Welcome!

Server Monitoring Authors: Yeshim Deniz, Liz McMillan, Pat Romanski, Carmen Gonzalez, Ken Schwaber

Blog Feed Post

Verifying CRIME, SSLv2 and Plain Text TLS Injection with OpenSSL

If you are a system administrator or penetration tester, you need to be able to check for common vulnerabilities. When configured incorrectly, SSL/TLS has many. There are tons of SSL auditing tools out there, some with more functionality than others, but why add more tools when you can do it yourself?

So this is a tutorial on how to install Openssl from source on a Debain system with a few easy modifications so that you will be able to test for CRIME, SSL version 2 and TLS plain text injection.

First, you’ll need to make sure you have these programs installed:

$ sudo apt-get update && sudo apt-get install build-essential 	devscripts m4 quilt debhelper

Next, you’ll need the source code to OpenSSL. After this is downloaded, you’ll need to move into the openssl directory:

$ apt-get source openssl
	$ cd openssl-*/

SSLv2

SSL version two is an outdated SSL protocol that is filled with problems. For this reason, Debian and other Linux distributions disable SSLv2 in openssl by default. While this is a nice gesture to prevent users from making insecure ciphers, there are those of us that need to be able to check for said ciphers. So we’ll be adding the support back in.

First, from the openssl directory, remove all patches:

$ quilt pop -a

Now we need to remove where the no-sslv2 patch is mentioned inside of the files debian/patches/series and debian/rules.

In debian/patches/series, just take out the entire line where no-sslv2 is mentioned. In my case the file originally looked like:

33 default_bits.patch 
	34 ssltest_no_sslv2.patch 
	35 cpuid.patch

and after the change it became:

33 default_bits.patch 
	34 cpuid.patch 
	35 aesni-mac.patch

Also remove just the no-ssl2 from one line in debian/rules:

Original line:

22 CONFARGS  = --prefix=/usr --openssldir=/usr/lib/ssl –libdir=lib/$	(DEB_HOST_MULTIARCH) no-idea no-mdc2 no-rc5 zlib  enable-tlsext no-ssl2

After removal:

22 CONFARGS  = --prefix=/usr --openssldir=/usr/lib/ssl --libdir=lib/$	(DEB_HOST_MULTIARCH) no-idea no-mdc2 no-rc5 zlib  enable-tlsext

Now that all instances of the no-sslv2 patch have been removed, we can put the remaining patches back into place:

$ quilt push -a

If you were to stop at this point in the tutorial, upon installing you would be able to successfully issue the command:

$ openssl s_client -ssl2 -connect

If the connection is made, the server is configured to use SSL version 2.


TLS Plain Text Injection

TLS plain text injection is a vulnerability where if a command is injected in plain text before an encrypted authenticated session begins, the command is run after the encrypted session has started. Wietse Venema,describes it in detail here: http://www.postfix.org/CVE-2011-0411.html and gives a quick way to modify the openssl source to check for this issue. At this link, you can find out how to replace the -starttls smtp flag to test for TLS plain text injection. However by following that guide, you’ll be losing the previous functionality. So instead, I’ll be showing you how to add a few new commands: -starttls smtpi and -starttls ftpi that will add the a TLS injection check without losing any of the old openssl functionality.
Open apps/s_client.c in your favorite text editor (I’m rather partial to VIM). We are pretty much going to change the source of this file anywhere PROTO_FTP or PROTO_SMTP are used. So in vim I searched for PROTO_SMTP\|PROTO_FTP to highlight those areas and make them easy to find.

We need to add in the variables PROTO_SMTPI and PROTO_FTPI, just yank and put (copy / paste) the PROTO_SMTP and PROTO_FTP lines, stealing their format, and add the “I” to the end of them. Here is what it looks like on my screen (lines 550 and 554). The top part of the split screen is the original, the bottom is after the modification.

terminal_first

The next occurrence of our search term is where it checks what command line argument you passed to -starttls. We just need to copy the same format again and add options for smtpi and ftpi. Make sure to make the smtpi an else if, since there can only be one if. The following is what it should look like after you are done (new lines: 911, 912, 919, 920 )

terminal_second

Next up is a list of if statements to check which protocol you are using for -starttls so we can send the appropriate message to the server. This section is a bit more complicated, so play close attention to the code. For smtp the code looks like:

terminal_third

This means the same code will execute for smtp or smtpi. Now we just need to change the way the code in this if statement works:

terminal_fourth

So now, if starttls_proto==PROTO_SMTPI is given, it will append the harmless plain text command RSET to the STARTTLS command. By adding this, we will not lose our normal -starttls smtp functionality.

