Nmap Development mailing list archives

Re: Valve Steam In-Home Streaming gaming software probe / match with additional nse starter file


From: Kristian Erik Hermansen <kristian.hermansen () gmail com>
Date: Thu, 23 Apr 2015 01:10:23 -0700

On Wed, Apr 22, 2015 at 4:12 PM, Daniel Miller <bonsaiviking () gmail com> wrote:
> Ah, no; this is unfortunately something that our current set of probes
> cannot handle; the "PSK" part of the ciphersuite means "pre-shared key" and
> refers to RFC 4279, which defines a non-certificate-based flavor of TLS.

Right!

> However, I think we could probably come up with a probe that gets a good
> response here; we just need to send a TLS 1.2 ClientHello with the
> TLS_PSK_WITH_AES_128_CBC_SHA ciphersuite supported. Here's a sample probe to
> test; add it to nmap-service-probes (with no match lines) and report if it
> shows a service fingerprint:

After modifying nmap-service-probes, nmap DOES NOT produce a proper
fingerprint. However, a trace does show that data is coming back for
certain probes:

"""
Service scan sending probe TLS-PSK to 1.2.3.4:27036 (tcp)
...
NSOCK INFO [6.7320s] nsock_trace_handler_callback(): Callback: READ
SUCCESS for EID 34 [1.2.3.4:27036] (104 bytes)
...
Service scan sending probe SSLSessionReq to 1.2.3.4:27036 (tcp)
...
NSOCK INFO [17.0990s] nsock_trace_handler_callback(): Callback: READ
SUCCESS for EID 258 [1.2.3.4:27036] (7 bytes): ......(
Service scan match (Probe SSLSessionReq matched with SSLSessionReq
line 11420): 1.2.3.4:27036 is ssl.  Version: |TLSv1|||
...
NSOCK INFO [17.1490s] handle_connect_result(): EID 265 reconnecting
with SSL_OP_NO_SSLv2
NSOCK INFO [17.1990s] handle_connect_result(): EID 265
error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
handshake failure
NSOCK INFO [17.1990s] nsock_trace_handler_callback(): Callback:
SSL-CONNECT ERROR [Input/output error (5)] for EID 265 [1.2.3.4:27036]
Got nsock CONNECT response with status ERROR - aborting this service
...
"""

However, a manual probe via netcat elicits a dynamic, but good 104
byte response (per above) that accurately identifies the steam
service.

"""
$ echo -n '\x16\x03\0\0\x75\x01\0\0\x71\x03\x03\x55\x38\x2a\x62\x45\x54\x58\x53\x4a\x44\x53\x5a\x4e\x48\x4d\x44\x46\x41\x4f\x4e\x44\x4b\x4a\x58\x58\x5a\x59\x5a\x48\x57\x48\x52\0\0\x30\0\x8a\0\x8b\0\x8c\0\x8d\0\x8e\0\x8f\0\x90\0\x91\0\x92\0\x93\0\x94\0\x95\0\xa8\0\xa9\0\xaa\0\xab\0\xac\0\xad\0\xae\0\xaf\0\xb2\0\xb3\0\xb6\0\xb7\x01\0\0\x18\0\x0d\0\x14\0\x12\0\x01\0\x02\0\x03\x01\x01\x01\x02\x01\x03\x02\x01\x02\x02\x02\x03' \
  | sed -e 's/\\0/00/g' -e 's/\\x//g' | xxd -r -p | nc -n 1.2.3.4 27036 \
  | xxd -seek 0x5a -l 5
000005a: 7374 6561 6d                             steam
"""

> Awesome! This is the kind of script we would be interested in:
> unauthenticated information disclosure. Looking forward to working with you
> to get this included in Nmap.

Sure. But I'm hoping this thread prompts Valve to start a paid
vulnerability rewards program, rather than punishing researchers.
Until then, I suppose people will instead sell their private wares on
the dark markets for extra cash, which is probably just bad for every
end-user ultimately. Imagine millions of Steam user systems / consoles
being exploited with a single remote unauthenticated UDP packet that
is wormable. Ugg...
-- 
Regards,

Kristian Erik Hermansen
https://www.linkedin.com/in/kristianhermansen
https://google.com/+KristianHermansen
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
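As an added example (not code from this thread and not Nmap's own), the following Python builds the same TLS 1.2 ClientHello that the netcat command above sends, from its parts rather than from a hex blob, and triages a reply the way a service-detection match line would need to: a TLS alert (the handshake_failure that nsock logged for the SSLSessionReq probe) versus a PSK ServerKeyExchange whose psk_identity_hint carries the "steam" string. The reply layout in build_psk_server_response is my assumption, chosen so that a reply is 104 bytes with the hint at offset 0x5a as in the trace; the real Steam reply was not posted in full. All function and constant names are mine.

```python
"""Rebuild the TLS-PSK ClientHello from the thread and triage what a server sends back."""
import os
import struct

# The 24 PSK cipher suites (RFC 4279 / RFC 5487 code points) offered by the posted probe.
PSK_SUITES = (list(range(0x008A, 0x0096)) + list(range(0x00A8, 0x00B0))
              + [0x00B2, 0x00B3, 0x00B6, 0x00B7])
TLS_PSK_WITH_AES_128_CBC_SHA = 0x008C
# signature_algorithms (hash, signature) pairs exactly as carried by the posted probe.
SIG_ALGS = [(h, s) for h in (0, 1, 2) for s in (1, 2, 3)]
# 32-byte client random used by the posted probe: a 4-byte value plus 28 ASCII bytes.
PROBE_RANDOM = bytes.fromhex("55382a62") + b"ETXSJDSZNHMDFAONDKJXXZYZHWHR"


def build_client_hello(random32, suites=PSK_SUITES, sig_algs=SIG_ALGS):
    """TLS record (version 3.0 on the wire, as in the probe) carrying a TLS 1.2 ClientHello."""
    assert len(random32) == 32
    suites_blob = b"".join(struct.pack(">H", s) for s in suites)
    sig_blob = bytes(b for pair in sig_algs for b in pair)
    ext_body = struct.pack(">H", len(sig_blob)) + sig_blob
    extensions = struct.pack(">HH", 0x000D, len(ext_body)) + ext_body   # signature_algorithms
    body = (b"\x03\x03" + random32 + b"\x00"                 # version, random, empty session id
            + struct.pack(">H", len(suites_blob)) + suites_blob
            + b"\x01\x00"                                     # one compression method: null
            + struct.pack(">H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = ClientHello
    return b"\x16\x03\x00" + struct.pack(">H", len(handshake)) + handshake


def parse_records(data):
    """Split a raw TLS stream into (content_type, version, payload); stops at a truncated record."""
    records, off = [], 0
    while off + 5 <= len(data):
        ctype, ver, length = struct.unpack(">BHH", data[off:off + 5])
        payload = data[off + 5:off + 5 + length]
        if len(payload) < length:
            break
        records.append((ctype, ver, payload))
        off += 5 + length
    return records


def parse_handshakes(stream):
    """Split concatenated handshake-record payloads into (type, body) messages."""
    msgs, off = [], 0
    while off + 4 <= len(stream):
        htype = stream[off]
        hlen = int.from_bytes(stream[off + 1:off + 4], "big")
        body = stream[off + 4:off + 4 + hlen]
        if len(body) < hlen:
            break
        msgs.append((htype, body))
        off += 4 + hlen
    return msgs


def inspect_response(response):
    """Return ('alert', (level, description)), ('psk', identity_hint) or ('other', None)."""
    records = parse_records(response)
    for ctype, _ver, payload in records:
        if ctype == 0x15 and len(payload) >= 2:   # alert, e.g. the handshake_failure in the trace
            return ("alert", (payload[0], payload[1]))
    stream = b"".join(p for t, _v, p in records if t == 0x16)
    suite = None
    for htype, body in parse_handshakes(stream):
        if htype == 2 and len(body) >= 35:        # ServerHello: read the negotiated suite
            sid_len = body[34]
            if len(body) >= 37 + sid_len:
                suite = struct.unpack(">H", body[35 + sid_len:37 + sid_len])[0]
        elif htype == 12 and suite in PSK_SUITES and len(body) >= 2:
            # ServerKeyExchange for a PSK suite starts with psk_identity_hint (RFC 4279 §2).
            hint_len = struct.unpack(">H", body[:2])[0]
            hint = body[2:2 + hint_len]
            if len(hint) == hint_len:
                return ("psk", hint.decode("ascii", "replace"))
    return ("other", None)


def build_psk_server_response(hint, suite=TLS_PSK_WITH_AES_128_CBC_SHA,
                              random32=None, session_id=None):
    """Constructed sample reply. The layout is an assumption, chosen to match the 104-byte length
    and the 0x5a offset of 'steam' in the thread: ServerHello (32-byte session id, no extensions),
    ServerKeyExchange holding only psk_identity_hint, ServerHelloDone, one TLS 1.2 record each."""
    random32 = os.urandom(32) if random32 is None else random32
    session_id = os.urandom(32) if session_id is None else session_id

    def hs(htype, body):
        return bytes([htype]) + len(body).to_bytes(3, "big") + body

    def rec(payload):
        return b"\x16\x03\x03" + struct.pack(">H", len(payload)) + payload

    server_hello = (b"\x03\x03" + random32 + bytes([len(session_id)]) + session_id
                    + struct.pack(">H", suite) + b"\x00")
    key_exchange = struct.pack(">H", len(hint)) + hint
    return rec(hs(2, server_hello)) + rec(hs(12, key_exchange)) + rec(hs(14, b""))


# Constructed fatal handshake_failure alert (level 2, description 40), the kind of reply
# nsock reported for the certificate-based SSLSessionReq probe.
SAMPLE_ALERT = b"\x15\x03\x01\x00\x02\x02\x28"

if __name__ == "__main__":
    print("probe:", build_client_hello(PROBE_RANDOM).hex())
    reply = build_psk_server_response(b"steam", random32=bytes(32), session_id=bytes(32))
    print(len(reply), "bytes, hint at 0x%x:" % reply.index(b"steam"), inspect_response(reply))
    print(inspect_response(SAMPLE_ALERT))
```

The ServerHello is parsed first so that a ServerKeyExchange is only read as a psk_identity_hint when a PSK suite was actually negotiated; for RSA or DHE suites that message has a different body, and treating it as a hint would produce a false match.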