OpenSSL Server-Side ChangeCipherSpec Injection Scanner

🗓️ 09 Jun 2014 22:38:11Reported by Masashi Kikuchi, Craig Young <[email protected]>, juan vazquez <[email protected]>Type

metasploit🔗 www.rapid7.com👁 124 Views

This module checks for the OpenSSL ChangeCipherSpec (CCS) Injection vulnerability. The problem exists in the handling of early CCS messages during session negotiation. If successful, an attacker can leverage this vulnerability to perform a man-in-the-middle (MITM) attack by downgrading the cipher spec between a client and server. This issue was first reported in early June, 2014

Reporter	Title	Published	Views	Family All 636
IBM Security Bulletins	Security Bulletin: IBM Sterling Connect:Enterprise for UNIX affected by the following OpenSSL vulnerability (CVE-2014-0224).	18 Dec 201901:14	–	ibm
IBM Security Bulletins	Security Bulletin: Tivoli Common Reporting iFixes for multiple Security Vulnerabilities (CVE-2014-3566,CVE-2014-6145,CVE-2014-1568,CVE-2014-4263,CVE-2014-3513,CVE-2014-3567,CVE-2014-3568,CVE-2014-0107,CVE-2014-0075,CVE-2014-0096,CVE-2014-0099,CVE-2014-011	17 Jun 201814:55	–	ibm
IBM Security Bulletins	Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere MQ (CVE-2014-0224, CVE-2014-3470), Websphere Message Broker and IBM Integration Bus (CVE-2014-0224) shipped with Predictive Maintenance and Quality	15 Jun 201822:33	–	ibm
IBM Security Bulletins	Security Bulletins for IBM Tealeaf Customer Experience offerings	16 Jun 201819:35	–	ibm
IBM Security Bulletins	IBM Security Network Protection / IBM QRadar Network Security / XGS Technote Index	31 Jan 202100:10	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Systems Director is affected by vulnerabilities in OpenSSL (CVE-2014-0224, CVE-2013-0169 and CVE-2014-3470)	31 Jan 201901:25	–	ibm
IBM Security Bulletins	Security Bulletins - IBM Planning Analytics, Cognos TM1 and Cognos Insight	18 Jul 201817:37	–	ibm
IBM Security Bulletins	Security Bulletin: Rational ClearCase is affected by OpenSSL vulnerabilities (CVE-2014-0224, CVE-2014-3470, CVE-2015-0292)	10 Jul 201808:34	–	ibm
IBM Security Bulletins	Security Bulletin:Security vulnerability has been identified in Rational Application Developer shipped with Rational Software Architect for Websphere (CVE-2014-0224, CVE-2014-0221, CVE-2014-0195, CVE-2014-0198, CVE-2010-5298, CVE-2014-3470)	17 Jun 201804:55	–	ibm
IBM Security Bulletins	Security Bulletin: IBM System x Integrated Management Module (IMM) is affected by the following OpenSSL vulnerabilities: CVE-2014-0224, CVE-2014-0076	31 Jan 201901:25	–	ibm

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  CIPHER_SUITES = [
    0xc014, # TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    0xc00a, # TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    0xc022, # TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA
    0xc021, # TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA
    0x0039, # TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    0x0038, # TLS_DHE_DSS_WITH_AES_256_CBC_SHA
    0x0088, # TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
    0x0087, # TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA
    0x0087, # TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
    0xc00f, # TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
    0x0035, # TLS_RSA_WITH_AES_256_CBC_SHA
    0x0084, # TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
    0xc012, # TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
    0xc008, # TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
    0xc01c, # TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA
    0xc01b, # TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA
    0x0016, # TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
    0x0013, # TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
    0xc00d, # TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
    0xc003, # TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
    0x000a, # TLS_RSA_WITH_3DES_EDE_CBC_SHA
    0xc013, # TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    0xc009, # TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    0xc01f, # TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA
    0xc01e, # TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA
    0x0033, # TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    0x0032, # TLS_DHE_DSS_WITH_AES_128_CBC_SHA
    0x009a, # TLS_DHE_RSA_WITH_SEED_CBC_SHA
    0x0099, # TLS_DHE_DSS_WITH_SEED_CBC_SHA
    0x0045, # TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
    0x0044, # TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA
    0xc00e, # TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
    0xc004, # TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
    0x002f, # TLS_RSA_WITH_AES_128_CBC_SHA
    0x0096, # TLS_RSA_WITH_SEED_CBC_SHA
    0x0041, # TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
    0xc011, # TLS_ECDHE_RSA_WITH_RC4_128_SHA
    0xc007, # TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
    0xc00c, # TLS_ECDH_RSA_WITH_RC4_128_SHA
    0xc002, # TLS_ECDH_ECDSA_WITH_RC4_128_SHA
    0x0005, # TLS_RSA_WITH_RC4_128_SHA
    0x0004, # TLS_RSA_WITH_RC4_128_MD5
    0x0015, # TLS_DHE_RSA_WITH_DES_CBC_SHA
    0x0012, # TLS_DHE_DSS_WITH_DES_CBC_SHA
    0x0009, # TLS_RSA_WITH_DES_CBC_SHA
    0x0014, # TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
    0x0011, # TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
    0x0008, # TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
    0x0006, # TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
    0x0003, # TLS_RSA_EXPORT_WITH_RC4_40_MD5
    0x00ff  # Unknown
  ]

