Mikina | 31.172.30.* | 4.7.2014 21:14 |
| Hello,
I really don't know how else to fix SSL on the server; I'm out of ideas about this vulnerability finding. I have just compiled OpenSSL to the patched version OpenSSL 1.0.1h and the CVE 2014-224 error keeps recurring. The CVE 2014-160 (Heartbleed) error did not show up after brief tests using a script.
I am basically using my own certificate, generated according to the guide on the website for the Lighttpd server, which thereby got its SSL port opened and so encrypted access to it. It is only a simple pocket website stored on the phone's SD card. But I figure OpenSSL could be less vulnerable :)
Reports:
--Test SSL server 127.0.0.1 on port 443
Supported Server Cipher(s):
Accepted SSLv3 256 bits DHE-RSA-AES256-SHA
Accepted SSLv3 256 bits AES256-SHA
Accepted SSLv3 168 bits DHE-RSA-DES-CBC3-SHA
Accepted SSLv3 168 bits DES-CBC3-SHA
Accepted SSLv3 128 bits DHE-RSA-AES128-SHA
Accepted SSLv3 128 bits AES128-SHA
Accepted SSLv3 128 bits RC4-SHA
Accepted TLSv1 256 bits DHE-RSA-AES256-SHA
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 168 bits DHE-RSA-DES-CBC3-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Accepted TLSv1 128 bits DHE-RSA-AES128-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 128 bits RC4-SHA
Prefered Server Cipher(s):
SSLv3 256 bits DHE-RSA-AES256-SHA
TLSv1 256 bits DHE-RSA-AES256-SHA
-- Test - CVE-2014-0224
python ./OSSL_CCS_InjectTest.py 127.0.0.1 443
***CVE-2014-0224 Detection Tool v0.2***
Brought to you by Tripwire VERT (@TripwireVERT)
[TLSv1.2] 127.0.0.1:443 rejected early CCS
[TLSv1.1] 127.0.0.1:443 rejected early CCS
[TLSv1] 127.0.0.1:443 allows early CCS
[SSLv3] 127.0.0.1:443 allows early CCS
***This System Exhibits Potentially Vulnerable Behavior***
--Test for the SSL heartbeat vulnerability (CVE-2014-0160)
python ./ssltest-tsl.py 127.0.0.1
Connecting...
Sending Client Hello...
Waiting for Server Hello...
... received message: type = 22, ver = 0301, length = 53
... received message: type = 22, ver = 0301, length = 890
... received message: type = 22, ver = 0301, length = 652
... received message: type = 22, ver = 0301, length = 4
Sending heartbeat request...
... received message: type = 21, ver = 0302, length = 2
Received alert:
0000: 02 46 .F
Server returned error, likely not vulnerable
--Configuration for running make
./Configure linux-generic32 --prefix=/usr --openssldir=/etc/ssl --libdir=lib shared zlib-dynamic -DOPENSSL_NO_HEARTBEATS
--openssl version
OpenSSL 1.0.1h 5 Jun 2014
/opt/source# openssl version -a
OpenSSL 1.0.1h 5 Jun 2014
built on: Fri Jul 4 02:08:20 CEST 2014
platform: linux-generic32
options: bn(64,32) rc4(ptr,char) des(idx,cisc,16,long) idea(int) blowfish(ptr)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_NO_HEARTBEATS -DTERMIO -O3 -fomit-frame-pointer -Wall
OPENSSLDIR: "/etc/ssl"
I also found a website where everything is fine for CVE 2014-224, but that site consequently has a paid certificate, so I don't know how much it has to do with OpenSSL...
/opt/source# proxychains4 python ./OSSL_CCS_InjectTest.py 162.159.246.246 443
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/local/lib/libproxychains4.so
[proxychains] DLL init
***CVE-2014-0224 Detection Tool v0.2***
Brought to you by Tripwire VERT (@TripwireVERT)
[proxychains] Strict chain ... 127.0.0.1:9050 ... 162.159.246.246:443 ... OK
[TLSv1.2] 162.159.246.246:443 rejected early CCS
[proxychains] Strict chain ... 127.0.0.1:9050 ... 162.159.246.246:443 ... OK
[TLSv1.1] 162.159.246.246:443 rejected early CCS
[proxychains] Strict chain ... 127.0.0.1:9050 ... 162.159.246.246:443 ... OK
[TLSv1] 162.159.246.246:443 rejected early CCS
[proxychains] Strict chain ... 127.0.0.1:9050 ... 162.159.246.246:443 ... OK
[SSLv3] 162.159.246.246:443 rejected early CCS
No need to patch.
-------------
/opt/pentest/sslscan# ./sslscan --bugs --no-failed 162.159.246.246:443
_
___ ___| |___ ___ __ _ _ __
/ __/ __| / __|/ __/ _` | '_ \
\__ \__ \ \__ \ (_| (_| | | | |
|___/___/_|___/\___\__,_|_| |_|
Version 1.8.2
[link]
Copyright Ian Ventura-Whiting 2009
Testing SSL server 162.159.246.246 on port 443
Supported Server Cipher(s):
Accepted SSLv3 256 bits AES256-SHA
Accepted SSLv3 168 bits DES-CBC3-SHA
Accepted SSLv3 128 bits AES128-SHA
Accepted SSLv3 128 bits RC4-SHA
Accepted TLSv1 256 bits ECDHE-RSA-AES256-SHA
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 168 bits ECDHE-RSA-DES-CBC3-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Accepted TLSv1 128 bits ECDHE-RSA-AES128-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 128 bits ECDHE-RSA-RC4-SHA
Accepted TLSv1 128 bits RC4-SHA
Prefered Server Cipher(s):
SSLv3 128 bits AES128-SHA
TLSv1 128 bits ECDHE-RSA-AES128-SHA
SSL Certificate:
Version: 2
Serial Number: -4294967295
Signature Algorithm: sha1WithRSAEncryption
Issuer: /C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - G2
Not valid before: Jul 3 14:30:07 2014 GMT
Not valid after: Jan 28 17:43:27 2019 GMT
Subject: /C=US/ST=CA/L=San Francisco/O=CloudFlare, Inc./CN=ssl6784.cloudflare.com
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 Extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.2
CPS: [link]
X509v3 Subject Alternative Name:
DNS:ssl6784.cloudflare.com, DNS:filmdikizle.com, DNS:jav188.com, DNS:*.lanhdiamu.vn, DNS:*.kiosbalita.com, DNS:*.pronon.se, DNS:*.teachingtheart.com, DNS:catalyst.org, DNS:filippo.io, DNS:pronon.se, DNS:teachingtheart.com, DNS:*.toptentalk.com, DNS:toptentalk.com, DNS:*.socialjew.com, DNS:socialjew.com, DNS:*.atamba.de, DNS:atamba.de, DNS:*.libres-et-heureux.com, DNS:*.proquro.eu, DNS:*.facebooker.dk, DNS:*.hoobly.com, DNS:dvs.vn, DNS:toptenarticle.com, DNS:proquro.eu, DNS:*.dvs.vn, DNS:hoobly.com, DNS:*.jav188.com, DNS:kiosbalita.com, DNS:*.photoboothdallas.org, DNS:photoboothdallas.org, DNS:afinadoronline.com.br, DNS:*.catalyst.org, DNS:*.trademarks.directory, DNS:lanhdiamu.vn, DNS:facebooker.dk, DNS:*.filmdikizle.com, DNS:dubaipearl.com, DNS:libres-et-heureux.com, DNS:*.filippo.io, DNS:*.toptenarticle.com, DNS:*.dubaipearl.com, DNS:*.afinadoronline.com.br, DNS:trademarks.directory
X509v3 Basic Constraints:
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 CRL Distribution Points:
Full Name:
URI:[link]
Authority Information Access:
CA Issuers - URI:[link]
OCSP - URI:[link]
X509v3 Subject Key Identifier:
8A:37:60:80:69:A8:C9:88:04:2F:71:A1:70:9E:85:DD:9B:64:FA:31
X509v3 Authority Key Identifier:
keyid:5D:46:B2:8D:C4:4B:74:1C:BB:ED:F5:73:B6:3A:B7:38:8F:75:9E:7E
Verify Certificate:
unable to get local issuer certificate
|
|
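A check the post above does not include is whether the running lighttpd process actually maps the rebuilt library from /usr/lib (the `--prefix=/usr --libdir=lib` of the Configure line), since `openssl version` reports only what the command-line binary loads. The following is an added example, not part of the original post; the function names and the sample `/proc/<pid>/maps` lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example. Function names are hypothetical; sample data is constructed.

# Read /proc/<pid>/maps text on stdin; print each distinct mapped
# libssl/libcrypto path once, keeping a trailing " (deleted)" marker.
mapped_openssl_libs() {
    awk '$6 ~ /lib(ssl|crypto)\.so/ {
        path = $6
        for (i = 7; i <= NF; i++) path = path " " $i
        if (!seen[path]++) print path
    }'
}

# Classify the mappings on stdin against the libdir the rebuild installed to.
#   none       - no shared libssl/libcrypto is mapped
#   stale      - file was replaced on disk, process still maps the old copy
#   other-path - process loads a copy from a different directory
#   current    - process maps the files now present in $1
openssl_link_state() {
    local libdir=$1 libs line
    libs=$(mapped_openssl_libs)
    [ -n "$libs" ] || { echo none; return; }
    if printf '%s\n' "$libs" | grep -q ' (deleted)$'; then
        echo stale; return
    fi
    while IFS= read -r line; do
        [ "${line%/*}" = "$libdir" ] || { echo other-path; return; }
    done <<EOF
$libs
EOF
    echo current
}

# Constructed samples in /proc/<pid>/maps format (not taken from the post).
SAMPLE_STALE='b6e2c000-b6e70000 r-xp 00000000 b3:02 4101 /usr/lib/libssl.so.1.0.0 (deleted)
b6e70000-b6e77000 rw-p 00044000 b3:02 4101 /usr/lib/libssl.so.1.0.0 (deleted)
b6c90000-b6e00000 r-xp 00000000 b3:02 4102 /usr/lib/libcrypto.so.1.0.0 (deleted)'
SAMPLE_OTHER='b6e2c000-b6e70000 r-xp 00000000 b3:02 5101 /usr/local/lib/libssl.so.1.0.0
b6c90000-b6e00000 r-xp 00000000 b3:02 5102 /usr/local/lib/libcrypto.so.1.0.0'
SAMPLE_CURRENT='b6e2c000-b6e70000 r-xp 00000000 b3:02 6101 /usr/lib/libssl.so.1.0.0
b6c90000-b6e00000 r-xp 00000000 b3:02 6102 /usr/lib/libcrypto.so.1.0.0'

# Live use (as root): openssl_link_state /usr/lib < /proc/<lighttpd pid>/maps
for s in "$SAMPLE_STALE" "$SAMPLE_OTHER" "$SAMPLE_CURRENT"; do
    printf '%s\n' "$s" | openssl_link_state /usr/lib
done
```

A `stale` result means the server has to be restarted before a re-test says anything about the new build; `other-path` means the process is loading a different copy than the one that was rebuilt.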