Merge branch 'dcooper16-remove_sockread' into 2.9dev

This commit is contained in:
Dirk 2016-09-27 22:33:53 +02:00
commit c028ec4ed6

View File

@ -203,7 +203,6 @@ TLS_EXTENSIONS=""
GOST_STATUS_PROBLEM=false GOST_STATUS_PROBLEM=false
DETECTED_TLS_VERSION="" DETECTED_TLS_VERSION=""
PATTERN2SHOW="" PATTERN2SHOW=""
SOCKREPLY=""
SOCK_REPLY_FILE="" SOCK_REPLY_FILE=""
HEXC="" HEXC=""
NW_STR="" NW_STR=""
@ -260,7 +259,6 @@ TLS_LOW_BYTE=""
HEX_CIPHER="" HEX_CIPHER=""
# The various hexdump commands we need to replace xxd (BSD compatibility) # The various hexdump commands we need to replace xxd (BSD compatibility)
HEXDUMPVIEW=(hexdump -C) # This is used in verbose mode to see what's going on
HEXDUMP=(hexdump -ve '16/1 "%02x " " \n"') # This is used to analyze the reply HEXDUMP=(hexdump -ve '16/1 "%02x " " \n"') # This is used to analyze the reply
HEXDUMPPLAIN=(hexdump -ve '1/1 "%.2x"') # Replaces both xxd -p and tr -cd '[:print:]' HEXDUMPPLAIN=(hexdump -ve '1/1 "%.2x"') # Replaces both xxd -p and tr -cd '[:print:]'
@ -1500,23 +1498,6 @@ socksend() {
sleep $2 sleep $2
} }
#FIXME: This is only for HB and CCS, others use still sockread_serverhello()
sockread() {
local -i ret=0
local ddreply
[[ "x$2" == "x" ]] && maxsleep=$MAX_WAITSOCK || maxsleep=$2
ddreply=$(mktemp $TEMPDIR/ddreply.XXXXXX) || return 7
dd bs=$1 of=$ddreply count=1 <&5 2>/dev/null &
wait_kill $! $maxsleep
ret=$?
SOCKREPLY=$(cat $ddreply 2>/dev/null)
rm $ddreply
return $ret
}
#FIXME: fill the following two: #FIXME: fill the following two:
openssl2rfc() { openssl2rfc() {
: :
@ -6078,9 +6059,10 @@ tls_sockets() {
run_heartbleed(){ run_heartbleed(){
local tls_proto_offered tls_hexcode local tls_proto_offered tls_hexcode
local heartbleed_payload client_hello local heartbleed_payload client_hello
local -i n ret local -i n ret lines_returned
local -i hb_rounds=3 local -i hb_rounds=3
local append="" local append=""
local found_500_oops=false
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for heartbleed vulnerability " && outln [[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for heartbleed vulnerability " && outln
pr_bold " Heartbleed"; out " (CVE-2014-0160) " pr_bold " Heartbleed"; out " (CVE-2014-0160) "
@ -6164,39 +6146,45 @@ run_heartbleed(){
socksend "$client_hello" 1 socksend "$client_hello" 1
debugme outln "\nreading server hello" debugme outln "\nreading server hello"
sockread 32768 sockread_serverhello 32768
if [[ $DEBUG -ge 4 ]]; then if [[ $DEBUG -ge 4 ]]; then
echo "$SOCKREPLY" | "${HEXDUMPVIEW[@]}" | head -20 hexdump -C "$SOCK_REPLY_FILE" | head -20
outln "[...]" outln "[...]"
outln "\nsending payload with TLS version $tls_hexcode:" outln "\nsending payload with TLS version $tls_hexcode:"
fi fi
rm "$SOCK_REPLY_FILE"
socksend "$heartbleed_payload" 1 socksend "$heartbleed_payload" 1
sockread 16384 $HEARTBLEED_MAX_WAITSOCK sockread_serverhello 16384 $HEARTBLEED_MAX_WAITSOCK
[[ $? -eq 3 ]] && append=", timed out" [[ $? -eq 3 ]] && append=", timed out"
lines_returned=$(hexdump -ve '16/1 "%02x " " \n"' "$SOCK_REPLY_FILE" | wc -l | sed 's/ //g')
if [[ $DEBUG -ge 3 ]]; then if [[ $DEBUG -ge 3 ]]; then
outln "\nheartbleed reply: " outln "\nheartbleed reply: "
echo "$SOCKREPLY" | "${HEXDUMPVIEW[@]}" hexdump -C "$SOCK_REPLY_FILE" | head -20
[[ $lines_returned -gt 20 ]] && outln "[...]"