Nearly the same thing is done for the PROTO_FTP else if section, only instead of RSET you will use a NOOP command for no-operation.

termail_fifth

and

terimal_sixth

Go ahead and save the file. If you were to stop at this point in the tutorial, upon installing you would be able to successfully issue the command:

$openssl s_client -starttls ftpi -connect

Upon making the connection, openssl will print out information on the cipher. There will be a line that is just two dashes (“–”) and then a 220 response. The 220 response is saying the server connected to you and is happy. Now if there is another line that says “220 Command okay.” that means it also revived and executed your NOOP command which was sent in plain text, and thus the server is vulnerable.

CRIME

CRIME is a vulnerability in SSL compression. If a web server supports SSL compression then it is vulnerable to the CRIME attack. If you just do an apt-get install openssl you probably don’t have zlib enabled, so openssl will not try to use compression while connecting to a server. To make sure you have zlib, just configure with the the parameter “zlib” and “zlib-dynamic” as so:

$ ./config zlib zlib-dynamic

Now if you were to install at this point, whenever you use s_client to connect to a server, openssl will automatically try to use compression. If you see “Compression: gzip” then the server supports SSL compression and is vulnerable to CRIME. However, if you see “Compression: None” it is not vulnerable.

Installing
Run the following commands to install your changes. From the openssl directory do the following.

Update the source:

$ dch -n 'sslv2, tls injection and zilb'

Record the changes in the source tree:
 $ dpkg-source –commit

Build the package:


$ debuild -uc -us

Install:
$ cd ../
 $ sudo dpkg -i *ssl*.deb

That’s it! Now openssl can test for SSLv2, CRIME, SMTP TLS plain text injection, and FTP TLS plain text injection, all without breaking the other wonderful things we love about openssl (such as testing expired certificates, self-signed certificates, weak ciphers and more). One tool to rule them all.

Read the original blog entry...

More Stories By Hurricane Labs

Christina O’Neill has been working in the information security field for 3 years. She is a board member for the Northern Ohio InfraGard Members Alliance and a committee member for the Information Security Summit, a conference held once a year for information security and physical security professionals.

