
Commit 96ad6bb

committed
Default performs quick scan. If the server is vulnerable a full scan is performed
1 parent 5bd1d1c commit 96ad6bb


1 file changed

+80
-24
lines changed


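--- a/src/main/java/de/rub/nds/tlsscanner/probe/PaddingOracleProbe.java
+++ b/src/main/java/de/rub/nds/tlsscanner/probe/PaddingOracleProbe.java
@@ -16,6 +16,7 @@
 import de.rub.nds.tlsattacker.attacks.exception.PaddingOracleUnstableException;
 import de.rub.nds.tlsattacker.attacks.impl.PaddingOracleAttacker;
 import de.rub.nds.tlsattacker.attacks.padding.VectorResponse;
+import de.rub.nds.tlsattacker.attacks.util.response.EqualityError;
 import de.rub.nds.tlsattacker.core.config.delegate.CiphersuiteDelegate;
 import de.rub.nds.tlsattacker.core.config.delegate.ClientDelegate;
 import de.rub.nds.tlsattacker.core.config.delegate.ProtocolVersionDelegate;
@@ -61,7 +62,6 @@ public ProbeResult executeTest() {
 CiphersuiteDelegate cipherSuiteDelegate = (CiphersuiteDelegate) paddingOracleConfig.getDelegate(CiphersuiteDelegate.class);
 
 List<PaddingOracleTestResult> testResultList = new LinkedList<>();
-Boolean lastResult = null;
 PaddingRecordGeneratorType recordGeneratorType;
 if (scannerConfig.getScanDetail() == ScannerDetail.NORMAL) {
 recordGeneratorType = PaddingRecordGeneratorType.VERY_SHORT;
@@ -95,7 +95,12 @@ public ProbeResult executeTest() {
 }
 }
 ProtocolVersionDelegate versionDelegate = (ProtocolVersionDelegate) paddingOracleConfig.getDelegate(ProtocolVersionDelegate.class);
+boolean vulnerable = false;
+
 for (ProtocolVersion version : versionList) {
+if (vulnerable) {
+break;
+}
 VersionSuiteListPair suitePairList = null;
 for (VersionSuiteListPair versionSuiteList : serverSupportedSuites) {
 if (versionSuiteList.getVersion() == version) {
@@ -107,44 +112,95 @@ public ProbeResult executeTest() {
 continue;
 }
 for (PaddingVectorGeneratorType vectorType : vectorTypeList) {
+if (vulnerable) {
+break;
+}
 Set<CipherSuite> set = new HashSet<>(suitePairList.getCiphersuiteList());
 filterSuite(set);
 for (CipherSuite suite : set) {
 if (suite.isCBC() && CipherSuite.getImplemented().contains(suite)) {
-cipherSuiteDelegate.setCipherSuites(suite);
-versionDelegate.setProtocolVersion(version);
 paddingOracleConfig.setRecordGeneratorType(recordGeneratorType);
 paddingOracleConfig.setVectorGeneratorType(vectorType);
-try {
-Thread.currentThread().sleep(10000);
-} catch (InterruptedException ex) {
-Logger.getLogger(PaddingOracleProbe.class.getName()).log(Level.SEVERE, null, ex);
-}
-PaddingOracleAttacker attacker = new PaddingOracleAttacker(paddingOracleConfig, scannerConfig.createConfig(), getParallelExecutor());
-boolean hasError = false;
-try {
-lastResult = attacker.isVulnerable();
-} catch (Exception E) {
-LOGGER.error("Encountered an exception while testing for PaddingOracles", E);
-lastResult = null;
-hasError = true;
-}
-if (attacker.isErrornousScans()) {
-hasError = true;
+cipherSuiteDelegate.setCipherSuites(suite);
+versionDelegate.setProtocolVersion(version);
+PaddingOracleTestResult result = createTestResult(version, suite, paddingOracleConfig);
+if (result.getVulnerable() == Boolean.TRUE) {
+vulnerable = true;
+break;
 }
-for (VectorResponse vectorResponse : attacker.getVectorResponseList()) {
-if (vectorResponse.isErrorDuringHandshake()) {
-hasError = true;
-}
+testResultList.add(result);
+}
+}
+}
+}
+if (vulnerable && recordGeneratorType != PaddingRecordGeneratorType.SHORT) {
+testResultList.clear();
+//Perform full scan
+recordGeneratorType = PaddingRecordGeneratorType.SHORT;
+for (ProtocolVersion version : versionList) {
+
+VersionSuiteListPair suitePairList = null;
+for (VersionSuiteListPair versionSuiteList : serverSupportedSuites) {
+if (versionSuiteList.getVersion() == version) {
+suitePairList = versionSuiteList;
+break;
+}
+}
+if (suitePairList == null) {
+continue;
+}
+for (PaddingVectorGeneratorType vectorType : vectorTypeList) {
+Set<CipherSuite> set = new HashSet<>(suitePairList.getCiphersuiteList());
+for (CipherSuite suite : set) {
+if (suite.isCBC() && CipherSuite.getImplemented().contains(suite)) {
+paddingOracleConfig.setRecordGeneratorType(recordGeneratorType);
+paddingOracleConfig.setVectorGeneratorType(vectorType);
+cipherSuiteDelegate.setCipherSuites(suite);
+versionDelegate.setProtocolVersion(version);
+PaddingOracleTestResult result = createTestResult(version, suite, paddingOracleConfig);
+
+testResultList.add(result);
 }
-testResultList.add(new PaddingOracleTestResult(lastResult, version, suite, paddingOracleConfig.getVectorGeneratorType(), paddingOracleConfig.getRecordGeneratorType(), attacker.getVectorResponseList(), attacker.getVectorResponseListTwo(), attacker.getVectorResponseListThree(), attacker.getEqualityError(attacker.getVectorResponseList()), attacker.isShakyScans(), hasError));
 }
 }
 }
 }
 return new PaddingOracleResult(testResultList);
 }
 
+private PaddingOracleTestResult createTestResult(ProtocolVersion version, CipherSuite suite, PaddingOracleCommandConfig paddingOracleConfig) {
+
+Boolean result;
+try {
+Thread.currentThread().sleep(10000);
+} catch (InterruptedException ex) {
+Logger.getLogger(PaddingOracleProbe.class.getName()).log(Level.SEVERE, null, ex);
+}
+PaddingOracleAttacker attacker = new PaddingOracleAttacker(paddingOracleConfig, scannerConfig.createConfig(), getParallelExecutor());
+boolean hasError = false;
+try {
+result = attacker.isVulnerable();
+
+} catch (Exception E) {
+LOGGER.error("Encountered an exception while testing for PaddingOracles", E);
+result = null;
+hasError = true;
+}
+if (attacker.isErrornousScans()) {
+hasError = true;
+}
+for (VectorResponse vectorResponse : attacker.getVectorResponseList()) {
+if (vectorResponse.isErrorDuringHandshake()) {
+hasError = true;
+}
+}
+EqualityError equalityError = null;
+if (hasError == false) {
+equalityError = attacker.getEqualityError(attacker.getVectorResponseList());
+}
+return new PaddingOracleTestResult(result, version, suite, paddingOracleConfig.getVectorGeneratorType(), paddingOracleConfig.getRecordGeneratorType(), attacker.getVectorResponseList(), attacker.getVectorResponseListTwo(), attacker.getVectorResponseListThree(), equalityError, attacker.isShakyScans(), hasError);
+}
+
 @Override
 public boolean shouldBeExecuted(SiteReport report) {
 if (!(report.getSupportsTls10() == Boolean.TRUE) && !(report.getSupportsTls11() == Boolean.TRUE) && !(report.getSupportsTls12() == Boolean.TRUE)) {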
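Review bot: In the quick-scan loop of `executeTest()`, the `break` on a vulnerable result runs before `testResultList.add(result)`, so the one positive result is never stored. When `recordGeneratorType` is already `PaddingRecordGeneratorType.SHORT`, the `if (vulnerable && recordGeneratorType != PaddingRecordGeneratorType.SHORT)` rescan is skipped and the returned `PaddingOracleResult` holds only the non-vulnerable results gathered so far, which would report a vulnerable server as clean (the branch that selects SHORT is outside the visible hunks, so this is inferred). Moving `testResultList.add(result);` above the `if (result.getVulnerable() == Boolean.TRUE)` check keeps the finding on both paths, since the rescan clears the list anyway. The full-scan loop also omits the `filterSuite(set)` call that the quick scan makes; if that is deliberate, a comment such as `// full scan: test every CBC suite, no filtering` would make it clear. In `createTestResult`, the `InterruptedException` handler only logs; calling `Thread.currentThread().interrupt();` there would let a cancelled scan stop instead of continuing through every remaining suite.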
