Lucene search
HistoryFeb 09, 2017 - 9:30 p.m.
tls-ticketbleed NSE Script
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.973 High
EPSS
Percentile
99.8%
Detects whether a server is vulnerable to the F5 Ticketbleed bug (CVE-2016-9244).
For additional information:
- <https://filippo.io/Ticketbleed/>
- <https://blog.filippo.io/finding-ticketbleed/>
- <https://support.f5.com/csp/article/K05121675>
Script Arguments
tls-ticketbleed.protocols
(default tries all) TLSv1.0, TLSv1.1, or TLSv1.2
tls.servername
See the documentation for the tls library.
smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername
See the documentation for the smbauth library.
mssql.domain, mssql.instance-all, mssql.instance-name, mssql.instance-port, mssql.password, mssql.protocol, mssql.scanned-ports-only, mssql.timeout, mssql.username
See the documentation for the mssql library.
smtp.domain
See the documentation for the smtp library.
randomseed, smbbasic, smbport, smbsign
See the documentation for the smb library.
vulns.short, vulns.showall
See the documentation for the vulns library.
Example Usage
nmap -p 443 --script tls-ticketbleed <target>
Script Output
| tls-ticketbleed:
| VULNERABLE:
| Ticketbleed is a serious issue in products manufactured by F5, a popular
vendor of TLS load-balancers. The issue allows for stealing information from
the load balancer
| State: VULNERABLE (Exploitable)
| Risk factor: High
| Ticketbleed is vulnerability in the implementation of the TLS
SessionTicket extension found in some F5 products. It allows the leakage
("bleeding") of up to 31 bytes of data from uninitialized memory. This is
caused by the TLS stack padding a Session ID, passed from the client, with
data to make it 32-bits long.
| Exploit results:
| 2ab2ea6a4c167fbe8bf0b36c7d9ed6d3
| *..jL......l}...
| References:
| https://filippo.io/Ticketbleed/
| https://blog.filippo.io/finding-ticketbleed/
|_ https://support.f5.com/csp/article/K05121675
Requires
local nmap = require("nmap")
local packet = require "packet"
local shortport = require("shortport")
local sslcert = require("sslcert")
local stdnse = require("stdnse")
local table = require("table")
local tableaux = require "tableaux"
local tls = require "tls"
local vulns = require("vulns")
local rand = require "rand"
description = [[
Detects whether a server is vulnerable to the F5 Ticketbleed bug (CVE-2016-9244).
For additional information:
* https://filippo.io/Ticketbleed/
* https://blog.filippo.io/finding-ticketbleed/
* https://support.f5.com/csp/article/K05121675
]]
---
-- @usage
-- nmap -p 443 --script tls-ticketbleed <target>
--
-- @output
-- | tls-ticketbleed:
-- | VULNERABLE:
-- | Ticketbleed is a serious issue in products manufactured by F5, a popular
-- vendor of TLS load-balancers. The issue allows for stealing information from
-- the load balancer
-- | State: VULNERABLE (Exploitable)
-- | Risk factor: High
-- | Ticketbleed is vulnerability in the implementation of the TLS
-- SessionTicket extension found in some F5 products. It allows the leakage
-- ("bleeding") of up to 31 bytes of data from uninitialized memory. This is
-- caused by the TLS stack padding a Session ID, passed from the client, with
-- data to make it 32-bits long.
-- | Exploit results:
-- | 2ab2ea6a4c167fbe8bf0b36c7d9ed6d3
-- | *..jL......l}...
-- | References:
-- | https://filippo.io/Ticketbleed/
-- | https://blog.filippo.io/finding-ticketbleed/
-- |_ https://support.f5.com/csp/article/K05121675
--
-- @args tls-ticketbleed.protocols (default tries all) TLSv1.0, TLSv1.1, or TLSv1.2
author = "Mak Kolybabi <[email protected]>"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"vuln", "safe"}
dependencies = {"https-redirect"}
portrule = function(host, port)
if not tls.handshake_parse.NewSessionTicket then
stdnse.verbose1("Not running: incompatible tls.lua. Get the latest from https://nmap.org/nsedoc/lib/tls.html")
return false
end
-- Ensure we have the privileges necessary to run the PCAP operations this
-- script depends upon.
if not nmap.is_privileged() then
nmap.registry[SCRIPT_NAME] = nmap.registry[SCRIPT_NAME] or {}
if not nmap.registry[SCRIPT_NAME].rootfail then
stdnse.verbose1("Not running due to lack of privileges.")
end
nmap.registry[SCRIPT_NAME].rootfail = true
return false
end
return shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port)
end
local function is_vuln(host, port, version)
-- Checking a host requires a valid TLS Session Ticket. The Nmap API
-- does not expose that information to us, but it is sent
-- unencrypted near the end of the TLS handshake.
