TLS Renegotiation Vulnerability: Proof of Concept Code
Information about a vulnerability in the TLS protocol was published at the beginning of November 2009. Attackers can take advantage of this vulnerability to inject arbitrary prefixes into a network connection protected by TLS. Depending on the application layer protocol used over TLS, this can result in severe vulnerabilities.
RedTeam Pentesting used the Python module TLS Lite to develop proof of concept code that exploits this vulnerability. It is published here to raise awareness of the vulnerability and its potential impact. Furthermore, it is intended to give interested persons the opportunity to analyse applications employing TLS for further vulnerabilities.
Source Code
References
Resource Center: SSL Vulnerability
Blog of Marsh Ray, one of the discoverers of the TLS vulnerability
TLS and SSLv3 vulnerabilities explained, Thierry Zoller
Transport Layer Security (TLS) Renegotiation Indication Extension, IETF TLS Working Group draft that addresses the vulnerability
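The Renegotiation Indication Extension listed above gives a way to check whether a server has been fixed. The following Python sketch is an added example, not part of RedTeam Pentesting's proof of concept code: it parses a ServerHello handshake message and reports whether it carries the `renegotiation_info` extension (type 0xff01, as later standardised in RFC 5746). The function names and the two sample messages are constructed for illustration.

```python
import struct

RENEGOTIATION_INFO = 0xFF01  # extension type assigned by RFC 5746

def server_hello_extensions(msg: bytes) -> dict:
    """Parse a ServerHello handshake message into {extension_type: data}."""
    if len(msg) < 4 or msg[0] != 0x02:
        raise ValueError("not a ServerHello handshake message")
    body = msg[4:]
    if len(body) != int.from_bytes(msg[1:4], "big") or len(body) < 38:
        raise ValueError("truncated or malformed ServerHello")
    pos = 2 + 32                      # server_version + random
    pos += 1 + body[pos] + 2 + 1      # session_id, cipher_suite, compression
    if pos == len(body):
        return {}                     # no extensions block at all
    if pos + 2 > len(body):
        raise ValueError("malformed ServerHello")
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    if end != len(body):
        raise ValueError("bad extensions length")
    exts = {}
    while pos < end:
        if pos + 4 > end:
            raise ValueError("truncated extension header")
        etype, elen = struct.unpack_from("!HH", body, pos)
        pos += 4
        if pos + elen > end:
            raise ValueError("truncated extension data")
        exts[etype] = body[pos:pos + elen]
        pos += elen
    return exts

def signals_secure_renegotiation(msg: bytes) -> bool:
    """True if an initial ServerHello carries an empty renegotiation_info."""
    # On the first handshake renegotiated_connection is empty: one length byte, 0.
    return server_hello_extensions(msg).get(RENEGOTIATION_INFO) == b"\x00"

def build_server_hello(extensions: bytes = b"") -> bytes:
    """Constructed sample: TLS 1.0, zero random, empty session id, suite 0x002f."""
    body = b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    if extensions:
        body += len(extensions).to_bytes(2, "big") + extensions
    return b"\x02" + len(body).to_bytes(3, "big") + body

PATCHED = build_server_hello(struct.pack("!HH", RENEGOTIATION_INFO, 1) + b"\x00")
LEGACY = build_server_hello()

if __name__ == "__main__":
    for name, hello in (("patched", PATCHED), ("legacy", LEGACY)):
        print(name, signals_secure_renegotiation(hello))
```

A server only returns the extension when the ClientHello offered `renegotiation_info` or the signalling cipher suite value, so a missing extension is meaningful only for a handshake in which the client asked for it. A server that has renegotiation disabled altogether may also omit it.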


