Merge branch '2.9dev' into generate_html
Conflicts: testssl.sh
This commit is contained in:
commit
7cbd4ade01
106
testssl.sh
106
testssl.sh
|
@ -9335,7 +9335,7 @@ run_heartbleed(){
|
||||||
local -i n ret lines_returned
|
local -i n ret lines_returned
|
||||||
local -i hb_rounds=3
|
local -i hb_rounds=3
|
||||||
local append=""
|
local append=""
|
||||||
local found_500_oops=false
|
local tls_hello_ascii=""
|
||||||
local cve="CVE-2014-0160"
|
local cve="CVE-2014-0160"
|
||||||
local cwe="CWE-119"
|
local cwe="CWE-119"
|
||||||
local hint=""
|
local hint=""
|
||||||
|
@ -9415,7 +9415,6 @@ run_heartbleed(){
|
||||||
# extension: heartbeat
|
# extension: heartbeat
|
||||||
x00, x0f, x00, x01, x01"
|
x00, x0f, x00, x01, x01"
|
||||||
|
|
||||||
for (( n=1; n <= hb_rounds; n++)); do
|
|
||||||
fd_socket 5 || return 6
|
fd_socket 5 || return 6
|
||||||
debugme out_term "\nsending client hello (TLS version $tls_hexcode)"
|
debugme out_term "\nsending client hello (TLS version $tls_hexcode)"
|
||||||
debugme outln_term " ($n of $hb_rounds)"
|
debugme outln_term " ($n of $hb_rounds)"
|
||||||
|
@ -9432,9 +9431,21 @@ run_heartbleed(){
|
||||||
|
|
||||||
socksend "$heartbleed_payload" 1
|
socksend "$heartbleed_payload" 1
|
||||||
sockread_serverhello 16384 $HEARTBLEED_MAX_WAITSOCK
|
sockread_serverhello 16384 $HEARTBLEED_MAX_WAITSOCK
|
||||||
[[ $? -eq 3 ]] && append=", timed out"
|
if [[ $? -eq 3 ]]; then
|
||||||
|
append=", timed out"
|
||||||
|
pr_done_best "not vulnerable (OK)"; out "$append"
|
||||||
|
fileout "heartbleed" "OK" "Heartbleed: not vulnerable $append" "$cve" "$cwe"
|
||||||
|
ret=0
|
||||||
|
else
|
||||||
|
|
||||||
|
# server reply should be (>=SSLv3): 18030x in case of a heartBEAT reply -- which we take as a positive result
|
||||||
|
tls_hello_ascii=$(hexdump -v -e '16/1 "%02X"' "$SOCK_REPLY_FILE")
|
||||||
|
debugme echo "tls_content_type: ${tls_hello_ascii:0:2}"
|
||||||
|
debugme echo "tls_protocol: ${tls_hello_ascii:2:4}"
|
||||||
|
|
||||||
|
lines_returned=$(count_lines "$(hexdump -ve '16/1 "%02x " " \n"' "$SOCK_REPLY_FILE")")
|
||||||
|
debugme echo "lines HB reply: $lines_returned"
|
||||||
|
|
||||||
lines_returned=$(hexdump -ve '16/1 "%02x " " \n"' "$SOCK_REPLY_FILE" | wc -l | sed 's/ //g')
|
|
||||||
if [[ $DEBUG -ge 3 ]]; then
|
if [[ $DEBUG -ge 3 ]]; then
|
||||||
outln_term "\nheartbleed reply: "
|
outln_term "\nheartbleed reply: "
|
||||||
hexdump -C "$SOCK_REPLY_FILE" | head -20
|
hexdump -C "$SOCK_REPLY_FILE" | head -20
|
||||||
|
@ -9442,55 +9453,37 @@ run_heartbleed(){
|
||||||
outln_term
|
outln_term
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ $lines_returned -gt 1 ]]; then
|
if [[ $lines_returned -gt 1 ]] && [[ "${tls_hello_ascii:0:4}" == "1803" ]]; then
|
||||||
if [[ "$STARTTLS_PROTOCOL" == "ftp" ]] || [[ "$STARTTLS_PROTOCOL" == "ftps" ]]; then
|
if [[ "$STARTTLS_PROTOCOL" == "ftp" ]] || [[ "$STARTTLS_PROTOCOL" == "ftps" ]]; then
