Joe Orton wrote:
> On Thu, Nov 19, 2009 at 04:05:34PM +0100, Hartmut Keil wrote:
>> With the proposed change, we prevent request splitting attacks based
>> on the TSL renegotiation flaw. From my point of view without
>> drawbacks, since 'pipelining' clients must handle the closing of a
>> connection after a complete response in any case.
>
> Yes, I agree, this seems very sensible, I can't see any problem with
> this.
>
> I would prefer to do it in a slightly more general way as below, which
> would catch the case where any other module's connection filter had
> buffered the data, and adds appropriate logging.
>
Ok, I agree with your approach, giving more information what happens.
(maybe having a trace with info would be enough, since it can occurr under
normal circumstances)
> (more general but which required half a day tracking down an obscure bug
> in the BIO/filters, also fixed below...)
yep, that fix is essential for the case here
>
> Testing on this version very welcome!
If have successfully tested the change with the following setup
(the one described in my initial mail):
o for the location /cert/* SSLVerifyClient require is configured
o the MTIM attacker is injecting one complete request that causes the
server to initiated the renegotiation.
And a second incomplete one for request splitting
The proposed change is dropping the second incomplete request. The file
ssldump.patched in the attachment shows the output of ssldump with the
change, the file ssldump.injected without.
Regards
Hartmut
>
> Index: ssl_engine_kernel.c
> ===================================================================
> --- ssl_engine_kernel.c (revision 882089)
> +++ ssl_engine_kernel.c (working copy)
> @@ -87,6 +87,29 @@
> return APR_SUCCESS;
> }
>
> +/* Do a non-blocking read from the connection filters to see whether
> + * there is any pending data on the connection. Return non-zero if
> + * there is, else zero. */
> +static int has_pending_data(request_rec *r)
> +{
> + apr_bucket_brigade *bb;
> + apr_off_t len;
> + apr_status_t rv;
> + int result;
> +
> + bb = apr_brigade_create(r->pool, r->connection->bucket_alloc);
> +
> + rv = ap_get_brigade(r->connection->input_filters, bb,
> AP_MODE_SPECULATIVE,
> + APR_NONBLOCK_READ, 1);
> + result = rv == APR_SUCCESS
> + && apr_brigade_length(bb, 1, &len) == APR_SUCCESS
> + && len > 0;
> +
> + apr_brigade_destroy(bb);
> +
> + return result;
> +}
> +
> /*
> * Post Read Request Handler
> */
> @@ -724,6 +747,23 @@
> else {
> request_rec *id = r->main ? r->main : r;
>
> + /* Mitigation for CVE-2009-3555: At this point, before
> + * renegotiating, an (entire) request has been read from
> + * the connection. An attacker may have sent further data
> + * to "prefix" any subsequent request by the victim's
> + * client after the renegotiation; this data may already
> + * have been read and buffered. Forcing a connection
> + * closure after the first response ensures such data will
> + * be discarded. Legimately pipelined HTTP requests will
> + * be retried anyway with this approach. */
> + if (has_pending_data(r)) {
> + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
> + "insecure SSL re-negotiation required, but "
> + "a pipelined request is present; keepalive "
> + "disabled");
> + r->connection->keepalive = AP_CONN_CLOSE;
> + }
> +
> /* do a full renegotiation */
> ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
> "Performing full renegotiation: "
> Index: ssl_engine_io.c
> ===================================================================
> --- ssl_engine_io.c (revision 882089)
> +++ ssl_engine_io.c (working copy)
> @@ -1344,9 +1344,17 @@
> }
> else {
> /* We have no idea what you are talking about, so return an error. */
> - return APR_ENOTIMPL;
> + status = APR_ENOTIMPL;
> }
>
> + /* It is possible for mod_ssl's BIO to be used outside of the
> + * direct control of mod_ssl's input or output filter -- notably,
> + * when mod_ssl initiates a renegotiation. Switching the BIO mode
> + * back to "blocking" here ensures such operations don't fail with
> + * SSL_ERROR_WANT_READ. */
