Open Source Cloud Authors: Liz McMillan, Elizabeth White, Flint Brenton, Jason Bloomberg, Yeshim Deniz

Blog Feed Post

Verifying CRIME, SSLv2 and Plain Text TLS Injection with OpenSSL

If you are a system administrator or penetration tester, you need to be able to check for common vulnerabilities. When configured incorrectly, SSL/TLS has many. There are tons of SSL auditing tools out there, some with more functionality than others, but why add more tools when you can do it yourself?

So this is a tutorial on how to install Openssl from source on a Debain system with a few easy modifications so that you will be able to test for CRIME, SSL version 2 and TLS plain text injection.

First, you’ll need to make sure you have these programs installed:

$ sudo apt-get update && sudo apt-get install build-essential 	devscripts m4 quilt debhelper

Next, you’ll need the source code to OpenSSL. After this is downloaded, you’ll need to move into the openssl directory:

$ apt-get source openssl
	$ cd openssl-*/


SSL version two is an outdated SSL protocol that is filled with problems. For this reason, Debian and other Linux distributions disable SSLv2 in openssl by default. While this is a nice gesture to prevent users from making insecure ciphers, there are those of us that need to be able to check for said ciphers. So we’ll be adding the support back in.

First, from the openssl directory, remove all patches:

$ quilt pop -a

Now we need to remove where the no-sslv2 patch is mentioned inside of the files debian/patches/series and debian/rules.

In debian/patches/series, just take out the entire line where no-sslv2 is mentioned. In my case the file originally looked like:

33 default_bits.patch 
	34 ssltest_no_sslv2.patch 
	35 cpuid.patch

and after the change it became:

33 default_bits.patch 
	34 cpuid.patch 
	35 aesni-mac.patch

Also remove just the no-ssl2 from one line in debian/rules:

Original line:

22 CONFARGS  = --prefix=/usr --openssldir=/usr/lib/ssl –libdir=lib/$	(DEB_HOST_MULTIARCH) no-idea no-mdc2 no-rc5 zlib  enable-tlsext no-ssl2

After removal:

22 CONFARGS  = --prefix=/usr --openssldir=/usr/lib/ssl --libdir=lib/$	(DEB_HOST_MULTIARCH) no-idea no-mdc2 no-rc5 zlib  enable-tlsext

Now that all instances of the no-sslv2 patch have been removed, we can put the remaining patches back into place:

$ quilt push -a

If you were to stop at this point in the tutorial, upon installing you would be able to successfully issue the command:

$ openssl s_client -ssl2 -connect

If the connection is made, the server is configured to use SSL version 2.

TLS Plain Text Injection

TLS plain text injection is a vulnerability where if a command is injected in plain text before an encrypted authenticated session begins, the command is run after the encrypted session has started. Wietse Venema,describes it in detail here: http://www.postfix.org/CVE-2011-0411.html and gives a quick way to modify the openssl source to check for this issue. At this link, you can find out how to replace the -starttls smtp flag to test for TLS plain text injection. However by following that guide, you’ll be losing the previous functionality. So instead, I’ll be showing you how to add a few new commands: -starttls smtpi and -starttls ftpi that will add the a TLS injection check without losing any of the old openssl functionality.
Open apps/s_client.c in your favorite text editor (I’m rather partial to VIM). We are pretty much going to change the source of this file anywhere PROTO_FTP or PROTO_SMTP are used. So in vim I searched for PROTO_SMTP\|PROTO_FTP to highlight those areas and make them easy to find.

We need to add in the variables PROTO_SMTPI and PROTO_FTPI, just yank and put (copy / paste) the PROTO_SMTP and PROTO_FTP lines, stealing their format, and add the “I” to the end of them. Here is what it looks like on my screen (lines 550 and 554). The top part of the split screen is the original, the bottom is after the modification.


The next occurrence of our search term is where it checks what command line argument you passed to -starttls. We just need to copy the same format again and add options for smtpi and ftpi. Make sure to make the smtpi an else if, since there can only be one if. The following is what it should look like after you are done (new lines: 911, 912, 919, 920 )


Next up is a list of if statements to check which protocol you are using for -starttls so we can send the appropriate message to the server. This section is a bit more complicated, so play close attention to the code. For smtp the code looks like:


This means the same code will execute for smtp or smtpi. Now we just need to change the way the code in this if statement works:


So now, if starttls_proto==PROTO_SMTPI is given, it will append the harmless plain text command RSET to the STARTTLS command. By adding this, we will not lose our normal -starttls smtp functionality.

Nearly the same thing is done for the PROTO_FTP else if section, only instead of RSET you will use a NOOP command for no-operation.




