Lucene search

K
hackeroneH3r0esH1:318594
HistoryFeb 22, 2018 - 4:43 p.m.

Semrush: SSLv3 Poodle Attack on Ip Of semrush

2018-02-2216:43:36
h3r0es
hackerone.com
217

3.4 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

0.975 High

EPSS

Percentile

100.0%

Summary:
POODLE SSLv3 bug on multiple servers

Description:
CVE-2014-3566: The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the “POODLE” issue.

Steps To Reproduce:

  1. Create .txt file include this ip : ( 54.230.149.17 & 54.230.149.158 ) ex: ip.txt
  2. nmap -sV --version-light -Pn --script ssl-poodle -p 443 -iL ip.txt

Supporting Material/References:

root@jancok:~# nmap -sV --version-light -Pn --script ssl-poodle -p 443 -iL ip.txt

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2018-02-22 23:40 EST
Nmap scan report for server-54-230-149-17.sin2.r.cloudfront.net (54.230.149.17)
Host is up (0.029s latency).
PORT    STATE SERVICE    VERSION
443/tcp open  ssl/https?
| ssl-poodle: 
|   VULNERABLE:
|   SSL POODLE information leak
|     State: LIKELY VULNERABLE
|     IDs:  OSVDB:113251  CVE:CVE-2014-3566
|           The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and
|           other products, uses nondeterministic CBC padding, which makes it easier
|           for man-in-the-middle attackers to obtain cleartext data via a
|           padding-oracle attack, aka the "POODLE" issue.
|     Disclosure date: 2014-10-14
|     Check results:
|       TLS_RSA_WITH_AES_128_CBC_SHA
|       TLS_FALLBACK_SCSV properly implemented
|     References:
|       https://vulners.com/cve/CVE-2014-3566
|       https://www.imperialviolet.org/2014/10/14/poodle.html
|       https://www.openssl.org/~bodo/ssl-poodle.pdf
|_      http://osvdb.org/113251
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port443-TCP:V=7.25BETA1%T=SSL%I=2%D=2/22%Time=5A8F9B45%P=x86_64-pc-linu
SF:x-gnu%r(GetRequest,36B,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nServer:\x
SF:20CloudFront\r\nDate:\x20Thu,\x2022\x20Feb\x202018\x2016:40:40\x20GMT\r
SF:\nContent-Type:\x20text/html\r\nContent-Length:\x20551\r\nConnection:\x
SF:20close\r\nX-Cache:\x20Error\x20from\x20cloudfront\r\nVia:\x201\.1\x209
