Nmap Development mailing list archives
certificate_request not handled in tls.lua
From: David Fifield <david () bamsoftware com>
Date: Mon, 1 Dec 2014 20:06:29 -0800
ssl-enum-ciphers crashes when you scan a server that sends a certificate_request message:

$ ./nmap --script +ssl-enum-ciphers tor2.bamsoftware.com -p 9001 -d
NSE: ssl-enum-ciphers against tor2.bamsoftware.com (192.81.135.242:9001) threw an error!
/home/david/nmap-git/nselib/tls.lua:1068: attempt to perform arithmetic on local 'low' (a nil value)
stack traceback:
	/home/david/nmap-git/nselib/tls.lua:1068: in function 'unpack_3byte'
	/home/david/nmap-git/nselib/tls.lua:1138: in function 'record_read'
	/home/david/nmap-git/scripts/ssl-enum-ciphers.nse:153: in function 'get_next_record'
	/home/david/nmap-git/scripts/ssl-enum-ciphers.nse:211: in function 'try_params'
	/home/david/nmap-git/scripts/ssl-enum-ciphers.nse:672: in function 'compare_ciphers'
	/home/david/nmap-git/scripts/ssl-enum-ciphers.nse:706: in function 'find_cipher_preference'
	/home/david/nmap-git/scripts/ssl-enum-ciphers.nse:780: in function </home/david/nmap-git/scripts/ssl-enum-ciphers.nse:746>

It looks like the code handling certificate_request was unfinished. It doesn't consume all the bytes it's supposed to, and the next read of msg_end reads garbage from the middle of a field, making the next message look very long, and the crash happens when it runs off the end of the buffer. Just removing the handler for certificate_request was enough to make the scan finish for me.

diff --git a/nselib/tls.lua b/nselib/tls.lua index ccbc169..8a9a958 100644 --- a/nselib/tls.lua +++ b/nselib/tls.lua
@@ -1183,11 +1183,6 @@ function record_read(buffer, i) -- parse these with sslcert.parse_ssl_certificate table.insert(b["certificates"], cert) end - elseif b["type"] == "certificate_request" then - local num_types - j, num_types = bin.unpack("C", buffer, j) - for i = 1, num_types do - end else -- TODO: implement other handshake message types stdnse.debug2("Unknown handshake message type: %s", b["type"])

David Fifield
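Review bot: Removing the `elseif b["type"] == "certificate_request"` branch stops the desync, but only because the dropped code was the problem: it read num_types with `bin.unpack("C", buffer, j)` and then ran an empty `for i = 1, num_types do end` loop, so it advanced j past one byte and left the rest of certificate_types (and, for TLS 1.2, the supported_signature_algorithms and certificate_authorities vectors) in the stream for the next msg_end read. With the branch gone, a message type the parser knows about now falls into the else arm and is reported as "Unknown handshake message type: certificate_request", which is misleading in debug output. Suggest keeping the branch and either parsing the body (certificate_types, then supported_signature_algorithms for TLS 1.2, then certificate_authorities) or, as the minimal fix, noting it under the TODO and setting j to the message end derived from the handshake length, so that any partially implemented handler still lands on the next message boundary; the same length should be bounds-checked against the buffer before unpack_3byte runs, so a bad length fails with a clear error instead of arithmetic on nil.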
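The failure mode in the report, as an added example that is not nmap's code: a CertificateRequest parser for the TLS 1.2 layout (RFC 5246 section 7.4.4), a handshake walker that always advances to the length-derived message end and refuses lengths past the buffer, and a helper showing the bogus header the unfinished handler's next read would have seen. The handshake bytes are constructed here, not captured from tor2.bamsoftware.com.

```python
import struct

# Constructed TLS 1.2 handshake bytes (not captured traffic): a CertificateRequest
# followed by a ServerHelloDone, the sequence the crashing scan would have received.
def _vec(data: bytes, len_bytes: int) -> bytes:
    return len(data).to_bytes(len_bytes, "big") + data

CERT_REQ_BODY = (
    _vec(bytes([1, 64]), 1)            # certificate_types: rsa_sign, ecdsa_sign
    + _vec(bytes([4, 1, 4, 3]), 2)     # supported_signature_algorithms (TLS 1.2 only)
    + _vec(_vec(b"\x30\x00", 2), 2)    # certificate_authorities: one dummy DistinguishedName
)
HANDSHAKE = (
    bytes([13]) + len(CERT_REQ_BODY).to_bytes(3, "big") + CERT_REQ_BODY   # certificate_request
    + bytes([14]) + (0).to_bytes(3, "big")                                 # server_hello_done
)

def parse_certificate_request(body: bytes) -> dict:
    """Parse a TLS 1.2 CertificateRequest body (RFC 5246 section 7.4.4)."""
    j = 0
    n = body[j]; j += 1                                   # certificate_types<1..2^8-1>
    types = list(body[j:j + n]); j += n
    n = struct.unpack_from(">H", body, j)[0]; j += 2      # supported_signature_algorithms<2..2^16-2>
    sig_algs = [tuple(body[k:k + 2]) for k in range(j, j + n, 2)]; j += n
    n = struct.unpack_from(">H", body, j)[0]; j += 2      # certificate_authorities<0..2^16-1>
    cas, end = [], j + n
    while j < end:                                        # each DistinguishedName<1..2^16-1>
        dn_len = struct.unpack_from(">H", body, j)[0]; j += 2
        cas.append(body[j:j + dn_len]); j += dn_len
    return {"certificate_types": types, "signature_algorithms": sig_algs,
            "certificate_authorities": cas, "consumed": j}

def walk_handshake(buf: bytes) -> list:
    """Return (type, length, parsed) per message. The cursor always jumps to msg_end,
    computed from the 3-byte header length, so an incomplete body parser cannot desync
    the stream, and a length past the buffer is rejected instead of read as garbage."""
    msgs, i = [], 0
    while i < len(buf):
        mtype, length = buf[i], int.from_bytes(buf[i + 1:i + 4], "big")
        body_start, msg_end = i + 4, i + 4 + length
        if msg_end > len(buf):
            raise ValueError("handshake length %d runs past buffer" % length)
        parsed = parse_certificate_request(buf[body_start:msg_end]) if mtype == 13 else None
        msgs.append((mtype, length, parsed))
        i = msg_end
    return msgs

def header_seen_after_partial_consume(buf: bytes) -> tuple:
    """What the unfinished handler's next read saw: it advanced only past num_types, so
    the next 'type' and 3-byte 'length' come from the middle of certificate_types."""
    i = 4 + 1
    return buf[i], int.from_bytes(buf[i + 1:i + 4], "big")
```

Running the walker over HANDSHAKE yields the certificate_request (length 15) and server_hello_done, while header_seen_after_partial_consume reports a fake type 1 message of 4194308 bytes, the "very long" message the report describes.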
Current thread:
- certificate_request not handled in tls.lua David Fifield (Dec 01)
- Re: certificate_request not handled in tls.lua Daniel Miller (Dec 02)