Go ahead and save the file. If you were to stop at this point in the tutorial, upon installing you would be able to successfully issue the command:

$openssl s_client -starttls ftpi -connect

Upon making the connection, openssl will print out information on the cipher. There will be a line that is just two dashes (“–”) and then a 220 response. The 220 response is saying the server connected to you and is happy. Now if there is another line that says “220 Command okay.” that means it also revived and executed your NOOP command which was sent in plain text, and thus the server is vulnerable.


CRIME is a vulnerability in SSL compression. If a web server supports SSL compression then it is vulnerable to the CRIME attack. If you just do an apt-get install openssl you probably don’t have zlib enabled, so openssl will not try to use compression while connecting to a server. To make sure you have zlib, just configure with the the parameter “zlib” and “zlib-dynamic” as so:

$ ./config zlib zlib-dynamic

Now if you were to install at this point, whenever you use s_client to connect to a server, openssl will automatically try to use compression. If you see “Compression: gzip” then the server supports SSL compression and is vulnerable to CRIME. However, if you see “Compression: None” it is not vulnerable.

Run the following commands to install your changes. From the openssl directory do the following.

Update the source:

$ dch -n 'sslv2, tls injection and zilb'

Record the changes in the source tree:
 $ dpkg-source –commit

Build the package:

$ debuild -uc -us

$ cd ../
 $ sudo dpkg -i *ssl*.deb

That’s it! Now openssl can test for SSLv2, CRIME, SMTP TLS plain text injection, and FTP TLS plain text injection, all without breaking the other wonderful things we love about openssl (such as testing expired certificates, self-signed certificates, weak ciphers and more). One tool to rule them all.

Read the original blog entry...

More Stories By Hurricane Labs

Christina O’Neill has been working in the information security field for 3 years. She is a board member for the Northern Ohio InfraGard Members Alliance and a committee member for the Information Security Summit, a conference held once a year for information security and physical security professionals.

