OpenSSL Alternative Chains Certificate Forgery MITM Proxy - Metasploit
This page contains detailed information about how to use the auxiliary/server/openssl_altchainsforgery_mitm_proxy Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: OpenSSL Alternative Chains Certificate Forgery MITM Proxy
Module: auxiliary/server/openssl_altchainsforgery_mitm_proxy
Source code: modules/auxiliary/server/openssl_altchainsforgery_mitm_proxy.rb
Disclosure date: 2015-07-09
Last modification time: 2021-02-19 20:35:33 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): -
List of CVEs: CVE-2015-1793
This module exploits a logic error in OpenSSL by impersonating the server and sending a specially-crafted chain of certificates, resulting in certain checks on untrusted certificates being bypassed on the client, allowing it to use a valid leaf certificate as a CA certificate to sign a fake certificate. The SSL/TLS session is then proxied to the server, allowing the session to continue normally and application data transmitted between the peers to be saved. The valid leaf certificate must not contain the keyUsage extension, or it must have at least the keyCertSign bit set (see the X509_check_issued function in crypto/x509v3/v3_purp.c); otherwise, X509_verify_cert fails with X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY. This module requires an active man-in-the-middle attack.
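The keyUsage precondition above is something an operator can audit for on the certificates they issue or serve: a leaf certificate that carries a keyUsage extension without the keyCertSign bit cannot be accepted as an issuer through this bug, even by a client that has not yet been patched for CVE-2015-1793. The following Ruby snippet is an added example, not code from the Metasploit module or from this page; it uses only Ruby's standard openssl binding, and the self-signed test certificates it builds (subject /CN=leaf.example.test) are constructed placeholders.

```ruby
require 'openssl'

# Added example: report whether a leaf certificate satisfies the keyUsage
# condition the module description quotes from X509_check_issued. Returns true
# when the certificate has no keyUsage extension at all, or when keyUsage
# includes keyCertSign. A true result means the certificate could be accepted
# as an issuer by a client still vulnerable to CVE-2015-1793, so operators
# auditing their own certificates want this to be false for every leaf.
def leaf_meets_issuer_precondition?(cert)
  ku = cert.extensions.find { |ext| ext.oid == 'keyUsage' }
  return true if ku.nil?                       # no keyUsage extension: condition met
  # OpenSSL's text rendering of the keyCertSign bit is "Certificate Sign".
  ku.value.split(',').map(&:strip).include?('Certificate Sign')
end

# Helper for the demonstration: builds a constructed, self-signed X.509 v3 test
# certificate with the requested keyUsage value (nil omits the extension).
# The subject name is a placeholder, not a real host.
def build_test_cert(key_usage)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                             # X.509 v3, required for extensions
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse('/CN=leaf.example.test')
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', key_usage, true)) if key_usage
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Convenience wrapper for auditing a PEM-encoded certificate file on disk.
def audit_pem(path)
  leaf_meets_issuer_precondition?(OpenSSL::X509::Certificate.new(File.read(path)))
end

if $PROGRAM_NAME == __FILE__
  {
    'no keyUsage extension'          => nil,
    'keyUsage without keyCertSign'   => 'digitalSignature, keyEncipherment',
    'keyUsage including keyCertSign' => 'digitalSignature, keyCertSign'
  }.each do |label, ku|
    flag = leaf_meets_issuer_precondition?(build_test_cert(ku))
    puts format('%-32s usable as issuer under the bug: %s', label, flag)
  end
end
```

Run it as a script to see the three constructed cases, or call audit_pem on a certificate you serve; the second case (keyUsage present, keyCertSign absent) is the shape a TLS server certificate should have. Patching the client-side OpenSSL remains the actual fix; the keyUsage check only narrows which certificates an unpatched client could be tricked with.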
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
msf > use auxiliary/server/openssl_altchainsforgery_mitm_proxy
msf auxiliary(openssl_altchainsforgery_mitm_proxy) > show targets
... a list of targets ...
msf auxiliary(openssl_altchainsforgery_mitm_proxy) > set TARGET target-id
msf auxiliary(openssl_altchainsforgery_mitm_proxy) > show options
... show and set options ...
msf auxiliary(openssl_altchainsforgery_mitm_proxy) > exploit
Required Options
CACERT: The leaf certificate's CA certificate
CERT: The leaf certificate
KEY: The leaf certificate's private key
HOST: The server address
Msfconsole Usage
Here is how the server/openssl_altchainsforgery_mitm_proxy auxiliary module looks in the msfconsole:
msf6 > use auxiliary/server/openssl_altchainsforgery_mitm_proxy
msf6 auxiliary(server/openssl_altchainsforgery_mitm_proxy) > show info

       Name: OpenSSL Alternative Chains Certificate Forgery MITM Proxy
     Module: auxiliary/server/openssl_altchainsforgery_mitm_proxy
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2015-07-09

Provided by:
  David Benjamin
  Adam Langley
  Ramon de C Valle <[email protected]>

Available actions:
  Name     Description
  ----     -----------
  Service  Run MITM proxy

Check supported:
  No

Basic options:
  Name        Current Setting                                                     Required  Description
  ----        ---------------                                                     --------  -----------
  CACERT                                                                          yes       The leaf certificate's CA certificate
  CERT                                                                            yes       The leaf certificate
  HOST                                                                            yes       The server address
  KEY                                                                             yes       The leaf certificate's private key
  PASSPHRASE                                                                      no        The pass phrase for the leaf certificate's private key
  PORT        443                                                                 yes       The server port
  SRVHOST     0.0.0.0                                                             yes       The proxy address
  SRVPORT     443                                                                 yes       The proxy port
  SUBJECT     /C=US/ST=California/L=Mountain View/O=Example Inc/CN=*.example.com  no        The subject field for the fake certificate

Description:
  This module exploits a logic error in OpenSSL by impersonating the
  server and sending a specially-crafted chain of certificates,
  resulting in certain checks on untrusted certificates to be bypassed
  on the client, allowing it to use a valid leaf certificate as a CA
  certificate to sign a fake certificate. The SSL/TLS session is then
  proxied to the server allowing the session to continue normally and
  application data transmitted between the peers to be saved. The
  valid leaf certificate must not contain the keyUsage extension or it
  must have at least the keyCertSign bit set (see X509_check_issued
  function in crypto/x509v3/v3_purp.c); otherwise; X509_verify_cert
  fails with X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY. This module
  requires an active man-in-the-middle attack.

References:
  https://nvd.nist.gov/vuln/detail/CVE-2015-1793
  https://cwe.mitre.org/data/definitions/754.html
  http://git.openssl.org/?p=openssl.git;a=commit;h=f404943bcab4898d18f3ac1b36479d1d7bbbb9e6
Module Options
This is a complete list of options available in the server/openssl_altchainsforgery_mitm_proxy auxiliary module:
msf6 auxiliary(server/openssl_altchainsforgery_mitm_proxy) > show options

Module options (auxiliary/server/openssl_altchainsforgery_mitm_proxy):

   Name        Current Setting                                                     Required  Description
   ----        ---------------                                                     --------  -----------
   CACERT                                                                          yes       The leaf certificate's CA certificate
   CERT                                                                            yes       The leaf certificate
   HOST                                                                            yes       The server address
   KEY                                                                             yes       The leaf certificate's private key
   PASSPHRASE                                                                      no        The pass phrase for the leaf certificate's private key
   PORT        443                                                                 yes       The server port
   SRVHOST     0.0.0.0                                                             yes       The proxy address
   SRVPORT     443                                                                 yes       The proxy port
   SUBJECT     /C=US/ST=California/L=Mountain View/O=Example Inc/CN=*.example.com  no        The subject field for the fake certificate

Auxiliary action:

   Name     Description
   ----     -----------
   Service  Run MITM proxy
Advanced Options
Here is a complete list of advanced options supported by the server/openssl_altchainsforgery_mitm_proxy auxiliary module:
msf6 auxiliary(server/openssl_altchainsforgery_mitm_proxy) > show advanced

Module advanced options (auxiliary/server/openssl_altchainsforgery_mitm_proxy):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   VERBOSE    false            no        Enable detailed status messages
   WORKSPACE                   no        Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the server/openssl_altchainsforgery_mitm_proxy module can do:
msf6 auxiliary(server/openssl_altchainsforgery_mitm_proxy) > show actions

Auxiliary actions:

   Name     Description
   ----     -----------
   Service  Run MITM proxy
Evasion Options
Here is the full list of possible evasion options supported by the server/openssl_altchainsforgery_mitm_proxy auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(server/openssl_altchainsforgery_mitm_proxy) > show evasion

Module evasion options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------
Related Pull Requests
- #13540 Merged Pull Request: Change OptString of RPORT to OptPort
- #13443 Merged Pull Request: Add descriptions to auxiliary modules Actions
- #8716 Merged Pull Request: Print_Status -> Print_Good (And OCD bits 'n bobs)
- #8338 Merged Pull Request: Fix msf/core and self.class msftidy warnings
- #6655 Merged Pull Request: use MetasploitModule as a class name
- #6648 Merged Pull Request: Change metasploit class names
- #6139 Merged Pull Request: Remove bad references (dead links)
- #5735 Merged Pull Request: Add openssl_altchainsforgery_mitm_proxy.rb
References
- CVE-2015-1793
- CWE-754
- http://git.openssl.org/?p=openssl.git;a=commit;h=f404943bcab4898d18f3ac1b36479d1d7bbbb9e6
See Also
Check also the following modules related to this module:
- auxiliary/server/openssl_heartbeat_client_memory
- auxiliary/dos/ssl/openssl_aesni
- auxiliary/scanner/ssl/openssl_ccs
- auxiliary/scanner/ssl/openssl_heartbleed
- auxiliary/scanner/http/open_proxy
- auxiliary/scanner/wproxy/att_open_proxy
- auxiliary/server/jsse_skiptls_mitm_proxy
- auxiliary/server/socks_proxy
- payload/cmd/unix/reverse_openssl
- auxiliary/server/android_browsable_msf_launch
- auxiliary/server/android_mercury_parseuri
- auxiliary/server/browser_autopwn
- auxiliary/server/browser_autopwn2
- auxiliary/server/dhclient_bash_env
- auxiliary/server/dhcp
- auxiliary/server/fakedns
- auxiliary/server/ftp
- auxiliary/server/http_ntlmrelay
- auxiliary/server/icmp_exfil
- auxiliary/server/ldap
- auxiliary/server/local_hwbridge
- auxiliary/server/ms15_134_mcl_leak
- auxiliary/server/netbios_spoof_nat
- auxiliary/server/pxeexploit
- auxiliary/server/regsvr32_command_delivery_server
- auxiliary/server/socks_unc
- auxiliary/server/teamviewer_uri_smb_redirect
- auxiliary/server/tftp
- auxiliary/server/webkit_xslt_dropper
- auxiliary/server/wget_symlink_file_write
- auxiliary/server/wpad
- auxiliary/gather/exchange_proxylogon_collector
- auxiliary/scanner/http/exchange_proxylogon
- auxiliary/scanner/http/rewrite_proxy_bypass
- exploit/osx/local/libxpc_mitm_ssudo
Authors
- David Benjamin
- Adam Langley
- Ramon de C Valle
Version
This page has been produced using Metasploit Framework version 6.2.23-dev. For more modules, visit the Metasploit Module Library.