--
-- First we must create a socket that is ready to start a TLS
-- connection, so that we may find the local port from which it is
-- sending, and can use that information to filter the PCAP.
--
-- We should have a way to specify version here, but we don't.
local socket
local starttls = sslcert.getPrepareTLSWithoutReconnect(port)
if starttls then
local status
status, socket = starttls(host, port)
if not status then
stdnse.debug3("StartTLS connection to server failed: %s", socket)
return
end
else
socket = nmap.new_socket()
local status, err = socket:connect(host, port, "tcp")
if not status then
stdnse.debug3("Connection to server failed: %s", err)
return
end
end
socket:set_timeout(5000)
-- Find out the port we'll be using in our TLS negotiation.
local status, _, lport = socket:get_info()
if( not(status) ) then
stdnse.debug3("Failed to retrieve local port used by socket.")
return
end
-- We are only interested in capturing the TLS responses from the
-- server, not our traffic. We need to set the snaplen to be fairly
-- large to accommodate packets with many or large certificates.
local filter = ("src host %s and tcp and src port %d and dst port %d"):format(host.ip, port.number, lport)
local pcap = nmap.new_socket()
pcap:set_timeout(5)
pcap:pcap_open(host.interface, 4096, false, filter)
-- Initiate the TLS negotiation on the already-connected socket, and
-- then immediately close the socket.
local status, err = socket:reconnect_ssl()
if not status then
stdnse.debug1("Can't connect with TLS: %s", err)
return
end
socket:close()
-- Repeatedly read previously-captured packets and add them to a
-- buffer.
local buf = {}
while true do
local status, _, _, layer3, _ = pcap:pcap_receive()
if not status then
break
end
-- Parse captured packet and extract data.
local pkt = packet.Packet:new(layer3, #layer3)
if not pkt then
stdnse.debug3("Failed to create packet from captured data.")
return
end
if not pkt:tcp_parse() then
stdnse.debug3("Failed to parse captured packet.")
return
end
local tls_data = pkt:raw(pkt.tcp_data_offset)
table.insert(buf, tls_data)
end
buf = table.concat(buf, "")
pcap:pcap_close()
pcap:close()
-- Attempt to find the NewSessionTicket record in the captured
-- packets.
local pos, ticket
repeat
-- Attempt to parse the buffer.
local record
pos, record = tls.record_read(buf, pos)
if not record then
break
end
if record.type ~= "handshake" then
break
end
-- Search for the NewSessionTicket record, which contains the
-- Session Ticket we need.
for _, body in ipairs(record.body) do
stdnse.debug1("Captured %s record.", body.type)
if body.type == "NewSessionTicket" then
if body.ticket then
ticket = body.ticket
else
-- If someone downloaded this script separately from Nmap,
-- they are likely to be missing the parsing changes to the
-- TLS library. Try parsing the body inline.
if #body.data <= 4 then
stdnse.debug1("NewSessionTicket's body was too short to parse: %d bytes", #body.data)
return
end
_, ticket = (">I4 s2"):unpack(body.data)
end
break
end
end
until ticket or pos > #buf
if not ticket then
stdnse.debug1("Server did not send a NewSessionTicket record.")
return
end
-- Create the ClientHello record that triggers the behaviour in
-- affected systems. The record must include both a Session ID and a
-- TLS Session Ticket extension.
--
-- Setting the Session ID to a 16 bytes allows for the remaining 16
-- bytes of the field to be filled with uninitialized memory when it
-- is echoed back in the ServerHelloDone record. Using 16 bytes
-- reduces the chance of a false positive caused by the server
-- issuing us a new, valid session ID that just happens to match the
-- random one we provided.
local sid_old = rand.random_string(16)
local hello = tls.client_hello({
["protocol"] = version,
["session_id"] = sid_old,
-- Claim to support every cipher
-- Doesn't work with IIS, but only F5 products should be affected
["ciphers"] = tableaux.keys(tls.CIPHERS),
["compressors"] = {"NULL"},
["extensions"] = {
-- Claim to support common elliptic curves
["elliptic_curves"] = tls.EXTENSION_HELPERS["elliptic_curves"](tls.DEFAULT_ELLIPTIC_CURVES),
["SessionTicket TLS"] = ticket,
},
})
-- Connect the socket so that it is ready to start a TLS session.
