Nmap Development mailing list archives
certificate_request not handled in tls.lua
From: David Fifield <david () bamsoftware com>
Date: Mon, 1 Dec 2014 20:06:29 -0800
ssl-enum-ciphers crashes when you scan a server that sends a
certificate_request message:
$ ./nmap --script +ssl-enum-ciphers tor2.bamsoftware.com -p 9001 -d
NSE: ssl-enum-ciphers against tor2.bamsoftware.com (192.81.135.242:9001) threw an error!
/home/david/nmap-git/nselib/tls.lua:1068: attempt to perform arithmetic on local 'low' (a nil value)
stack traceback:
/home/david/nmap-git/nselib/tls.lua:1068: in function 'unpack_3byte'
/home/david/nmap-git/nselib/tls.lua:1138: in function 'record_read'
/home/david/nmap-git/scripts/ssl-enum-ciphers.nse:153: in function 'get_next_record'
/home/david/nmap-git/scripts/ssl-enum-ciphers.nse:211: in function 'try_params'
/home/david/nmap-git/scripts/ssl-enum-ciphers.nse:672: in function 'compare_ciphers'
/home/david/nmap-git/scripts/ssl-enum-ciphers.nse:706: in function 'find_cipher_preference'
/home/david/nmap-git/scripts/ssl-enum-ciphers.nse:780: in function </home/david/nmap-git/scripts/ssl-enum-ciphers.nse:746>
It looks like the code handling certificate_request was unfinished. It
doesn't consume all the bytes it's supposed to, and the next read of
msg_end reads garbage from the middle of a field, making the next
message look very long, and the crash happens when it runs off the end
of the buffer.
Just removing the handler for certificate_request was enough to make the
scan finish for me.
diff --git a/nselib/tls.lua b/nselib/tls.lua
index ccbc169..8a9a958 100644
--- a/nselib/tls.lua
+++ b/nselib/tls.lua
@@ -1183,11 +1183,6 @@ function record_read(buffer, i)
-- parse these with sslcert.parse_ssl_certificate
table.insert(b["certificates"], cert)
end
- elseif b["type"] == "certificate_request" then
- local num_types
- j, num_types = bin.unpack("C", buffer, j)
- for i = 1, num_types do
- end
else
-- TODO: implement other handshake message types
stdnse.debug2("Unknown handshake message type: %s", b["type"])
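Review bot: The removed branch consumed exactly one byte of the message body (the `bin.unpack("C", buffer, j)` count) and then ran an empty `for i = 1, num_types do end` loop, so `j` was left at the first certificate_type and the next type/length read landed mid-field; dropping it avoids that, but the same class of desync will recur for any future handler that under-consumes. Consider making record_read set `j = msg_end` after every handshake message regardless of what the per-type code consumed, so an incomplete or buggy handler degrades to "message not parsed" rather than an arithmetic-on-nil crash in unpack_3byte, and emit a `stdnse.debug2` for the now-unhandled certificate_request so it is visible in -d output instead of silently falling into the generic "Unknown handshake message type" branch.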
David Fifield
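To make the desync described above concrete, here is an added example, written in Python rather than Lua so it runs stand-alone; it is not Nmap's code and not a patch to tls.lua. It walks the handshake messages in a record body the way a record_read loop does, with a certificate_request parser that consumes all three vectors of the TLS 1.2 message layout (RFC 5246 section 7.4.4) beside a stub that, like the removed hunk, reads only the one-byte count. The record bytes, the handler names and the resync flag are constructed for this illustration; when the walker trusts the stub's byte count it reads a 24-bit length from the middle of the signature_algorithms field and fails on an impossibly long message, which is the behaviour the stack trace shows.

```python
# Added example (not Nmap code): a minimal TLS handshake-message walker in the
# style of tls.lua's record_read, with a certificate_request parser that
# consumes the whole body, beside a stub that consumes only the one-byte count.
import struct

HANDSHAKE_TYPES = {
    2: "server_hello", 11: "certificate", 12: "server_key_exchange",
    13: "certificate_request", 14: "server_hello_done",
}


def unpack_u8(buf, i):
    if i + 1 > len(buf):
        raise ValueError("truncated 1-byte field at offset %d" % i)
    return buf[i], i + 1


def unpack_u16(buf, i):
    if i + 2 > len(buf):
        raise ValueError("truncated 2-byte field at offset %d" % i)
    return struct.unpack_from(">H", buf, i)[0], i + 2


def unpack_u24(buf, i):
    # Handshake message lengths are 3 bytes; running off the end here is the
    # Python analogue of tls.lua's unpack_3byte hitting a nil byte.
    if i + 3 > len(buf):
        raise ValueError("truncated 3-byte length at offset %d" % i)
    return int.from_bytes(buf[i:i + 3], "big"), i + 3


def parse_certificate_request(body):
    """TLS 1.2 CertificateRequest (RFC 5246 7.4.4): certificate_types<1..2^8-1>,
    supported_signature_algorithms<2..2^16-2>, certificate_authorities<0..2^16-1>
    (each entry a 2-byte-length-prefixed DistinguishedName).
    Returns (parsed, bytes_consumed)."""
    i = 0
    num_types, i = unpack_u8(body, i)
    cert_types = list(body[i:i + num_types])
    i += num_types
    sigalgs_len, i = unpack_u16(body, i)
    sig_algs = [(body[k], body[k + 1]) for k in range(i, i + sigalgs_len, 2)]
    i += sigalgs_len
    cas_len, i = unpack_u16(body, i)
    cas_end = i + cas_len
    cas = []
    while i < cas_end:
        dn_len, i = unpack_u16(body, i)
        cas.append(body[i:i + dn_len])
        i += dn_len
    if i != len(body):
        raise ValueError("certificate_request: %d bytes left unparsed" % (len(body) - i))
    return {"certificate_types": cert_types,
            "signature_algorithms": sig_algs,
            "certificate_authorities": cas}, i


def unfinished_certificate_request(body):
    """Mimics the removed tls.lua hunk: read the count, loop over nothing."""
    num_types, i = unpack_u8(body, 0)
    for _ in range(num_types):
        pass
    return None, i          # only one byte of the body was consumed


def read_handshake_messages(buf, handlers, resync=True):
    """Walk the handshake messages in one record body.  With resync=True the
    walker jumps to msg_end after every message no matter how much the
    per-type handler consumed; with resync=False it trusts the handler, which
    is what let the unfinished handler derail the parse."""
    j, msgs = 0, []
    while j < len(buf):
        mtype, j = unpack_u8(buf, j)
        mlen, j = unpack_u24(buf, j)
        msg_end = j + mlen
        if msg_end > len(buf):
            raise ValueError("handshake message claims %d bytes but only %d remain"
                             % (mlen, len(buf) - j))
        name = HANDSHAKE_TYPES.get(mtype, "unknown(%d)" % mtype)
        parsed, consumed = handlers.get(name, lambda b: (None, len(b)))(buf[j:msg_end])
        msgs.append((name, parsed))
        j = msg_end if resync else j + consumed
    return msgs


# Constructed sample record body: a CertificateRequest asking for rsa_sign(1)
# or ecdsa_sign(64) with sha256/rsa (4,1) and sha256/ecdsa (4,3) and one
# 2-byte placeholder DN, followed by ServerHelloDone.
RECORD = bytes.fromhex(
    "0d00000f"          # certificate_request, length 15
    "020140"            # certificate_types: 2 entries
    "000404010403"      # supported_signature_algorithms: 4 bytes
    "000400023000"      # certificate_authorities: one DN of 2 bytes
    "0e000000"          # server_hello_done, length 0
)

FIXED = {"certificate_request": parse_certificate_request}
BROKEN = {"certificate_request": unfinished_certificate_request}


def walk_with_broken_handler():
    """Returns the error raised when the walker trusts the stub handler, or None."""
    try:
        read_handshake_messages(RECORD, BROKEN, resync=False)
    except ValueError as e:
        return str(e)
    return None


if __name__ == "__main__":
    print(read_handshake_messages(RECORD, FIXED))
    print("broken handler, no resync ->", walk_with_broken_handler())
    print("broken handler, resync    ->", read_handshake_messages(RECORD, BROKEN))
```

With the stub handler and no resync the walker picks up the byte 0x01 (the first certificate_type) as a message type and 0x400004 as its length, which is the "next message looks very long" symptom; with resync the same stub merely leaves the message unparsed, which is why resyncing to msg_end after every message is the cheaper defence.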
Current thread:
- certificate_request not handled in tls.lua David Fifield (Dec 01)
- Re: certificate_request not handled in tls.lua Daniel Miller (Dec 02)
