Vulnerabilities > CVE-2005-1247 - Denial-Of-Service vulnerability in Novell Nsure Audit 1.0.1

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
low complexity
novell
nessus

Summary

webadmin.exe in Novell Nsure Audit 1.0.1 allows remote attackers to cause a denial of service via malformed ASN.1 packets in corrupt client certificates to an SSL server, as demonstrated using an exploit for the OpenSSL ASN.1 parsing vulnerability.

Vulnerable Configurations

Part Description Count
Application
Novell
1

Nessus

NASL familyMisc.
NASL idSSLTEST.NASL
descriptionThe remote host seems to be running a version of OpenSSL that is older than 0.9.6k or 0.9.7c. There is a heap corruption bug in this version that might be exploited by an attacker to execute arbitrary code on the remote host with the privileges of the remote service.
last seen2020-03-18
modified2003-10-10
plugin id11875
published2003-10-10
reporterThis script is Copyright (C) 2003-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/11875
titleOpenSSL ASN.1 Parser Multiple Remote DoS
code
#TRUSTED 152361311ef92c76dfe792b16fdc8198045997cb6a047ad15be00c3526b3283e5d8c89321d9ed9f7807c7af560cee5aa0b9a59b8248e3e173a881b29d4a59c5f41628ef257badd86c39e3259b5117eb2f6c035bfc65584dccb4138bc33884786234f1365e8fdce1e3d2e8459dd266479fe8978e2958de226c38906221814a0ea9d4b177730997e28f3915facfca76d84acffd44d3451adb5fe031dff0a4afd1348ce4c3280b8794ac78a4c16a1de401c8aeaf12e587dee4514671a59c2c7a384d80c0be2e23a8dbc212fb09bc98219bd0bd863fb5facc799bf34e8b2aea72fd737634e104dea15c72fba7b5511b294dc8c5108ae828e8c420b48cfbd2a2e8af062cb2a85b161347e0e0b675ac569465e63d22d4802d062f6b9ebe34d3374c41471fe8817e3d00f423afeabed988c21c44682eabc1d6122fbeb42411c52d3e407cc472c6b207384ede4b6f36cc27efcdf94ec11253621ccfe22f253084c9123b4b1cd4300e22a2f00e5b55f71feac820e0667818389f1641b8e09a59cba4e239b1c1e01049d6ba9950daadf681780449a5a72f9bbede2902a74d82b4abde082b11c7938bfb784db6e59bca73a83660f07338909109d792ec29d7162237707b63783c3dbb4b811b1ba885a60b8bb5836cf3232a8220055b3a49afb1c8656f696b345f7bd81063559b718c8fde3258c6cbb3328fccee5c3554caaa406ab85d23578
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
 script_id(11875);
 script_version("1.64");
 script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");

 # CANs moved into CVE, moved back (bug 899) AH
 script_cve_id("CVE-2003-0543", "CVE-2003-0544", "CVE-2003-0545", "CVE-2005-1247", "CVE-2005-1730");
 script_bugtraq_id(8732, 13359);
 script_xref(name:"RHSA", value:"2003:291-01");
 script_xref(name:"SuSE", value:"SUSE-SA:2003:043");

 script_name(english:"OpenSSL ASN.1 Parser Multiple Remote DoS");
 script_summary(english:"Checks for the behavior of SSL");

 script_set_attribute(attribute:"synopsis", value:"The remote host is affected by a heap corruption vulnerability.");
 script_set_attribute(attribute:"description", value:
"The remote host seems to be running a version of OpenSSL that is older
than 0.9.6k or 0.9.7c.

There is a heap corruption bug in this version that might be exploited
by an attacker to execute arbitrary code on the remote host with the
privileges of the remote service.");
 script_set_attribute(attribute:"solution", value:
"If you are running OpenSSL, upgrade to version 0.9.6k or 0.9.7c or
newer.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_cwe_id(119);

 script_set_attribute(attribute:"vuln_publication_date", value:"2002/07/30");
 script_set_attribute(attribute:"plugin_publication_date", value:"2003/10/10");

 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);
 script_copyright(english:"This script is Copyright (C) 2003-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
 script_family(english:"Misc.");
 script_dependencies("ssl_supported_versions.nasl");
 script_require_keys("SSL/Supported");

 exit(0);
}

include("byte_func.inc");
include("ftp_func.inc");
include("global_settings.inc");
include("kerberos_func.inc");
include("ldap_func.inc");
include("misc_func.inc");
include("nntp_func.inc");
include("smtp_func.inc");
include("ssl_funcs.inc");
include("telnet2_func.inc");

if ( get_kb_item("CVE-2003-0543") )
	exit(0);

if ( get_kb_item("global_settings/disable_ssl_cipher_neg" ) ) exit(1, "Not negotiating the SSL ciphers, per user config");


get_kb_item_or_exit("SSL/Supported");

port = get_ssl_ports(fork:TRUE);
if (isnull(port))
  exit(1, "The host does not appear to have any SSL-based services.");

# Find out if the port is open.
if (!get_port_state(port))
  exit(0, "Port " + port + " is not open.");

#####################################################################
# Microsoft spits an error on the packet below
# OpenSSL processes the packet...