> + inctx->block = APR_BLOCK_READ;
> +
> + /* Handle custom errors. */
> if (status != APR_SUCCESS) {
> return ssl_io_filter_error(f, bb, status);
> }
>
--
AdNovum Informatik AG
Hartmut Keil, Senior Software Engineer
Dipl. Physiker
Roentgenstrasse 22, CH-8005 Zurich
mailto:hartmut.k...@adnovum.ch
phone: +41 44 272 6111, fax: +41 44 272 6312
http://www.adnovum.ch
AdNovum Locations: Bern, Budapest, San Mateo, Zurich (HQ)
New TCP connection #1: adnws121.zh.adnovum.ch(33856) <->
adnpool01.zh.adnovum.ch(44300)
1 1 0.0015 (0.0015) C>S SSLv2 compatible client hello
Version 3.1
cipher suites
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
SSL2_CK_RC4
1 2 0.0062 (0.0047) S>C Handshake
ServerHello
Version 3.1
session_id[0]=
cipherSuite TLS_RSA_WITH_RC4_128_MD5
compressionMethod NULL
1 3 0.0063 (0.0000) S>C Handshake
Certificate
1 4 0.0063 (0.0000) S>C Handshake
ServerHelloDone
1 5 0.0074 (0.0011) C>S Handshake
ClientKeyExchange
1 6 0.0078 (0.0003) C>S ChangeCipherSpec
1 7 0.1052 (0.0974) C>S Handshake
Finished
1 8 0.1062 (0.0010) S>C ChangeCipherSpec
1 9 0.1062 (0.0000) S>C Handshake
Finished
1 10 0.1069 (0.0006) C>S application_data
---------------------------------------------------------------
GET /cert/hacked-initiated.html HTTP/1.1
Host: adnpool01.zh.adnovum.ch
GET /hacked/payload.html HTTP/1.1
Host: adnpool01.zh.adnovum.ch
X-Ignore: ---------------------------------------------------------------
1 11 0.1101 (0.0032) S>C Handshake
HelloRequest
1 12 0.1101 (0.0000) C>S Handshake
ClientHello
Version 3.1
cipher suites
Unknown value 0x39
Unknown value 0x38
Unknown value 0x37
Unknown value 0x36
Unknown value 0x35
Unknown value 0x33
Unknown value 0x32
Unknown value 0x31
Unknown value 0x30
Unknown value 0x2f
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
compression methods
NULL
1 13 0.1127 (0.0025) S>C Handshake
ServerHello
Version 3.1
session_id[0]=
cipherSuite TLS_RSA_WITH_RC4_128_MD5
compressionMethod NULL
1 14 0.1128 (0.0000) S>C Handshake
Certificate
1 15 0.1128 (0.0000) S>C Handshake
CertificateRequest
certificate_types rsa_sign
certificate_types dss_sign
certificate_types unknown value
certificate_authority
30 81 9b 31 0b 30 09 06 03 55 04 06 13 02 43 48
31 15 30 13 06 03 55 04 07 13 0c 38 30 30 35 20
5a 75 65 72 69 63 68 31 1e 30 1c 06 03 55 04 0a
13 15 41 64 4e 6f 76 75 6d 20 49 6e 66 6f 72 6d
61 74 69 6b 20 41 47 31 20 30 1e 06 03 55 04 0b
13 17 49 6e 74 65 72 6e 65 74 20 41 64 6d 69 6e
69 73 74 72 61 74 69 6f 6e 31 1e 30 1c 06 03 55
04 03 13 15 41 64 4e 6f 76 75 6d 20 49 6e 66 6f
72 6d 61 74 69 6b 20 41 47 31 13 30 11 06 09 2a
86 48 86 f7 0d 01 09 01 16 04 74 68 69 73
ServerHelloDone
1 16 3.3352 (3.2224) C>S Handshake
Certificate
1 17 3.3352 (0.0000) C>S Handshake
ClientKeyExchange
1 18 3.3352 (0.0000) C>S Handshake
CertificateVerify
Signature[128]=
c0 8d 0c fc 57 e9 e1 c5 1a 32 07 7f 4b a3 6e 8e
05 6d b5 50 57 30 32 22 6d 6f cd b9 95 f6 2e ac
71 5f db 29 91 1f da 88 b8 76 fc f9 60 f8 9f d1
62 fa 9e ee 9b cd 8d f7 e2 c5 49 98 ba 4b 23 ed
6c 34 38 85 56 f7 ea 4e ec ed a6 40 41 e2 9e fd
fc 11 a4 b8 d3 68 9d 35 c2 47 72 81 e7 5e 11 7d
62 62 6b ba 53 0b 29 52 b2 34 97 fc 15 a6 c8 ec
43 4a c9 57 86 b0 bb 32 aa ba a2 65 18 46 ce b1
1 19 3.3352 (0.0000) C>S ChangeCipherSpec
1 20 3.3352 (0.0000) C>S Handshake
Finished
1 21 3.3773 (0.0420) S>C ChangeCipherSpec
1 22 3.3773 (0.0000) S>C Handshake
Finished
1 23 3.3802 (0.0028) S>C application_data
---------------------------------------------------------------
HTTP/1.1 200 OK
Date: Fri, 20 Nov 2009 12:15:03 GMT
Server: Apache
Last-Modified: Mon, 16 Nov 2009 19:22:11 GMT
ETag: "2d01bc-11d-47881ed266339"
Accept-Ranges: bytes
Content-Length: 285
Content-Type: text/html
---------------------------------------------------------------
1 24 3.3802 (0.0000) S>C application_data
---------------------------------------------------------------
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
"http://www.w3.org/TR/REC-html40/loose.dtd";>
<HTML>
<HEAD>
<TITLE>Welcome with a cert HACKED!!!!</TITLE>
<BODY BGCOLOR="#FFFFFF">
<CENTER><H2>
Welcome to the Nevisweb Reverse Proxy HACKED!!!
