@drwetter
Collaborator

@drwetter drwetter commented Jul 11, 2025

Fixes #2833

This does a check for the opossum vulnerability, see https://opossum-attack.com/.

It uses a separate function to send the payload and retrieve the result (http_header_printf()). It uses no curl or wget. The latter wouldn't work anyway as, according to the manpage, the HTTP header to be sent must not contain LFs.

This function was introduced because http_get_header() could use wget if curl is not available. On the way to this PR http_get_header was improved, so that timeouts were used for curl and wget for better maturity.

Done:

  • handling when PROXY is requested (try anyway directly as the payload is not "proxyable")
  • print a message when no HTTP service is present
  • try hard when auth is required for HTTPS
  • manpages
  • help

What is your pull request about?

  • Bug fix
  • Improvement
  • New feature (adds functionality)
  • Breaking change (bug fix, feature or improvement that would cause existing functionality to not work as expected)
  • Typo fix
  • Documentation update
  • Update of other files

If it's a code change please check the boxes which are applicable

  • For the main program: My edits contain no tabs, indentation is five spaces and any line endings do not contain any blank chars
  • I've read CONTRIBUTING.md and Coding_Convention.md
  • I have tested this fix or improvement against >=2 hosts and I couldn't spot a problem
  • I have tested this new feature against >=2 hosts which show this feature and >=2 hosts which do not (in order to avoid side effects). I couldn't spot a problem
  • For the new feature I have made corresponding changes to the documentation and / or to help()
  • If it's a bigger change: I added myself to CREDITS.md (alphabetical order) and the change to CHANGELOG.md
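
The linked issue and the commit notes reference RFC 2817 (upgrading to TLS within HTTP/1.1). As an added example, not code from this PR or from testssl.sh, the following shows a plaintext upgrade request built with printf and a classifier for the reply. The function names are hypothetical, the header values follow the examples in RFC 2817, and the sample replies are constructed.

```shell
#!/bin/sh
# Added example, not testssl.sh code: function names are hypothetical and the
# header values follow the examples in RFC 2817.

# Emit an RFC 2817 upgrade request. HTTP header lines end in CRLF, so printf
# is used to write the exact bytes.
build_upgrade_probe() {
     printf 'GET %s HTTP/1.1\r\nHost: %s\r\nUpgrade: TLS/1.0\r\nConnection: Upgrade\r\n\r\n' \
          "${2:-/}" "$1"
}

# Classify a plaintext reply read from stdin:
#   upgrade-accepted   101 status and an Upgrade header naming TLS
#   upgrade-advertised other status, but an Upgrade header naming TLS
#   no-upgrade         HTTP reply without a TLS upgrade token
#   no-http            first line is not an HTTP status line
classify_upgrade_response() (
     # Drop CRs, keep only the header block, lowercase for matching.
     hdrs=$(tr -d '\r' | sed '/^$/q' | tr '[:upper:]' '[:lower:]')
     status_line=$(printf '%s\n' "$hdrs" | sed -n '1p')
     case "$status_line" in
          http/[0-9]*" "[1-5][0-9][0-9]*) ;;
          *) echo "no-http"; exit 0 ;;
     esac
     status=${status_line#* }
     status=${status%% *}
     upgrade=$(printf '%s\n' "$hdrs" | sed -n 's/^upgrade:[[:space:]]*//p')
     case "$upgrade" in
          *tls/*)
               if [ "$status" = 101 ]; then echo "upgrade-accepted"
               else echo "upgrade-advertised"; fi ;;
          *) echo "no-upgrade" ;;
     esac
)

# Constructed sample replies, not captured from any real server.
printf 'HTTP/1.1 101 Switching Protocols\r\nUpgrade: TLS/1.0, HTTP/1.1\r\n\r\n' |
     classify_upgrade_response
printf 'HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n' | classify_upgrade_response
printf 'SSH-2.0-OpenSSH_9.6\r\n' | classify_upgrade_response
```

A reply classified as `upgrade-accepted` or `upgrade-advertised` means the plaintext port offers opportunistic TLS and is worth reviewing against the guidance on https://opossum-attack.com/.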

drwetter added 4 commits July 11, 2025 13:06
Fixes #2833

This does a check for the opossum vulnerability, see https://opossum-attack.com/.

Currently it uses wget or curl, so one of them has to be present.

Proxy handling was introduced in check_pwnedkeys() which should help
that function too.

Also timeouts were used for curl and wget for better maturity.

Todos:
- handling when neither curl nor wget is present
- at least a warning when no HTTP service is present
- take care of the diffs in http_get_header() to make this
  work --> make sure it still does using check_pwnedkeys()
  - -H ''?
  - ret codes
- backport proxy stuff in http_get_header() to 3.2
- backport curl/wget timeouts to 3.2
- manpage (incl. RFC 2817)
text + html , comp_ok --> ok
@drwetter drwetter changed the title from "Opossum vulnerabilty" to "Opossum vulnerability" Jul 11, 2025
drwetter added 6 commits July 11, 2025 14:46
text + html , 2nd comp_ok --> ok
- use http instead of https
- use URI  of NODE
- handle not HTTP services (based on what's written on https://opossum-attack.com/)
- make sure it works in case where certificate-based authentication is requested on
  HTTP thus setting SERVICE to ""
- fix bash regex which resulted in cases with https:// in URI in a mangled curl call
- try also plain text curl test when client auth is requested via HTTPS and SERVICE is empty
@drwetter
Collaborator Author

image

Sigh, wget doesn't work.

@drwetter
Collaborator Author

drwetter commented Jul 12, 2025

better to open a new PR, see #2842

@drwetter drwetter closed this Jul 12, 2025
@drwetter drwetter deleted the opossum branch July 12, 2025 18:35
drwetter added a commit that referenced this pull request Jul 12, 2025
Development

Successfully merging this pull request may close these issues.

[Feature request] Test for Opossum attack / RFC 2817

2 participants