$count" "HIGH" "IPv4 address in header  $result $your_ip_msg"
+                    fileout "ip_in_header_$count" "MEDIUM" "IPv4 address in header  $result $your_ip_msg"
               fi
               count=$count+1
          done < $HEADERFILE
@ -2094,11 +2143,65 @@ run_application_banner() {
     return 0
 }

+
+
+# arg1: multiline string w cookies
+f5_bigip_check() {
+     local allcookies="$1"
+     local ip port cookievalue cookiename
+     local routed_domain offset
+     local savedcookies=""
+     local spaces="$2"
+
+     # taken from https://github.com/drwetter/F5-BIGIP-Decoder, more details see there
+
+     debugme echo -e "all cookies: >> $allcookies <<\n"
+     while true; do IFS='=' read cookiename cookievalue
+          [[ -z "$cookievalue" ]] && break
+          cookievalue=${cookievalue/;/}
+          debugme echo $cookiename : $cookievalue
+          if grep -q -E '[0-9]{9,10}\.[0-9]{3,5}\.0000' <<< "$cookievalue"; then
+               ip="$(f5_ip_oldstyle "$cookievalue")"
+               port="$(f5_port_decode $cookievalue)"
+               out "${spaces}F5 cookie (default IPv4 pool member): "; pr_italic "$cookiename "; prln_svrty_medium "${ip}:${port}"
+               fileout "cookie_bigip_f5" "MEDIUM" "Information leakage: F5 cookie $cookiename $cookievalue is default IPv4 pool member ${ip}:${port}"
+          elif grep -q -E '^rd[0-9]{1,2}o0{20}f{4}[a-f0-9]{8}o[0-9]{1,5}' <<< "$cookievalue"; then
+               routed_domain="$(f5_determine_routeddomain "$cookievalue")"
+               offset=$(( 2 + ${#routed_domain} + 1 + 24))
+               port="${cookievalue##*o}"
+               ip="$(f5_hex2ip "${cookievalue:$offset:8}")"
+               out "${spaces}F5 cookie (IPv4 pool in routed domain "; pr_svrty_medium "$routed_domain"; out "): "; pr_italic "$cookiename "; prln_svrty_medium "${ip}:${port}"
+               fileout "cookie_bigip_f5" "MEDIUM" "Information leakage: F5 cookie $cookiename $cookievalue is IPv4 pool member in routed domain $routed_domain ${ip}:${port}"
+          elif grep -q -E '^vi[a-f0-9]{32}\.[0-9]{1,5}' <<< "$cookievalue"; then
+               ip="$(f5_hex2ip6 ${cookievalue:2:32})"
+               port="${cookievalue##*.}"
+               port=$(f5_port_decode "$port")
+               out "${spaces}F5 cookie (default IPv6 pool member): "; pr_italic "$cookiename "; prln_svrty_medium "${ip}:${port}"
+               fileout "cookie_bigip_f5" "MEDIUM" "Information leakage: F5 cookie $cookiename $cookievalue is default IPv6 pool member ${ip}:${port}"
+          elif grep -q -E '^rd[0-9]{1,2}o[a-f0-9]{32}o[0-9]{1,5}' <<< "$cookievalue"; then
+               routed_domain="$(f5_determine_routeddomain "$cookievalue")"
+               offset=$(( 2 + ${#routed_domain} + 1 ))
+               port="${cookievalue##*o}"
+               ip="$(f5_hex2ip6 ${cookievalue:$offset:32})"
+               out "${spaces}F5 cookie (IPv6 pool in routed domain "; pr_svrty_medium "$routed_domain"; out "): "; pr_italic "$cookiename "; prln_svrty_medium "${ip}:${port}"
+               fileout "cookie_bigip_f5" "MEDIUM" "Information leakage: F5 cookie $cookiename $cookievalue is IPv6 pool member in routed domain $routed_domain ${ip}:${port}"
+          elif grep -q -E '^\!.*=$' <<< "$cookievalue"; then
+               if [[ "${#cookievalue}" -eq 81 ]] ; then
+                    savedcookies="${savedcookies}     ${cookiename}=${cookievalue:1:79}"
+                    out "${spaces}Encrypted F5 cookie named "; pr_italic "${cookiename}"; outln " detected"
+                    fileout "cookie_bigip_f5" "INFO" "encrypted F5 cookie named ${cookiename} detected"
+               fi
+          fi
+     done <<< "$allcookies"
+}
+
+
 run_cookie_flags() {     # ARG1: Path
     local -i nr_cookies
     local -i nr_httponly nr_secure
     local negative_word
     local msg302="" msg302_=""
+     local spaces="                              "

     if [[ ! -s $HEADERFILE ]]; then
          run_http_header "$1" || return 3
@ -2116,7 +2219,10 @@ run_cookie_flags() {     # ARG1: Path

     pr_bold " Cookie(s)                    "
     grep -ai '^Set-Cookie' $HEADERFILE >$TMPFILE
-     if [[ $? -eq 0 ]]; then
+     if [[ $? -ne 0 ]]; then
+          outln "(none issued at \"$1\")$msg302"
+          fileout "cookie_count" "INFO" "No cookies issued at \"$1\"$msg302_"
+     else
          nr_cookies=$(count_lines "$(cat $TMPFILE)")
          out "$nr_cookies issued: "
          fileout "cookie_count" "INFO" "$nr_cookies cookie(s) issued at \"$1\"$msg302_"
@ -2147,12 +2253,10 @@ run_cookie_flags() {     # ARG1: Path
          else
               fileout "cookie_httponly" "INFO" "$nr_secure/$nr_cookies cookie(s) issued at \"$1\" marked as HttpOnly$msg302_"
          fi
-          out "$msg302"
-     else
-          out "(none issued at \"$1\")$msg302"
-          fileout "cookie_count" "INFO" "No cookies issued at \"$1\"$msg302_"
+          outln "$msg302"
+          allcookies="$(awk '/[Ss][Ee][Tt]-[Cc][Oo][Oo][Kk][Ii][Ee]:/ { print $2 }' "$TMPFILE")"
+          f5_bigip_check "$allcookies" "$spaces"
     fi
-     outln

     tmpfile_handle $FUNCNAME.txt
     return 0