|
||||||
# check possibility of weird vsftpd reply, see #426
|
# check possibility of weird vsftpd reply, see #426, despite "1803" seems very unlikely...
|
||||||
saved_sockreply[n]="$(hexdump -ve '1/1 "%.2x"' "$SOCK_REPLY_FILE")"
|
if grep -q '500 OOPS' "$SOCK_REPLY_FILE" ; then
|
||||||
[[ $n -eq 1 ]] && grep -q '500 OOPS' "$SOCK_REPLY_FILE" && found_500_oops=true
|
append=", successful weeded out vsftpd false positive"
|
||||||
rm "$SOCK_REPLY_FILE"
|
pr_done_best "not vulnerable (OK)"; out "$append"
|
||||||
#debugme out_term "${saved_sockreply[n]}"
|
|
||||||
#TMPFILE="${saved_sockreply[n]}"
|
|
||||||
close_socket
|
|
||||||
#tmpfile_handle "$FUNCNAME,$n.txt"
|
|
||||||
else
|
|
||||||
rm "$SOCK_REPLY_FILE"
|
|
||||||
pr_svrty_critical "VULNERABLE (NOT ok)"
|
|
||||||
fileout "heartbleed" "CRITICAL" "Heartbleed: VULNERABLE $append" "$cve" "$cwe" "$hint"
|
|
||||||
ret=1
|
|
||||||
break
|
|
||||||
fi
|
|
||||||
else
|
|
||||||
rm "$SOCK_REPLY_FILE"
|
|
||||||
pr_done_best "not vulnerable (OK)"
|
|
||||||
fileout "heartbleed" "OK" "Heartbleed: not vulnerable $append" "$cve" "$cwe"
|
fileout "heartbleed" "OK" "Heartbleed: not vulnerable $append" "$cve" "$cwe"
|
||||||
ret=0
|
ret=0
|
||||||
break
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
|
|
||||||
if [[ $n -gt 1 ]]; then
|
|
||||||
# more than one round of heartbleed checks --> vsftpd probably.
|
|
||||||
# This is the robust approach. According to a few tests it could also suffice # to check for "500 OOPS" only.
|
|
||||||
# Checking for the same socket reply DOES NOT suffice -- server can be idle and return the same memory
|
|
||||||
if [[ "${saved_sockreply[1]}" == "${saved_sockreply[2]}" ]] && [[ "${saved_sockreply[2]}" == "${saved_sockreply[3]}" ]] \
|
|
||||||
&& "$found_500_oops"; then
|
|
||||||
pr_done_best "not vulnerable (OK)$append"
|
|
||||||
[[ $DEBUG -ge 1 ]] && out ", successful weeded out vsftpd false positive"
|
|
||||||
fileout "heartbleed" "OK" "Heartbleed: not vulnerable $append" "$cve" "$cwe"
|
|
||||||
else
|
else
|
||||||
out "likely "
|
out "likely "
|
||||||
pr_svrty_critical "VULNERABLE (NOT ok)"
|
pr_svrty_critical "VULNERABLE (NOT ok)"
|
||||||
[[ $DEBUG -ge 1 ]] && out " use debug >=2 to confirm"
|
[[ $DEBUG -lt 3 ]] && out ", use debug >=3 to confirm"
|
||||||
fileout "heartbleed" "CRITICAL" "Heartbleed: likely VULNERABLE $append" "$cve" "$cwe" "$hint"
|
fileout "heartbleed" "CRITICAL" "Heartbleed: VULNERABLE $cve" "$cwe" "$hint"
|
||||||
|
ret=1
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
# for the repeated tries we did that already
|
pr_svrty_critical "VULNERABLE (NOT ok)"
|
||||||
#TMPFILE="$SOCKREPLY"
|
fileout "heartbleed" "CRITICAL" "Heartbleed: VULNERABLE $cve" "$cwe" "$hint"
|
||||||
close_socket 2>/dev/null
|
ret=1
|
||||||
#tmpfile_handle $FUNCNAME.txt
|
|
||||||
fi
|
fi
|
||||||
outln "$append"
|
else
|
||||||
|
pr_done_best "not vulnerable (OK)"
|
||||||
|
fileout "heartbleed" "OK" "Heartbleed: not vulnerable $cve" "$cwe"
|
||||||
|
ret=0
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
outln
|
||||||
|
|
||||||
|
TMPFILE="$SOCK_REPLY_FILE"
|
||||||
|
close_socket
|
||||||
|
tmpfile_handle $FUNCNAME.dd
|
||||||
return $ret
|
return $ret
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -9503,7 +9496,8 @@ ok_ids(){
|
||||||
#FIXME: At a certain point heartbleed and ccs needs to be changed and make use of code2network using a file, then tls_sockets
|
#FIXME: At a certain point heartbleed and ccs needs to be changed and make use of code2network using a file, then tls_sockets
|
||||||
run_ccs_injection(){
|
run_ccs_injection(){
|
||||||
local tls_proto_offered tls_hexcode ccs_message client_hello byte6 sockreply
|
local tls_proto_offered tls_hexcode ccs_message client_hello byte6 sockreply
|
||||||
local -i retval ret lines
|
local -i retval ret lines_returned
|
||||||
|
local tls_hello_ascii=""
|
||||||
local cve="CVE-2014-0224"
|
local cve="CVE-2014-0224"
|
||||||
local cwe="CWE-310"
|
local cwe="CWE-310"
|
||||||
local hint=""
|
local hint=""
|
||||||
|
@ -9593,22 +9587,27 @@ run_ccs_injection(){
|
||||||
sockread_serverhello 2048 $CCS_MAX_WAITSOCK
|
sockread_serverhello 2048 $CCS_MAX_WAITSOCK
|
||||||
retval=$?