@ThingsExpo Stories
DXWordEXPO New York 2018, colocated with CloudEXPO New York 2018 will be held November 11-13, 2018, in New York City and will bring together Cloud Computing, FinTech and Blockchain, Digital Transformation, Big Data, Internet of Things, DevOps, AI, Machine Learning and WebRTC to one location.
DXWorldEXPO LLC announced today that "Miami Blockchain Event by FinTechEXPO" has announced that its Call for Papers is now open. The two-day event will present 20 top Blockchain experts. All speaking inquiries which covers the following information can be submitted by email to [email protected] Financial enterprises in New York City, London, Singapore, and other world financial capitals are embracing a new generation of smart, automated FinTech that eliminates many cumbersome, slow, and expe...
DXWorldEXPO | CloudEXPO are the world's most influential, independent events where Cloud Computing was coined and where technology buyers and vendors meet to experience and discuss the big picture of Digital Transformation and all of the strategies, tactics, and tools they need to realize their goals. Sponsors of DXWorldEXPO | CloudEXPO benefit from unmatched branding, profile building and lead generation opportunities.
The best way to leverage your Cloud Expo presence as a sponsor and exhibitor is to plan your news announcements around our events. The press covering Cloud Expo and @ThingsExpo will have access to these releases and will amplify your news announcements. More than two dozen Cloud companies either set deals at our shows or have announced their mergers and acquisitions at Cloud Expo. Product announcements during our show provide your company with the most reach through our targeted audiences.
DevOpsSummit New York 2018, colocated with CloudEXPO | DXWorldEXPO New York 2018 will be held November 11-13, 2018, in New York City. Digital Transformation (DX) is a major focus with the introduction of DXWorldEXPO within the program. Successful transformation requires a laser focus on being data-driven and on using all the tools available that enable transformation if they plan to survive over the long term. A total of 88% of Fortune 500 companies from a generation ago are now out of bus...
With 10 simultaneous tracks, keynotes, general sessions and targeted breakout classes, @CloudEXPO and DXWorldEXPO are two of the most important technology events of the year. Since its launch over eight years ago, @CloudEXPO and DXWorldEXPO have presented a rock star faculty as well as showcased hundreds of sponsors and exhibitors! In this blog post, we provide 7 tips on how, as part of our world-class faculty, you can deliver one of the most popular sessions at our events. But before reading...
Cloud Expo | DXWorld Expo have announced the conference tracks for Cloud Expo 2018. Cloud Expo will be held June 5-7, 2018, at the Javits Center in New York City, and November 6-8, 2018, at the Santa Clara Convention Center, Santa Clara, CA. Digital Transformation (DX) is a major focus with the introduction of DX Expo within the program. Successful transformation requires a laser focus on being data-driven and on using all the tools available that enable transformation if they plan to survive ov...
As IoT continues to increase momentum, so does the associated risk. Secure Device Lifecycle Management (DLM) is ranked as one of the most important technology areas of IoT. Driving this trend is the realization that secure support for IoT devices provides companies the ability to deliver high-quality, reliable, secure offerings faster, create new revenue streams, and reduce support costs, all while building a competitive advantage in their markets. In this session, we will use customer use cases...
DXWorldEXPO LLC announced today that ICOHOLDER named "Media Sponsor" of Miami Blockchain Event by FinTechEXPO. ICOHOLDER give you detailed information and help the community to invest in the trusty projects. Miami Blockchain Event by FinTechEXPO has opened its Call for Papers. The two-day event will present 20 top Blockchain experts. All speaking inquiries which covers the following information can be submitted by email to [email protected] Miami Blockchain Event by FinTechEXPO also offers s...
With tough new regulations coming to Europe on data privacy in May 2018, Calligo will explain why in reality the effect is global and transforms how you consider critical data. EU GDPR fundamentally rewrites the rules for cloud, Big Data and IoT. In his session at 21st Cloud Expo, Adam Ryan, Vice President and General Manager EMEA at Calligo, examined the regulations and provided insight on how it affects technology, challenges the established rules and will usher in new levels of diligence arou...
Dion Hinchcliffe is an internationally recognized digital expert, bestselling book author, frequent keynote speaker, analyst, futurist, and transformation expert based in Washington, DC. He is currently Chief Strategy Officer at the industry-leading digital strategy and online community solutions firm, 7Summits.
Digital Transformation and Disruption, Amazon Style - What You Can Learn. Chris Kocher is a co-founder of Grey Heron, a management and strategic marketing consulting firm. He has 25+ years in both strategic and hands-on operating experience helping executives and investors build revenues and shareholder value. He has consulted with over 130 companies on innovating with new business models, product strategies and monetization. Chris has held management positions at HP and Symantec in addition to ...
Cloud-enabled transformation has evolved from cost saving measure to business innovation strategy -- one that combines the cloud with cognitive capabilities to drive market disruption. Learn how you can achieve the insight and agility you need to gain a competitive advantage. Industry-acclaimed CTO and cloud expert, Shankar Kalyana presents. Only the most exceptional IBMers are appointed with the rare distinction of IBM Fellow, the highest technical honor in the company. Shankar has also receive...
Enterprises have taken advantage of IoT to achieve important revenue and cost advantages. What is less apparent is how incumbent enterprises operating at scale have, following success with IoT, built analytic, operations management and software development capabilities - ranging from autonomous vehicles to manageable robotics installations. They have embraced these capabilities as if they were Silicon Valley startups.
Internet-of-Things discussions can end up either going down the consumer gadget rabbit hole or focused on the sort of data logging that industrial manufacturers have been doing forever. However, in fact, companies today are already using IoT data both to optimize their operational technology and to improve the experience of customer interactions in novel ways. In his session at @ThingsExpo, Gordon Haff, Red Hat Technology Evangelist, shared examples from a wide range of industries – including en...
The standardization of container runtimes and images has sparked the creation of an almost overwhelming number of new open source projects that build on and otherwise work with these specifications. Of course, there's Kubernetes, which orchestrates and manages collections of containers. It was one of the first and best-known examples of projects that make containers truly useful for production use. However, more recently, the container ecosystem has truly exploded. A service mesh like Istio addr...
Rodrigo Coutinho is part of OutSystems' founders' team and currently the Head of Product Design. He provides a cross-functional role where he supports Product Management in defining the positioning and direction of the Agile Platform, while at the same time promoting model-based development and new techniques to deliver applications in the cloud.
Predicting the future has never been more challenging - not because of the lack of data but because of the flood of ungoverned and risk laden information. Microsoft states that 2.5 exabytes of data are created every day. Expectations and reliance on data are being pushed to the limits, as demands around hybrid options continue to grow.
Business professionals no longer wonder if they'll migrate to the cloud; it's now a matter of when. The cloud environment has proved to be a major force in transitioning to an agile business model that enables quick decisions and fast implementation that solidify customer relationships. And when the cloud is combined with the power of cognitive computing, it drives innovation and transformation that achieves astounding competitive advantage.
Poor data quality and analytics drive down business value. In fact, Gartner estimated that the average financial impact of poor data quality on organizations is $9.7 million per year. But bad data is much more than a cost center. By eroding trust in information, analytics and the business decisions based on these, it is a serious impediment to digital transformation.