myversion = raw_string(0x03,0x35);
mycipherspec = raw_string(0x00,0x00,0x62,0x04,0x00,0x80,0x00,0x00,0x63,0xa0,0x00,0xe9,0xda,0x00,0x64,0x02,0x00,0x80);
mychallenge =  raw_string(0x4E,0x45,0x53,0x53,0x55,0x53,0x4E,0x45,0x53,0x53,0x55,0x53,0x4E,0x9F,0x53,0x53);

req=client_hello(version:myversion, cipherspec:mycipherspec, challenge:mychallenge);

# Connect to the port, issuing the StartTLS command if necessary.
soc = open_sock_ssl(port);
if (!soc)
  exit(1, "open_sock_ssl() returned NULL for port " + port + ".");

send (socket:soc, data:req);
r = recv(socket:soc, length:800);

if (strlen(r) == 7)
	exit(0);

close(soc);

# some *other* SSL servers (not OpenSSL) respond to the nudge below
# we'll wean them out of the check

mymlen = 0;
mymtype = 0;
myversion = raw_string(0x31,0x35);
req=client_hello(mlen:mymlen, mtype:mymtype, version:myversion);

# Connect to the port, issuing the StartTLS command if necessary.
soc = open_sock_ssl(port);
if (!soc)
  exit(1, "open_sock_ssl() returned NULL for port " + port + ".");

send (socket:soc, data:req);
r = recv(socket:soc, length:65535);
if (r)
	exit(0);
close(soc);
#####################################################################


req = client_hello();

# Connect to the port, issuing the StartTLS command if necessary.
soc = open_sock_ssl(port);
if (!soc)
  exit(1, "open_sock_ssl() returned NULL for port " + port + ".");

send (socket:soc, data:req);
r = recv(socket:soc, length:65535);
if (r)
{
        # Thanks to Brad Hazledine for submitting report that:
        #> By removing weak ciphers from the SSLCipherSuite on Apache 1.3.29/mod_ssl
        #> 2.8.16/Openssl 0.9.7c it reports a false (vulnerable) version of openssl.
        # So, We'll look for error message 0x02 0x28 which denotes a failed handshake

    if ( (ord(r[5]) == 0x02) && (ord(r[6]) == 0x28) )
	exit(0);

        # Thanks to Steve (ssg4605 [at] yahoo.com)
        # for reporting anomalous behavior from apple xserve
    if ( (ord(r[1]) != 22) && (ord(r[1]) != 3) )
	exit(0);

    localcert = hex2raw(s: tolower("03CB0003C8308203C43082032DA003020102020100300D06092A864886F70D01010405003081A3310B30090603550406130255533112301006035504081309536F6D6553544154453111300F06035504071308536F6D654349545931173015060355040A130E4E6573737573205363616E6E6572311C301A060355040B1313536563757269747920436F6D706C69616E6365311430120603550403130B4E657373757320557365723120301E06092A864886F70D01090116116E6F6F6E65406E6F77686572652E636F6D301E170D3033313031303031313433395A170D3033313130393031313433395A3081A3310B30090603550406130255533112301006035504081309536F6D6553544154453111300F06035504071308536F6D654349545931173015060355040A130E4E6573737573205363616E6E6572311C301A060355040B1313536563757269747920436F6D706C69616E6365311430120603550403130B4E657373757320557365723120301E06092A864886F70D01090116116E6F6F6E65406E6F77686572652E636F6D30819F300D06092A864886F70D010101050003818D0030818902818100DCA93F62D5088026DBBAD24A551F136289E39CA34AD9C0EEE0493A7E3103884572ADE53ACE68416FAB0CE44F3291A71A7FA3B89E6490E622F61B71140FCA37F2C5C8AD0D96CF1DEC454960B70582918BE96C5DEEC5B2E2A58CC8506FEAE7941C5DA8AF2EF6225F903350AB54743F48FE3322D7383FD6B2B619D2045476C7C6550203010001A382010430820100301D0603551D0E04160414FA4DD1D034857B04784BCAA4A708E004F2DFCD063081D00603551D230481C83081C58014FA4DD1D034857B04784BCAA4A708E004F2DFCD06A181A9A481A63081A3310B30090603550406130255533112301006035504081309536F6D6553544154453111300F06035504071308536F6D654349545931173015060355040A130E4E6573737573205363616E6E6572311C301A060355040B1313536563757269747920436F6D706C69616E6365311430120603550403130B4E657373757320557365723120301E06092A864886F70D01090116116E6F6F6E65406E6F77686572652E636F6D820100300C0603551D13040530030101FF300D06092A864886F70D0101040500038181001214A295E71DAF8EEAB4A9E19499B98D766A02A1F62B1F388C635A8D2A08B3F678CF952ACE0D57F8C4510C2F22C3CB3EBAFEBBE8E3DAF83183898EAA27858D0CFB1B4121C3FE750EEC740FFF46452B90D5473200B7121343990B185CF8698A2115B62D57CFD9C9EA220054EF4CF49513C25B63B07C38D126F4CAF98B37EAB0EC"));

    req2 = client_send_cert(certificate:localcert);
    send (socket:soc, data:req2);
    r2 = recv(socket:soc, length:65535);
    if (r2) {
        if ( ord(r2[6]) == 0x0A || ord(r2[6]) == 0x2a  || ord(r2[6]) == 0x2f)
	{               # the 7th byte must == 0x0A which is an error
           exit(0);                                      		# message stating "Unexpected message"
        } else {
           security_hole(port);
        }
    }
    # MA 2008-11-16: otherwise, the server abruptly closed the connection
    # after we sent the cert. Nothing proves this is a security bug, and
    # we do not report unknown problems without patch or workaround.
}
exit(0);