Nmap Development mailing list archives
Re: certificate_request not handled in tls.lua
From: Daniel Miller <bonsaiviking () gmail com>
Date: Tue, 2 Dec 2014 12:40:50 -0600
David,

Thanks for catching this. I stopped partway through because the structure of the message has changed between TLS versions (TLS 1.2 includes information about signature algorithms), and we don't currently have a way to handle that well. I intend to separate out some of these functions and then have each TLS version represented by a table of parsers which point to each function, so when record_read gets to the TLS version, it simply retrieves the appropriate parser and continues.

In the meantime, I applied your fix in r33853, since we don't currently have any code that inspects this message.

Dan

On Mon, Dec 1, 2014 at 10:06 PM, David Fifield <david () bamsoftware com> wrote:
ssl-enum-ciphers crashes when you scan a server that sends a certificate_request message:

$ ./nmap --script +ssl-enum-ciphers tor2.bamsoftware.com -p 9001 -d
NSE: ssl-enum-ciphers against tor2.bamsoftware.com (192.81.135.242:9001) threw an error!
/home/david/nmap-git/nselib/tls.lua:1068: attempt to perform arithmetic on local 'low' (a nil value)
stack traceback:
        /home/david/nmap-git/nselib/tls.lua:1068: in function 'unpack_3byte'
        /home/david/nmap-git/nselib/tls.lua:1138: in function 'record_read'
        /home/david/nmap-git/scripts/ssl-enum-ciphers.nse:153: in function 'get_next_record'
        /home/david/nmap-git/scripts/ssl-enum-ciphers.nse:211: in function 'try_params'
        /home/david/nmap-git/scripts/ssl-enum-ciphers.nse:672: in function 'compare_ciphers'
        /home/david/nmap-git/scripts/ssl-enum-ciphers.nse:706: in function 'find_cipher_preference'
        /home/david/nmap-git/scripts/ssl-enum-ciphers.nse:780: in function </home/david/nmap-git/scripts/ssl-enum-ciphers.nse:746>

It looks like the code handling certificate_request was unfinished. It doesn't consume all the bytes it's supposed to, and the next read of msg_end reads garbage from the middle of a field, making the next message look very long, and the crash happens when it runs off the end of the buffer. Just removing the handler for certificate_request was enough to make the scan finish for me.

diff --git a/nselib/tls.lua b/nselib/tls.lua
index ccbc169..8a9a958 100644
--- a/nselib/tls.lua
+++ b/nselib/tls.lua
@@ -1183,11 +1183,6 @@ function record_read(buffer, i) -- parse these with sslcert.parse_ssl_certificate table.insert(b["certificates"], cert) end - elseif b["type"] == "certificate_request" then - local num_types - j, num_types = bin.unpack("C", buffer, j) - for i = 1, num_types do - end else -- TODO: implement other handshake message types stdnse.debug2("Unknown handshake message type: %s", b["type"]) David Fifield _______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
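Review bot: the removed branch's loop body (`for i = 1, num_types do` ... `end`) is empty, so `num_types` was read as a count but the certificate-type bytes it announces were never consumed, which is exactly why `j` was left mid-field when the next msg_end was read; dropping the branch so the message falls through to the `else` with its "Unknown handshake message type" debug line is a sound stopgap, and David reports the scan finishes that way. When the handler is reinstated, use a loop variable other than `i`, which here shadows the buffer-position parameter of `function record_read(buffer, i)`, and have the branch consume the whole body (including the TLS 1.2 signature-algorithm information the reply mentions) and check that it lands on msg_end before the next message is read.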
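The failure described in this thread is a body parser that stops short of the message end, so the next msg_end is read from the middle of a field. As an added example in Python (not nselib/tls.lua code), the following parses a CertificateRequest body with the per-version branch Dan describes (TLS 1.2 adds supported_signature_algorithms), bounds-checks every read instead of returning nil, and verifies that the parser lands exactly on msg_end; the field names follow the TLS RFCs, and the sample bytes are constructed here.

```python
HS_CERTIFICATE_REQUEST = 13  # HandshakeType value from the TLS RFCs
TLS_1_2 = (3, 3)             # only TLS 1.2 carries supported_signature_algorithms in this message

def _take(buf, pos, n, what):
    # Slice n bytes or fail loudly; never hand back a short slice that later turns into nil math.
    if pos + n > len(buf):
        raise ValueError("truncated %s at offset %d" % (what, pos))
    return buf[pos:pos + n], pos + n

def parse_certificate_request(buf, pos, version):
    # Parse a CertificateRequest body at pos; return (fields, position just past the body).
    n, pos = _take(buf, pos, 1, "certificate_types length")
    types, pos = _take(buf, pos, n[0], "certificate_types")
    fields = {"certificate_types": list(types)}
    if version >= TLS_1_2:  # version-specific field: (hash, signature) pairs, 2 bytes each
        n, pos = _take(buf, pos, 2, "signature_algorithms length")
        algs, pos = _take(buf, pos, int.from_bytes(n, "big"), "signature_algorithms")
        fields["signature_algorithms"] = [(algs[i], algs[i + 1]) for i in range(0, len(algs) - 1, 2)]
    n, pos = _take(buf, pos, 2, "certificate_authorities length")
    cas, pos = _take(buf, pos, int.from_bytes(n, "big"), "certificate_authorities")
    names, p = [], 0
    while p < len(cas):  # sequence of length-prefixed DistinguishedName blobs, bounded by cas
        n, p = _take(cas, p, 2, "DistinguishedName length")
        dn, p = _take(cas, p, int.from_bytes(n, "big"), "DistinguishedName")
        names.append(bytes(dn))
    fields["certificate_authorities"] = names
    return fields, pos

def parse_handshake_messages(buf, version):
    # Walk consecutive handshake messages; each body parser must land exactly on msg_end.
    msgs, pos = [], 0
    while pos < len(buf):
        hdr, pos = _take(buf, pos, 4, "handshake header")
        msg_type, msg_end = hdr[0], pos + int.from_bytes(hdr[1:4], "big")
        _take(buf, pos, msg_end - pos, "handshake body")
        if msg_type == HS_CERTIFICATE_REQUEST:
            fields, consumed = parse_certificate_request(buf, pos, version)
            if consumed != msg_end:  # the check an unfinished handler would trip
                raise ValueError("parser consumed %d of %d body bytes" % (consumed - pos, msg_end - pos))
            msgs.append(("certificate_request", fields))
        else:
            msgs.append(("type_%d" % msg_type, None))  # other types: skipped by declared length
        pos = msg_end
    return msgs

# Constructed sample: TLS 1.2 CertificateRequest (rsa_sign, ecdsa_sign; sha256 with rsa and ecdsa;
# one dummy CA name byte 0xaa) followed by an empty ServerHelloDone (type 14).
SAMPLE = bytes.fromhex("0d00000e" "02" "0140" "0004" "04010403" "0003" "0001" "aa" "0e000000")
```

Parsing SAMPLE as TLS 1.0 (no signature_algorithms field) mis-reads the length bytes as a CA list and is rejected by the bounds check instead of running off the buffer.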
Current thread:
- certificate_request not handled in tls.lua David Fifield (Dec 01)
- Re: certificate_request not handled in tls.lua Daniel Miller (Dec 02)