【SSL】POODLE 漏洞细节分析与攻击构造
2015-07-28 15:26
1681 查看
0x01 TLS使用中的降级
To work with legacy servers, many TLS clients implement a downgrade dance: in a first handshake attempt, offer the highest protocol version supported by the client; if this handshake fails, retry (possibly repeatedly) with earlier protocol versions. Unlike proper protocol version negotiation (if the client offers TLS 1.2, the server may respond with, say, TLS 1.0), this downgrade can also be triggered by network glitches, or by active attackers. So if an attacker that controls the network between the client and the server interferes with any attempted handshake offering TLS 1.0 or later, such clients will readily confine themselves to SSL 3.0.
0x02 SSL 3.0的脆弱性与POODLE攻击过程
The most severe problem of CBC encryption in SSL 3.0 is that its block cipher padding is not deterministic, and not covered by the MAC (Message Authentication Code): thus, the integrity of padding cannot be fully verified when decrypting. Padding by 1 to L bytes (where L is the block size in bytes) is used to obtain an integral number of blocks before performing blockwise CBC (cipherblock chaining) encryption. The weakness is the easiest to exploit if there’s an entire block of padding, which (before encryption) consists of L1 arbitrary bytes followed by a single byte of value L1. To process an incoming ciphertext record C1 ... Cn also given an initialization vector C0 (where each Ci is one block), the recipient first determines P1 ... Pn as Pi = DK (Ci ) ⊕ Ci1 (where DK denotes blockcipher decryption using perconnection key K), then checks and removes the padding at the end, and finally checks and removes a MAC. Now observe that if there’s a full block of padding and an attacker replaces Cn by any earlier ciphertext block Ci from the same encrypted stream, the ciphertext will still be accepted if DK (Ci ) ⊕ Cn1 happens to have L1 as its final byte, but will in all likelihood be rejected otherwise, giving rise to a padding oracle attack [tlscbc].
In the web setting, this SSL 3.0 weakness can be exploited by a maninthe middle attacker to decrypt “secure” HTTP cookies, using techniques from the BEAST attack [BEAST]. To launch the POODLE attack (Padding Oracle On Downgraded Legacy Encryption), run a JavaScript agent on evil.com (or on http://example.com) to get the victim’s browser to send cookiebearing HTTPS requests to https://example.com, and intercept and modify the SSL records sent by the browser in such a way that there’s a nonnegligible chance that example.com will accept the modified record. If the modified record is accepted, the attacker can decrypt one byte of the cookies. Assume that each block C has 16 bytes, C[0] ... C[15]. (Eightbyte blocks can be handled similarly.) Also assume, for now, that the size of the cookies is known. (Later we will show how to start the attack if it isn’t.) The MAC size in SSL 3.0 CBC cipher suites is typically 20 bytes, so below the CBC layer, an encrypted POST request will look as follows:
POST /path Cookie: name=value...\r\n\r\nbody ‖ 20byte MAC ‖ padding
这里的path和body是攻击者可以控制的,而且假设cookie的长度已经知道(后面有不知道的进一步实现细节),这里就可以多次发送Ci 替换Cn 的包进行尝试(每次的key都不一样),直到满足P‘n[15]=15(256次以内),这时候就可以通过公式求出一个字节,接下来可以控制长度进行进一步的破解。
The attacker controls both the request path and the request body, and thus can induce requests such that the following two conditions hold:
● The padding fills an entire block (encrypted into Cn ).
● The cookies’ first asofyet unknown byte appears as the final byte in an earlier block (encrypted into Ci ).
The attacker then replaces Cn by Ci and forwards this modified SSL record to the server. Usually, the server will reject this record, and the attacker will simply try again with a new request. Occasionally (on average, once in 256 requests), the server will accept the modified record, and the attacker will conclude that DK (Ci )[15] ⊕ Cn1 [15] = 15, and thus that Pi [15] = 15 ⊕ Cn1 [15] ⊕ Ci1 [15]. This reveals the cookies’ first previously unknown byte. The attacker proceeds to the next byte by changing the sizes of request path and body simultaneously such that the request size stays the same but the position of the headers is shifted , continuing until it has decrypted as much of the cookies as desired. 1 The expected overall effort is 256 SSL 3.0 requests per byte. As the padding hides the exact size of the payload, the cookies’ size is not immediately apparent, but inducing requests GET /, GET /A, GET /AA, ... allows the attacker to observe at which point the block boundary gets crossed: after at most 16 such requests, this will reveal the padding size, and thus the size of the cookies.
