File: ssl-ccs-injection.nse

package info (click to toggle)
nmap 7.70%2Bdfsg1-6%2Bdeb10u2
  • links: PTS, VCS
  • area: main
  • in suites: buster
  • size: 52,312 kB
  • sloc: cpp: 60,773; ansic: 56,414; python: 17,768; sh: 16,298; xml: 11,478; perl: 2,679; makefile: 1,211; java: 45; objc: 43; awk: 23
file content (280 lines) | stat: -rw-r--r-- 8,642 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
 
local nmap = require('nmap')
local shortport = require('shortport')
local sslcert = require('sslcert')
local stdnse = require('stdnse')
local table = require('table')
local vulns = require('vulns')
local have_tls, tls = pcall(require,'tls')

assert(have_tls,
  "This script requires tls.lua from https://nmap.org/nsedoc/lib/tls.html")

description = [[
Detects whether a server is vulnerable to the SSL/TLS "CCS Injection"
vulnerability (CVE-2014-0224), first discovered by Masashi Kikuchi.
The script is based on the ccsinjection.c code authored by Ramon de C Valle
(https://gist.github.com/rcvalle/71f4b027d61a78c42607)

In order to exploit the vulnerablity, a MITM attacker would effectively
do the following:

    o Wait for a new TLS connection, followed by the ClientHello
      ServerHello handshake messages.

    o Issue a CCS packet in both the directions, which causes the OpenSSL
      code to use a zero length pre master secret key. The packet is sent
      to both ends of the connection. Session Keys are derived using a
      zero length pre master secret key, and future session keys also
      share this weakness.

    o Renegotiate the handshake parameters.

    o The attacker is now able to decrypt or even modify the packets
      in transit.

The script works by sending a 'ChangeCipherSpec' message out of order and
checking whether the server returns an 'UNEXPECTED_MESSAGE' alert record
or not. Since a non-patched server would simply accept this message, the
CCS packet is sent twice, in order to force an alert from the server. If
the alert type is different than 'UNEXPECTED_MESSAGE', we can conclude
the server is vulnerable.
]]

---
-- @usage
-- nmap -p 443 --script ssl-ccs-injection <target>
--
-- @output
-- PORT    STATE SERVICE
-- 443/tcp open  https
-- | ssl-ccs-injection:
-- |   VULNERABLE:
-- |   SSL/TLS MITM vulnerability (CCS Injection)
-- |     State: VULNERABLE
-- |     Risk factor: High
-- |     Description:
-- |       OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before
-- |       1.0.1h does not properly restrict processing of ChangeCipherSpec
-- |       messages, which allows man-in-the-middle attackers to trigger use
-- |       of a zero-length master key in certain OpenSSL-to-OpenSSL
-- |       communications, and consequently hijack sessions or obtain
-- |       sensitive information, via a crafted TLS handshake, aka the
-- |       "CCS Injection" vulnerability.
-- |
-- |     References:
-- |       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
-- |       http://www.cvedetails.com/cve/2014-0224
-- |_      http://www.openssl.org/news/secadv_20140605.txt

author = "Claudiu Perta <claudiu.perta@gmail.com>"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = { "vuln", "safe" }


portrule = function(host, port)
 return shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port)
end

local Error = {
  NOT_VULNERABLE    = 0,
  CONNECT           = 1,
  PROTOCOL_MISMATCH = 2,
  SSL_HANDSHAKE     = 3,
  TIMEOUT           = 4
}

---
-- Reads an SSL/TLS record and returns true if it's a fatal,
-- 'unexpected_message' alert and false otherwise.
local function alert_unexpected_message(s)
  local status, buffer
  status, buffer = tls.record_buffer(s, buffer, 1)
  if not status then
    return false
  end

  local position, record = tls.record_read(buffer, 1)
  if record == nil then
    return false
  end

  if record.type ~= "alert" then
    -- Mark this as VULNERABLE, we expect an alert record
    return true,true
  end

  for _, body in ipairs(record.body) do
    if body.level == "fatal" and body.description == "unexpected_message" then
      return true,false
    end
  end

  return true,true
end

local function test_ccs_injection(host, port, version)
  local hello = tls.client_hello({
      ["protocol"] = version,
      -- Claim to support every cipher
      -- Doesn't work with IIS, but IIS isn't vulnerable
      ["ciphers"] = stdnse.keys(tls.CIPHERS),
      ["compressors"] = {"NULL"},
      ["extensions"] = {
        -- Claim to support common elliptic curves
        ["elliptic_curves"] = tls.EXTENSION_HELPERS["elliptic_curves"](
          tls.DEFAULT_ELLIPTIC_CURVES),
      },
    })

  local status, err
  local s
  local specialized = sslcert.getPrepareTLSWithoutReconnect(port)
  if specialized then
    status, s = specialized(host, port)
    if not status then
      stdnse.debug3("Connection to server failed: %s", s)
      return false, Error.CONNECT
    end
  else
    s = nmap.new_socket()
    status, err = s:connect(host, port)
    if not status then
      stdnse.debug3("Connection to server failed: %s", err)
      return false, Error.CONNECT
    end
  end