@ThingsExpo Stories
DXWorldEXPO LLC announced today that ICC-USA, a computer systems integrator and server manufacturing company focused on developing products and product appliances, will exhibit at the 22nd International CloudEXPO | DXWorldEXPO. DXWordEXPO New York 2018, colocated with CloudEXPO New York 2018 will be held November 11-13, 2018, in New York City. ICC is a computer systems integrator and server manufacturing company focused on developing products and product appliances to meet a wide range of ...
More and more brands have jumped on the IoT bandwagon. We have an excess of wearables – activity trackers, smartwatches, smart glasses and sneakers, and more that track seemingly endless datapoints. However, most consumers have no idea what “IoT” means. Creating more wearables that track data shouldn't be the aim of brands; delivering meaningful, tangible relevance to their users should be. We're in a period in which the IoT pendulum is still swinging. Initially, it swung toward "smart for smart...
Headquartered in Plainsboro, NJ, Synametrics Technologies has provided IT professionals and computer systems developers since 1997. Based on the success of their initial product offerings (WinSQL and DeltaCopy), the company continues to create and hone innovative products that help its customers get more from their computer applications, databases and infrastructure. To date, over one million users around the world have chosen Synametrics solutions to help power their accelerated business or per...
Dion Hinchcliffe is an internationally recognized digital expert, bestselling book author, frequent keynote speaker, analyst, futurist, and transformation expert based in Washington, DC. He is currently Chief Strategy Officer at the industry-leading digital strategy and online community solutions firm, 7Summits.
In an era of historic innovation fueled by unprecedented access to data and technology, the low cost and risk of entering new markets has leveled the playing field for business. Today, any ambitious innovator can easily introduce a new application or product that can reinvent business models and transform the client experience. In their Day 2 Keynote at 19th Cloud Expo, Mercer Rowe, IBM Vice President of Strategic Alliances, and Raejeanne Skillern, Intel Vice President of Data Center Group and ...
Founded in 2000, Chetu Inc. is a global provider of customized software development solutions and IT staff augmentation services for software technology providers. By providing clients with unparalleled niche technology expertise and industry experience, Chetu has become the premiere long-term, back-end software development partner for start-ups, SMBs, and Fortune 500 companies. Chetu is headquartered in Plantation, Florida, with thirteen offices throughout the U.S. and abroad.
Bill Schmarzo, author of "Big Data: Understanding How Data Powers Big Business" and "Big Data MBA: Driving Business Strategies with Data Science," is responsible for setting the strategy and defining the Big Data service offerings and capabilities for EMC Global Services Big Data Practice. As the CTO for the Big Data Practice, he is responsible for working with organizations to help them identify where and how to start their big data journeys. He's written several white papers, is an avid blogge...
"We are a well-established player in the application life cycle management market and we also have a very strong version control product," stated Flint Brenton, CEO of CollabNet,, in this SYS-CON.tv interview at 18th Cloud Expo at the Javits Center in New York City, NY.
It is of utmost importance for the future success of WebRTC to ensure that interoperability is operational between web browsers and any WebRTC-compliant client. To be guaranteed as operational and effective, interoperability must be tested extensively by establishing WebRTC data and media connections between different web browsers running on different devices and operating systems. In his session at WebRTC Summit at @ThingsExpo, Dr. Alex Gouaillard, CEO and Founder of CoSMo Software, presented ...
Most people haven’t heard the word, “gamification,” even though they probably, and perhaps unwittingly, participate in it every day. Gamification is “the process of adding games or game-like elements to something (as a task) so as to encourage participation.” Further, gamification is about bringing game mechanics – rules, constructs, processes, and methods – into the real world in an effort to engage people. In his session at @ThingsExpo, Robert Endo, owner and engagement manager of Intrepid D...
Recently, WebRTC has a lot of eyes from market. The use cases of WebRTC are expanding - video chat, online education, online health care etc. Not only for human-to-human communication, but also IoT use cases such as machine to human use cases can be seen recently. One of the typical use-case is remote camera monitoring. With WebRTC, people can have interoperability and flexibility for deploying monitoring service. However, the benefit of WebRTC for IoT is not only its convenience and interopera...
Michael Maximilien, better known as max or Dr. Max, is a computer scientist with IBM. At IBM Research Triangle Park, he was a principal engineer for the worldwide industry point-of-sale standard: JavaPOS. At IBM Research, some highlights include pioneering research on semantic Web services, mashups, and cloud computing, and platform-as-a-service. He joined the IBM Cloud Labs in 2014 and works closely with Pivotal Inc., to help make the Cloud Found the best PaaS.
Everything run by electricity will eventually be connected to the Internet. Get ahead of the Internet of Things revolution. In his session at @ThingsExpo, Akvelon expert and IoT industry leader Sergey Grebnov provided an educational dive into the world of managing your home, workplace and all the devices they contain with the power of machine-based AI and intelligent Bot services for a completely streamlined experience.
Cloud-enabled transformation has evolved from cost saving measure to business innovation strategy -- one that combines the cloud with cognitive capabilities to drive market disruption. Learn how you can achieve the insight and agility you need to gain a competitive advantage. Industry-acclaimed CTO and cloud expert, Shankar Kalyana presents. Only the most exceptional IBMers are appointed with the rare distinction of IBM Fellow, the highest technical honor in the company. Shankar has also receive...
Business professionals no longer wonder if they'll migrate to the cloud; it's now a matter of when. The cloud environment has proved to be a major force in transitioning to an agile business model that enables quick decisions and fast implementation that solidify customer relationships. And when the cloud is combined with the power of cognitive computing, it drives innovation and transformation that achieves astounding competitive advantage.
Personalization has long been the holy grail of marketing. Simply stated, communicate the most relevant offer to the right person and you will increase sales. To achieve this, you must understand the individual. Consequently, digital marketers developed many ways to gather and leverage customer information to deliver targeted experiences. In his session at @ThingsExpo, Lou Casal, Founder and Principal Consultant at Practicala, discussed how the Internet of Things (IoT) has accelerated our abilit...
In his session at Cloud Expo, Alan Winters, U.S. Head of Business Development at MobiDev, presented a success story of an entrepreneur who has both suffered through and benefited from offshore development across multiple businesses: The smart choice, or how to select the right offshore development partner Warning signs, or how to minimize chances of making the wrong choice Collaboration, or how to establish the most effective work processes Budget control, or how to maximize project result...
To get the most out of their data, successful companies are not focusing on queries and data lakes, they are actively integrating analytics into their operations with a data-first application development approach. Real-time adjustments to improve revenues, reduce costs, or mitigate risk rely on applications that minimize latency on a variety of data sources. In his session at @BigDataExpo, Jack Norris, Senior Vice President, Data and Applications at MapR Technologies, reviewed best practices to ...
Data is the fuel that drives the machine learning algorithmic engines and ultimately provides the business value. In his session at Cloud Expo, Ed Featherston, a director and senior enterprise architect at Collaborative Consulting, discussed the key considerations around quality, volume, timeliness, and pedigree that must be dealt with in order to properly fuel that engine.
In his keynote at 19th Cloud Expo, Sheng Liang, co-founder and CEO of Rancher Labs, discussed the technological advances and new business opportunities created by the rapid adoption of containers. With the success of Amazon Web Services (AWS) and various open source technologies used to build private clouds, cloud computing has become an essential component of IT strategy. However, users continue to face challenges in implementing clouds, as older technologies evolve and newer ones like Docker c...