在cookies长度不确定的情况下,可以通过控制增加客户端的path长度并对比密文Ciphertext长度,基本在16个请求以内就可以确定其实际长度。
0x03 思路:
Poodle攻击需要满足的条件比较多:1. 首先是基于SSLV3的脆弱性,而现在浏览器已经不支持SSL v3(也是因为其脆弱性),所以在攻击时我使用了Chrome 20.0版本进行尝试。2.攻击者必须可以实施中间人攻击,控制用户流量以及控制客户端发送AJAX请求,从而进行攻击。
基于以上两点并参考Patzkes的实现思路,演示的结构如下图:
我们控制的是Request Generator(victim Browser)中产生ajax请求,Request Generator由浏览器访问HTTP Server得到,接下来对TLS Proxy进行访问,TLS Proxy作为中间人对SSL流量进行处理,通过对HTTPS Server进行访问而leak用户的cookie等加密过后的敏感信息。
0x04 实现:
攻击演示中分别实现了HttpsServer.py和Attacker.py。HttpsServer提供sslv3的连接,Attacker通过作为Proxy修改SSL流量进行攻击。一开始尝试使用httpserver + socat进行,但是socat会被阻塞掉所以导致了浏览器一直卡在一个线程,然后重写服务器解决掉了。
其中还存在的问题是:
1.存在一些小bug;2.因为浏览器的同源策略,ajax请求在安全机制打开的情况下不成功,我初步是通过先禁用解决的;3.攻击速度比较慢,效率低,10个字节之后浏览器都崩溃了。
To work with legacy servers, many TLS clients implement a downgrade dance: in a first handshake attempt, offer the highest protocol version supported by the client; if this handshake fails, retry (possibly repeatedly) with earlier protocol versions. Unlike proper protocol version negotiation (if the client offers TLS 1.2, the server may respond with, say, TLS 1.0), this downgrade can also be triggered by network glitches, or by active attackers. So if an attacker that controls the network between the client and the server interferes with any attempted handshake offering TLS 1.0 or later, such clients will readily confine themselves to SSL 3.0.
0x02 SSL 3.0的脆弱性与POODLE攻击过程
The most severe problem of CBC encryption in SSL 3.0 is that its block cipher padding is not deterministic, and not covered by the MAC (Message Authentication Code): thus, the integrity of padding cannot be fully verified when decrypting. Padding by 1 to L bytes (where L is the block size in bytes) is used to obtain an integral number of blocks before performing blockwise CBC (cipherblock chaining) encryption. The weakness is the easiest to exploit if there’s an entire block of padding, which (before encryption) consists of L1 arbitrary bytes followed by a single byte of value L1. To process an incoming ciphertext record C1 ... Cn also given an initialization vector C0 (where each Ci is one block), the recipient first determines P1 ... Pn as Pi = DK (Ci ) ⊕ Ci1 (where DK denotes blockcipher decryption using perconnection key K), then checks and removes the padding at the end, and finally checks and removes a MAC. Now observe that if there’s a full block of padding and an attacker replaces Cn by any earlier ciphertext block Ci from the same encrypted stream, the ciphertext will still be accepted if DK (Ci ) ⊕ Cn1 happens to have L1 as its final byte, but will in all likelihood be rejected otherwise, giving rise to a padding oracle attack [tlscbc].
