mirror of
				https://github.com/drwetter/testssl.sh.git
				synced 2025-10-26 13:30:58 +01:00 
			
		
		
		
	Merge branch 'master' into remove_sockread
Conflicts: testssl.sh
This commit is contained in:
		
						commit
						3b3d16849d
					
				
							
								
								
									
										136
									
								
								testssl.sh
									
									
									
									
									
								
							
							
						
						
									
										136
									
								
								testssl.sh
									
									
									
									
									
								
							| @ -4187,7 +4187,11 @@ certificate_info() { | |||||||
|      out "$indent" ; pr_bold " Signature Algorithm          " |      out "$indent" ; pr_bold " Signature Algorithm          " | ||||||
|      case $cert_sig_algo in |      case $cert_sig_algo in | ||||||
|           sha1WithRSAEncryption) |           sha1WithRSAEncryption) | ||||||
|                pr_svrty_mediumln "SHA1 with RSA" |                pr_svrty_medium "SHA1 with RSA" | ||||||
|  |                if [[ "$SERVICE" == HTTP ]]; then | ||||||
|  |                     out " -- besides: users will receive a strong browser warning" | ||||||
|  |                fi | ||||||
|  |                outln | ||||||
|                fileout "${json_prefix}algorithm" "MEDIUM" "Signature Algorithm: SHA1 with RSA (warning)" |                fileout "${json_prefix}algorithm" "MEDIUM" "Signature Algorithm: SHA1 with RSA (warning)" | ||||||
|                ;; |                ;; | ||||||
|           sha224WithRSAEncryption) |           sha224WithRSAEncryption) | ||||||
| @ -6008,8 +6012,12 @@ tls_sockets() { | |||||||
| 
 | 
 | ||||||
| # mainly adapted from https://gist.github.com/takeshixx/10107280 | # mainly adapted from https://gist.github.com/takeshixx/10107280 | ||||||
| run_heartbleed(){ | run_heartbleed(){ | ||||||
|      local tls_proto_offered tls_hexcode heartbleed_payload client_hello |      local tls_proto_offered tls_hexcode | ||||||
|      local -i retval ret lines_returned bytes_returned |      local heartbleed_payload client_hello  | ||||||
|  |      local -i n ret lines_returned | ||||||
|  |      local -i hb_rounds=3 | ||||||
|  |      local append="" | ||||||
|  |      local found_500_oops=false | ||||||
| 
 | 
 | ||||||
|      [[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for heartbleed vulnerability " && outln |      [[ $VULN_COUNT -le $VULN_THRESHLD ]] && outln && pr_headlineln " Testing for heartbleed vulnerability " && outln | ||||||
|      pr_bold " Heartbleed"; out " (CVE-2014-0160)                " |      pr_bold " Heartbleed"; out " (CVE-2014-0160)                " | ||||||
| @ -6017,8 +6025,8 @@ run_heartbleed(){ | |||||||
|      [[ -z "$TLS_EXTENSIONS" ]] && determine_tls_extensions |      [[ -z "$TLS_EXTENSIONS" ]] && determine_tls_extensions | ||||||
|      if ! grep -q heartbeat <<< "$TLS_EXTENSIONS"; then |      if ! grep -q heartbeat <<< "$TLS_EXTENSIONS"; then | ||||||
|           pr_done_best "not vulnerable (OK)" |           pr_done_best "not vulnerable (OK)" | ||||||
|           outln " (no heartbeat extension)" |           outln ", no heartbeat extension" | ||||||
|           fileout "heartbleed" "OK" "Heartbleed (CVE-2014-0160): not vulnerable (OK) (no heartbeat extension)" |           fileout "heartbleed" "OK" "Heartbleed (CVE-2014-0160): not vulnerable (OK), no heartbeat extension" | ||||||
|           return 0 |           return 0 | ||||||
|      fi |      fi | ||||||
| 
 | 
 | ||||||
