CCS injection: better handling of TLS alert protocols

In certain situations while testting for CCS injection it could have happened
that an error code was sent which was not interpreted properly by testssl.sh.
(https://tools.ietf.org/html/rfc5246#section-7.2)

This has now been fixed and thus addresses #906. Also it has been made sure
that other error codes are reported appropiately.

The case where this test failed before was a non-patched Ubuntu 12.04
with openssl/postfix on port 25.
This commit is contained in:
Dirk 2018-04-20 11:31:05 +02:00
parent 39647d1703
commit 8149c2d5cf
1 changed files with 23 additions and 6 deletions

View File

@ -12156,17 +12156,34 @@ run_ccs_injection(){
else
fileout "$jsonID" "OK" "not vulnerable" "$cve" "$cwe"
fi
elif [[ "$byte6" == "15" ]] && [[ "${tls_hello_ascii:0:4}" == "1503" ]]; then
# decryption failed received
pr_svrty_critical "VULNERABLE (NOT ok)"
fileout "$jsonID" "CRITICAL" "VULNERABLE" "$cve" "$cwe" "$hint"
elif [[ "${tls_hello_ascii:0:4}" == "1503" ]]; then
if [[ "$byte6" == "0A" ]] || [[ "$byte6" == "28" ]]; then
if [[ ! "${tls_hello_ascii:5:2}" =~ [03|02|01|00] ]]; then
pr_warning "test failed "
out "no proper TLS repy (debug info: protocol sent: 1503${tlshexcode#x03, x}, reply: ${tls_hello_ascii:0:14}"
fileout "$jsonID" "DEBUG" "test failed, around line $LINENO, debug info (${tls_hello_ascii:0:14})" "$cve" "$cwe" "$hint"
ret=1
elif [[ "$byte6" == "15" ]]; then
# decryption failed received
pr_svrty_critical "VULNERABLE (NOT ok)"
fileout "$jsonID" "CRITICAL" "VULNERABLE" "$cve" "$cwe" "$hint"
elif [[ "$byte6" == "0A" ]] || [[ "$byte6" == "28" ]]; then
# Unexpected message / Handshake failure received
pr_warning "likely "
out "not vulnerable (OK)"
out " - alert description type: $byte6"
fileout "$jsonID" "WARN" "probably not vulnerable but received 0x${byte6} instead of 0x15" "$cve" "$cwe" "$hint"
elif [[ "$byte6" == "14" ]]; then
# bad_record_mac -- this is not "not vulnerable"
out "likely "
pr_svrty_critical "VULNERABLE (NOT ok)"
out ", suspicious \"bad_record_mac\" ($byte6)"
fileout "$jsonID" "CRITICAL" "likely VULNERABLE" "$cve" "$cwe" "$hint"
else
# other errors, see https://tools.ietf.org/html/rfc5246#section-7.2
out "likely "
pr_svrty_critical "VULNERABLE (NOT ok)"
out ", suspicious error code \"$byte6\" returned. Please report"
fileout "$jsonID" "CRITICAL" "likely VULNERABLE with $byte6" "$cve" "$cwe" "$hint"
fi
elif [[ $STARTTLS_PROTOCOL == "mysql" ]] && [[ "${tls_hello_ascii:14:12}" == "233038533031" ]]; then
# MySQL community edition (yaSSL) returns a MySQL error instead of a TLS Alert
@ -12187,7 +12204,7 @@ run_ccs_injection(){
fi
outln
tmpfile_handle $FUNCNAME.dd $SOCK_REPLY_FILE
tmpfile_handle ${FUNCNAME[0]}.dd $SOCK_REPLY_FILE
close_socket
return $ret
}