342 lines
11 KiB
Lua
342 lines
11 KiB
Lua
local nmap = require "nmap"
|
|
local shortport = require "shortport"
|
|
local table = require "table"
|
|
local tableaux = require "tableaux"
|
|
local stdnse = require "stdnse"
|
|
local string = require "string"
|
|
local sslcert = require "sslcert"
|
|
local sslv2 = require "sslv2"
|
|
local vulns = require "vulns"
|
|
|
|
description = [[
|
|
Determines whether the server supports SSLv2, what ciphers it supports and tests for
|
|
CVE-2015-3197, CVE-2016-0703 and CVE-2016-0800 (DROWN)
|
|
]]
|
|
author = "Bertrand Bonnefoy-Claudet <bertrand@cryptosense.com>"
|
|
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
|
|
-- We can use the set of ciphers detected by sslv2.nse to avoid 1 handshake
|
|
dependencies = {"sslv2"}
|
|
categories = {"intrusive", "vuln"}
|
|
|
|
---
|
|
-- @output
|
|
-- 443/tcp open https
|
|
-- | sslv2-drown:
|
|
-- | ciphers:
|
|
-- | SSL2_DES_192_EDE3_CBC_WITH_MD5
|
|
-- | SSL2_IDEA_128_CBC_WITH_MD5
|
|
-- | SSL2_RC2_128_CBC_WITH_MD5
|
|
-- | SSL2_RC4_128_WITH_MD5
|
|
-- | SSL2_DES_64_CBC_WITH_MD5
|
|
-- | forced_ciphers:
|
|
-- | SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|
|
-- | SSL2_RC4_128_EXPORT40_WITH_MD5
|
|
-- | vulns:
|
|
-- | CVE-2016-0800:
|
|
-- | title: OpenSSL: Cross-protocol attack on TLS using SSLv2 (DROWN)
|
|
-- | state: VULNERABLE
|
|
-- | ids:
|
|
-- | CVE:CVE-2016-0800
|
|
-- | description:
|
|
-- | The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and
|
|
-- | other products, requires a server to send a ServerVerify message before establishing
|
|
-- | that a client possesses certain plaintext RSA data, which makes it easier for remote
|
|
-- | attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding
|
|
-- | oracle, aka a "DROWN" attack.
|
|
-- |
|
|
-- | refs:
|
|
-- | https://www.openssl.org/news/secadv/20160301.txt
|
|
-- |_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0800
|
|
--
|
|
-- @xmloutput
|
|
-- <table key="ciphers">
|
|
-- <elem>SSL2_DES_192_EDE3_CBC_WITH_MD5</elem>
|
|
-- <elem>SSL2_IDEA_128_CBC_WITH_MD5</elem>
|
|
-- <elem>SSL2_RC2_128_CBC_WITH_MD5</elem>
|
|
-- <elem>SSL2_RC4_128_WITH_MD5</elem>
|
|
-- <elem>SSL2_DES_64_CBC_WITH_MD5</elem>
|
|
-- </table>
|
|
-- <table key="forced_ciphers">
|
|
-- <elem>SSL2_RC2_128_CBC_EXPORT40_WITH_MD5</elem>
|
|
-- <elem>SSL2_RC4_128_EXPORT40_WITH_MD5</elem>
|
|
-- </table>
|
|
-- <table key="vulns">
|
|
-- <table key="CVE-2016-0800">
|
|
-- <elem key="title">OpenSSL: Cross-protocol attack on TLS using SSLv2 (DROWN)</elem>
|
|
-- <elem key="state">VULNERABLE</elem>
|
|
-- <table key="ids">
|
|
-- <elem>CVE:CVE-2016-0800</elem>
|
|
-- </table>
|
|
-- <table key="description">
|
|
-- <elem>
|
|
-- The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before
|
|
-- 1.0.2g and other products, requires a server to send a ServerVerify
|
|
-- message before establishing that a client possesses certain plaintext
|
|
-- RSA data, which makes it easier for remote attackers to decrypt TLS
|
|
-- ciphertext data by leveraging a Bleichenbacher RSA padding oracle, aka
|
|
-- a "DROWN" attack.
|
|
-- </elem>
|
|
-- </table>
|
|
-- <table key="refs">
|
|
-- <elem>https://www.openssl.org/news/secadv/20160301.txt</elem>
|
|
-- <elem>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0800</elem>
|
|
-- </table>
|
|
-- </table>
|
|
-- </table>
|
|
|
|
|
|
-- Those ciphers are weak enough to enable a "General DROWN" attack.
|
|
local GENERAL_DROWN_CIPHERS = {}
|
|
for k, v in pairs(sslv2.SSL_CIPHERS) do
|
|
-- 40 bits or less, or single-DES (56 bits)
|
|
if v.encrypted_key_length <= 5 or v.str:find("DES_64") then
|
|
GENERAL_DROWN_CIPHERS[v.str] = true
|
|
end
|
|
end
|
|
|
|
portrule = function(host, port)
|
|
return shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port)
|
|
end
|
|
|
|
-- Return whether all values of "t1" are also values in "t2".
