PADDING ORACLE FOR THE MASSES

Size: px

Start display at page:

Download "PADDING ORACLE FOR THE MASSES"

Suzanna Allen
6 years ago
Views:

1 PADDING ORACLE FOR THE MASSES 1

2 What is this presentation about? This presentation is a scrap book from our experience developing a reliable exploit against ASP.Net It tooks 2 people working full time to create a reliable and working exploit for this vulnerabilities All the kudos to Juliano Rizzo and Thai Duong for finding such a clever technique and teaching the world about the risks 2

3 3

4 Padding Oracle: it s not a vulnerability it's an *Attack* 4

5 What is the vulnerability? The vulnerability is a bad crypto implementation when using cbc mode of operation A block cipher by itself allows encryption of only a single data block of the cipher lengths IBM came out with CBC (Cipher Block chaining), this mode of operation causes the decryption of a block of ciphertext to depend on all the preceding ciphertext blocks (ie. If you encrypt again the same block, the ciphertext will be different.) 5

6 I AM PROTECTED. IM USING AES CONFIDENCIALITY!= AUTHENTICITY 6

7 HOW DOES CBC WORKS? 7

8 Decryption process C0 dk(c0) IV IMV0 + P0 8

9 Decryption process C0 C1 dk(c0) IV dk(c1) IMV0 IMV1 + + P0 P1 9

10 HOW DOES PADDING WORKS? 10

11 PKCS7 AAAAAAA AAAAAAA1 Seven bytes data, padded with one \x01 byte AAAAAA AAAAAA22 Six bytes data, padded with two \x02 bytes 11

12 PKCS7 AAAAAAAA AAAAAAAA Eight bytes data, padded with eight \x08 bytes 12

13 PADDING ORACLES

14 H A L B H LA B Y T R E QW R O C T C RE R W Evil Hacker P Y R C DE G N O D A P O TI N NG I D 14

15 WRONG PADDING The difference between a correct decryption or a wrong padding came in different flavours: Time difference Error Code Stack trace HTML length Strawberry 15

16 IV captcha.php?val= ABCDEFGH IJKLMNOP Encrypted Data 16

17 captcha.php?val=abcdefghijklmnop IJKLMNOP dk(...) ABCDEFGH X1X2X3X4X5X6X7X8 + PYWTL333 17

18 Controlled DATA IJKLMNOP dk(...) ABCDEFGH X1X2X3X4X5X6X7X8 + PYWTL333 18

19 IJKLMNOP dk(...) X1X2X3X4X5X6X7X8 + ABCDEFGH = PYWTL333 IMV Plaintext IV 19

20 So, if by some means we can know the IMV for a specific block, we can forge custom captchas 20

21 HOW DOES THE ATTACK WORKS? 21

22 We modify the last byte from the IV We leave the enc block Fixed IJKLMNOP dk(...) ABCDEFGI Fixed X1X2X3X4X5X6X7X8 + PYWTL33Z 22

23 This will make the final result work or fail, in this case we can see that 33Z is not a valid padding IJKLMNOP dk(...) ABCDEFGI X1X2X3X4X5X6X7X8 + PYWTL33Z Wrong Padding 23

24 We keep changing the iv's last character until we find the correct padding (the web will behave differently) IJKLMNOP dk(...) ABCDEFGT X1X2X3X4X5X6X7X8 + PYWTL331 Padding Ok! 24

25 T + X8 = 1 25

26 X8 = 1 + T = 0x55 26

27 Now that we know the 8th byte of the IMV, we go for the 7th 27

28 First we set the last IV byte such as the last decryted byte is a 2 IJKLMNOP dk(...) ABCDEFH\x57 X1X2X3X4X5X6X7X8 + PYWTL332 X8=0x = 0x57 28

29 Now we try to find the 7th IMV byte by keep changing the 7th IV byte IJKLMNOP dk(...) ABCDEFH\x57 Fixed X1X2X3X4X5X6X7X8 + PYWTL372 Wrong Padding 29

30 IJKLMNOP dk(...) ABCDEFJ\x57 Fixed X1X2X3X4X5X6X7X8 + PYWTL322 Padding Ok! 30

31 If you want to make your encrypted buf say something, you already have the pieces! 31

32 We calculate an IV in order to produce our message :) IJKLMNOP dk(...) 68 5b 1f 5e b0 73 4d 57 IMV found 2b 1a f1 20 4f 55 using padding oracle + CANVAS22 Message 32