outln outln
fi fi
lines_returned=$(echo "$SOCKREPLY" | "${HEXDUMP[@]}" | wc -l | sed 's/ //g')
if [[ $lines_returned -gt 1 ]]; then if [[ $lines_returned -gt 1 ]]; then
if [[ "$STARTTLS_PROTOCOL" == "ftp" ]] || [[ "$STARTTLS_PROTOCOL" == "ftps" ]]; then if [[ "$STARTTLS_PROTOCOL" == "ftp" ]] || [[ "$STARTTLS_PROTOCOL" == "ftps" ]]; then
# check possibility of weird vsftpd reply, see #426 # check possibility of weird vsftpd reply, see #426
saved_sockreply[n]=$SOCKREPLY saved_sockreply[n]="$(hexdump -ve '1/1 "%.2x"' "$SOCK_REPLY_FILE")"
debugme out "${saved_sockreply[n]}" [[ $n -eq 1 ]] && grep -q '500 OOPS' "$SOCK_REPLY_FILE" && found_500_oops=true
rm "$SOCK_REPLY_FILE"
#debugme out "${saved_sockreply[n]}"
#TMPFILE="${saved_sockreply[n]}" #TMPFILE="${saved_sockreply[n]}"
close_socket close_socket
tmpfile_handle "$FUNCNAME,$n.txt" #tmpfile_handle "$FUNCNAME,$n.txt"
else else
rm "$SOCK_REPLY_FILE"
pr_svrty_critical "VULNERABLE (NOT ok)" pr_svrty_critical "VULNERABLE (NOT ok)"
fileout "heartbleed" "NOT ok" "Heartbleed (CVE-2014-0160): VULNERABLE (NOT ok)$append" fileout "heartbleed" "NOT ok" "Heartbleed (CVE-2014-0160): VULNERABLE (NOT ok)$append"
ret=1 ret=1
break break
fi fi
else else
rm "$SOCK_REPLY_FILE"
pr_done_best "not vulnerable (OK)" pr_done_best "not vulnerable (OK)"
fileout "heartbleed" "OK" "Heartbleed (CVE-2014-0160): not vulnerable (OK)$append" fileout "heartbleed" "OK" "Heartbleed (CVE-2014-0160): not vulnerable (OK)$append"
ret=0 ret=0
@ -6209,7 +6197,7 @@ run_heartbleed(){
# This is the robust approach. According to a few tests it could also suffice # to check for "500 OOPS" only. # This is the robust approach. According to a few tests it could also suffice # to check for "500 OOPS" only.
# Checking for the same socket reply DOES NOT suffice -- server can be idle and return the same memory # Checking for the same socket reply DOES NOT suffice -- server can be idle and return the same memory
if [[ "${saved_sockreply[1]}" == "${saved_sockreply[2]}" ]] && [[ "${saved_sockreply[2]}" == "${saved_sockreply[3]}" ]] \ if [[ "${saved_sockreply[1]}" == "${saved_sockreply[2]}" ]] && [[ "${saved_sockreply[2]}" == "${saved_sockreply[3]}" ]] \
&& echo "${saved_sockreply[1]}" | grep -q '500 OOPS'; then && "$found_500_oops"; then
pr_done_best "not vulnerable (OK)$append" pr_done_best "not vulnerable (OK)$append"
[[ $DEBUG -ge 1 ]] && out ", successful weeded out vsftpd false positive" [[ $DEBUG -ge 1 ]] && out ", successful weeded out vsftpd false positive"
fileout "heartbleed" "OK" "Heartbleed (CVE-2014-0160): not vulnerable (OK)$append" fileout "heartbleed" "OK" "Heartbleed (CVE-2014-0160): not vulnerable (OK)$append"
@ -6223,7 +6211,7 @@ run_heartbleed(){
# for the repeated tries we did that already # for the repeated tries we did that already
#TMPFILE="$SOCKREPLY" #TMPFILE="$SOCKREPLY"
close_socket 2>/dev/null close_socket 2>/dev/null
tmpfile_handle $FUNCNAME.txt #tmpfile_handle $FUNCNAME.txt
fi fi
outln "$append" outln "$append"
@ -6238,6 +6226,9 @@ ok_ids(){
#FIXME: At a certain point heartbleed and ccs needs to be changed and make use of code2network using a file, then tls_sockets #FIXME: At a certain point heartbleed and ccs needs to be changed and make use of code2network using a file, then tls_sockets
run_ccs_injection(){ run_ccs_injection(){
local tls_proto_offered tls_hexcode ccs_message client_hello byte6 sockreply
local -i retval ret lines
# see https://www.openssl.org/news/secadv_20140605.txt # see https://www.openssl.org/news/secadv_20140605.txt
# mainly adapted from Ramon de C Valle's C code from https://gist.github.com/rcvalle/71f4b027d61a78c42607 # mainly adapted from Ramon de C Valle's C code from https://gist.github.com/rcvalle/71f4b027d61a78c42607
[[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for CCS injection vulnerability " && outln [[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for CCS injection vulnerability " && outln
@ -6297,41 +6288,45 @@ run_ccs_injection(){
socksend "$client_hello" 1 socksend "$client_hello" 1
debugme outln "\nreading server hello" debugme outln "\nreading server hello"
sockread 32768 sockread_serverhello 32768
if [[ $DEBUG -ge 4 ]]; then if [[ $DEBUG -ge 4 ]]; then
echo "$SOCKREPLY" | "${HEXDUMPVIEW[@]}" | head -20 hexdump -C "$SOCK_REPLY_FILE" | head -20
outln "[...]" outln "[...]"
