Re: Nmap 6.45 Informal Release

[Patrik Karlsson <patrik () cqure net>]

Dan,

The issue Brendan was having disappeared when trying to read a smaller
response than requested, I believe.
That's why I initially went down the path of splitting the receiving
functions and allowed for an len argument.
I was having success with 0x0fe9 to a large extent as well in the request
until the emails yesterday where it was pointed out that it didn't work
against the CloudFlare challenge. I tried my initial commit and it did work
up until the 0x4000 was replaced.

Personally, I'm less concerned about IDS detection than false negatives. We
could make the default 0x4000 and allow changing it with an argument?

-Patrik


On Sun, Apr 13, 2014 at 7:55 AM, Daniel Miller <bonsaiviking () gmail com>wrote:

> Patrik,
>
> I saw that commit, but I was confused: Won't this reintroduce the problem
> Brendan was having with large heartbeat responses? I specifically chose
> 0x0fe9 as the smallest request that would reliably get a response from the
> openssl s_server tool, but I'm open to correction if you have evidence of
> better support for a different size.
>
> I don't know if IDS detection would be a concern, but using 0x4000 makes
> us send the exact probe that everyone is matching against. Also of note,
> apparently changing the heartbeat payload size is a way for an attacker to
> select memory from a different area, since the OpenSSL allocator reuses
> chunks of memory by size.
>
> Dan
>
>
> On Sun, Apr 13, 2014 at 6:21 AM, Patrik Karlsson <patrik () cqure net> wrote:
>
> > Fyodor,
> >
> > I think the change to the requested size that I committed as r32828 fixes
> > an important bug and should probably make it into the release unless
> > someone disagrees.
> >
> > Thanks,
> > Patrik
> >
> >
> > On Sat, Apr 12, 2014 at 4:54 PM, Fyodor <fyodor () nmap org> wrote:
> >
> > > Hi Folks!  Late last night we posted Nmap version 6.45 to the web site.
> >  It
> > > includes Patrik's excellent ssl-heartbleed script for detecting
> > vulnerable
> > > SSL servers (http://nmap.org/nsedoc/scripts/ssl-heartbleed.html) and
> > also
> > > Rob Nicholls' super quick update of our Windows OpenSSL binaries to help
> > > keep Nmap users safe from the same issue.  We never shipped vulnerable
> > > OpenSSL libraries with our Linux or Mac packages, and our new 6.45
> > Windows
> > > packages are now linked to a secure version (1.0.1g).
> > >
> > > This release also includes tons of other major improvements we made over
> > > the last 8 months since the 6.40 release.  Some of the improvements can
> > be
> > > found in the raw-format CHANGELOG (http://nmap.org/changelog.html) and
> > I'm
> > > working on cleaned up release notes now.
> > >
> > > Please give it a try and let me know if you find any problems.  If all
> > > seems well, I'll announce the release more prominently early next week.
> > >
> > > Cheers,
> > > Fyodor
> > > _______________________________________________
> > > Sent through the dev mailing list
> > > http://nmap.org/mailman/listinfo/dev
> > > Archived at http://seclists.org/nmap-dev/
> >
> >
> >
> > --
> > Patrik Karlsson
> > http://www.cqure.net
> > http://twitter.com/nevdull77
> > http://www.linkedin.com/in/nevdull77
> > _______________________________________________
> > Sent through the dev mailing list
> > http://nmap.org/mailman/listinfo/dev
> > Archived at http://seclists.org/nmap-dev/


-- 
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77
http://www.linkedin.com/in/nevdull77
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/