</H2></CENTER>
</BODY></HTML>
---------------------------------------------------------------
1 25 3.4752 (0.0950) C>S application_data
---------------------------------------------------------------
GET /victim HTTP/1.1
User-Agent: Opera/9.64 (X11; Linux i686; U; en) Presto/2.1.1
Host: adnpool01.zh.adnovum.ch:44300
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png,
image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
If-Modified-Since: Mon, 16 Nov 2009 19:22:11 GMT
If-None-Match: "2d01bc-11d-47881ed266339"
Cookie:
Navajo=RBBJKBGXeEs5//O88j0aYDWMmqZxh6bi4/BR4nJuRd4R2KrsXsUp2/qeHljJdPDYSQ8TWUO3VAk-;
IW4Login=login
Cookie2: $Version=1
Connection: Keep-Alive, TE
TE: deflate, gzip, chunked, identity, trailers
---------------------------------------------------------------
1 26 3.4827 (0.0074) S>C application_data
---------------------------------------------------------------
HTTP/1.1 200 OK
Date: Fri, 20 Nov 2009 12:15:06 GMT
Server: Apache
Last-Modified: Mon, 16 Nov 2009 19:21:58 GMT
ETag: "2d01bd-11f-47881ec64adc9"
Accept-Ranges: bytes
Content-Length: 287
Keep-Alive: timeout=5, max=9
Connection: Keep-Alive
Content-Type: text/html
---------------------------------------------------------------
1 27 3.4827 (0.0000) S>C application_data
---------------------------------------------------------------
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
"http://www.w3.org/TR/REC-html40/loose.dtd";>
<HTML>
<HEAD>
<TITLE>Welcome with a cert INJECTED!!</TITLE>
<BODY BGCOLOR="#FFFFFF">
<CENTER><H2>
Welcome to the Nevisweb Reverse Proxy INJECTED!!!!
</H2></CENTER>
</BODY></HTML>
---------------------------------------------------------------
1 3.5833 (0.1005) C>S TCP FIN
1 28 3.5839 (0.0006) S>C Alert
level warning
value close_notify
New TCP connection #1: adnws121.zh.adnovum.ch(39573) <->
adnpool01.zh.adnovum.ch(44300)
1 1 0.0015 (0.0015) C>S SSLv2 compatible client hello
Version 3.1
cipher suites
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
SSL2_CK_RC4
1 2 0.0043 (0.0027) S>C Handshake
ServerHello
Version 3.1
session_id[0]=
cipherSuite TLS_RSA_WITH_RC4_128_MD5
compressionMethod NULL
1 3 0.0043 (0.0000) S>C Handshake
Certificate
1 4 0.0043 (0.0000) S>C Handshake
ServerHelloDone
1 5 0.0055 (0.0011) C>S Handshake
ClientKeyExchange
1 6 0.0058 (0.0003) C>S ChangeCipherSpec
1 7 0.1004 (0.0946) C>S Handshake
Finished
1 8 0.1019 (0.0014) S>C ChangeCipherSpec
1 9 0.1019 (0.0000) S>C Handshake
Finished
1 10 0.1025 (0.0006) C>S application_data
---------------------------------------------------------------
GET /cert/hacked-initiated.html HTTP/1.1
Host: adnpool01.zh.adnovum.ch
GET /hacked/payload.html HTTP/1.1
Host: adnpool01.zh.adnovum.ch
X-Ignore: ---------------------------------------------------------------
1 11 0.1118 (0.0093) S>C Handshake
HelloRequest
1 12 0.1119 (0.0000) C>S Handshake
ClientHello
Version 3.1
cipher suites
Unknown value 0x39
Unknown value 0x38
Unknown value 0x37
Unknown value 0x36
Unknown value 0x35
Unknown value 0x33
Unknown value 0x32
Unknown value 0x31
Unknown value 0x30
Unknown value 0x2f
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
compression methods
NULL
1 13 0.1146 (0.0027) S>C Handshake
ServerHello
Version 3.1
session_id[0]=
cipherSuite TLS_RSA_WITH_RC4_128_MD5
compressionMethod NULL
1 14 0.1146 (0.0000) S>C Handshake
Certificate
1 15 0.1146 (0.0000) S>C Handshake
CertificateRequest
certificate_types rsa_sign
certificate_types dss_sign
certificate_types unknown value
certificate_authority
30 81 9b 31 0b 30 09 06 03 55 04 06 13 02 43 48
31 15 30 13 06 03 55 04 07 13 0c 38 30 30 35 20
5a 75 65 72 69 63 68 31 1e 30 1c 06 03 55 04 0a
13 15 41 64 4e 6f 76 75 6d 20 49 6e 66 6f 72 6d
61 74 69 6b 20 41 47 31 20 30 1e 06 03 55 04 0b
13 17 49 6e 74 65 72 6e 65 74 20 41 64 6d 69 6e
69 73 74 72 61 74 69 6f 6e 31 1e 30 1c 06 03 55
04 03 13 15 41 64 4e 6f 76 75 6d 20 49 6e 66 6f
72 6d 61 74 69 6b 20 41 47 31 13 30 11 06 09 2a
86 48 86 f7 0d 01 09 01 16 04 74 68 69 73
ServerHelloDone
1 16 10.3004 (10.1857) C>S Handshake
Certificate
1 17 10.3004 (0.0000) C>S Handshake
ClientKeyExchange
1 18 10.3004 (0.0000) C>S Handshake
CertificateVerify
Signature[128]=
d1 2a df f5 9c d6 ae 12 d8 84 08 31 28 b4 c3 01
0d 6d d2 be c1 84 7a 84 64 80 47 bd f7 2f df 72
34 15 9c 20 59 3a cd 49 97 ef 7f f3 e4 2e 1d 26
3f 73 80 29 35 3b e3 00 3f 65 3b 61 58 d7 66 d5
38 43 d0 11 f1 7f ef a6 ad 52 77 05 42 21 13 22
01 52 a9 b0 69 b6 e2 88 ca 43 7b 4d 55 3e 29 24
c6 e3 14 8f 90 5d fc 94 d6 db fb f4 12 9e 32 86
b8 97 5f a5 2c 99 d8 f7 35 ef 18 48 f3 08 3a 6f
1 19 10.3004 (0.0000) C>S ChangeCipherSpec
1 20 10.3004 (0.0000) C>S Handshake
Finished
1 21 10.3398 (0.0393) S>C ChangeCipherSpec
1 22 10.3398 (0.0000) S>C Handshake
Finished
1 23 10.3425 (0.0027) S>C application_data
---------------------------------------------------------------
HTTP/1.1 200 OK
Date: Fri, 20 Nov 2009 12:13:31 GMT
Server: Apache
Last-Modified: Mon, 16 Nov 2009 19:22:11 GMT
ETag: "2d01bc-11d-47881ed266339"
Accept-Ranges: bytes
Content-Length: 285
Connection: close
Content-Type: text/html
---------------------------------------------------------------
1 24 10.3425 (0.0000) S>C application_data
---------------------------------------------------------------
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
"http://www.w3.org/TR/REC-html40/loose.dtd";>
<HTML>
<HEAD>
<TITLE>Welcome with a cert HACKED!!!!</TITLE>
<BODY BGCOLOR="#FFFFFF">
<CENTER><H2>
Welcome to the Nevisweb Reverse Proxy HACKED!!!
</H2></CENTER>
</BODY></HTML>
---------------------------------------------------------------
1 25 10.3429 (0.0003) S>C Alert
level warning
value close_notify
1 26 10.3429 (0.0000) C>S application_data
---------------------------------------------------------------
GET /victim HTTP/1.1
User-Agent: Opera/9.64 (X11; Linux i686; U; en) Presto/2.1.1
Host: adnpool01.zh.adnovum.ch:44300
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png,
image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
If-Modified-Since: Mon, 16 Nov 2009 19:22:11 GMT
If-None-Match: "2d01bc-11d-47881ed266339"
Cookie:
Navajo=RBBJKBGXeEs5//O88j0aYDWMmqZxh6bi4/BR4nJuRd4R2KrsXsUp2/qeHljJdPDYSQ8TWUO3VAk-;
IW4Login=login
Cookie2: $Version=1
Connection: Keep-Alive, TE
TE: deflate, gzip, chunked, identity, trailers
---------------------------------------------------------------
1 10.3431 (0.0001) C>S TCP FIN
1 10.3434 (0.0002) S>C TCP FIN
