kzLiu2017 / SAMBA

5 stars 0 forks source link

No results reported by the SSL API misuse detection script #1

Closed ChinaNuke closed 2 months ago

ChinaNuke commented 4 months ago

Hello, I've read your paper and it's really an excellent work!

I am currently attempting to use your tool to find vulnerabilities in my devices. I first followed the instructions in the README file, loaded the R6200-bin+wget binary into IDA Pro 8.4 on Linux, and ran the SSL_API_Misuse_Detection_SSL_version-v3.py script. I made a couple of modifications to make it run on my computer:

 ida_auto.auto_wait()
 sys.setrecursionlimit(100000)
-result_path = 'E:/result/ssl-file/20.04/'
+result_path = './result/'
 folder = get_root_filename()
 info = idaapi.get_inf_structure()
-if info.procName == "ARM":
+if info.procname == "ARM":
     machine = "arm"
-elif (info.procName == "mipsl") | (info.procName == "mipsb"):
+elif (info.procname == "mipsl") | (info.procname == "mipsb"):
     machine = "mips"
-elif info.procName == "metapc":
+elif info.procname == "metapc":
     machine = "X86-64"

The script completed without any errors or warnings, but it appears that no results were generated. Since the code lacks documentation and comments, making it challenging to understand and debug the 1500 lines of code. Could you please help me debug the script or let me know if I missed any steps?

I have attached the logs and contents of some relevant files below:

Output in IDA Pro ``` ***************************************del leave **************************************save file ***************************************build ALL_roads Building intra cfg for each function ************************************build roads in line ******************************************Middle result ******************************************Final result ```
fun_address.txt ``` ae3 ae6 1a23 1c8c 1ca4 1d6d 2009 20de 230c 2352 2369 23f3 2491 24a2 2570 25d7 25f4 2629 2b72 2b78 2b78 2b7d 2b7f 2ba2 2ba2 2bb3 2bb6 2bee ```
fun_name.txt ``` SSL_connect TLSv1_client_method SSL_CTX_set_verify SSLv2_client_method SSL_get_peer_certificate SSLv3_client_method SSL_set_connect_state SSL_CTX_new SSL_get_verify_result SSL_read SSLv23_client_method SSL_new exit SSL_CTX_ctrl _start gethttp.clone.8 http_loop main download_child_p retrieve_tree res_retrieve_file retrieve_url retrieve_from_file openssl_read ssl_init ssl_connect_wget ssl_check_certificate ```
matrix.txt ``` 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 1 1 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 ```
Report_method.txt ``` arm0 0 Roads use TLSv1_(client_)method Road_index: 0 Roads use TLSv1_1_(client_)method Road_index: 0 Roads use SSLv2_(client_)method Road_index: 0 Roads use SSLv3_(client_)method Road_index: 0 Roads only use SSLv23_(client_)method Road_index: 0 Roads use SSLv23_(client_)method & SSL_(CTX_)set_options: Road_index: 0 Roads use TLS_(client_)method Road_index: 0 Roads use TLS_(client)_method and SSL_CTX_set_min_proto_version and the minimum version is higher than SSL 3.0 Road_index: 0 Roads use TLS_(client)_method and SSL_(CTX_)set_options and disable SSL 3.0: Road_index: 0 Roads use TLSv1_2_(client_)method Road_index: 0 Roads use TLSv1_3_(client_)method Road_index: arm0 0 Roads use TLSv1_(client_)method Road_index: 0 Roads use TLSv1_1_(client_)method Road_index: 0 Roads use SSLv2_(client_)method Road_index: 0 Roads use SSLv3_(client_)method Road_index: 0 Roads only use SSLv23_(client_)method Road_index: 0 Roads use SSLv23_(client_)method & SSL_(CTX_)set_options: Road_index: 0 Roads use TLS_(client_)method Road_index: 0 Roads use TLS_(client)_method and SSL_CTX_set_min_proto_version and the minimum version is higher than SSL 3.0 Road_index: 0 Roads use TLS_(client)_method and SSL_(CTX_)set_options and disable SSL 3.0: Road_index: 0 Roads use TLSv1_2_(client_)method Road_index: 0 Roads use TLSv1_3_(client_)method Road_index: ```
Report_verify.txt ``` 0 Correct0 Roads don't use SSL_CTX_set_verify. but use SSL_get_peer_certificate & SSL_get_verify_result Road_index: Wrong0 Roads don't use SSL_CTX_set_verify & SSL_get_peer_certificate, only use SSL_get_verify_result Road_index: Wrong0 Roads don't use SSL_CTX_set_verify & SSL_get_verify_result, only use SSL_get_peer_certificate Road_index: Wrong0 Roads don't use SSL_CTX_set_verify & SSL_get_verify_result & SSL_get_peer_certificate Road_index: Correct0 Roads use SSL_CTX_set_verify and its parament is SSL_VERIFY_NONE. But use SSL_get_peer_certificate & SSL_get_verify_result Road_index: Wrong0 Roads use SSL_CTX_set_verify and its parament is SSL_VERIFY_NONE. Don't use SSL_get_peer_certificate, only use SSL_get_verify_result Road_index: Wrong0 Roads use SSL_CTX_set_verify and its parament is SSL_VERIFY_NONE. Don't use SSL_get_verify_result, only use SSL_get_peer_certificate Road_index: Wrong0 Roads use SSL_CTX_set_verify and its parament is SSL_VERIFY_NONE. Don't use SSL_get_verify_result & SSL_get_peer_certificate Road_index: Correct0 Roads use SSL_CTX_set_verify and its parament is SSL_VERIFY_PEER. Road_index: Correct0 Roads use SSL_CTX_set_verify & use SSL_get_peer_certificate & SSL_get_verify_result Road_index: 0 Correct0 Roads don't use SSL_CTX_set_verify. but use SSL_get_peer_certificate & SSL_get_verify_result Road_index: Wrong0 Roads don't use SSL_CTX_set_verify & SSL_get_peer_certificate, only use SSL_get_verify_result Road_index: Wrong0 Roads don't use SSL_CTX_set_verify & SSL_get_verify_result, only use SSL_get_peer_certificate Road_index: Wrong0 Roads don't use SSL_CTX_set_verify & SSL_get_verify_result & SSL_get_peer_certificate Road_index: Correct0 Roads use SSL_CTX_set_verify and its parament is SSL_VERIFY_NONE. But use SSL_get_peer_certificate & SSL_get_verify_result Road_index: Wrong0 Roads use SSL_CTX_set_verify and its parament is SSL_VERIFY_NONE. Don't use SSL_get_peer_certificate, only use SSL_get_verify_result Road_index: Wrong0 Roads use SSL_CTX_set_verify and its parament is SSL_VERIFY_NONE. Don't use SSL_get_verify_result, only use SSL_get_peer_certificate Road_index: Wrong0 Roads use SSL_CTX_set_verify and its parament is SSL_VERIFY_NONE. Don't use SSL_get_verify_result & SSL_get_peer_certificate Road_index: Correct0 Roads use SSL_CTX_set_verify and its parament is SSL_VERIFY_PEER. Road_index: Correct0 Roads use SSL_CTX_set_verify & use SSL_get_peer_certificate & SSL_get_verify_result Road_index: ```
Report_final.txt (This file is empty)
Report_middle.txt ``` main 0xae58 main 0xae58 ```
kzLiu2017 commented 4 months ago

I'm sorry, I uploaded an old version of the code. Please try the latest one, and if you still have any issues, let me know and I'll take another look

ChinaNuke commented 4 months ago

Thank you for the updated code, it's now working. 👍🏼