[Full-Disclosure] Remote detection of vulnerable OpenSSL versions

From: Florian Weimer (Weimerat_private-Stuttgart.DE)
Date: Tue Sep 17 2002 - 09:39:39 PDT

Next message: Arne Schwerdtfegger: "[VulnWatch] Fw: [ut2003bugs] remote denial of service in ut2003 demo"

Previous message: Sandu Mihai Eduard: "RE: bugtraq.c httpd apache ssl attack"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Remote detection of vulnerable OpenSSL versions

   RUS-CERT has developed a tool to remotely detect vulnerable OpenSSL
   implementations.

Why is such a tool required?

   While the "Slapper" worm is spreading, many system administrators ask
   themselves whether their systems are vulnerable. Even if you apply
   vendor patches regularly, there are some risks which are hard to deal
   with:

     * Vendors might use OpenSSL to implement SSL services, but do not
       publicize it. Consequently, administrators might not know that
       they need to update.
     * Human error might leave systems vulnerable (e.g. people forget to
       restart services after applying patches, or are distracted by
       phone calls and miss a machine).
     * Other SSL implementations might have similar bugs.
     * Vendor upgrades often do not alter the version number, and their
       is no easy way to check if a patched version is running.
     * Vendor patches sometimes do not eliminate the vulnerability.

   As a result, full disclosure is essential; it makes independent
   regression testing possible.

How does it work?

   It is difficult to tell OpenSSL 0.9.6e from vulnerable versions
   because the OpenSSL developers chose to terminate the process if a
   buffer overflow attempt is detected. Over the network, a crash due to
   a buffer overflow and an abrupt, but deliberate process termination
   look the same: in both cases, the TCP connection breaks down. At first
   glance, it appears that we are out of luck and cannot detect
   vulnerable versions.

   However, if we overrun the buffer by only a few bytes, the vulnerable
   version (without check) does not crash. This way, we can tell 0.9.6e
   from previous, vulnerable versions:

                             small overflow large overflow
                  pre-0.9.6e    no crash        crash
                      0.9.6e     crash          crash
                      0.9.6g     error          error

   (0.9.6g signals an SSL error over the network, as one would expect.)

   Other combinations are possible, of course, and this program tries to
   flag them in a reasonable way. (We consider malformed responses an
   indication of lack of care, and a potential security problem.)

   This program performs a third connection attempt (actually the first
   one), to test compatibility of the the SSL implementations.

Obtaining and running the tool

   You can download a copy of the C source code here:

<http://CERT.Uni-Stuttgart.DE/advisories/openssl-sslv2-master/openssl-sslv2-master.c>

   Compiling this program requires an OpenSSL development environment
   (including header files). You have to link this program with OpenSSL's
   "crypto" library (using "-lcrypto", not "-lcrypt"). On some systems,
   you have to link with "-ldl", too.

   After compilation, you can run this program using:

$ ./openssl-sslv2-master [-s] host-IP [port]

   Then a test is performed against host-IP (an IP address in dotted-quad
   notation) and the TCP service running on port (a decimal number). port
   can be omitted, then the default port 443 is assumed.

   Note: You can use this program to test any SSL Version 2.0 server, not
   just HTTPS servers. For some services, a STARTTLS message is required
   to initiate the SSL handshake (e.g. SMTP, POP3, IMAP). This message is
   sent if you supply the "-s" option.

Risks and limitations

   The server could crash (when the large buffer overflow is attempted),
   and fail to restart automatically. The program detects this, but
   obviously cannot undo any damage.

   If the server which is being tested does not support SSLv2, it often
   reacts in a strange way. The SSL protocol does not define a clear
   rejection message, so no proper diagnosis is return by the tool in
   such cases. To determine the cause of a handshake failure, you should
   use a full SSL/TLS implementation, such as "openssl s_client".

Credits

   This program was inspired by the source code of the "Slapper" worm.

   Thanks to Helmut Springer for testing and spotting a few bugs.

About RUS-CERT

   RUS-CERT <http://CERT.Uni-Stuttgart.DE/> is the Computer Emergency
   Response Team located at the Computing Center (RUS) of the
   University of Stuttgart, Germany.

URL of the current version of this document:

   <http://cert.uni-stuttgart.de/advisories/openssl-sslv2-master.php>

-- 
Florian Weimer 	                  Weimerat_private-Stuttgart.DE
University of Stuttgart           http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT                          fax +49-711-685-5898
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Next message: Arne Schwerdtfegger: "[VulnWatch] Fw: [ut2003bugs] remote denial of service in ut2003 demo"
Previous message: Sandu Mihai Eduard: "RE: bugtraq.c httpd apache ssl attack"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Sep 17 2002 - 10:23:32 PDT