| @ -6086,56 +6094,82 @@ run_heartbleed(){ | |||||||
|      # extension: heartbeat |      # extension: heartbeat | ||||||
|      x00, x0f, x00, x01, x01" |      x00, x0f, x00, x01, x01" | ||||||
| 
 | 
 | ||||||
|      fd_socket 5 || return 6 |      for (( n=1; n <= hb_rounds; n++)); do | ||||||
|  |           fd_socket 5 || return 6 | ||||||
|  |           debugme out "\nsending client hello (TLS version $tls_hexcode)" | ||||||
|  |           debugme outln " ($n of $hb_rounds)" | ||||||
|  |           socksend "$client_hello" 1 | ||||||
| 
 | 
 | ||||||
|      debugme outln "\nsending client hello (TLS version $tls_hexcode)" |           debugme outln "\nreading server hello" | ||||||
|      socksend "$client_hello" 1 |           sockread_serverhello 32768 | ||||||
| 
 |           if [[ $DEBUG -ge 4 ]]; then | ||||||
|      debugme outln "\nreading server hello" |                hexdump -C "$SOCK_REPLY_FILE" | head -20 | ||||||
|      sockread_serverhello 32768 |                outln "[...]" | ||||||
|      if [[ $DEBUG -ge 4 ]]; then |                outln "\nsending payload with TLS version $tls_hexcode:" | ||||||
|           hexdump -C "$SOCK_REPLY_FILE" | head -20 |           fi | ||||||
|           outln "[...]" |           rm "$SOCK_REPLY_FILE" | ||||||
|           outln "\nsending payload with TLS version $tls_hexcode:" | 
 | ||||||
|      fi |           socksend "$heartbleed_payload" 1 | ||||||
|      rm "$SOCK_REPLY_FILE" |           sockread_serverhello 16384 $HEARTBLEED_MAX_WAITSOCK | ||||||
| 
 |           [[ $? -eq 3 ]] && append=", timed out" | ||||||
|      socksend "$heartbleed_payload" 1 | 
 | ||||||
|      sockread_serverhello 16384 $HEARTBLEED_MAX_WAITSOCK |           lines_returned=$(hexdump -ve '16/1 "%02x " " \n"' "$SOCK_REPLY_FILE" | wc -l | sed 's/ //g') | ||||||
|      retval=$? |           if [[ $DEBUG -ge 3 ]]; then | ||||||
| 
 |                outln "\nheartbleed reply: " | ||||||
|      if [[ $DEBUG -ge 3 ]]; then |                hexdump -C "$SOCK_REPLY_FILE" | head -20 | ||||||
|           outln "\nheartbleed reply: " |                [[ $lines_returned -gt 20 ]] && outln "[...]" | ||||||
|           hexdump -C "$SOCK_REPLY_FILE" | head -20 |                outln | ||||||
|           bytes_returned="$(wc -c "$SOCK_REPLY_FILE" | awk '{ print $1 }')" |           fi | ||||||
|           [[ $bytes_returned -gt 320 ]] && outln "[...]" | 
 | ||||||
|           outln |           if [[ $lines_returned -gt 1 ]]; then | ||||||
|      fi |                if [[ "$STARTTLS_PROTOCOL" == "ftp" ]] || [[ "$STARTTLS_PROTOCOL" == "ftps" ]]; then | ||||||
| 
 |                     # check possibility of weird vsftpd reply, see #426 | ||||||
|      lines_returned=$(hexdump -ve '16/1 "%02x " " \n"' "$SOCK_REPLY_FILE" | wc -l | sed 's/ //g') |                     saved_sockreply[n]="$(hexdump -ve '1/1 "%.2x"' "$SOCK_REPLY_FILE")" | ||||||
|      rm "$SOCK_REPLY_FILE" |                     [[ $n -eq 1 ]] && grep -q '500 OOPS' "$SOCK_REPLY_FILE" && found_500_oops=true | ||||||
|      if [[ $lines_returned -gt 1 ]]; then |                     rm "$SOCK_REPLY_FILE" | ||||||
|           pr_svrty_critical "VULNERABLE (NOT ok)" |                     #debugme out "${saved_sockreply[n]}" | ||||||
|           if [[ $retval -eq 3 ]]; then |                     #TMPFILE="${saved_sockreply[n]}" | ||||||
|                fileout "heartbleed" "NOT ok" "Heartbleed (CVE-2014-0160): VULNERABLE (NOT ok) (timed out)" |                     close_socket | ||||||