33 ASP.NET 33

34 It's Fixed on the Server C0 C1 dk(c0) IV dk(c1) IMV0 IMV1 + + P0 P1 34

35 Your target is ScriptResource.axd, this will allow you to download any file on the www root, including web.config (machine password, etc) It has its own protocol for doing stuffs 35

36 R ~/web.config 36

37 R#XXXXXXXX ~/web.config 37

38 After a lot of brain cells burning, we came out with the following: RANDOM IV for next IV for next ABCDEFGHI R#xxxxxx TRASHED ~/web.config 38

39 RANDOM IV for next Obtained via randomly modifying the block 12k to 100k average (could be more). R#xxxxxx TRASHED IV for next ABCDEFGHI Obtained via Padding Oracle. Around 2k request. ~/web.config 39

40 Workarounds They don t work, the only way to fix the bug is the patch Examples: Redirecting all the logs to the same web Adding a random sleep to each request 40

41 MAGIC T BLOCK 41

42 RANDOM ORIGINAL1 ORIGINAL2 ORIGINAL3 Randomly change a block, to obtain a T. This will decrypt all the other blocks hits Txxxxxx UNENCRYPTED UNENCRYPTED UNENCRYPTED 42

44 MAGIC T Block The magic T Block will replace padding oracle It will also allow you to do CBC-R This will bypass all types of workarounds Can speed up the QR-Block lookup!! 44

45 First objetive: find a QRBlock 45

46 Bruteforce!!!

47 Send a lot of random blocks T-BLOCK random1 random2 Txxxxxx trashhh trashhh... RandomN Padding blocks... trashhh Trash + padding 47

48 Until we find our QR-Block T-BLOCK random1 random2... Txxxxxx trashhh trashhh... randomx R#... randomn Padding blocks trashhh Trash + padding 48

49 Life it's no so easy... We need to set a correct IV for each bruteforce block 49

50 We need to mimic the first block IV randomx IMV blah blah Padding blocks blah blah Trash + padding + $$... 50

51 Simplification: default IV = \x00\x00\x00\x00\x00\x00\x00\x00 51

52 If instead of sending 8 random bytes you send \x00\x random bytes everything is simpler! 52

53 Life is easy again :) \x00\x00 + random T-BLOCK random1 random2 Txxxxxx trashhh trashhh randomx R#... randomn Padding blocks trashhh Trash + padding + R#... 53

54 but... 54

55 we can be out of phase T-BLOCK random1 random2... Txxxxxx trashhh trashr#... R. randomx #... randomn Padding blocks ashhhtr Trash + padding False negative 55

56 The encoding eat some characters 56

57 Solution: Every n blocks we send a mark random1 random2 random3 trashhh trashhh trashhh mark-iv mark xxxxxxxx immunity random1 random2 random3 trashhh trashhh trashhh m xxx 57

58 The Padding Oracle attack took requests in avg. 58

59 The Magic-T takes 700 request (tblock: 400, qrblock: 300) 59

60 DEMO 60

61 Is that all? ASP.net is just one wrong implementation, there are more. As a consultant you should be looking for: Session keys that looks like base64 (ASP.NET Uses UrlEncoded base64, it is a bit different) Encrypted cookies Persisted information such as viewstate Any encrypted information that is stored clientside and returned to the server 61

62 Conclusion Workarounds are useless. PATCH! Exploits once again show themselves to be a necessary tool to prove server risks This is a error of implementation, even if you fix asp.net, your own developers software could have made their own crypto and be vulnerable 62

63 More information Security Flaws Induced by CBC Padding S. Vaudenay Padding Oracle Attacks on the ISO CBC Mode Padding Standard - K.G. Paterson and A. Yau Practical Padding Oracle Attacks J. Rizzo and T. Duong 63

64 THANKS NICO Matias Soler Agustin Gianni 64

Block Cipher Modes of Operation

Block Cipher Modes of Operation Luke Anderson luke@lukeanderson.com.au 24th March 2016 University Of Sydney Overview 1. Crypto-Bulletin 2. Modes Of Operation 2.1 Evaluating Modes 2.2 Electronic Code Book