SSL Compression Methods Supported

2012-10-16T00:00:00
ID SSL_SUPPORTED_COMPRESSION.NASL
Type nessus
Reporter Tenable
Modified 2018-02-15T00:00:00

Description

This script detects which compression methods are supported by the remote service for SSL connections.

                                        
                                            #TRUSTED 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
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration stanza: when the engine evaluates the plugin with `description`
# set, only the metadata below is declared and the script exits (exit(0) at
# the end of the block) before any of the probing code further down runs.
if (description)
{
  script_id(62563);
  script_version("1.8");
  script_set_attribute(attribute:"plugin_modification_date", value:"2018/02/15");

  script_name(english:"SSL Compression Methods Supported");
  script_summary(english:"Checks which SSL compression methods are supported");

  script_set_attribute(attribute:"synopsis", value:
"The remote service supports one or more compression methods for SSL
connections.");
  script_set_attribute(attribute:"description", value:
"This script detects which compression methods are supported by the
remote service for SSL connections.");

  # References: the IANA registry of TLS compression method IDs, RFC 3749
  # (TLS compression methods), RFC 3943 (LZS for TLS) and RFC 5246 (TLS 1.2).
  script_set_attribute(attribute:"see_also", value:"http://www.iana.org/assignments/comp-meth-ids/comp-meth-ids.xml");
  script_set_attribute(attribute:"see_also", value:"https://tools.ietf.org/html/rfc3749");
  script_set_attribute(attribute:"see_also", value:"https://tools.ietf.org/html/rfc3943");
  script_set_attribute(attribute:"see_also", value:"https://tools.ietf.org/html/rfc5246");

  # Declared as informational: the plugin only inventories compression
  # methods and proposes no remediation.
  # NOTE(review): a non-NULL method in the output means TLS-level compression
  # can be negotiated, which is the precondition for compression side-channel
  # attacks such as CRIME. Operators normally treat a hit as a hardening item
  # (disable TLS compression on the service) even though the rating is "None".
  script_set_attribute(attribute:"solution", value:"n/a");
  script_set_attribute(attribute:"risk_factor", value:"None");

  script_set_attribute(attribute:"plugin_publication_date", value:"2012/10/16");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"General");

  script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.");

  # Scheduling: depends on ssl_supported_versions.nasl and requires the
  # "SSL/Supported" KB key, which the main body re-checks before probing.
  script_dependencies("ssl_supported_versions.nasl");
  script_require_keys("SSL/Supported");

  exit(0);
}

include("audit.inc");
include("byte_func.inc");
include("acap_func.inc");
include("ftp_func.inc");
include("global_settings.inc");
include("imap_func.inc");
include("kerberos_func.inc");
include("ldap_func.inc");
include("misc_func.inc");
include("nntp_func.inc");
include("pop3_func.inc");
include("smtp_func.inc");
include("ssl_funcs.inc");
include("telnet2_func.inc");
include("xmpp_func.inc");
include("rsync.inc");
include("audit.inc");

# Stop immediately unless the KB already records SSL/TLS support on the host.
get_kb_item_or_exit("SSL/Supported");

# Select big-endian byte order for the byte helper functions used later
# (for example getword() on the version bytes).
set_byte_order(BYTE_ORDER_BIG_ENDIAN);

# Obtain the port to work on; fork:TRUE is passed so that each SSL port is
# handled separately.
port = get_ssl_ports(fork:TRUE);
if (isnull(port))
{
  exit(1, "The host does not appear to have any SSL-based services.");
}

# A port that is not open is reported through the common audit path.
if (!get_port_state(port))
{
  audit(AUDIT_SOCK_FAIL, port);
}

# When a transport above plain IP is already recorded for the port, it has to
# lie in the SSLv2 .. TLS 1.2 range; anything else is not handled here.
encaps = get_kb_item("Transports/TCP/" + port);
if (encaps > ENCAPS_IP)
{
  if (encaps < ENCAPS_SSLv2 || encaps > COMPAT_ENCAPS_TLSv12)
  {
    exit(1, "Port " + port + " uses an unsupported encapsulation method.");
  }
}

# Record whether any "<service>/<port>/starttls" KB entry exists for the port.
# NOTE(review): the probe loop further down tests `starttls_svc`, not this
# `starttls` variable, so the value computed here is never read in the visible
# script - confirm which name is intended.
starttls = get_kb_list("*/" + port + "/starttls");
starttls = (!isnull(starttls) && max_index(starttls));

# Select the protocol versions to probe.
#
# Default scans reuse the versions already recorded for this port under
# "SSL/Transport/<port>" (and exit if none are recorded), so a compression
# method reachable only through a version that was not recorded is not seen.
# Thorough scans ignore the KB and walk every version from SSLv2 to TLS 1.2.
if (!thorough_tests)
{
  versions = get_kb_list_or_exit("SSL/Transport/" + port);
}
else
{
  versions = make_list(
    ENCAPS_SSLv2,
    ENCAPS_SSLv3,
    ENCAPS_TLSv1,
    COMPAT_ENCAPS_TLSv11,
    COMPAT_ENCAPS_TLSv12
  );
}

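# Determine which compressors are supported.
#
# For each candidate protocol version and each candidate compression method
# ID, a ClientHello offering that one method plus the NULL method (0x00) is
# sent on a fresh connection. A method is recorded as supported only when the
# ServerHello carries both the requested version and the requested method ID.
# A method confirmed once is not probed again under the remaining versions.
#
# In thorough mode every ID from 1 to 255 is tried for every version, one
# connection per probe; expect that volume in the target's connection logs.
supported = make_array();
foreach encaps (versions)
{
  # NOTE(review): `starttls_svc` is not assigned anywhere in the visible
  # script (the StartTLS flag computed earlier is stored in `starttls`), so
  # unless an include defines it this guard never fires and StartTLS ports are
  # probed with every version. The line is left as-is on purpose: renaming it
  # would restrict StartTLS ports to TLSv1 and change scan coverage, which
  # should be a deliberate decision - either wire it to `starttls` or drop it.
  if (starttls_svc && encaps != ENCAPS_TLSv1) continue;

  # Map the transport to its two-byte wire version. SSLv2 is skipped, and so
  # is any value not listed here; previously an unlisted value fell through
  # and reused ssl_ver from the preceding iteration (or left it unset).
  if (encaps == ENCAPS_SSLv3) ssl_ver = raw_string(0x03, 0x00);
  else if (encaps == ENCAPS_TLSv1) ssl_ver = raw_string(0x03, 0x01);
  else if (encaps == COMPAT_ENCAPS_TLSv11) ssl_ver = raw_string(0x03, 0x02);
  else if (encaps == COMPAT_ENCAPS_TLSv12) ssl_ver = raw_string(0x03, 0x03);
  else continue;

  # Iterate over each possible compressor. ID 0 (NULL) is not a candidate.
  for (id = 1; id < 256; id++)
  {
    # Only test known compressors unless we're being thorough.
    if (!thorough_tests && isnull(compressors[id])) continue;

    # Skip compressors that we already know are supported.
    if (supported[id]) continue;

    # Offer the candidate first, followed by the NULL (0x00) compressor,
    # which must always be present. The loop starts at 1, so the former
    # "id != 0x00" test was always true and has been folded away.
    cmps = raw_string(id) + raw_string(0x00);

    exts = "";
    if (encaps >= ENCAPS_TLSv1)
    {
      # Send SNI only when a host name distinct from the IP address is known.
      host = get_host_name();
      if (host != get_host_ip() && host != NULL)
        exts += tls_ext_sni(hostname:host);

      # Include extensions for TLS 1.2 ciphers. Uses the same
      # COMPAT_ENCAPS_TLSv12 constant as the rest of this script; the
      # original compared against ENCAPS_TLSv1_2, a name used nowhere else
      # here (presumably the same value - confirm against the engine).
      if (encaps == COMPAT_ENCAPS_TLSv12)
        exts += tls_ext_ec() + tls_ext_ec_pt_fmt() + tls_ext_sig_algs();
    }

    if (exts == "")
      exts = NULL;

    # Create a ClientHello record.
    helo = client_hello(
      version   : ssl_ver,
      compmeths : cmps,
      v2hello   : FALSE,
      extensions: exts
    );

    # Connect to the port, issuing the StartTLS command if necessary.
    # NOTE(review): audit() presumably ends the plugin here, in which case a
    # single failed connection discards methods confirmed earlier in the
    # loop, because they are only written to the KB after the loop - confirm
    # whether that is acceptable for targets that rate-limit connections.
    soc = open_sock_ssl(port);
    if (!soc)
      audit(AUDIT_SOCK_FAIL, port);

    # Send the ClientHello record.
    send(socket:soc, data:helo);

    recs = recv_ssl_recs(socket:soc);

    close(soc);

    # Find and parse the ServerHello record; no ServerHello means no answer
    # for this candidate.
    rec = ssl_find(
      blob:recs,
      "content_type", SSL3_CONTENT_TYPE_HANDSHAKE,
      "handshake_type", SSL3_HANDSHAKE_TYPE_SERVER_HELLO
    );
    if (isnull(rec)) continue;

    # Ensure that the SSL version is what we expect.
    if (rec["version"] != getword(blob:ssl_ver, pos:0)) continue;

    # Ensure that the compression method matches what we sent. A server that
    # declines the candidate and selects NULL answers with method 0 and is
    # therefore not counted.
    if (rec["compression_method"] != id) continue;

    supported[id] = TRUE;
  }
}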

# Reduce the lookup table to the list of confirmed method IDs; an empty list
# ends the run with an informational exit message.
supported = keys(supported);
n_supported = max_index(supported);
if (n_supported == 0)
{
  exit(0, "Port " + port + " does not appear to have any compressors enabled.");
}

# Convert every entry to an integer in place and publish it in the KB under
# "SSL/Compressors/<port>" so that later plugins can reuse the result.
i = 0;
while (i < n_supported)
{
  id = int(supported[i]);
  supported[i] = id;
  set_kb_item(name:"SSL/Compressors/" + port, value:id);
  i++;
}

# Report our findings.
#
# The note itself is always raised for the port; the list of method names is
# attached only when report_verbosity is above zero. Every listed method was
# actually negotiated by the service during the probes, so any entry means
# TLS-level compression is enabled on this port.
report = NULL;
if (report_verbosity > 0)
{
  names = make_list();
  foreach id (sort(supported))
  {
    name = compressors[id];
    if (isnull(name))
    {
      # No name is known for this ID: describe the registry range it falls
      # in instead (0-63, 64-223, 224-255).
      if (id > 223)
        usage = "private use";
      else if (id > 63)
        usage = "non-Standards Track";
      else
        usage = "IETF Standards Track protocols";

      name = "Unknown, reserved for " + usage;
    }
    name = name + " (" + hex(id) + ")";

    names = make_list(names, name);
  }

  # Singular or plural wording for the sentence below.
  s = "s are ";
  if (max_index(names) == 1)
    s = " is ";

  report = '\nNessus was able to confirm that the following compression method' + s;
  report = report +
    '\nsupported by the target :' +
    '\n' +
    '\n  ' + join(names, sep:'\n  ') +
    '\n';
}

security_note(port:port, extra:report);