Friday, August 28, 2020

TLS-Attacker V2.2 And The ROBOT Attack

We found out that many TLS implementations are still vulnerable to different variations of Bleichenbacher's 19-year-old attack. Since Hanno argued that the attack should have a name, we called it ROBOT: https://robotattack.org

Given the new attack variants, we released a new version, TLS-Attacker 2.2, which covers the vulnerabilities we found.

Bleichenbacher's attack from 1998

In 1998, Daniel Bleichenbacher discovered that the error messages given by SSL servers for errors in the PKCS#1 v1.5 padding allow an adversary to execute an adaptive chosen-ciphertext attack. This attack belongs to the category of padding oracle attacks. The adversary exploits the different responses returned by a server that decrypts the requests and validates the PKCS#1 v1.5 padding. Given such a server, the attacker can use it as an oracle and decrypt ciphertexts.
We refer to one of our previous blog posts for more details.

OK, so what is new in our research?

In our research we performed scans of several well-known hosts and found that many of them are vulnerable to different forms of the attack. In the original paper, an oracle was constructed from a server that responded with different TLS alert messages. In 2014, further side channels like timings were exploited. However, all the previous studies considered mostly open source implementations. Only a few vulnerabilities were found.

In our scans we could identify more than seven vulnerable products and open source software implementations, including F5, Radware, Cisco, Erlang, Bouncy Castle, and WolfSSL. We identified new side channels triggered by incomplete protocol flows or TCP socket states.

For example, some F5 products would respond to a malformed ciphertext located in the ClientKeyExchange message with a TLS alert 40 (handshake failure) but allow connections to time out if the decryption was successful. We could observe this behaviour only when sending incomplete TLS handshakes missing the ChangeCipherSpec and Finished messages.
See our paper for more interesting results.

Release of TLS-Attacker 2.2

These new findings motivated us to implement the complete detection of Bleichenbacher attacks in our TLS-Attacker. Before our research, TLS-Attacker had implemented a basic Bleichenbacher attack evaluation with full TLS protocol flows. We extended this evaluation with shortened protocol flows with missing ChangeCipherSpec and Finished messages, and implemented an oracle detection based on TCP timeouts and duplicated TLS alerts. In addition, Robert (@ic0ns) added many fixes and merged features like replay attacks on 0-RTT in TLS 1.3.
You can find the newest version release here: https://github.com/RUB-NDS/TLS-Attacker/releases/tag/v2.2

TLS-Attacker allows you to automatically send differently formatted PKCS#1 encrypted messages and observe the server behavior:

$ java -jar Attacks.jar bleichenbacher -connect [host]:[port]

If the server responds with different error messages, it is most likely vulnerable. The following is an example of the output when a vulnerable server is detected:
14:12:42 [main] CONSOLE attacks.impl.Attacker - A server is considered vulnerable to this attack if it responds differently to the test vectors.
14:12:42 [main] CONSOLE attacks.impl.Attacker - A server is considered secure if it always responds the same way.
14:12:49 [main] CONSOLE attacks.impl.Attacker - Found a difference in responses in the Complete TLS protocol flow with CCS and Finished messages.
14:12:49 [main] CONSOLE attacks.impl.Attacker - The server seems to respond with different record contents.
14:12:49 [main] INFO attacks.Main - Vulnerable:true
In this case TLS-Attacker identified that sending different PKCS#1 messages results in different server responses (the record contents are different).
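
The decision rule from the output above, applied to a model of the shortened-flow behaviour described earlier for some F5 products and to a server following the RFC 5246 section 7.4.7.1 countermeasure. This is an added example, not code from TLS-Attacker or from the original post; the vector shapes, function names and response labels are constructed for illustration, and the blocks are plaintexts as the server sees them after RSA decryption.

```python
import os

K, PMS_LEN, VERSION = 256, 48, b"\x03\x03"   # 2048-bit modulus, TLS 1.2

def block(head=b"\x00\x02", pms_len=PMS_LEN, sep=b"\x00", ver=VERSION):
    """Constructed plaintext block as the server sees it after RSA decryption."""
    pms = ver + b"\x11" * (pms_len - 2)
    ps = b"\x01" * (K - len(head) - len(sep) - len(pms))
    return head + ps + sep + pms

VECTORS = {                                  # constructed sample vectors
    "valid": block(),
    "wrong_header": block(head=b"\x41\x17"),
    "no_separator": block(sep=b"\x01"),
    "separator_misplaced": block(pms_len=10),
    "wrong_version": block(ver=b"\x02\x02"),
}

def padding_ok(em):
    """PKCS#1 v1.5 type-2 check plus the TLS premaster secret length and version."""
    sep = em.find(b"\x00", 2)
    return (em[:2] == b"\x00\x02" and sep == K - PMS_LEN - 1
            and em[sep + 1:sep + 3] == VERSION)

def leaky_server(em):
    """Models the reported behaviour: alert 40 on bad padding, timeout otherwise."""
    return "tcp_timeout" if padding_ok(em) else "alert_40_handshake_failure"

def select_pms(em):
    """RFC 5246 7.4.7.1: a bad block silently yields a random premaster secret."""
    fake = os.urandom(PMS_LEN)               # always generated, before the check
    return em[-PMS_LEN:] if padding_ok(em) else fake

def hardened_server(em):
    select_pms(em)                           # handshake continues either way
    return "tcp_timeout"                     # waits for the missing CCS/Finished

def find_oracle(server, vectors=VECTORS):
    """The post's rule: vulnerable if the responses to the test vectors differ."""
    seen = {name: server(em) for name, em in vectors.items()}
    return len(set(seen.values())) > 1, seen

if __name__ == "__main__":
    for srv in (leaky_server, hardened_server):
        vulnerable, seen = find_oracle(srv)
        print(srv.__name__, "Vulnerable:", vulnerable, seen)
```

The model covers message-level differences only; Python comparisons are not constant-time, so it says nothing about the timing side channels mentioned above.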