  HANDSHAKE_RECORD_TYPE = 0x16
  CCS_RECORD_TYPE       = 0x14
  ALERT_RECORD_TYPE     = 0x15
  TLS_VERSION = {
    'SSLv3' => 0x0300,
    '1.0'   => 0x0301,
    '1.1'   => 0x0302,
    '1.2'   => 0x0303
  }

  def initialize
    super(
      'Name'           => 'OpenSSL Server-Side ChangeCipherSpec Injection Scanner',
      'Description'    => %q{
        This module checks for the OpenSSL ChangeCipherSpec (CCS)
        Injection vulnerability. The problem exists in the handling of early
        CCS messages during session negotiation. Vulnerable installations of OpenSSL accepts
        them, while later implementations do not. If successful, an attacker can leverage this
        vulnerability to perform a man-in-the-middle (MITM) attack by downgrading the cipher spec
        between a client and server. This issue was first reported in early June, 2014.
      },
      'Author'         => [
        'Masashi Kikuchi', # Vulnerability discovery
        'Craig Young <CYoung[at]tripwire.com>', # Original Scanner. This module is based on it.
        'juan vazquez' # Metasploit module
      ],
      'References'     =>
        [
          ['CVE', '2014-0224'],
          ['URL', 'http://ccsinjection.lepidum.co.jp/'],
          ['URL', 'http://ccsinjection.lepidum.co.jp/blog/2014-06-05/CCS-Injection-en/index.html'],
          ['URL', 'http://www.tripwire.com/state-of-security/incident-detection/detection-script-for-cve-2014-0224-openssl-cipher-change-spec-injection/'],
          ['URL', 'https://www.imperialviolet.org/2014/06/05/earlyccs.html']
        ],
      'DisclosureDate' => 'Jun 5 2014',
      'License'        => MSF_LICENSE
    )

    register_options(
      [
        Opt::RPORT(443),
        OptEnum.new('TLS_VERSION', [true, 'TLS/SSL version to use', '1.0', ['SSLv3','1.0', '1.1', '1.2']]),
        OptInt.new('RESPONSE_TIMEOUT', [true, 'Number of seconds to wait for a server response', 10])
      ])
  end

  def response_timeout
    datastore['RESPONSE_TIMEOUT']
  end

  def run_host(ip)
    ccs_injection
  end

  def ccs_injection
    connect_result = establish_connect
    return if connect_result.nil?

    vprint_status("Sending CCS...")
    sock.put(ccs)
    alert = sock.get_once(-1, response_timeout)
    if alert.blank?
      print_good("No alert after invalid CCS message, probably vulnerable")
      report
    elsif alert.unpack("C").first == ALERT_RECORD_TYPE
      vprint_error("Alert record as response to the invalid CCS Message, probably not vulnerable")
    elsif alert
      vprint_warning("Unexpected response.")
    end
  end

  def report
    report_vuln({
      :host => rhost,
      :port => rport,
      :name => self.name,
      :refs => self.references,
      :info => "Module #{self.fullname} successfully detected CCS injection"
    })
  end

  def ccs
    payload = "\x01" # Change Cipher Spec Message

    ssl_record(CCS_RECORD_TYPE, payload)
  end

  def client_hello
    # Use current day for TLS time
    time_temp = Time.now
    time_epoch = Time.mktime(time_temp.year, time_temp.month, time_temp.day, 0, 0).to_i

    hello_data = [TLS_VERSION[datastore['TLS_VERSION']]].pack("n") # Version TLS
    hello_data << [time_epoch].pack("N")    # Time in epoch format
    hello_data << Rex::Text.rand_text(28)   # Random
    hello_data << "\x00"                    # Session ID length
    hello_data << [CIPHER_SUITES.length * 2].pack("n") # Cipher Suites length (102)
    hello_data << CIPHER_SUITES.pack("n*")  # Cipher Suites
    hello_data << "\x01"                    # Compression methods length (1)
    hello_data << "\x00"                    # Compression methods: null

    data = "\x01\x00"                      # Handshake Type: Client Hello (1)
    data << [hello_data.length].pack("n")  # Length
    data << hello_data

    ssl_record(HANDSHAKE_RECORD_TYPE, data)
  end

  def ssl_record(type, data)
    record = [type, TLS_VERSION[datastore['TLS_VERSION']], data.length].pack('Cnn')
    record << data
  end

  def establish_connect
    connect

    vprint_status("Sending Client Hello...")
    sock.put(client_hello)
    server_hello = sock.get_once(-1, response_timeout)

    unless server_hello
      vprint_error("No Server Hello after #{response_timeout} seconds...")
      disconnect
      return nil
    end

    unless server_hello.unpack("C").first == HANDSHAKE_RECORD_TYPE
      vprint_error("Server Hello Not Found")
      return nil
    end

    true
  end
end

24 Jul 2017 13:26Current

8.1High risk

Vulners AI Score8.1

CVSS 25.8

CVSS 3.17.4

EPSS0.95326