|
|
local function values_in(t1, t2)
|
|
local set = {}
|
|
for _, e in pairs(t2) do
|
|
set[e] = true
|
|
end
|
|
for _, e in pairs(t1) do
|
|
if not set[e] then
|
|
return false
|
|
end
|
|
end
|
|
return true
|
|
end
|
|
|
|
-- Create a socket ready to begin an SSL negotiation and send client_hello
|
|
local function do_setup(host, port)
|
|
local timeout = stdnse.get_timeout(host, 10000, 5000)
|
|
local status, socket, err
|
|
local starttls = sslcert.getPrepareTLSWithoutReconnect(port)
|
|
if starttls then
|
|
status, socket = starttls(host, port)
|
|
if not status then
|
|
stdnse.debug(1, "Can't connect using STARTTLS: %s", socket)
|
|
return nil
|
|
end
|
|
else
|
|
socket = nmap.new_socket()
|
|
socket:set_timeout(timeout)
|
|
status, err = socket:connect(host, port)
|
|
if not status then
|
|
stdnse.debug(1, "Can't connect: %s", err)
|
|
return nil
|
|
end
|
|
end
|
|
socket:set_timeout(timeout)
|
|
socket:send(sslv2.client_hello(tableaux.keys(sslv2.SSL_CIPHER_CODES)))
|
|
local status, buffer = sslv2.record_buffer(socket)
|
|
if not status then
|
|
socket:close()
|
|
return false
|
|
end
|
|
return socket, buffer
|
|
end
|
|
|
|
local function try_force_cipher(host, port, cipher)
|
|
local socket, buffer = do_setup(host, port)
|
|
if not socket then
|
|
return false
|
|
end
|
|
|
|
local i, server_hello = sslv2.record_read(buffer)
|
|
|
|
local code = sslv2.SSL_CIPHER_CODES[cipher]
|
|
local key_length = sslv2.SSL_CIPHERS[code].key_length
|
|
local encrypted_key_length = sslv2.SSL_CIPHERS[code].encrypted_key_length
|
|
|
|
local dummy_key = string.rep("\0", key_length)
|
|
local clear_key = dummy_key:sub(1, key_length - encrypted_key_length)
|
|
local encrypted_key = dummy_key:sub(key_length - encrypted_key_length + 1)
|
|
|
|
local dummy_client_master_key = sslv2.client_master_secret(cipher, clear_key, encrypted_key)
|
|
socket:send(dummy_client_master_key)
|
|
local status, buffer = sslv2.record_buffer(socket, buffer, i)
|
|
socket:close()
|
|
if not status then
|
|
return false
|
|
end
|
|
local i, message = sslv2.record_read(buffer, i)
|
|
|
|
-- Treat an error as a failure to force the cipher.
|
|
if not message or message.message_type == sslv2.SSL_MESSAGE_TYPES.ERROR then
|
|
return false
|
|
end
|
|
|
|
return true
|
|
end
|
|
|
|
local function has_extra_clear_bug(host, port, cipher)
|
|
local socket, buffer = do_setup(host, port)
|
|
if not socket then
|
|
return false
|
|
end
|
|
|
|
local i, server_hello = sslv2.record_read(buffer)
|
|
|
|
local code = sslv2.SSL_CIPHER_CODES[cipher]
|
|
local key_length = sslv2.SSL_CIPHERS[code].key_length
|
|
local encrypted_key_length = sslv2.SSL_CIPHERS[code].encrypted_key_length
|
|
|
|
-- The length of clear_key is intentionally wrong to highlight the bug.
|
|
local clear_key = string.rep("\0", key_length - encrypted_key_length + 1)
|
|
local encrypted_key = string.rep("\0", encrypted_key_length)
|
|
|
|
local dummy_client_master_key = sslv2.client_master_secret(cipher, clear_key, encrypted_key)
|
|
socket:send(dummy_client_master_key)
|
|
local status, buffer, err = sslv2.record_buffer(socket, buffer, i)
|
|
socket:close()
|
|
if not status then
|
|
return false
|
|
end
|
|
local i, message = sslv2.record_read(buffer, i)
|
|
|
|
-- Treat an error as a failure to force the cipher.