if starttls then
local status
status, socket = starttls(host, port)
if not status then
stdnse.debug3("StartTLS connection to server failed: %s", socket)
return
end
else
socket = nmap.new_socket()
local status, err = socket:connect(host, port, "tcp")
if not status then
stdnse.debug3("Connection to server failed: %s", err)
return
end
end
-- Send Client Hello to the target server.
local status, err = socket:send(hello)
if not status then
stdnse.debug1("Couldn't send Client Hello: %s", err)
socket:close()
return
end
-- Read responses from server.
local status, response, err = tls.record_buffer(socket)
socket:close()
if err == "TIMEOUT" then
stdnse.debug1("Timeout exceeded waiting for Server Hello Done.")
return
end
if not status then
stdnse.debug1("Couldn't receive: %s", err)
socket:close()
return
end
-- Attempt to parse the response.
local _, record = tls.record_read(response)
if record == nil then
stdnse.debug1("Unrecognized response from server.")
return
end
if record.protocol ~= version then
stdnse.debug1("Server responded with a different protocol than we requested: %s", record.protocol)
return
end
if record.type ~= "handshake" then
stdnse.debug1("Server failed to respond with a handshake record: %s", record.type)
return
end
-- Search for the ServerHello record, which contains the Session ID
-- we want.
local sid_new
for _, body in ipairs(record.body) do
if body.type == "server_hello" then
sid_new = body.session_id
end
end
if not sid_new then
stdnse.debug1("Failed to receive a Server Hello record.")
return
end
if sid_new == "" then
stdnse.debug1("Server did not respond with a session ID.")
return
end
-- Check whether the Session ID matches what we originally sent,
-- which should be the case for a properly-functioning TLS stacks.
if sid_new == sid_old then
stdnse.debug1("Server properly echoed our short, random session ID.")
return
end
-- If the system is unaffected, it should provide a new session ID
-- unrelated to the one we provided. Check for the new session ID
-- being prefixed by the one we sent, indicating an affected system.
if sid_new:sub(1, #sid_old) ~= sid_old then
stdnse.debug1("Server responded with a new, unrelated session ID.")
stdnse.debug1("Original session ID: %s", stdnse.tohex(sid_old, {separator = ":"}))
stdnse.debug1("Received session ID: %s", stdnse.tohex(sid_new, {separator = ":"}))
return
end
return sid_new
end
action = function(host, port)
local vuln_table = {
title = "Ticketbleed is a serious issue in products manufactured by F5, a popular vendor of TLS load-balancers. The issue allows for stealing information from the load balancer",
state = vulns.STATE.NOT_VULN,
risk_factor = "High",
description = [[
Ticketbleed is vulnerability in the implementation of the TLS SessionTicket extension found in some F5 products. It allows the leakage ("bleeding") of up to 31 bytes of data from uninitialized memory. This is caused by the TLS stack padding a Session ID, passed from the client, with data to make it 32-bits long.
]],
references = {
"https://filippo.io/Ticketbleed/",
"https://blog.filippo.io/finding-ticketbleed/",
"https://support.f5.com/csp/article/K05121675"
}
}
-- Accept user-specified protocols.
local vers = stdnse.get_script_args(SCRIPT_NAME .. ".protocols") or {"TLSv1.0", "TLSv1.1", "TLSv1.2"}
if type(vers) == "string" then
vers = {vers}
end
for _, ver in ipairs(vers) do
-- Ensure the protocol version is supported.
if nil == tls.PROTOCOLS[ver] then
return "\n Unsupported protocol version: " .. ver
end
-- Check for the presence of the vulnerability.
local sid = is_vuln(host, port, ver)
if sid then
vuln_table.state = vulns.STATE.EXPLOIT
vuln_table.exploit_results = {
stdnse.tohex(sid:sub(17)),
(sid:sub(17):gsub("[^%g ]", "."))
}
break
end
end
local report = vulns.Report:new(SCRIPT_NAME, host, port)
return report:make_output(vuln_table)
end
Related
nmap
nmap
stuxnet-detect NSE Script
2010-12-12 22:40:42
http-svn-enum NSE Script
2015-07-25 09:56:07
ventrilo-info NSE Script
2013-01-16 00:29:05
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.973 High
EPSS
Percentile
99.8%
Related for NMAP:TLS-TICKETBLEED.NSE