Haroon Meer wrote:
> Hi guys..
>
> We recently started picking up false positives with the ssltest.nasl
> (OpenSSL overflow via invalid certificate passing) (script_id(11875))
> against IIS servers.
>
> The nasl _does_ do a check for IIS, Netware etc. prior to testing by
> sending a client_hello(mymlen:0, mymtype:0, myversion:15) and checking
> for a response.
>
> A response (according to the script) indicates an
> IIS/Netware/Non-OpenSSL implementation and the test exits there..
>
> This used to work perfectly: (ssltest.nasl renamed ssltest2 with more
> display()'s)
>
> -snip-
> [root@intercrastic plugins]# nasl -t IIS_Server.local ssltest2.nasl
>
> Made the connect!
> Sent the client_hello(mymlen:0, mymtype:0, myversion:15)
>
> got stuff back
> Exiting
> -snip-
>
> An OpenSSL server used to return:
>
> -snip-
> [root@intercrastic plugins]# nasl -t OpenSSL.local ssltest2.nasl
>
> Made the connect!
> Sent the client_hello(mymlen:0, mymtype:0, myversion:15)
> Got nothing back, moving on with the test
> ...
> -snip-
>
> It appears though that at some point ssl_funcs.inc changed and currently
> setting myversion:15 returns nothing from both IIS and OpenSSL.
>
> -snip-
> [root@intercrastic plugins]# nasl -t IIS_SERVER.local ssltest2.nasl
>
> Made the connect!
> Sent the client_hello(mymlen:0, mymtype:0, myversion:15)
> Got nothing back, moving on with the test
> [3547](ssltest2.nasl) No such arg 'port' for function 'client_hello' -
> ignored
> Success
> -snip-

I just threw a couple of display() calls into the latest version of
ssltest.nasl and ran a test against some IIS servers. As you reported,
no response from IIS servers (where there used to be a response) on the
bogus SSL version nums.
[jwlampe@f00dikator jwlampe]$ nasl -t some.iis.server ssltest.nasl
** WARNING : packet forgery will not work **
as NASL is not running as root
no response from the SSL server...moving on with test

I have an old copy of ssl_funcs.inc and ssltest.nasl... so, I figured I
would try those as well.

[root@f00dikator root]# nasl -t some.iss.server ssltest.nasl
we got no response from bogus client_hello
we recvd a response form the valid client_hello
we did not receive a response from the server after sending the unrequested cert
Success

So, without going into the new ssl_funcs.inc, I'm inclined to think that
something has changed on IIS, as both the new and old scripts are
generating false positives against some IIS servers.

I also ran both the new and old ssltest.nasl (with corresponding
ssl_funcs.inc) against some other webservers, and they still respond to
the bogus version (0x3135 or '15').

> (the port error can be fixed by adding port as an argument to
> client_hello in ssl_funcs.inc)

Which nasl and/or .inc is calling client_hello() with a port parameter?
In CVS, I tried:

[jwlampe@f00dikator scripts]$ grep client_hello ssl* | grep port

and don't see any.

I'd be interested in any further feedback. Of course, we need to figure
out a way to fingerprint the newer version of IIS (if that is indeed the
problem).

John Lampe
Tenable Network Security
http://www.tenablesecurity.com

_______________________________________________
Plugins-writers mailing list
Plugins-writers@private
http://mail.nessus.org/mailman/listinfo/plugins-writers
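The probe and decision rule discussed in this thread, as an added example and not ssl_funcs.inc's own code (its client_hello() arguments are not reproduced here): it encodes an SSLv2 CLIENT-HELLO record with a chosen version field, decodes it back, and applies the script's "reply means non-OpenSSL, silence means run the test" logic. The version 0x3135 is the '15' noted above; that these are exactly the bytes the NASL puts on the wire is an assumption.

```python
import struct

SSL2_MT_CLIENT_HELLO = 1   # SSLv2 message type for CLIENT-HELLO
SSL2_VERSION = 0x0002      # version a legitimate SSLv2 client sends
BOGUS_VERSION = 0x3135     # the two ASCII bytes of '15' (assumed probe value)


def build_client_hello(version, ciphers=(), session_id=b"", challenge=b"\x00" * 16):
    """Encode an SSLv2 CLIENT-HELLO record with a 2-byte (no padding) header."""
    body = struct.pack(">BHHHH", SSL2_MT_CLIENT_HELLO, version,
                       3 * len(ciphers), len(session_id), len(challenge))
    body += b"".join(struct.pack(">I", c)[1:] for c in ciphers)  # 3-byte cipher specs
    body += session_id + challenge
    if len(body) >= 0x8000:
        raise ValueError("record too long for a 2-byte SSLv2 header")
    return struct.pack(">H", 0x8000 | len(body)) + body


def parse_client_hello(frame):
    """Decode a record built by build_client_hello and return its header fields."""
    (hdr,) = struct.unpack(">H", frame[:2])
    if not hdr & 0x8000:
        raise ValueError("not a 2-byte SSLv2 record header")
    length = hdr & 0x7FFF
    body = frame[2:2 + length]
    if len(body) != length or length < 9:
        raise ValueError("truncated record")
    mtype, version, clen, slen, chlen = struct.unpack(">BHHHH", body[:9])
    if mtype != SSL2_MT_CLIENT_HELLO or length != 9 + clen + slen + chlen:
        raise ValueError("malformed CLIENT-HELLO")
    specs = [int.from_bytes(body[9 + i:12 + i], "big") for i in range(0, clen, 3)]
    return {"version": version, "cipher_specs": specs,
            "session_id": body[9 + clen:9 + clen + slen],
            "challenge": body[9 + clen + slen:]}


def classify_probe_reply(reply):
    """The rule ssltest.nasl applies after the bogus-version probe.

    Any bytes back are taken as an IIS/Netware/non-OpenSSL stack and the
    overflow test is skipped; silence sends the script on to the real test.
    A non-OpenSSL server that now drops the bogus hello silently therefore
    lands on the 'continue' path, which is the false positive described above.
    """
    return "non-openssl, skip test" if reply else "no reply, continue with test"


if __name__ == "__main__":
    probe = build_client_hello(BOGUS_VERSION, ciphers=(0x010080,))  # constructed sample
    print(probe.hex(), parse_client_hello(probe)["version"])
```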
This archive was generated by hypermail 2.1.3 : Tue Dec 21 2004 - 19:12:25 PST