|
|
if not message or message.message_type == sslv2.SSL_MESSAGE_TYPES.ERROR then
|
|
return false
|
|
end
|
|
|
|
return true
|
|
end
|
|
|
|
local function registry_get(host, port)
|
|
if host.registry.sslv2 then
|
|
return host.registry.sslv2[port.number .. port.protocol]
|
|
end
|
|
end
|
|
|
|
local function unique (t)
|
|
local tc = {};
|
|
for k,v in ipairs(t) do
|
|
tc[v] = true;
|
|
end
|
|
return tc;
|
|
end
|
|
|
|
function action(host, port)
|
|
local output = stdnse.output_table()
|
|
local report = vulns.Report:new("sslv2-drown", host, port)
|
|
local cve_2015_3197 = {
|
|
title = "OpenSSL: SSLv2 doesn't block disabled ciphers",
|
|
state = vulns.STATE.NOT_VULN,
|
|
IDS = {
|
|
CVE = 'CVE-2015-3197',
|
|
},
|
|
risk_factor = "Low",
|
|
description = [[
|
|
ssl/s2_srvr.c in OpenSSL 1.0.1 before 1.0.1r and 1.0.2 before 1.0.2f does not
|
|
prevent use of disabled ciphers, which makes it easier for man-in-the-middle
|
|
attackers to defeat cryptographic protection mechanisms by performing computations
|
|
on SSLv2 traffic, related to the get_client_master_key and get_client_hello
|
|
functions.
|
|
]],
|
|
references = {
|
|
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3197",
|
|
"https://www.openssl.org/news/secadv/20160128.txt",
|
|
},
|
|
}
|
|
local cve_2016_0703 = {
|
|
title = "OpenSSL: Divide-and-conquer session key recovery in SSLv2",
|
|
state = vulns.STATE.NOT_VULN,
|
|
IDS = {
|
|
CVE = 'CVE-2016-0703',
|
|
},
|
|
risk_factor = "High",
|
|
description = [[
|
|
The get_client_master_key function in s2_srvr.c in the SSLv2 implementation in
|
|
OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before
|
|
1.0.2a accepts a nonzero CLIENT-MASTER-KEY CLEAR-KEY-LENGTH value for an arbitrary
|
|
cipher, which allows man-in-the-middle attackers to determine the MASTER-KEY value
|
|
and decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, a
|
|
related issue to CVE-2016-0800.
|
|
]],
|
|
references = {
|
|
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0703",
|
|
"https://www.openssl.org/news/secadv/20160301.txt",
|
|
},
|
|
}
|
|
local cve_2016_0800 = {
|
|
title = "OpenSSL: Cross-protocol attack on TLS using SSLv2 (DROWN)",
|
|
state = vulns.STATE.NOT_VULN,
|
|
IDS = {
|
|
CVE = 'CVE-2016-0800',
|
|
},
|
|
risk_factor = "High",
|
|
description = [[
|
|
The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and
|
|
other products, requires a server to send a ServerVerify message before establishing
|
|
that a client possesses certain plaintext RSA data, which makes it easier for remote
|
|
attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding
|
|
oracle, aka a "DROWN" attack.
|
|
]],
|
|
references = {
|
|
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0800",
|
|
"https://www.openssl.org/news/secadv/20160301.txt",
|
|
},
|
|
}
|
|
local offered_ciphers = registry_get(host, port) or sslv2.test_sslv2(host, port)
|
|
if not offered_ciphers then
|
|
output.vulns = report:make_output()
|
|
if (#output > 0) then
|
|
return output
|
|
else
|
|
return nil
|
|
end
|
|
end
|
|
if next(offered_ciphers) then
|
|
output.ciphers = offered_ciphers
|
|
end
|
|
|
|
-- CVE-2015-3197
|
|
local forced_ciphers = {}
|
|
local all_ciphers = unique(offered_ciphers)
|
|
for cipher, code in pairs(sslv2.SSL_CIPHER_CODES) do
|
|
if not all_ciphers[cipher] and try_force_cipher(host, port, cipher) then
|
|
all_ciphers[cipher] = true
|
|
table.insert(forced_ciphers, cipher)
|
|
end
|
|
end
|
|
if next(forced_ciphers) then
|
|
output.forced_ciphers = forced_ciphers
|
|
cve_2015_3197.state = vulns.STATE.VULN
|
|
end
|
|
|
|
-- CVE-2016-0703
|
|
local cipher, _ = next(all_ciphers)
|
|
local result = has_extra_clear_bug(host, port, cipher)
|
|
if result then
|
|
cve_2016_0703.state = vulns.STATE.VULN
|
|
end
|
|
|
|
|
|
-- CVE-2016-0800
|
|
local has_weak_ciphers = false
|
|
for cipher, _ in pairs(all_ciphers) do
|
|
if GENERAL_DROWN_CIPHERS[cipher] then
|
|
has_weak_ciphers = true
|
|
break
|
|
end
|
|
end
|
|
if has_weak_ciphers or cve_2016_0703.state == vulns.STATE.VULN then
|
|
cve_2016_0800.state = vulns.STATE.VULN
|
|
end
|
|
|
|
report:add_vulns(cve_2015_3197)
|
|
report:add_vulns(cve_2016_0703)
|
|
report:add_vulns(cve_2016_0800)
|
|
|
|
output.vulns = report:make_output()
|
|
if (#output > 0) then
|
|
return output
|
|
end
|
|
end
|