RE: TLS Renegotiation Vulnerability: Proof of Concept Code (Pyth

看板Bugtraq作者ivan.時間16年前 (2009/12/24 02:01)推噓0(0推 0噓 0→)

留言0則, 0人參與討論串2/2 (看更多)

I created a Camtasia Movie some time ago "exploiting" the vulnerability by injecting "/user/profile/E1/" into the first ssl request to "/"=20 http://www.hacking-lab.com/download/ This can help others to understand the vulnerability.=20 Regards Ivan -----Original Message----- From: Barry Raveendran Greene [mailto:bgreene@senki.org]=20 Sent: Monday, December 21, 2009 9:16 PM To: 'RedTeam Pentesting GmbH'; bugtraq@securityfocus.com Subject: RE: TLS Renegotiation Vulnerability: Proof of Concept Code (Python) Also, can you change this: "Transport Layer Security (TLS) Renegotiation Indication Extension, IETF draft standard that addresses the vulnerability." To: "Transport Layer Security (TLS) Renegotiation Indication Extension, IETF TLS Working Group draft that addresses the vulnerability." Where "IETF TLS Working Group" is hyperlinked to http://www.ietf.org/dyn/wg/charter/tls-charter.html That would help people who do not have a clue who the IETF or the TLS WG or that both are open standards forums. Thanks, Barry > -----Original Message----- > From: RedTeam Pentesting GmbH [mailto:release@redteam-pentesting.de] > Sent: Monday, December 21, 2009 5:04 AM > To: bugtraq@securityfocus.com > Subject: TLS Renegotiation Vulnerability: Proof of Concept Code > (Python) >=20 > Information about a vulnerability in the TLS protocol was published in > the > beginning of November 2009. Attackers can take advantage of that > vulnerability > to inject arbitrary prefixes into a network connection protected by > TLS. This > can result in severe vulnerabilities, depending on the application > layer > protocol used over TLS. >=20 > RedTeam Pentesting used the Python module "TLS Lite" to develop proof > of concept > code that exploits this vulnerability. It is published at >=20 > http://www.redteam-pentesting.de/publications/tls-renegotiation >=20 > to raise awareness for the vulnerability and its potential impact. > Furthermore, > it shall give interested persons the opportunity to analyse > applications > employing TLS for further vulnerabilities. >=20 > -- > RedTeam Pentesting GmbH Tel.: +49 241 963-1300 > Dennewartstr. 25-27 Fax : +49 241 963-1304 > 52068 Aachen http://www.redteam-pentesting.de/ > Germany Registergericht: Aachen HRB 14004 > Gesch=E4ftsf=FChrer: Patrick Hof, Jens Liebchen, Claus R. F. Overbeck

‣ 返回看板[ Bugtraq ] 臭蟲

‣ 更多 ivan. 的文章

文章代碼(AID): #1BCbhabQ (Bugtraq)

討論串 (同標題文章)

完整討論串 (本文為第 2 之 2 篇)：

排序：最新先 | 最舊先 | 留言數

RE: TLS Renegotiation Vulnerability: Proof of Concept Code (Pyth RE: TLS Renegotiation Vulnerability: Proof of Concept Code (Pyth

ivan.

16年前, 12/24

RE: TLS Renegotiation Vulnerability: Proof of Concept Code (Pyth RE: TLS Renegotiation Vulnerability: Proof of Concept Code (Pyth

16年前, 12/23

文章代碼(AID): #1BCbhabQ (Bugtraq)