Nmap Development mailing list archives

Re: certificate_request not handled in tls.lua


From: Daniel Miller <bonsaiviking () gmail com>
Date: Tue, 2 Dec 2014 12:40:50 -0600

David,

Thanks for catching this. I stopped partway through because the structure
of the message has changed between TLS versions (TLS 1.2 includes
information about signature algorithms), and we don't currently have a way
to handle that well. I intend to separate out some of these functions and
then have each TLS version represented by a table of parsers which point to
each function, so when record_read gets to the TLS version, it simply
retrieves the appropriate parser and continues.

In the meantime, I applied your fix in r33853, since we don't currently
have any code that inspects this message.

Dan

On Mon, Dec 1, 2014 at 10:06 PM, David Fifield <david () bamsoftware com>
wrote:

ssl-enum-ciphers crashes when you scan a server that sends a
certificate_request message:

$ ./nmap --script +ssl-enum-ciphers tor2.bamsoftware.com -p 9001 -d

NSE: ssl-enum-ciphers against tor2.bamsoftware.com (192.81.135.242:9001) threw an error!
/home/david/nmap-git/nselib/tls.lua:1068: attempt to perform arithmetic on local 'low' (a nil value)
stack traceback:
   /home/david/nmap-git/nselib/tls.lua:1068: in function 'unpack_3byte'
   /home/david/nmap-git/nselib/tls.lua:1138: in function 'record_read'
   /home/david/nmap-git/scripts/ssl-enum-ciphers.nse:153: in function 'get_next_record'
   /home/david/nmap-git/scripts/ssl-enum-ciphers.nse:211: in function 'try_params'
   /home/david/nmap-git/scripts/ssl-enum-ciphers.nse:672: in function 'compare_ciphers'
   /home/david/nmap-git/scripts/ssl-enum-ciphers.nse:706: in function 'find_cipher_preference'
   /home/david/nmap-git/scripts/ssl-enum-ciphers.nse:780: in function </home/david/nmap-git/scripts/ssl-enum-ciphers.nse:746>

It looks like the code handling certificate_request was unfinished. It
doesn't consume all the bytes it's supposed to, and the next read of
msg_end reads garbage from the middle of a field, making the next
message look very long, and the crash happens when it runs off the end
of the buffer.

Just removing the handler for certificate_request was enough to make the
scan finish for me.

diff --git a/nselib/tls.lua b/nselib/tls.lua
index ccbc169..8a9a958 100644
--- a/nselib/tls.lua
+++ b/nselib/tls.lua
@@ -1183,11 +1183,6 @@ function record_read(buffer, i)
           -- parse these with sslcert.parse_ssl_certificate
           table.insert(b["certificates"], cert)
         end
-      elseif b["type"] == "certificate_request" then
-        local num_types
-        j, num_types = bin.unpack("C", buffer, j)
-        for i = 1, num_types do
-        end
       else
         -- TODO: implement other handshake message types
         stdnse.debug2("Unknown handshake message type: %s", b["type"])
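Review bot: with the handler deleted, certificate_request falls into the else branch at the end of this hunk, which only emits the "Unknown handshake message type" debug2 line, so the message body (certificate_types, and in TLS 1.2 the signature algorithms) is no longer parsed at all; worth adding certificate_request to the existing "TODO: implement other handshake message types" comment so the gap stays visible. The deleted loop `for i = 1, num_types do end` also reused the name of record_read's `i` parameter (see the `@@` header), so when the handler is reinstated, use a different loop variable and actually consume the num_types type bytes (advancing j) before the next msg_end read.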

David Fifield
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
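As an added example that is not part of this thread or of nselib/tls.lua, here is a standalone Lua 5.3 parser for the CertificateRequest body that consumes the whole message, including the supported_signature_algorithms vector that only TLS 1.2 carries, and bounds-checks every read against msg_end, so a truncated or version-mismatched message fails loudly instead of leaving the next msg_end read misaligned. It uses string.unpack rather than NSE's bin library; the sample bytes and the CA name "abc" are constructed placeholders, not real DER.

```lua
-- buf: handshake bytes; j: 1-based start of the body; msg_end: one past the
-- body (derived from the 3-byte handshake length); tls12: parse the
-- signature_algorithms vector that only TLS 1.2 includes (RFC 5246 7.4.4).
local function parse_certificate_request(buf, j, msg_end, tls12)
  -- Refuse to read past the body instead of returning nil/garbage.
  local function need(n)
    if j + n > msg_end then
      error(string.format("certificate_request truncated at offset %d", j))
    end
  end
  -- vector<> with a len_size-byte big-endian length prefix; returns raw bytes
  local function byte_vector(len_size)
    need(len_size)
    local len
    len, j = string.unpack(">I" .. len_size, buf, j)
    need(len)
    local data = buf:sub(j, j + len - 1)
    j = j + len
    return data
  end

  local b = { certificate_types = {}, signature_algorithms = {}, certificate_authorities = {} }
  local types = byte_vector(1)                    -- certificate_types<1..2^8-1>
  for k = 1, #types do b.certificate_types[k] = types:byte(k) end
  if tls12 then                                   -- supported_signature_algorithms<2..2^16-2>
    local algs = byte_vector(2)
    if #algs % 2 ~= 0 then error("odd signature_algorithms length") end
    for k = 1, #algs, 2 do
      table.insert(b.signature_algorithms, { hash = algs:byte(k), sig = algs:byte(k + 1) })
    end
  end
  local cas = byte_vector(2)                      -- certificate_authorities<0..2^16-1>
  local p = 1
  while p <= #cas do                              -- each DistinguishedName is length-prefixed
    if p + 1 > #cas then error("truncated certificate_authorities") end
    local len
    len, p = string.unpack(">I2", cas, p)
    if p + len - 1 > #cas then error("truncated DistinguishedName") end
    table.insert(b.certificate_authorities, cas:sub(p, p + len - 1))
    p = p + len
  end
  if j ~= msg_end then error(string.format("%d trailing bytes", msg_end - j)) end
  return b, j
end

-- Constructed TLS 1.2 body: types {rsa_sign, ecdsa_sign}, sig algs {sha256/rsa,
-- sha256/ecdsa}, one placeholder CA name "abc".
local sample = "\x02\x01\x40" .. "\x00\x04\x04\x01\x04\x03" .. "\x00\x05\x00\x03abc"
local req, next_pos = parse_certificate_request(sample, 1, #sample + 1, true)
assert(next_pos == #sample + 1 and #req.certificate_types == 2)
assert(req.signature_algorithms[1].hash == 4 and #req.certificate_authorities == 1)
-- Parsed as TLS 1.0/1.1, the sig-alg vector is taken for the CA list and the
-- DistinguishedName bounds check raises instead of reading garbage.
print(pcall(parse_certificate_request, sample, 1, #sample + 1, false))
```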
