Nmap Development mailing list archives

Re: POODLE vulnerability in TLS not just SSL


From: Mariusz Ziulek <mzet () owasp org>
Date: Sun, 21 Dec 2014 14:06:43 +0100

On Tue, Dec 09, 2014 at 10:53:18AM -0600, Daniel Miller wrote:
Copy-pasting from my comment on Reddit:

[ssl-poodle only tests] for the known-bad condition of SSLv3 with CBC
cipher support. The article is saying that even TLSv1.0 and higher can be
vulnerable if the implementation is not strict enough.

I considered how to write an Nmap script for this new condition, but
there's not really a good way to do it, since it has to modify the way that
data is sent post-handshake (by using random padding instead of PKCS #7
padding), which OpenSSL doesn't let you do. The only alternative I can see
at the moment is implementing a full TLS client in Lua, or at least most of
one and binding the core crypto stuff to OpenSSL.


Dan


Hi,

It would be great to have in Nmap the capability to detect POODLE-affected TLS implementations. Here's
(https://www.fireeye.com/content/fireeye-www/global/en/www/blog/threat-research/2014/12/is_poodle_back_fora.html)
an interesting (and simple) approach to detecting vulnerable implementations.

The idea is to simply increment the second byte of padding during the TLS session.
TLS-conformant implementations should reject this, and vulnerable implementations
would not care and will return HTTP 200.

I'm wondering how hard it would be to implement this in Nmap - as Daniel has written, it is not possible to do it using
the standard OpenSSL API, but I think that it could be implemented using raw sockets & OpenSSL's BIO interface. However, it
seems that the BIO interface isn't currently exposed for Lua scripting.

Maybe another approach is needed. Guys, any thoughts on this?
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
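
The padding rule that the thread above turns on, as an added example that is not part of the original messages and is not Nmap code: a strict TLS-style padding check next to an SSLv3-style lax one, run over a constructed plaintext record whose second padding byte has been incremented. All function names and the sample record are hypothetical.

```python
BLOCK = 16  # AES-CBC block size in bytes

def tls_pad(data: bytes) -> bytes:
    """Append TLS CBC padding: n filler bytes plus a length byte, all set to n."""
    n = (-(len(data) + 1)) % BLOCK
    return data + bytes([n]) * (n + 1)

def _pad_len(plain: bytes) -> int:
    """Read the trailing length byte and make sure the padding fits the record."""
    if not plain or plain[-1] + 1 > len(plain):
        raise ValueError("padding length exceeds record")
    return plain[-1]

def unpad_strict(plain: bytes) -> bytes:
    """TLS 1.0+ rule: every padding byte must equal the padding length."""
    n = _pad_len(plain)
    diff = 0
    for b in plain[-(n + 1):]:
        diff |= b ^ n  # accumulate differences, no early exit on first mismatch
    if diff:
        raise ValueError("padding bytes do not match padding length")
    return plain[:-(n + 1)]

def unpad_lax(plain: bytes) -> bytes:
    """SSLv3-style rule: trust the length byte, ignore the filler bytes."""
    n = _pad_len(plain)
    return plain[:-(n + 1)]

def bump_second_padding_byte(plain: bytes) -> bytes:
    """Increment the second padding byte, the change described in the message above."""
    n = _pad_len(plain)
    if n < 2:
        raise ValueError("need a filler byte that is not the length byte")
    buf = bytearray(plain)
    idx = len(buf) - (n + 1) + 1  # second byte of the padding run
    buf[idx] = (buf[idx] + 1) % 256
    return bytes(buf)

def accepts(unpad, plain: bytes) -> bool:
    """True if the given unpad routine accepts the record without error."""
    try:
        unpad(plain)
        return True
    except ValueError:
        return False

# Constructed sample: request bytes plus a 20-byte stand-in for the record MAC.
# The MAC does not cover the padding, so only the padding check can catch the change.
PAYLOAD = b"GET / HTTP/1.1\r\n\r\n" + b"\x00" * 20
GOOD = tls_pad(PAYLOAD)
TAMPERED = bump_second_padding_byte(GOOD)
```
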