In the web setting, this SSL 3.0 weakness can be exploited by a maninthe middle attacker to decrypt “secure” HTTP cookies, using techniques from the BEAST attack [BEAST]. To launch the POODLE attack (Padding Oracle On Downgraded Legacy Encryption), run a JavaScript agent on evil.com (or on http://example.com) to get the victim’s browser to send cookiebearing HTTPS requests to https://example.com, and intercept and modify the SSL records sent by the browser in such a way that there’s a nonnegligible chance that example.com will accept the modified record. If the modified record is accepted, the attacker can decrypt one byte of the cookies. Assume that each block C has 16 bytes, C[0] ... C[15]. (Eightbyte blocks can be handled similarly.) Also assume, for now, that the size of the cookies is known. (Later we will show how to start the attack if it isn’t.) The MAC size in SSL 3.0 CBC cipher suites is typically 20 bytes, so below the CBC layer, an encrypted POST request will look as follows:
POST /path Cookie: name=value...\r\n\r\nbody ‖ 20byte MAC ‖ padding
这里的path和body是攻击者可以控制的,而且假设cookie的长度已经知道(后面有不知道的进一步实现细节),这里就可以多次发送Ci 替换Cn 的包进行尝试(每次的key都不一样),直到满足P‘n[15]=15(256次以内),这时候就可以通过公式求出一个字节,接下来可以控制长度进行进一步的破解。
The attacker controls both the request path and the request body, and thus can induce requests such that the following two conditions hold:
● The padding fills an entire block (encrypted into Cn ).
● The cookies’ first asofyet unknown byte appears as the final byte in an earlier block (encrypted into Ci ).
The attacker then replaces Cn by Ci and forwards this modified SSL record to the server. Usually, the server will reject this record, and the attacker will simply try again with a new request. Occasionally (on average, once in 256 requests), the server will accept the modified record, and the attacker will conclude that DK (Ci )[15] ⊕ Cn1 [15] = 15, and thus that Pi [15] = 15 ⊕ Cn1 [15] ⊕ Ci1 [15]. This reveals the cookies’ first previously unknown byte. The attacker proceeds to the next byte by changing the sizes of request path and body simultaneously such that the request size stays the same but the position of the headers is shifted , continuing until it has decrypted as much of the cookies as desired. 1 The expected overall effort is 256 SSL 3.0 requests per byte. As the padding hides the exact size of the payload, the cookies’ size is not immediately apparent, but inducing requests GET /, GET /A, GET /AA, ... allows the attacker to observe at which point the block boundary gets crossed: after at most 16 such requests, this will reveal the padding size, and thus the size of the cookies.
在cookies长度不确定的情况下,可以通过控制增加客户端的path长度并对比密文Ciphertext长度,基本在16个请求以内就可以确定其实际长度。
0x03 思路:
Poodle攻击需要满足的条件比较多:1. 首先是基于SSLV3的脆弱性,而现在浏览器已经不支持SSL v3(也是因为其脆弱性),所以在攻击时我使用了Chrome 20.0版本进行尝试。2.攻击者必须可以实施中间人攻击,控制用户流量以及控制客户端发送AJAX请求,从而进行攻击。
基于以上两点并参考Patzkes的实现思路,演示的结构如下图:
我们控制的是Request Generator(victim Browser)中产生ajax请求,Request Generator由浏览器访问HTTP Server得到,接下来对TLS Proxy进行访问,TLS Proxy作为中间人对SSL流量进行处理,通过对HTTPS Server进行访问而leak用户的cookie等加密过后的敏感信息。
0x04 实现:
攻击演示中分别实现了HttpsServer.py和Attacker.py。HttpsServer提供sslv3的连接,Attacker通过作为Proxy修改SSL流量进行攻击。一开始尝试使用httpserver + socat进行,但是socat会被阻塞掉所以导致了浏览器一直卡在一个线程,然后重写服务器解决掉了。
其中还存在的问题是:
1.存在一些小bug;2.因为浏览器的同源策略,ajax请求在安全机制打开的情况下不成功,我初步是通过先禁用解决的;3.攻击速度比较慢,效率低,10个字节之后浏览器都崩溃了。
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 
相关文章推荐
- python基础教程总结15——4 新闻聚合
- HTML5 新的API 窗口可视区 scrollIntoView dataset calssList
- easyui datagrid
- nyoj数数
- oc代码规范
- 网银在线的异步操作代码示意图
- python操作redis
- OpenCV视屏跟踪
- 命令行的基本使用方法(权限)
- php解析一个url
- MYSQL---设置存储引擎
- Spring DI 集合属性依赖注入
- [LeetCode] Simplify Path
- process launch failed: failed to get the task for process 1482
- iOS知识小集 第三期 (2015.06.30)
- 【图论】【二分图匹配】[HDU 2819]Swap
- 【bzoj3130】 SDOI2013费用流 最大流
- 比较Java Swing中三种注册事件的方法
- 创建fragment的适配器的时候,构造函数传入content参数
- HDU 1755--A Number Puzzle【next_permutation】