  -- Set a sufficiently large timeout
  s:set_timeout(10000)

  -- Send Client Hello to the target server
  status, err = s:send(hello)
  if not status then
    stdnse.debug1("Couldn't send Client Hello: %s", err)
    s:close()
    return false, Error.CONNECT
  end

  -- Read response
  local done = false
  local i = 1
  local response
  repeat
    status, response, err = tls.record_buffer(s, response, i)
    if err == "TIMEOUT" or not status then
      stdnse.verbose1("No response from server: %s", err)
      s:close()
      return false, Error.TIMEOUT
    end

    local record
    i, record = tls.record_read(response, i)
    if record == nil then
      stdnse.debug1("Unknown response from server")
      s:close()
      return false, Error.NOT_VULNERABLE
    elseif record.protocol ~= version then
      stdnse.debug1("Protocol version mismatch (%s)", version)
      s:close()
      return false, Error.PROTOCOL_MISMATCH
    end

    if record.type == "handshake" then
      for _, body in ipairs(record.body) do
        if body.type == "server_hello_done" then
          stdnse.debug1("Handshake completed (%s)", version)
          done = true
        end
      end
    end
  until done

  -- Send the change_cipher_spec message twice to
  -- force an alert in the case the server is not
  -- patched.

  -- change_cipher_spec message
  local ccs = tls.record_write(
    "change_cipher_spec", version, "\x01")

  -- Send the first ccs message
  status, err = s:send(ccs)
  if not status then
    stdnse.debug1("Couldn't send first ccs message: %s", err)
    s:close()
    return false, Error.SSL_HANDSHAKE
  end

  -- Send the second ccs message
  status, err = s:send(ccs)
  if not status then
    stdnse.debug1("Couldn't send second ccs message: %s", err)
    s:close()
    return false, Error.SSL_HANDSHAKE
  end

  -- Read the alert message
  local vulnerable
  status,vulnerable = alert_unexpected_message(s)

  -- Leave the target not vulnerable in case of an error. This could occur
  -- when running against a different TLS/SSL implementations (e.g., GnuTLS)
  if not status then
    stdnse.debug1("Couldn't get reply from the server (probably not OpenSSL)")
    s:close()
    return false, Error.SSL_HANDSHAKE
  end

  if not vulnerable then
    stdnse.debug1("Server returned UNEXPECTED_MESSAGE alert, not vulnerable")
    s:close()
    return false, Error.NOT_VULNERABLE
  else
    stdnse.debug1("Vulnerable - alert is not UNEXPECTED_MESSAGE")
    s:close()
    return true
  end
end

action = function(host, port)
  local vuln_table = {
    title = "SSL/TLS MITM vulnerability (CCS Injection)",
    state = vulns.STATE.NOT_VULN,
    risk_factor = "High",
    description = [[
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h
does not properly restrict processing of ChangeCipherSpec messages,
which allows man-in-the-middle attackers to trigger use of a zero
length master key in certain OpenSSL-to-OpenSSL communications, and
consequently hijack sessions or obtain sensitive information, via
a crafted TLS handshake, aka the "CCS Injection" vulnerability.
    ]],
    references = {
      'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224',
      'http://www.cvedetails.com/cve/2014-0224',
      'http://www.openssl.org/news/secadv_20140605.txt'
    }
  }

  local report = vulns.Report:new(SCRIPT_NAME, host, port)

  -- Iterate over tls.PROTOCOLS
  for tls_version, _ in pairs(tls.PROTOCOLS) do
    local vulnerable, err = test_ccs_injection(host, port, tls_version)

    -- Return an explicit message in case of a TIMEOUT,
    -- to avoid considering this as not vulnerable.
    if err == Error.TIMEOUT then
      return "No reply from server (TIMEOUT)"
    end

    if err ~= Error.PROTOCOL_MISMATCH then
      if vulnerable then
        vuln_table.state = vulns.STATE.VULN
      end
      break
    end
  end

  return report:make_output(vuln_table)
end