|           else |                     #tmpfile_handle "$FUNCNAME,$n.txt" | ||||||
|                fileout "heartbleed" "NOT ok" "Heartbleed (CVE-2014-0160): VULNERABLE (NOT ok)" |                else | ||||||
|  |                     rm "$SOCK_REPLY_FILE" | ||||||
|  |                     pr_svrty_critical "VULNERABLE (NOT ok)" | ||||||
|  |                     fileout "heartbleed" "NOT ok" "Heartbleed (CVE-2014-0160): VULNERABLE (NOT ok)$append" | ||||||
|  |                     ret=1 | ||||||
|  |                     break | ||||||
|  |                fi | ||||||
|  |           else | ||||||
|  |                rm "$SOCK_REPLY_FILE" | ||||||
|  |                pr_done_best "not vulnerable (OK)" | ||||||
|  |                fileout "heartbleed" "OK" "Heartbleed (CVE-2014-0160): not vulnerable (OK)$append" | ||||||
|  |                ret=0 | ||||||
|  |                break | ||||||
|  |           fi | ||||||
|  |      done | ||||||
|  | 
 | ||||||
|  |      if [[ $n -gt 1 ]]; then | ||||||
|  |           # more than one round of heartbleed checks --> vsftpd probably. | ||||||
|  |           # This is the robust approach. According to a few tests it could also suffice # to check for "500 OOPS" only. | ||||||
|  |           # Checking for the same socket reply DOES NOT suffice -- server can be idle and return the same memory | ||||||
|  |           if [[ "${saved_sockreply[1]}" == "${saved_sockreply[2]}" ]] && [[ "${saved_sockreply[2]}" == "${saved_sockreply[3]}" ]] \ | ||||||
|  |                && "$found_500_oops"; then | ||||||
|  |                pr_done_best "not vulnerable (OK)$append" | ||||||
|  |                [[ $DEBUG -ge 1 ]] && out ", successful weeded out vsftpd false positive" | ||||||
|  |                fileout "heartbleed" "OK" "Heartbleed (CVE-2014-0160): not vulnerable (OK)$append" | ||||||
|  |           else | ||||||
|  |                out "likely " | ||||||
|  |                pr_svrty_critical "VULNERABLE (NOT ok)" | ||||||
|  |                [[ $DEBUG -ge 1 ]] && out " use debug >=2 to confirm" | ||||||
|  |                fileout "heartbleed" "NOT ok" "Heartbleed (CVE-2014-0160): likely VULNERABLE (NOT ok)$append" | ||||||
|           fi |           fi | ||||||
|           ret=1 |  | ||||||
|      else |      else | ||||||
|           pr_done_best "not vulnerable (OK)" |           # for the repeated tries we did that already | ||||||
|           if [[ $retval -eq 3 ]]; then |           #TMPFILE="$SOCKREPLY" | ||||||
|                fileout "heartbleed" "OK" "Heartbleed (CVE-2014-0160): not vulnerable (OK) (timed out)" |           close_socket 2>/dev/null | ||||||
|           else |           #tmpfile_handle $FUNCNAME.txt | ||||||
|                fileout "heartbleed" "OK" "Heartbleed (CVE-2014-0160): not vulnerable (OK)" |  | ||||||
|           fi |  | ||||||
|           ret=0 |  | ||||||
|      fi |      fi | ||||||
|      [[ $retval -eq 3 ]] && out " (timed out)" |      outln "$append" | ||||||
|      outln |  | ||||||
| 
 | 
 | ||||||
|      close_socket |  | ||||||
|      tmpfile_handle $FUNCNAME.txt |  | ||||||
|      return $ret |      return $ret | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
| @ -8751,4 +8785,4 @@ fi | |||||||
| exit $? | exit $? | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
| #  $Id: testssl.sh,v 1.537 2016/09/01 17:09:11 dirkw Exp $ | #  $Id: testssl.sh,v 1.540 2016/09/06 06:32:04 dirkw Exp $ | ||||||
|  | |||||||
		Loading…
	
	
			
			x
			
			
		
	
		Reference in New Issue
	
	Block a user