403Webshell
Server IP : 80.87.202.40  /  Your IP : 216.73.216.169
Web Server : Apache
System : Linux rospirotorg.ru 5.14.0-539.el9.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Dec 5 22:26:13 UTC 2024 x86_64
User : bitrix ( 600)
PHP Version : 8.2.27
Disable Function : NONE
MySQL : OFF |  cURL : ON |  WGET : ON |  Perl : ON |  Python : OFF |  Sudo : ON |  Pkexec : ON
Directory :  /usr/share/nmap/scripts/

Upload File :
current_dir [ Writeable] document_root [ Writeable]

 

Command :


[ Back ]     

Current File : /usr/share/nmap/scripts/sslv2-drown.nse
local nmap = require "nmap"
local shortport = require "shortport"
local table = require "table"
local tableaux = require "tableaux"
local stdnse = require "stdnse"
local string = require "string"
local sslcert = require "sslcert"
local sslv2 = require "sslv2"
local vulns = require "vulns"

description = [[
Determines whether the server supports SSLv2, what ciphers it supports and tests for
CVE-2015-3197, CVE-2016-0703 and CVE-2016-0800 (DROWN)
]]
author = "Bertrand Bonnefoy-Claudet <bertrand@cryptosense.com>"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
-- We can use the set of ciphers detected by sslv2.nse to avoid 1 handshake
dependencies = {"sslv2"}
categories = {"intrusive", "vuln"}

---
-- @output
-- 443/tcp open  https
-- | sslv2-drown:
-- |   ciphers:
-- |     SSL2_DES_192_EDE3_CBC_WITH_MD5
-- |     SSL2_IDEA_128_CBC_WITH_MD5
-- |     SSL2_RC2_128_CBC_WITH_MD5
-- |     SSL2_RC4_128_WITH_MD5
-- |     SSL2_DES_64_CBC_WITH_MD5
-- |   forced_ciphers:
-- |     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
-- |     SSL2_RC4_128_EXPORT40_WITH_MD5
-- |   vulns:
-- |     CVE-2016-0800:
-- |       title: OpenSSL: Cross-protocol attack on TLS using SSLv2 (DROWN)
-- |       state: VULNERABLE
-- |       ids:
-- |         CVE:CVE-2016-0800
-- |       description:
-- |               The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and
-- |       other products, requires a server to send a ServerVerify message before establishing
-- |       that a client possesses certain plaintext RSA data, which makes it easier for remote
-- |       attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding
-- |       oracle, aka a "DROWN" attack.
-- |
-- |       refs:
-- |         https://www.openssl.org/news/secadv/20160301.txt
-- |_        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0800
--
-- @xmloutput
-- <table key="ciphers">
--   <elem>SSL2_DES_192_EDE3_CBC_WITH_MD5</elem>
--   <elem>SSL2_IDEA_128_CBC_WITH_MD5</elem>
--   <elem>SSL2_RC2_128_CBC_WITH_MD5</elem>
--   <elem>SSL2_RC4_128_WITH_MD5</elem>
--   <elem>SSL2_DES_64_CBC_WITH_MD5</elem>
-- </table>
-- <table key="forced_ciphers">
--   <elem>SSL2_RC2_128_CBC_EXPORT40_WITH_MD5</elem>
--   <elem>SSL2_RC4_128_EXPORT40_WITH_MD5</elem>
-- </table>
-- <table key="vulns">
--   <table key="CVE-2016-0800">
--     <elem key="title">OpenSSL: Cross-protocol attack on TLS using SSLv2 (DROWN)</elem>
--     <elem key="state">VULNERABLE</elem>
--     <table key="ids">
--       <elem>CVE:CVE-2016-0800</elem>
--     </table>
--     <table key="description">
--       <elem>
--         The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before
--         1.0.2g and other products, requires a server to send a ServerVerify
--         message before establishing that a client possesses certain plaintext
--         RSA data, which makes it easier for remote attackers to decrypt TLS
--         ciphertext data by leveraging a Bleichenbacher RSA padding oracle, aka
--         a "DROWN" attack.
--       </elem>
--     </table>
--     <table key="refs">
--       <elem>https://www.openssl.org/news/secadv/20160301.txt</elem>
--       <elem>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0800</elem>
--     </table>
--   </table>
-- </table>


