Detect DROWN with NSE script sslv2-drown #365
Conversation
|
Thanks for this good work! I like the idea of specific checks for the 3 SSLv2-related vulnerabilities, but I have 2 concerns with including them in the
I would like to see how this PR would look with the following changes:
|
|
@bbc2 Be sure to let us know when you think this is ready for review again. |
|
OK! It's not ready yet. |
This fixes the XML output but leaves the human-readable output unchanged.
This is important if more than one SSL record is to be read, which will be the case later.
A draft of SSL 2 is available at the following address: https://tools.ietf.org/html/draft-hickman-netscape-ssl-00
This improves sslv2 with new data structures to make it easier to extend. sslv2-drown is a new script copied from sslv2 and which is aimed at finding DROWN-related vulnerabilities. See CVE-2015-3197 and [1] for more information about the one detected with this commit. [1]: https://www.openssl.org/news/secadv/20160128.txt
If not available, do the sslv2 test anyway. It's required to check for CVE-2015-3197.
|
@dmiller-nmap It's ready for review. Thank you for your help! I've hopefully addressed all your concerns. I don't know what is the best practice for NSE libraries but we could win a lot on code deduplication if the two scripts shared common SSLv2 structures and functions. |
bbc2
changed the title
|
Working on integrating this. Partially applied changes to sslv2.nse, along with some of my own improvements. Expect to have your DROWN script and possibly a sslv2 library committed in the next few days. Thanks so much for this great work! |
|
@bbc2 You list these ciphers as "weak enough to enable" DROWN: -- Those ciphers are weak enough to enable a "General DROWN" attack.
local GENERAL_DROWN_CIPHERS = {
[SSL_CK.RC2_128_CBC_EXPORT40_WITH_MD5] = true,
[SSL_CK.RC4_128_EXPORT40_WITH_MD5] = true,
[SSL_CK.DES_64_CBC_WITH_MD5] = true,
}Why these and not SSL2_RC4_64_WITH_MD5? It also has an encrypted-key length of 8 (64 bits) like SSL2_DES_64_CBC_WITH_MD5. On the other hand, the DROWN paper only mentions EXPORT ciphers (40 bits) as being vulnerable, so should SSL2_DES_64_CBC_WITH_MD5 be removed from the list? |
|
|
||
| -- CVE-2016-0703 | ||
| for _, cipher in pairs(forced_ciphers) do | ||
| local result = has_extra_clear_bug(host, port, cipher) |
There was a problem hiding this comment.
@bbc2 Do we really need to try this for every discovered cipher? If the bug is there, it should show up no matter what the cipher we choose. I'll test it myself if you don't have further insight.
There was a problem hiding this comment.
That's right, if the bug is there, it will stop at the first cipher suite with which it detected it (see the break below). However, it will try all cipher suites until it detects it, which might be unnecessary. I tried to remember why it does it like that but can't. It should be enough to only test the first cipher we get and determine whether the bug is there or not.
|
I took the list of weak enough ciphers from an early version of the DROWN paper which listed them explicitly. In the published version it's less obvious but please see the last paragraph of section 4.1 (The SSLv2 export padding oracle):
Even though DES requires 64-bit keys, it only uses 56 bits from them, making it a lot weaker against bruteforce than other ciphers with 64-bit keys. |
|
Thanks for the review and the integration, it's awesome! |
git-svn-id: https://svn.nmap.org/nmap@35939 e0a8ed71-7df4-0310-8962-fdc924857419
git-svn-id: https://svn.nmap.org/nmap@35965 e0a8ed71-7df4-0310-8962-fdc924857419
This adds the detection of severe SSLv2 vulnerabilities in OpenSSL (CVE-2015-3197, CVE-2016-0703 and CVE-2016-0800, also known as DROWN). The three CVEs are related and the result of the test should give an idea of how vulnerable the tested server is. I've tested the script with real servers from https://test.drownattack.com/ and relevant versions of OpenSSL
s_server). Because they can be intrusive, those tests are only performed if thesslv2.extended-testscript-arg is given. The default behavior of the script is mostly the same as before.To deal with more than SSLv2 hello packets, I've had to refine the decoding and encoding of packets and I followed the draft spec for that. For instance, this should make record length computing a lot clearer. The script should also be easier to extend in the future.
I've mentioned this work on the mailing-list some time ago: http://seclists.org/nmap-dev/2016/q1/259 and as said there, I'd be happy to get feedback on this new version.