outln "\npayload #1 with TLS version $tls_hexcode:" outln "\npayload #1 with TLS version $tls_hexcode:"
fi fi
rm "$SOCK_REPLY_FILE"
# ... and then send the a change cipher spec message # ... and then send the a change cipher spec message
socksend "$ccs_message" 1 || ok_ids socksend "$ccs_message" 1 || ok_ids
sockread 2048 $CCS_MAX_WAITSOCK sockread_serverhello 2048 $CCS_MAX_WAITSOCK
if [[ $DEBUG -ge 3 ]]; then if [[ $DEBUG -ge 3 ]]; then
outln "\n1st reply: " outln "\n1st reply: "
out "$SOCKREPLY" | "${HEXDUMPVIEW[@]}" | head -20 hexdump -C "$SOCK_REPLY_FILE" | head -20
# ok: 15 | 0301 | 02 | 02 | 0a # ok: 15 | 0301 | 02 | 02 | 0a
# ALERT | TLS 1.0 | Length=2 | Unexpected Message (0a) # ALERT | TLS 1.0 | Length=2 | Unexpected Message (0a)
# or just timed out # or just timed out
outln outln
outln "payload #2 with TLS version $tls_hexcode:" outln "payload #2 with TLS version $tls_hexcode:"
fi fi
rm "$SOCK_REPLY_FILE"
socksend "$ccs_message" 2 || ok_ids socksend "$ccs_message" 2 || ok_ids
sockread 2048 $CCS_MAX_WAITSOCK sockread_serverhello 2048 $CCS_MAX_WAITSOCK
retval=$? retval=$?
if [[ $DEBUG -ge 3 ]]; then if [[ $DEBUG -ge 3 ]]; then
outln "\n2nd reply: " outln "\n2nd reply: "
printf -- "$SOCKREPLY" | "${HEXDUMPVIEW[@]}" printf -- "$(hexdump -C "$SOCK_REPLY_FILE")"
# not ok: 15 | 0301 | 02 | 02 | 15 # not ok: 15 | 0301 | 02 | 02 | 15
# ALERT | TLS 1.0 | Length=2 | Decryption failed (21) # ALERT | TLS 1.0 | Length=2 | Decryption failed (21)
# ok: 0a or nothing: ==> RST # ok: 0a or nothing: ==> RST
outln outln
fi fi
sockreply=$(cat "$SOCK_REPLY_FILE" 2>/dev/null)
rm "$SOCK_REPLY_FILE"
byte6=$(echo "$SOCKREPLY" | "${HEXDUMPPLAIN[@]}" | sed 's/^..........//') byte6=$(echo "$sockreply" | "${HEXDUMPPLAIN[@]}" | sed 's/^..........//')
lines=$(echo "$SOCKREPLY" | "${HEXDUMP[@]}" | count_lines ) lines=$(echo "$sockreply" | "${HEXDUMP[@]}" | count_lines )
debugme echo "lines: $lines, byte6: $byte6" debugme echo "lines: $lines, byte6: $byte6"
if [[ "$byte6" == "0a" ]] || [[ "$lines" -gt 1 ]]; then if [[ "$byte6" == "0a" ]] || [[ "$lines" -gt 1 ]]; then