Mailing List Archive

New OpenSSL check
I modified openssl_generic_test.nasl to something more aggressive when
the safe checks are disabled. It should not produce any false positives
any more, but I'd be interested in everyone's results against
non-OpenSSL (but SSL-enabled) services.

The logic is:
- Send a 9-char key argument. If the server closes the
connection, then OpenSSL is not vulnerable.

- If the server replies with something and the safe checks are
enabled, issue a warning.

- If the server replies with something and the safe checks are
disabled, then re-establish the connection and send a ~350-char
key argument. If the server does not reply with anything, it's
vulnerable to the OpenSSL flaw (and some daemons may crash).


-- Renaud
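
The probe described above can also be recognized on the receiving side. The following is an added example, not part of the original post or of the Nessus plugin: it parses a captured SSLv2 CLIENT-MASTER-KEY record and flags a key argument longer than the protocol allows. It assumes the check concerns the SSLv2 key argument and its 8-byte limit, which the post does not state; the function names and sample records are constructed for illustration.

```python
import struct

SSL2_MT_CLIENT_MASTER_KEY = 2
MAX_KEY_ARG = 8  # assumption: SSLv2 key-argument limit in bytes, not stated in the post


def parse_client_master_key(record: bytes):
    """Return header fields of an SSLv2 CLIENT-MASTER-KEY record, or None."""
    if len(record) < 3:
        return None
    if record[0] & 0x80:  # 2-byte record header, no padding
        body_len, off = ((record[0] & 0x7F) << 8) | record[1], 2
    else:                 # 3-byte record header (third byte is the padding length)
        body_len, off = ((record[0] & 0x3F) << 8) | record[1], 3
    body = record[off:off + body_len]
    if len(body) < 10 or body[0] != SSL2_MT_CLIENT_MASTER_KEY:
        return None
    # body[1:4] is the cipher kind; three 16-bit big-endian lengths follow
    clear_len, enc_len, key_arg_len = struct.unpack(">HHH", body[4:10])
    return {
        "cipher_kind": body[1:4].hex(),
        "key_arg_len": key_arg_len,
        "truncated": len(body) < body_len,
        "consistent": 10 + clear_len + enc_len + key_arg_len == body_len,
    }


def classify(record: bytes) -> str:
    """Label a record for logging or alerting."""
    fields = parse_client_master_key(record)
    if fields is None:
        return "not-client-master-key"
    if fields["key_arg_len"] > MAX_KEY_ARG:
        return "oversized-key-arg"  # matches both probe sizes in the post
    if fields["truncated"] or not fields["consistent"]:
        return "malformed"
    return "ok"


def sample_record(key_arg_len: int) -> bytes:
    """Constructed sample: zero-filled key material, not a usable handshake."""
    enc_key = bytes(128)
    body = bytes([SSL2_MT_CLIENT_MASTER_KEY, 0x01, 0x00, 0x80])
    body += struct.pack(">HHH", 0, len(enc_key), key_arg_len)
    body += enc_key + bytes(key_arg_len)
    return bytes([0x80 | (len(body) >> 8), len(body) & 0xFF]) + body


if __name__ == "__main__":
    for n in (8, 9, 350):
        print(n, classify(sample_record(n)))
```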