SF:f6b01a312a31ea74b95b305e8d62497\.cloudfront\.net\x20\(CloudFront\)\r\nX
SF:-Amz-Cf-Id:\x20wTZjtVmAWgTRJcBZoY1eKmML1MIGDjqyL8HHIbcopGOT3RptvM0oAw==
SF:\r\n\r\n<!DOCTYPE\x20HTML\x20PUBLIC\x20\"-//W3C//DTD\x20HTML\x204\.01\x
SF:20Transitional//EN\"\x20\"http://www\.w3\.org/TR/html4/loose\.dtd\">\n<
SF:HTML><HEAD><META\x20HTTP-EQUIV=\"Content-Type\"\x20CONTENT=\"text/html;
SF:\x20charset=iso-8859-1\">\n<TITLE>ERROR:\x20The\x20request\x20could\x20
SF:not\x20be\x20satisfied&lt;/TITLE&gt;\n&lt;/HEAD&gt;&lt;BODY&gt;\n<h1>ERROR</h1>\n<h2>The\
SF:x20request\x20could\x20not\x20be\x20satisfied\.</h2>\n&lt;HR\x20noshade\x2
SF:0size=\"1px\"&gt;\nBad\x20request\.\n&lt;BR\x20clear=\"all\"&gt;\n&lt;HR\x20noshade
SF:\x20size=\"1px\"&gt;\n<pre>\nGenerated\x20by\x20cloudfront\x20\(CloudFront
SF:\)\nRequest\x20ID:\x20wTZjtVmAWgTRJcBZoY1eKmML1MIGDjqyL8HHIbcopGOT3Rptv
SF:M0oAw==\n</pre>\n<address>\n</address>\n&lt;/BODY&gt;&lt;/HTML&gt;")%r(HTTPOptions,
SF:36B,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nServer:\x20CloudFront\r\nDat
SF:e:\x20Thu,\x2022\x20Feb\x202018\x2016:40:40\x20GMT\r\nContent-Type:\x20
SF:text/html\r\nContent-Length:\x20551\r\nConnection:\x20close\r\nX-Cache:
SF:\x20Error\x20from\x20cloudfront\r\nVia:\x201\.1\x20c811a11df2d0d24d49e3
SF:cdf48257de21\.cloudfront\.net\x20\(CloudFront\)\r\nX-Amz-Cf-Id:\x20dUUs
SF:gtWLhorBbOSJMk6AESCL5MYIhEXtXdoSrTQ5pa0vKwxzKOa_0Q==\r\n\r\n&lt;!DOCTYPE\x
SF:20HTML\x20PUBLIC\x20\"-//W3C//DTD\x20HTML\x204\.01\x20Transitional//EN\
SF:"\x20\"http://www\.w3\.org/TR/html4/loose\.dtd\"&gt;\n&lt;HTML&gt;&lt;HEAD&gt;&lt;META\x2
SF:0HTTP-EQUIV=\"Content-Type\"\x20CONTENT=\"text/html;\x20charset=iso-885
SF:9-1\"&gt;\n&lt;TITLE&gt;ERROR:\x20The\x20request\x20could\x20not\x20be\x20satisf
SF:ied&lt;/TITLE&gt;\n&lt;/HEAD&gt;&lt;BODY&gt;\n<h1>ERROR</h1>\n<h2>The\x20request\x20could
SF:\x20not\x20be\x20satisfied\.</h2>\n&lt;HR\x20noshade\x20size=\"1px\"&gt;\nBad
SF:\x20request\.\n&lt;BR\x20clear=\"all\"&gt;\n&lt;HR\x20noshade\x20size=\"1px\"&gt;\n
SF:<pre>\nGenerated\x20by\x20cloudfront\x20\(CloudFront\)\nRequest\x20ID:\
SF:x20dUUsgtWLhorBbOSJMk6AESCL5MYIhEXtXdoSrTQ5pa0vKwxzKOa_0Q==\n</pre>\n<a>\n</address>\n&lt;/BODY&gt;&lt;/HTML&gt;");

