padding oracle [opkoko2011]
Post on 22-Nov-2014
Padding Oracle
On the Best Server-Side Bug
Pwnie Awards 2011
2
Padding Oracle
• 2002 – Vaudenay
  – side-channel
  – padding oracle
  – CBC-mode
• Network encryption
• 2010 – Duong, Rizzo
  – Web!
  – Captchas
  – JSF ViewStates
  – ASP.NET
• ASP.NET – O_O
3
Block Ciphers
[Diagram: plaintext P is encrypted (E) under key k to ciphertext C, which is decrypted (D) back to P]
P: Plaintext
C: Ciphertext
k: key
E: Encrypt
D: Decrypt
Block cipher: fixed block/plaintext/ciphertext length
128 bit – 16 bytes
64 bit – 8 bytes
(key length and block length are totally unrelated)
4
Electronic Code Book
[Diagram: each plaintext block P[0], P[1], P[2] is encrypted (E) independently to C[0], C[1], C[2]]
5
[Figure panels: plaintext, ECB, Other modes]
This image is derived from File:Tux.jpg, and therefore requires attribution. All uses are permitted provided that Larry Ewing, the owner of the original image, who requires that you mention him, his email address, lewing@isc.tamu.edu, and The GIMP, according to http://www.isc.tamu.edu/~lewing/linux/.
6
Cipher Block Chaining
[Diagram: CBC encryption. P[0] xor IV is encrypted (E) to C[0]; P[1] xor C[0] is encrypted to C[1]; P[2] xor C[1] is encrypted to C[2]]
7
Cipher Block Chaining
[Diagram: CBC decryption. C[0] is decrypted (D) and XORed with IV to give P[0]; D(C[1]) xor C[0] gives P[1]; D(C[2]) xor C[1] gives P[2]]
8
9
CBC and XOR
[Diagram: C is decrypted (D) to the intermediate value; intermediate xor IV gives P]
0 xor X = 0, X = 0
0 xor X = 1, X = 1
1 xor X = 1, X = 1
1 xor X = 0, X = 0
If only we had an oracle telling us the plaintext!
10
Oracle: PKCS #5 Padding
? ? ? ? ? ? ? 01
? ? ? ? ? ? 02 02
? ? ? ? ? 03 03 03
? 07 07 07 07 07 07 07
08 08 08 08 08 08 08 08
….
Last ciphertext block is an oracle!
Padding: OK
Padding: Bad
11
12
Padding Oracle
[Diagram: intermediate xor IV1 = ??????1; intermediate xor IV2 = ?????22; intermediate xor IV3 = ????333]
13
Padding Oracle
[Diagram: C is decrypted (D) to the intermediate value; intermediate xor IV gives P]
C fixed => intermediate fixed
IV can be set by attacker
Padding Oracle yields P
IV xor P = intermediate
Search for P = ???????1
Search for P = ??????22
…
Search for P = 88888888
intermediate xor IV = P
14
DEMO
or if demo breaks, youtube
http://youtu.be/B7UzYaTSeq8
15
CBC-R: CBC in reverse
[Diagram: C is decrypted (D) to the intermediate value; intermediate xor IV gives P]
C = whatever
Padding Oracle yields intermediate
P = whatever
IV = P xor intermediate
IV & C valid ciphertext
16
C[2] C[1] C[0] C[-1]
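[Diagram: CBC decryption chain in which C[-1] takes the IV position: D(C[0]) xor C[-1] gives P[0]; D(C[1]) xor C[0] gives P[1]; D(C[2]) xor C[1] gives P[2]]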
17
Encrypt and Authenticate
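[Diagram: sender encrypts (E) P to C and computes an HMAC over C, sending C + M; receiver verifies M against C, then decrypts (D) C to P]

c = encrypt( p )
m = hmac( c )
transmit( c, m )

receive( c, m )
mm = hmac( c )
if ( m == mm ) {
    p = decrypt( c )
} else {
    ninja kill sender
}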
18
Developer challenges
• Encryption frameworks may not be secure
  – 2010, most web frameworks were insecure
  – some frameworks are still very broken
• Options
  – OWASP, Microsoft – responds to security
  – Validate your framework yourself
  – Do not trust that web encryption works
19
Pwnie Awards
http://youtu.be/yghiC_U2RaM
20
Demonstration environment
• Encryption key in web.config
• Windows server
• ASP.NET
• DotNetNuke CMS
• Latest / fully patched versions at time of video release.
21
ScriptResources.axd?d=
• Ciphertext in d= parameter
• Plaintext of d= supports grabbing files
• Vulnerable to Padding Oracle and CBC-R
• ?d= CBC-R ( "R|~Web.config" )
• Attacker has encryption secrets!
22
Becoming DotNetNuke admin
• Web.config gives encryption keys
• Generate ASP.NET authentication cookie
  – FormsAuthentication.SetAuthCookie( Convert.ToString( LoggedOnUserName ), true );
  – Encrypt and MAC authcookie for "SuperUser"
• Upload DotNetNuke extension backdoor
23
OS: Complete loss of control
• Start local command shell
  – User: network service
• Privilege escalation exploit
  – "Token kidnapping revenge"
  – User: SYSTEM
• Callback to netcat listener