fix for empty/malformed socket replies

During protocol check if a sever answered unexpected with
closing the conenction or another malformed reply the
output was not ok as DETECTED_TLS_VERSION was empty.

This fixes it by filling the variable with a string in ``parse_tls_serverhello()``
and then check in higher level (``run_protocols()``) the content.

Also it seems that I forgot in the commit from yesterday one ``&&`` to
commit in ``run_breach()``
This commit is contained in:
Dirk 2017-09-01 16:13:32 +02:00
parent ee8c5e51a1
commit 50287ef2c4

View File

@ -3951,8 +3951,13 @@ run_protocols() {
prln_svrty_critical "server responded with higher version number ($detected_version_string) than requested by client (NOT ok)" prln_svrty_critical "server responded with higher version number ($detected_version_string) than requested by client (NOT ok)"
fileout "sslv3" "CRITICAL" "SSLv3: server responded with higher version number ($detected_version_string) than requested by client" fileout "sslv3" "CRITICAL" "SSLv3: server responded with higher version number ($detected_version_string) than requested by client"
else else
if [[ ${#DETECTED_TLS_VERSION} -eq 4 ]]; then
prln_svrty_critical "server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2} (NOT ok)" prln_svrty_critical "server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2} (NOT ok)"
fileout "sslv3" "CRITICAL" "SSLv3: server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2}" fileout "sslv3" "CRITICAL" "SSLv3: server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2}"
else
prln_svrty_medium "strange, server ${DETECTED_TLS_VERSION}"
fileout "sslv3" "MEDIUM" "SSLv3: strange, server ${DETECTED_TLS_VERSION}"
fi
fi fi
;; ;;
5) pr_svrty_high "$supported_no_ciph2" 5) pr_svrty_high "$supported_no_ciph2"
@ -3997,8 +4002,13 @@ run_protocols() {
prln_svrty_critical " -- server responded with higher version number ($detected_version_string) than requested by client" prln_svrty_critical " -- server responded with higher version number ($detected_version_string) than requested by client"
fileout "tls1" "CRITICAL" "TLSv1.0: server responded with higher version number ($detected_version_string) than requested by client" fileout "tls1" "CRITICAL" "TLSv1.0: server responded with higher version number ($detected_version_string) than requested by client"
else else
prln_svrty_critical " -- server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2}" if [[ ${#DETECTED_TLS_VERSION} -eq 4 ]]; then
prln_svrty_critical "server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2} (NOT ok)"
fileout "tls1" "CRITICAL" "TLSv1.0: server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2}" fileout "tls1" "CRITICAL" "TLSv1.0: server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2}"
else
prln_svrty_medium " -- strange, server ${DETECTED_TLS_VERSION}"
fileout "tls1" "MEDIUM" "TLSv1.0: server ${DETECTED_TLS_VERSION}"
fi
fi fi
;; ;;
5) outln "$supported_no_ciph1" # protocol ok, but no cipher 5) outln "$supported_no_ciph1" # protocol ok, but no cipher
@ -4045,8 +4055,13 @@ run_protocols() {
prln_svrty_critical " -- server responded with higher version number ($detected_version_string) than requested by client (NOT ok)" prln_svrty_critical " -- server responded with higher version number ($detected_version_string) than requested by client (NOT ok)"
fileout "tls1_1" "CRITICAL" "TLSv1.1 is not offered, server responded with higher version number ($detected_version_string) than requested by client" fileout "tls1_1" "CRITICAL" "TLSv1.1 is not offered, server responded with higher version number ($detected_version_string) than requested by client"
else else
prln_svrty_critical " -- server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2} (NOT ok)" if [[ ${#DETECTED_TLS_VERSION} -eq 4 ]]; then
prln_svrty_critical "server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2} (NOT ok)"
fileout "tls1_1" "CRITICAL" "TLSv1.1: server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2}" fileout "tls1_1" "CRITICAL" "TLSv1.1: server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2}"
else
prln_svrty_medium " -- strange, server ${DETECTED_TLS_VERSION}"
fileout "tls1_1" "MEDIUM" "TLSv1.1: server ${DETECTED_TLS_VERSION}"
fi
fi fi
;; ;;
5) outln "$supported_no_ciph1" 5) outln "$supported_no_ciph1"
@ -4104,8 +4119,13 @@ run_protocols() {
prln_svrty_critical " -- server responded with higher version number ($detected_version_string) than requested by client" prln_svrty_critical " -- server responded with higher version number ($detected_version_string) than requested by client"
fileout "tls1_2" "CRITICAL" "TLSv1.2 is not offered, server responded with higher version number ($detected_version_string) than requested by client" fileout "tls1_2" "CRITICAL" "TLSv1.2 is not offered, server responded with higher version number ($detected_version_string) than requested by client"
else else
prln_svrty_critical " -- server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2}" if [[ ${#DETECTED_TLS_VERSION} -eq 4 ]]; then
prln_svrty_critical "server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2} (NOT ok)"
fileout "tls1_2" "CRITICAL" "TLSv1.2: server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2}" fileout "tls1_2" "CRITICAL" "TLSv1.2: server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2}"
else
prln_svrty_medium " -- strange, server ${DETECTED_TLS_VERSION}"
fileout "tls1_2" "MEDIUM" "TLSv1.2: server ${DETECTED_TLS_VERSION}"
fi
fi fi
;; ;;
5) outln "$supported_no_ciph1" 5) outln "$supported_no_ciph1"
@ -8089,13 +8109,16 @@ parse_tls_serverhello() {
if [[ $tls_serverhello_ascii_len -eq 0 ]]; then if [[ $tls_serverhello_ascii_len -eq 0 ]]; then
debugme echo "server hello empty, TCP connection closed" debugme echo "server hello empty, TCP connection closed"
DETECTED_TLS_VERSION="closed TCP connection "
tmpfile_handle $FUNCNAME.txt tmpfile_handle $FUNCNAME.txt
return 1 # no server hello received return 1 # no server hello received
elif [[ $tls_serverhello_ascii_len -lt 76 ]]; then elif [[ $tls_serverhello_ascii_len -lt 76 ]]; then
DETECTED_TLS_VERSION="reply malformed"
debugme echo "Malformed response" debugme echo "Malformed response"
return 1 return 1
elif [[ "${tls_handshake_ascii:0:2}" != "02" ]]; then elif [[ "${tls_handshake_ascii:0:2}" != "02" ]]; then
# the ServerHello MUST be the first handshake message # the ServerHello MUST be the first handshake message
DETECTED_TLS_VERSION="reply contained no ServerHello"
debugme tmln_warning "The first handshake protocol message is not a ServerHello." debugme tmln_warning "The first handshake protocol message is not a ServerHello."
return 1 return 1
fi fi
@ -9903,7 +9926,7 @@ run_breach() {
local cwe="CWE-310" local cwe="CWE-310"
local hint="" local hint=""
[[ $SERVICE != "HTTP" ]] && ! "$CLIENT_AUTH" return 7 [[ $SERVICE != "HTTP" ]] && ! "$CLIENT_AUTH" && return 7
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for BREACH (HTTP compression) vulnerability " && outln [[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for BREACH (HTTP compression) vulnerability " && outln
pr_bold " BREACH"; out " ($cve) " pr_bold " BREACH"; out " ($cve) "