Nmap scan report for server-54-230-149-158.sin2.r.cloudfront.net (54.230.149.158)
Host is up (0.028s latency).
PORT    STATE SERVICE    VERSION
443/tcp open  ssl/https?
| ssl-poodle: 
|   VULNERABLE:
|   SSL POODLE information leak
|     State: LIKELY VULNERABLE
|     IDs:  OSVDB:113251  CVE:CVE-2014-3566
|           The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and
|           other products, uses nondeterministic CBC padding, which makes it easier
|           for man-in-the-middle attackers to obtain cleartext data via a
|           padding-oracle attack, aka the "POODLE" issue.
|     Disclosure date: 2014-10-14
|     Check results:
|       TLS_RSA_WITH_AES_128_CBC_SHA
|       TLS_FALLBACK_SCSV properly implemented
|     References:
|       https://vulners.com/cve/CVE-2014-3566
|       https://www.imperialviolet.org/2014/10/14/poodle.html
|       https://www.openssl.org/~bodo/ssl-poodle.pdf
|_      http://osvdb.org/113251
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port443-TCP:V=7.25BETA1%T=SSL%I=2%D=2/22%Time=5A8F9B45%P=x86_64-pc-linu
SF:x-gnu%r(GetRequest,36B,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nServer:\x
SF:20CloudFront\r\nDate:\x20Thu,\x2022\x20Feb\x202018\x2016:40:40\x20GMT\r
SF:\nContent-Type:\x20text/html\r\nContent-Length:\x20551\r\nConnection:\x
SF:20close\r\nX-Cache:\x20Error\x20from\x20cloudfront\r\nVia:\x201\.1\x209
SF:80b603eea89acb9f5bc806e2efdf82c\.cloudfront\.net\x20\(CloudFront\)\r\nX
SF:-Amz-Cf-Id:\x200GA88OFJqyG4qDARfjyQ1jGVyWfzjEnIf0PKUOQI1r6-AuHswKbacw==
SF:\r\n\r\n&lt;!DOCTYPE\x20HTML\x20PUBLIC\x20\"-//W3C//DTD\x20HTML\x204\.01\x
SF:20Transitional//EN\"\x20\"http://www\.w3\.org/TR/html4/loose\.dtd\"&gt;\n&lt;
SF:HTML&gt;&lt;HEAD&gt;&lt;META\x20HTTP-EQUIV=\"Content-Type\"\x20CONTENT=\"text/html;
SF:\x20charset=iso-8859-1\"&gt;\n&lt;TITLE&gt;ERROR:\x20The\x20request\x20could\x20
SF:not\x20be\x20satisfied&lt;/TITLE&gt;\n&lt;/HEAD&gt;&lt;BODY&gt;\n<h1>ERROR</h1>\n<h2>The\
SF:x20request\x20could\x20not\x20be\x20satisfied\.</h2>\n&lt;HR\x20noshade\x2
SF:0size=\"1px\"&gt;\nBad\x20request\.\n&lt;BR\x20clear=\"all\"&gt;\n&lt;HR\x20noshade
SF:\x20size=\"1px\"&gt;\n<pre>\nGenerated\x20by\x20cloudfront\x20\(CloudFront
SF:\)\nRequest\x20ID:\x200GA88OFJqyG4qDARfjyQ1jGVyWfzjEnIf0PKUOQI1r6-AuHsw
SF:Kbacw==\n</pre>\n<address>\n</address>\n&lt;/BODY&gt;&lt;/HTML&gt;")%r(HTTPOptions,
SF:36B,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nServer:\x20CloudFront\r\nDat
SF:e:\x20Thu,\x2022\x20Feb\x202018\x2016:40:40\x20GMT\r\nContent-Type:\x20
SF:text/html\r\nContent-Length:\x20551\r\nConnection:\x20close\r\nX-Cache:
SF:\x20Error\x20from\x20cloudfront\r\nVia:\x201\.1\x20e14935429e8b5cfb258b
SF:503fe0233feb\.cloudfront\.net\x20\(CloudFront\)\r\nX-Amz-Cf-Id:\x20s4YG
SF:LwviLFSBvGk8WD5Z0N2LIqbeVPqlxi2Y6JXysX-6zPgTxSvnSg==\r\n\r\n&lt;!DOCTYPE\x
SF:20HTML\x20PUBLIC\x20\"-//W3C//DTD\x20HTML\x204\.01\x20Transitional//EN\
SF:"\x20\"http://www\.w3\.org/TR/html4/loose\.dtd\"&gt;\n&lt;HTML&gt;&lt;HEAD&gt;&lt;META\x2
SF:0HTTP-EQUIV=\"Content-Type\"\x20CONTENT=\"text/html;\x20charset=iso-885
SF:9-1\"&gt;\n&lt;TITLE&gt;ERROR:\x20The\x20request\x20could\x20not\x20be\x20satisf
SF:ied&lt;/TITLE&gt;\n&lt;/HEAD&gt;&lt;BODY&gt;\n<h1>ERROR</h1>\n<h2>The\x20request\x20could
SF:\x20not\x20be\x20satisfied\.</h2>\n&lt;HR\x20noshade\x20size=\"1px\"&gt;\nBad
SF:\x20request\.\n&lt;BR\x20clear=\"all\"&gt;\n&lt;HR\x20noshade\x20size=\"1px\"&gt;\n
SF:<pre>\nGenerated\x20by\x20cloudfront\x20\(CloudFront\)\nRequest\x20ID:\
SF:x20s4YGLwviLFSBvGk8WD5Z0N2LIqbeVPqlxi2Y6JXysX-6zPgTxSvnSg==\n</pre>\n<a>\n</address>\n&lt;/BODY&gt;&lt;/HTML&gt;");

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 2 IP addresses (2 hosts up) scanned in 27.51 seconds

Impact

its vulnerable CVE-2014-3566

3.4 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

0.975 High

EPSS

Percentile

100.0%