Bro plugin to check if certificates are affected by CVE-2017-15361
Johanna::ROCA
=============
This plugin implements detection of CVE-2017-15361 keys; it is a
reimplementation of the source available at
https://github.com/crocs-muni/roca.
This plugin provides two new BIFs that can check public keys:
* `roca_vulnerable_cert` checks if a certificate is vulnerable
* `roca_vulnerable_mod` checks if a modulus is vulnerable.
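The check behind these BIFs, as an added Python example that is not the plugin's own code: it reimplements the public ROCA fingerprint from the crocs-muni detector (small primes 3..167, generator 65537), which the plugin itself ports to C. The function names and the two sample moduli are constructed here for illustration.

```python
# Added example (not the plugin's code): the CVE-2017-15361 (ROCA) modulus
# fingerprint from the public crocs-muni/roca detector. Affected RSALib primes
# have the form p = k*M + (65537^a mod M) with M a primorial, so a modulus
# N = p*q has N mod r inside the subgroup generated by 65537 for every small
# prime r. A modulus that fails this for any r cannot be an affected key.
from functools import reduce

# Small primes used by the public detector: 3 .. 167.
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59,
                61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127,
                131, 137, 139, 149, 151, 157, 163, 167]
GENERATOR = 65537

def subgroup(prime: int) -> set:
    """Residues reachable as 65537^k mod prime (the cyclic subgroup of <65537>)."""
    residues, x = set(), 1
    while x not in residues:
        residues.add(x)
        x = (x * GENERATOR) % prime
    return residues

# Precompute once: prime -> set of residues an affected modulus may have.
FINGERPRINT = {r: subgroup(r) for r in SMALL_PRIMES}

def has_roca_fingerprint(n: int) -> bool:
    """True if every small-prime residue of n lies in the allowed subgroup."""
    return all((n % r) in allowed for r, allowed in FINGERPRINT.items())

def has_roca_fingerprint_hex(modulus_hex: str) -> bool:
    """Same check for a hex-encoded modulus as printed by openssl x509 -modulus."""
    clean = modulus_hex.replace(":", "").replace(" ", "")
    return has_roca_fingerprint(int(clean, 16))

# Constructed sample with the affected structure (not a real key): the product
# of two values of the form 65537^a mod M, so every residue is in the subgroup.
M = reduce(lambda a, b: a * b, SMALL_PRIMES)
VULNERABLE_SAMPLE = pow(GENERATOR, 7, M) * pow(GENERATOR, 11, M)
# Constructed sample that cannot match: divisible by 3, and 65537^k mod 3 is never 0.
SAFE_SAMPLE = (1 << 2048) - 1

if __name__ == "__main__":
    print("vulnerable sample:", has_roca_fingerprint(VULNERABLE_SAMPLE))  # True
    print("safe sample:", has_roca_fingerprint(SAFE_SAMPLE))              # False
```

The fingerprint is a filter, not proof of weakness: a modulus that passes it merely has the residue structure of RSALib keys, which is why the notice below says "potentially affected".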
This plugin also ships with a script that is automatically loaded
and can notify you when keys affected by CVE-2017-15361 are encountered on the wire.
To enable this, set:
```
redef ROCA::Notify=T;
```
Afterwards you should get notice.log entries when such keys are encountered.
Example:
```
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path notice
#open 2017-10-25-00-59-28
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double
1449265638.475275 CHhAvVGS1DHFjwGM9 192.168.6.74 52122 104.236.167.107 4433 Fvv5qY2DMGQY2MYQ03 application/x-x509-user-cert 104.236.167.107:4433/tcp tcp ROCA::CVE_2017_15361_KEY Certificate uses a key potentially affected by CVE-2017-15361 - 192.168.6.74 104.236.167.107 4433 - bro Notice::ACTION_LOG 86400.000000 F - - - - -
#close 2017-10-25-00-59-28
```
Installation
------------
This plugin requires GMP (The GNU MP Bignum Library) to be installed on the
system. If this is the case, you should be able to install it using bro-pkg
using:
```
bro-pkg install 0xxon/bro-plugin-roca
```
If you have to specify the path to gmp, you can manually clone the repository
and install it using:
```
./configure --with-gmp=[directory]
make install
```