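Related vulnerability
Title:
Information disclosure vulnerability in the virtual server of multiple F5 BIG-IP products
(CVE-2016-9244)
Description: F5 BIG-IP Analytics and the other products named here are made by F5, a US company. F5 BIG-IP Analytics is a web application performance analysis suite. APM is a solution that provides secure, unified access to business-critical applications and networks. LTM is a local traffic manager. The virtual server is a common configuration component of these products. The virtual server in multiple F5 BIG-IP products contains a security vulnerability. A remote attacker can exploit it to obtain Secure Sockets Layer (SSL) session IDs from other sessions. The following products and versions are affected: F5 BIG-IP LTM 12.0
Description
This is a tool for exploiting the Ticketbleed (CVE-2016-9244) vulnerability.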
Introduction
# Ticketbleed

[License](https://raw.githubusercontent.com/EgeBalci/Ticketbleed/master/LICENSE) [CVE-2016-9244](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9244)

This tool exploits the Ticketbleed (CVE-2016-9244) vulnerability. The Ticketbleed library inside the src folder is a modified version of Go's crypto/tls; it has a few changes in the `handshake_client.go`, `tls.go` and `common.go` files but is otherwise almost the same.
# BUILD

```
cd Ticketbleed
mv Ticketbleed.go.tmp Ticketbleed.go
go get github.com/EgeBalci/Ticketbleed
go build Ticketbleed.go
```

# USAGE

```
./Ticketbleed <ip:port> <options>

OPTIONS:
  -o, --out     Output filename for raw memory
  -s, --size    Size in bytes to read (Output value may vary)
  -h, --help    Print this message
```

# About CVE-2016-9244

Ticketbleed (CVE-2016-9244) is a software vulnerability in the TLS stack of certain F5 products that allows a remote attacker to extract up to 31 bytes of uninitialized memory at a time. As with Heartbleed, that memory can contain any kind of sensitive information.

Discovered by: Filippo Valsorda

Finding Ticketbleed: https://blog.filippo.io/finding-ticketbleed/

VULNERABLE VERSIONS:

<table>
<tr>
<th>Product</th>
<th>Version</th>
</tr>
<tr>
<td>BIG-IP LTM</td>
<td>12.0.0 - 12.1.2 & 11.4.0 - 11.6.1</td>
</tr>
<tr>
<td>BIG-IP AAM</td>
<td>12.0.0 - 12.1.2 & 11.4.0 - 11.6.1</td>
</tr>
<tr>
<td>BIG-IP AFM</td>
<td>12.0.0 - 12.1.2 & 11.4.0 - 11.6.1</td>
</tr>
<tr>
<td>BIG-IP Analytics</td>
<td>12.0.0 - 12.1.2 & 11.4.0 - 11.6.1</td>
</tr>
<tr>
<td>BIG-IP APM</td>
<td>12.0.0 - 12.1.2 & 11.4.0 - 11.6.1</td>
</tr>
<tr>
<td>BIG-IP ASM</td>
<td>12.0.0 - 12.1.2 & 11.4.0 - 11.6.1</td>
</tr>
<tr>
<td>BIG-IP GTM</td>
<td>11.4.0 - 11.6.1</td>
</tr>
<tr>
<td>BIG-IP Link Controller</td>
<td>12.0.0 - 12.1.2</td>
</tr>
<tr>
<td>BIG-IP PEM</td>
<td>12.0.0 - 12.1.2 & 11.4.0 - 11.6.1</td>
</tr>
<tr>
<td>BIG-IP PSM</td>
<td>11.4.0 - 11.4.1</td>
</tr>
</table>
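
For triage, the version table above can be turned into an inventory check. The following is an added example, not code from the Ticketbleed repository; the function name `Affected` and the sample inventory entry are assumptions made for illustration. A match only means the version falls inside a range listed in the table.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// key packs major.minor.patch into one comparable integer.
func key(major, minor, patch int) int { return (major*1000+minor)*1000 + patch }

// Inclusive [low, high] ranges transcribed from the table above.
var (
	r12        = [2]int{key(12, 0, 0), key(12, 1, 2)}
	r11        = [2]int{key(11, 4, 0), key(11, 6, 1)}
	both       = [][2]int{r12, r11}
	vulnerable = map[string][][2]int{
		"LTM": both, "AAM": both, "AFM": both, "Analytics": both,
		"APM": both, "ASM": both, "PEM": both, "GTM": {r11},
		"Link Controller": {r12}, "PSM": {{key(11, 4, 0), key(11, 4, 1)}},
	}
)

// Affected reports whether product at version falls in a listed range.
// Unknown products and malformed versions are errors, never a silent "safe".
func Affected(product, version string) (bool, error) {
	spans, ok := vulnerable[strings.TrimPrefix(product, "BIG-IP ")]
	if !ok {
		return false, fmt.Errorf("product %q is not in the table", product)
	}
	parts, k := strings.Split(strings.TrimSpace(version), "."), 0
	for _, p := range parts {
		v, err := strconv.Atoi(p)
		if len(parts) != 3 || err != nil || v < 0 || v > 999 {
			return false, fmt.Errorf("bad version %q, want major.minor.patch", version)
		}
		k = k*1000 + v
	}
	for _, s := range spans {
		if s[0] <= k && k <= s[1] {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	fmt.Println(Affected("BIG-IP GTM", "12.0.0")) // constructed inventory entry
}
```

Version strings with a suffix, such as a hotfix label, are rejected rather than guessed at, so those devices need a manual look.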
File snapshot
[4.0K] /data/pocs/64bb117243e471f6983495b65324847030af408f
├── [2.6K] alert.go
├── [ 10K] cipher_suites.go
├── [ 22K] common.go
├── [ 30K] conn.go
├── [5.5K] conn_test.go
├── [2.2K] example_test.go
├── [4.3K] generate_cert.go
├── [ 19K] handshake_client.go
├── [ 18K] handshake_client_test.go
├── [ 31K] handshake_messages.go
├── [6.5K] handshake_messages_test.go
├── [ 21K] handshake_server.go
├── [ 38K] handshake_server_test.go
├── [4.2K] handshake_test.go
├── [ 12K] key_agreement.go
├── [1.0K] LICENSE
├── [ 11K] prf.go
├── [5.3K] prf_test.go
├── [2.3K] README.md
├── [4.0K] testdata
│ ├── [9.8K] Client-TLSv10-ClientCert-ECDSA-ECDSA
│ ├── [9.1K] Client-TLSv10-ClientCert-ECDSA-RSA
│ ├── [9.7K] Client-TLSv10-ClientCert-RSA-ECDSA
│ ├── [9.0K] Client-TLSv10-ClientCert-RSA-RSA
│ ├── [6.5K] Client-TLSv10-ECDHE-ECDSA-AES
│ ├── [6.9K] Client-TLSv10-ECDHE-RSA-AES
│ ├── [5.8K] Client-TLSv10-RSA-RC4
│ ├── [6.7K] Client-TLSv11-ECDHE-ECDSA-AES
│ ├── [7.1K] Client-TLSv11-ECDHE-RSA-AES
│ ├── [5.8K] Client-TLSv11-RSA-RC4
│ ├── [6.0K] Client-TLSv12-AES128-GCM-SHA256
│ ├── [6.0K] Client-TLSv12-AES256-GCM-SHA384
│ ├── [6.9K] Client-TLSv12-ALPN
│ ├── [6.7K] Client-TLSv12-ALPN-NoMatch
│ ├── [ 10K] Client-TLSv12-ClientCert-ECDSA-ECDSA
│ ├── [9.2K] Client-TLSv12-ClientCert-ECDSA-RSA
│ ├── [ 10K] Client-TLSv12-ClientCert-RSA-AES256-GCM-SHA384
│ ├── [ 10K] Client-TLSv12-ClientCert-RSA-ECDSA
│ ├── [9.2K] Client-TLSv12-ClientCert-RSA-RSA
│ ├── [6.7K] Client-TLSv12-ECDHE-ECDSA-AES
│ ├── [6.3K] Client-TLSv12-ECDHE-ECDSA-AES256-GCM-SHA384
│ ├── [6.3K] Client-TLSv12-ECDHE-ECDSA-AES-GCM
│ ├── [7.1K] Client-TLSv12-ECDHE-RSA-AES
│ ├── [5.8K] Client-TLSv12-RSA-RC4
│ ├── [8.4K] Client-TLSv12-SCT
│ ├── [5.8K] Server-SSLv3-RSA-3DES
│ ├── [5.9K] Server-SSLv3-RSA-AES
│ ├── [5.5K] Server-SSLv3-RSA-RC4
│ ├── [6.2K] Server-TLSv10-ECDHE-ECDSA-AES
│ ├── [5.5K] Server-TLSv10-RSA-3DES
│ ├── [5.7K] Server-TLSv10-RSA-AES
│ ├── [5.3K] Server-TLSv10-RSA-RC4
│ ├── [1.2K] Server-TLSv11-FallbackSCSV
│ ├── [5.3K] Server-TLSv11-RSA-RC4
│ ├── [8.2K] Server-TLSv12-ALPN
│ ├── [8.1K] Server-TLSv12-ALPN-NoMatch
│ ├── [7.3K] Server-TLSv12-CipherSuiteCertPreferenceECDSA
│ ├── [7.8K] Server-TLSv12-CipherSuiteCertPreferenceRSA
│ ├── [8.8K] Server-TLSv12-ClientAuthRequestedAndECDSAGiven
│ ├── [8.7K] Server-TLSv12-ClientAuthRequestedAndGiven
│ ├── [5.6K] Server-TLSv12-ClientAuthRequestedNotGiven
│ ├── [6.5K] Server-TLSv12-ECDHE-ECDSA-AES
│ ├── [6.2K] Server-TLSv12-IssueTicket
│ ├── [6.2K] Server-TLSv12-IssueTicketPreDisable
│ ├── [2.6K] Server-TLSv12-Resume
│ ├── [6.2K] Server-TLSv12-ResumeDisabled
│ ├── [5.7K] Server-TLSv12-RSA-3DES
│ ├── [6.0K] Server-TLSv12-RSA-AES
│ ├── [6.4K] Server-TLSv12-RSA-AES256-GCM-SHA384
│ ├── [6.4K] Server-TLSv12-RSA-AES-GCM
│ ├── [5.4K] Server-TLSv12-RSA-RC4
│ ├── [4.7K] Server-TLSv12-SNI
│ ├── [4.7K] Server-TLSv12-SNI-GetCertificate
│ └── [4.7K] Server-TLSv12-SNI-GetCertificateNotFound
├── [2.8M] Ticketbleed
├── [4.5K] Ticketbleed.go.tmp
├── [4.7K] ticket.go
├── [ 11K] tls.go
└── [ 13K] tls_test.go
1 directory, 78 files