-- Those ciphers are weak enough to enable a "General DROWN" attack.
local GENERAL_DROWN_CIPHERS = {}
for k, v in pairs(sslv2.SSL_CIPHERS) do
  -- 40 bits or less, or single-DES (56 bits)
  if v.encrypted_key_length <= 5 or v.str:find("DES_64") then
    GENERAL_DROWN_CIPHERS[v.str] = true
  end
end

portrule = function(host, port)
  return shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port)
end

-- Return whether all values of "t1" are also values in "t2".
local function values_in(t1, t2)
  local set = {}
  for _, e in pairs(t2) do
    set[e] = true
  end
  for _, e in pairs(t1) do
    if not set[e] then
      return false
    end
  end
  return true
end

-- Create a socket ready to begin an SSL negotiation and send client_hello
local function do_setup(host, port)
  local timeout = stdnse.get_timeout(host, 10000, 5000)
  local status, socket, err
  local starttls = sslcert.getPrepareTLSWithoutReconnect(port)
  if starttls then
    status, socket = starttls(host, port)
    if not status then
      stdnse.debug(1, "Can't connect using STARTTLS: %s", socket)
      return nil
    end
  else
    socket = nmap.new_socket()
    socket:set_timeout(timeout)
    status, err = socket:connect(host, port)
    if not status then
      stdnse.debug(1, "Can't connect: %s", err)
      return nil
    end
  end
  socket:set_timeout(timeout)
  socket:send(sslv2.client_hello(tableaux.keys(sslv2.SSL_CIPHER_CODES)))
  local status, buffer = sslv2.record_buffer(socket)
  if not status then
    socket:close()
    return false
  end
  return socket, buffer
end

local function try_force_cipher(host, port, cipher)
  local socket, buffer = do_setup(host, port)
  if not socket then
    return false
  end

  local i, server_hello = sslv2.record_read(buffer)

  local code = sslv2.SSL_CIPHER_CODES[cipher]
  local key_length = sslv2.SSL_CIPHERS[code].key_length
  local encrypted_key_length = sslv2.SSL_CIPHERS[code].encrypted_key_length

  local dummy_key = string.rep("\0", key_length)
  local clear_key = dummy_key:sub(1, key_length - encrypted_key_length)
  local encrypted_key = dummy_key:sub(key_length - encrypted_key_length + 1)

  local dummy_client_master_key = sslv2.client_master_secret(cipher, clear_key, encrypted_key)
  socket:send(dummy_client_master_key)
  local status, buffer = sslv2.record_buffer(socket, buffer, i)
  socket:close()
  if not status then
    return false
  end
  local i, message = sslv2.record_read(buffer, i)

  -- Treat an error as a failure to force the cipher.
  if not message or message.message_type == sslv2.SSL_MESSAGE_TYPES.ERROR then
    return false
  end

  return true
end

local function has_extra_clear_bug(host, port, cipher)
  local socket, buffer = do_setup(host, port)
  if not socket then
    return false
  end

  local i, server_hello = sslv2.record_read(buffer)

  local code = sslv2.SSL_CIPHER_CODES[cipher]
  local key_length = sslv2.SSL_CIPHERS[code].key_length
  local encrypted_key_length = sslv2.SSL_CIPHERS[code].encrypted_key_length

  -- The length of clear_key is intentionally wrong to highlight the bug.
  local clear_key = string.rep("\0", key_length - encrypted_key_length + 1)
  local encrypted_key = string.rep("\0", encrypted_key_length)

  local dummy_client_master_key = sslv2.client_master_secret(cipher, clear_key, encrypted_key)
  socket:send(dummy_client_master_key)
  local status, buffer, err = sslv2.record_buffer(socket, buffer, i)
  socket:close()
  if not status then
    return false
  end
  local i, message = sslv2.record_read(buffer, i)

  -- Treat an error as a failure to force the cipher.
  if not message or message.message_type == sslv2.SSL_MESSAGE_TYPES.ERROR then
    return false
  end

  return true
end

local function registry_get(host, port)
  if host.registry.sslv2 then
    return host.registry.sslv2[port.number .. port.protocol]
  end
end

local function unique (t)
  local tc = {};
  for k,v in ipairs(t) do
    tc[v] = true;
  end
  return tc;
end

function action(host, port)
  local output = stdnse.output_table()
  local report = vulns.Report:new("sslv2-drown", host, port)
  local cve_2015_3197 = {
    title = "OpenSSL: SSLv2 doesn't block disabled ciphers",
    state = vulns.STATE.NOT_VULN,
    IDS = {
      CVE = 'CVE-2015-3197',
    },
    risk_factor = "Low",
    description = [[
      ssl/s2_srvr.c in OpenSSL 1.0.1 before 1.0.1r and 1.0.2 before 1.0.2f does not
      prevent use of disabled ciphers, which makes it easier for man-in-the-middle
      attackers to defeat cryptographic protection mechanisms by performing computations
      on SSLv2 traffic, related to the get_client_master_key and get_client_hello
      functions.
    ]],
    references = {
      "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3197",
      "https://www.openssl.org/news/secadv/20160128.txt",
    },
  }
  local cve_2016_0703 = {
    title = "OpenSSL: Divide-and-conquer session key recovery in SSLv2",
    state = vulns.STATE.NOT_VULN,
    IDS = {
      CVE = 'CVE-2016-0703',
    },
    risk_factor = "High",
    description = [[
      The get_client_master_key function in s2_srvr.c in the SSLv2 implementation in
      OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before
      1.0.2a accepts a nonzero CLIENT-MASTER-KEY CLEAR-KEY-LENGTH value for an arbitrary
      cipher, which allows man-in-the-middle attackers to determine the MASTER-KEY value
      and decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, a
      related issue to CVE-2016-0800.
    ]],
    references = {
      "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0703",
      "https://www.openssl.org/news/secadv/20160301.txt",
    },
  }
  local cve_2016_0800 = {
    title = "OpenSSL: Cross-protocol attack on TLS using SSLv2 (DROWN)",
    state = vulns.STATE.NOT_VULN,
    IDS = {
      CVE = 'CVE-2016-0800',
    },
    risk_factor = "High",
    description = [[
      The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and
      other products, requires a server to send a ServerVerify message before establishing
      that a client possesses certain plaintext RSA data, which makes it easier for remote
      attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding
      oracle, aka a "DROWN" attack.
    ]],
    references = {
      "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0800",
      "https://www.openssl.org/news/secadv/20160301.txt",
    },
  }
  local offered_ciphers = registry_get(host, port) or sslv2.test_sslv2(host, port)
  if not offered_ciphers then
    output.vulns = report:make_output()
    if (#output > 0) then
      return output
    else
      return nil
    end
  end
  if next(offered_ciphers) then
    output.ciphers = offered_ciphers
  end

  -- CVE-2015-3197
  local forced_ciphers = {}
  local all_ciphers = unique(offered_ciphers)
  for cipher, code in pairs(sslv2.SSL_CIPHER_CODES) do
    if not all_ciphers[cipher] and try_force_cipher(host, port, cipher) then
      all_ciphers[cipher] = true
      table.insert(forced_ciphers, cipher)
    end
  end
  if next(forced_ciphers) then
    output.forced_ciphers = forced_ciphers
    cve_2015_3197.state = vulns.STATE.VULN
  end

  -- CVE-2016-0703
  local cipher, _ = next(all_ciphers)
  local result = has_extra_clear_bug(host, port, cipher)
  if result then
    cve_2016_0703.state = vulns.STATE.VULN
  end


  -- CVE-2016-0800
  local has_weak_ciphers = false
  for cipher, _ in pairs(all_ciphers) do
    if GENERAL_DROWN_CIPHERS[cipher] then
      has_weak_ciphers = true
      break
    end
  end
  if has_weak_ciphers or cve_2016_0703.state == vulns.STATE.VULN then
    cve_2016_0800.state = vulns.STATE.VULN
  end

  report:add_vulns(cve_2015_3197)
  report:add_vulns(cve_2016_0703)
  report:add_vulns(cve_2016_0800)

  output.vulns = report:make_output()
  if (#output > 0) then
    return output
  end
end

Youez - 2016 - github.com/yon3zu
LinuXploit