-
Notifications
You must be signed in to change notification settings - Fork 1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Heartbleed test vsftp with STARTTLS false positive #426
Comments
Hi Thomas, I don't think testssl.sh can ever have the intelligence to tell this apart, unless somebody volunteers to implement KI in bash (btw: do I also see hands rising for ASN1 parser in bash ;-) ) Remarkable though that testssl.sh caused an oops in the very secure ftpd... Cheers , Dirk |
I misunderstood this, sorry. vsftpd's standard behavior is "oops" if a setting is during runtime not compatible with a command. It's not a program failure as I assumed. I was just able to reproduce this. Seems that after the AUTH TLS it is getting the certificate it correctly switched to the TLS layer. It replies plaintext (see above also) though after sending the payload:
That's a tough one, need to sleep over it. First thing which comes to mind is checking for |
Btw: Thx for reporting, @thomaspatzke |
Another idea for a heuristic: run the test multiple times. A service vulnerable to heartbleed would quite certain give different responses while the response in this case was always equal. |
Good idea, thx! We're the results EXACTLY the same?Sent from my mobile. Excuse my brevity&typos+the phone's autocorrection |
Yes! Tested it few times, message seems to be static. |
Good idea, I thought too that would suffice. ;-/ Catch is a vulnerable, idle server. Here I get exacltly the same memory returned a couple of times. And as if the server wanted to tease me, one readable string in all that binary blurp was "42" ;-) . |
Hi Thomas, on my installation the recent commit works as expected and seems robust -- also on the idle server. There's just another check to make sure. Could you please double check? Thx, Dirk |
The test for Heartbleed caused a false positive. After sending the payload the server answers with:
This is an error from the FTP server itself, not leaked memory content.
Environment: vsFTPd 2.2.2 - further details unknown
The text was updated successfully, but these errors were encountered: