Loosening ASN.1 parsing #364
Comments
Seanstoppable
added a commit
to Seanstoppable/zgrab2
that referenced
this issue
Oct 14, 2023
This is driven by zmap#378, zmap/zcrypto#364 and zmap#334 This allows a number of scans to actually succeed, rather than fail out when parsing the certificate Example without permissive parsing: ``` echo FAILING_IP | ./zgrab2 http -p 443 --use-https INFO[0000] started grab at 2023-09-21T21:25:29-05:00 {"ip":"FAILING_IP","data":{"http":{"status":"unknown-error","protocol":"http","result":{},"timestamp":"2023-09-21T21:25:29-05:00","error":"tls: failed to parse certificate from server: asn1: structure error: explicitly tagged member didn't match"}}} INFO[0001] finished grab at 2023-09-21T21:25:29-05:00 {"statuses":{"http":{"successes":0,"failures":1}},"start":"2023-09-21T21:25:29-05:00","end":"2023-09-21T21:25:29-05:00","duration":"987.606886ms"} ``` With Permissive parsing: ``` echo FAILING_IP | ./zgrab2 http -p 443 --use-https --permissive-parsing INFO[0000] started grab at 2023-09-21T21:25:34-05:00 {"ip":"FAILING_UP","data":{"http":{"status":"application-error","protocol":"http","result":{"response":{"status_line":"302 Found","status_code":302,"protocol":{"name":"HTTP/1.1","major":1,"minor":1},"headers":{"content_length":["0"], ... all the HTTP and TLS handshake log data ```
zakird
pushed a commit
to zmap/zgrab2
that referenced
this issue
Feb 18, 2024
* Add permissive parsing TLS option This is driven by #378, zmap/zcrypto#364 and #334 This allows a number of scans to actually succeed, rather than fail out when parsing the certificate Example without permissive parsing: ``` echo FAILING_IP | ./zgrab2 http -p 443 --use-https INFO[0000] started grab at 2023-09-21T21:25:29-05:00 {"ip":"FAILING_IP","data":{"http":{"status":"unknown-error","protocol":"http","result":{},"timestamp":"2023-09-21T21:25:29-05:00","error":"tls: failed to parse certificate from server: asn1: structure error: explicitly tagged member didn't match"}}} INFO[0001] finished grab at 2023-09-21T21:25:29-05:00 {"statuses":{"http":{"successes":0,"failures":1}},"start":"2023-09-21T21:25:29-05:00","end":"2023-09-21T21:25:29-05:00","duration":"987.606886ms"} ``` With Permissive parsing: ``` echo FAILING_IP | ./zgrab2 http -p 443 --use-https --permissive-parsing INFO[0000] started grab at 2023-09-21T21:25:34-05:00 {"ip":"FAILING_UP","data":{"http":{"status":"application-error","protocol":"http","result":{"response":{"status_line":"302 Found","status_code":302,"protocol":{"name":"HTTP/1.1","major":1,"minor":1},"headers":{"content_length":["0"], ... all the HTTP and TLS handshake log data ``` * Make permissive parsing the default/no option
|
I think this can be closed thanks to zmap/zgrab2#400 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This is a placeholder for an issue reported in the zgrab2 issues @ zmap/zgrab2#378 by @rony0724
Unruly certificates cause a failure for the HTTPS endpoint in question. This should also apply to other TLS protocols (imaps, ftps, etc)
Failing is not unreasonable behavior but it might be useful to handle illegal ASN.1 more gracefully, perhaps silently ignoring any blobs that aren't technically legal but also do not break the entire stream
There are two approaches that come to mind, they aren't mutually exclusive:
I don't have time to look into this now and I can't even guess as whether the changes would have to be made inside ASN.1 parsing logic (blech) or via a higher level interface to ASN.1 parsing. I like to think there is a strict=false argument in some interface that causes unexpected objects to be quietly skipped but that may be too optimistic
Unless there are any objections I would like to leave the issue open, despite it not being a defect. Maybe someone else will have time to look at it, or maybe I'll come back when I have time
Thanks!
EDIT: this seems relevant to my interests... may be an easy task afterall
The text was updated successfully, but these errors were encountered: