
Commit 7423aa8

authored
Merge pull request #2951 from testssl/fixAndImprove_opossum_check_2950
Fix and improve Opossum check
2 parents 718c6fe + 76824b5 commit 7423aa8


1 file changed

+22
-19
lines changed

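--- a/testssl.sh
+++ b/testssl.sh
@@ -1939,26 +1939,25 @@ http_head() {
 }
 
 # does a simple http head via printf with no proxy, only used by run_opossum()
-# arg1: URL
-# arg2: extra http header
+# arg1: extra http header
 #
 # return codes:
 # 0: all fine (response header is returned as string)
 # 1: server didn't respond within HEADER_MAXSLEEP
 # 3: server didn't respond within HEADER_MAXSLEEP and PROXY was defined
 #
+# return http header as string
+#
 http_head_printf() {
-local request_header="$2"
+local node="$NODE"
+local path="$URL_PATH"
+local extra_header="$1"
 local useragent="$UA_STD"
 local tmpfile=$TEMPDIR/$NODE.$NODEIP.http_head_printf.log
 local errfile=$TEMPDIR/$NODE.$NODEIP.http_head_printf-err.log
 local -i ret=0
-local proto="" foo="" node="" query=""
 
 [[ $DEBUG -eq 0 ]] && errfile=/dev/null
-
-IFS=/ read -r proto foo node query <<< "$1"
-node=${node%:*}
 # $node works here good as it connects via IPv6 first, then IPv4.
 # This is a subshell, so fd 8 is not inherited
 bash -c "exec 8<>/dev/tcp/$node/80" 2>/dev/null &
@@ -1969,14 +1968,16 @@ http_head_printf() {
 bash -c "exec 8<>/dev/tcp/$node/80" 2>/dev/null
 if [[ $? -eq 0 ]]; then
 exec 33<>/dev/tcp/$node/80
-# not killed --> socket open. Now we connect to the virtual host "$node"
-printf -- "%b" "HEAD ${proto}//${node}/${query} HTTP/1.1\r\nUser-Agent: ${useragent}\r\nHost: ${node}\r\n${request_header}\r\nAccept: */*\r\n\r\n\r\n" >&33 2>$errfile
+safe_echo "HEAD ${path} HTTP/1.1\r\nUser-Agent: ${useragent}\r\nHost: ${node}\r\nAccept: */*\r\n${extra_header}\r\n\r\n" >&33 2>$errfile
 ret=0
-if [[ $DEBUG -eq 0 ]] ; then
-cat <&33
-else
-cat <&33 >$tmpfile
-cat $tmpfile
+touch $tmpfile
+# This doesn't block
+while IFS= read -r line <&33; do
+safe_echo "$line" >>$tmpfile
+done
+cat $tmpfile
+if [[ $DEBUG -ge 2 ]]; then
+cat $tmpfile >&2
 fi
 else
 if [[ -n "$PROXY" ]]; then
@@ -8054,10 +8055,10 @@ determine_trust() {
 out "$code"
 fi
 fileout "${jsonID}${json_postfix}" "CRITICAL" "failed $code. $addtl_warning"
-if [[ "$code" =~ "chain incomplete" ]]; then
-set_grade_cap "B" "Issues with chain of trust $code"
+if [[ "$code" =~ "chain incomplete" ]]; then
+set_grade_cap "B" "Issues with chain of trust $code"
 else
-set_grade_cap "T" "Issues with chain of trust $code"
+set_grade_cap "T" "Issues with chain of trust $code"
 fi
 else
 # alt least one ok and other(s) not ==> display the culprit store(s)
@@ -17860,6 +17861,8 @@ run_ticketbleed() {
 }
 
 # https://opossum-attack.com/, TLS Upgrade via old RFC 2817
+# TL;DR: curl -vi -I -H "Upgrade: TLS/1.0" <FQDN> --> returns "Upgrade: TLS/1.0"?
+# We might be better off with cURL but sockets are sometimes better
 #
 run_opossum() {
 local cve='CVE-2025-49812'
@@ -17881,8 +17884,7 @@ run_opossum() {
 fi
 case $service in
 HTTP)
-uri=${URI/https:\/\//}
-response=$(http_head_printf http://${uri} 'Upgrade: TLS/1.0\r\n\r\nClose\r\n')
+response=$(http_head_printf 'Upgrade: TLS/1.0')
 # In any case we use $response but we handle the return codes
 # 0: connection was fine, 1 or 3: no http connection
 ret=$?
@@ -17904,6 +17906,7 @@ run_opossum() {
 fi
 fi
 ;;
+
 IMAP|FTP|POP3|SMTP|LMTP|NNTP)
 outln "(implemented currently for HTTP only)"
 fileout "$jsonID" "INFO" "not yet implemented" "$cve" "$cwe"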
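Review bot: The read loop at `while IFS= read -r line <&33; do` in the second http_head_printf hunk only ends when the server closes fd 33, and the request written just above it carries no `Connection: close`, so an HTTP/1.1 server that keeps the connection alive after the HEAD response holds the loop until its own idle timeout; the `# This doesn't block` comment above it is misleading. The connect phase is bounded (the background `bash -c "exec 8<>..."` probe and the HEADER_MAXSLEEP return codes documented in the function header), but the read phase has no bound at all. If HEADER_MAXSLEEP is the same budget the header comment refers to, bounding each read on it removes the dependency on the server's behaviour, e.g. `while IFS= read -r -t "$HEADER_MAXSLEEP" line <&33; do`, with the comment changed to `# read until EOF, or until the server stays silent for HEADER_MAXSLEEP`. Whether `safe_echo` re-interprets backslash sequences in `$line` cannot be told from the hunk; if it does, header values containing backslashes would be altered before run_opossum inspects the response. The body of http_head_printf starts in the previous hunk and continues past this one.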