|
retval=$?
|
||||||
|
|
||||||
|
tls_hello_ascii=$(hexdump -v -e '16/1 "%02X"' "$SOCK_REPLY_FILE")
|
||||||
|
debugme echo "tls_content_type: ${tls_hello_ascii:0:2}"
|
||||||
|
debugme echo "tls_protocol: ${tls_hello_ascii:2:4}"
|
||||||
|
lines_returned=$(count_lines "$(hexdump -ve '16/1 "%02x " " \n"' "$SOCK_REPLY_FILE")")
|
||||||
|
debugme echo "lines new: $lines_returned, byte6: ${tls_hello_ascii:12:2}"
|
||||||
|
|
||||||
if [[ $DEBUG -ge 3 ]]; then
|
if [[ $DEBUG -ge 3 ]]; then
|
||||||
outln_term "\n2nd reply: "
|
outln_term "\n2nd reply: "
|
||||||
printf -- "$(hexdump -C "$SOCK_REPLY_FILE")"
|
hexdump -C "$SOCK_REPLY_FILE"
|
||||||
# not ok: 15 | 0301 | 02 | 02 | 15
|
|
||||||
# ALERT | TLS 1.0 | Length=2 | Decryption failed (21)
|
|
||||||
# ok: 0a or nothing: ==> RST
|
|
||||||
outln_term
|
outln_term
|
||||||
fi
|
fi
|
||||||
sockreply=$(cat "$SOCK_REPLY_FILE" 2>/dev/null)
|
sockreply=$(cat "$SOCK_REPLY_FILE" 2>/dev/null)
|
||||||
rm "$SOCK_REPLY_FILE"
|
|
||||||
|
|
||||||
byte6=$(echo "$sockreply" | "${HEXDUMPPLAIN[@]}" | sed 's/^..........//')
|
byte6=$(echo "$sockreply" | "${HEXDUMPPLAIN[@]}" | sed 's/^..........//')
|
||||||
lines=$(echo "$sockreply" | "${HEXDUMP[@]}" | count_lines )
|
debugme echo "lines: $lines_returned, byte6: $byte6"
|
||||||
debugme echo "lines: $lines, byte6: $byte6"
|
# not ok: 15 | 0301 | 02 | 02 | 15
|
||||||
|
# ALERT | TLS 1.0 | Length=2 | Decryption failed (21)
|
||||||
|
#
|
||||||
|
# ok: 0a or nothing: ==> RST
|
||||||
|
|
||||||
if [[ "$byte6" == "0a" ]] || [[ "$lines" -gt 1 ]]; then
|
if [[ "$byte6" == "0a" ]] || [[ "$lines_returned" -gt 1 ]]; then
|
||||||
pr_done_best "not vulnerable (OK)"
|
pr_done_best "not vulnerable (OK)"
|
||||||
if [[ $retval -eq 3 ]]; then
|
if [[ $retval -eq 3 ]]; then
|
||||||
fileout "ccs" "OK" "CCS: not vulnerable (timed out)" "$cve" "$cwe"
|
fileout "ccs" "OK" "CCS: not vulnerable (timed out)" "$cve" "$cwe"
|
||||||
|
@ -9628,8 +9627,9 @@ run_ccs_injection(){
|
||||||
[[ $retval -eq 3 ]] && out ", timed out"
|
[[ $retval -eq 3 ]] && out ", timed out"
|
||||||
outln
|
outln
|
||||||
|
|
||||||
|
TMPFILE="$SOCK_REPLY_FILE"
|
||||||
close_socket
|
close_socket
|
||||||
tmpfile_handle $FUNCNAME.txt
|
tmpfile_handle $FUNCNAME.dd
|
||||||
return $ret
|
return $ret
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue