Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Juliano Rizzo
Thai Duong
Abstract
At Eurocrypt 2002, Vaudenay introduced a powerful side-channel attack, which is called Padding Oracle attack, against CBC-mode encryption
with PKCS#5 padding (See [6]). By giving an oracle which on receipt of
a ciphertext, decrypting it and then replying to the sender whether the
padding is correct or not, he shows that one can efficiently decrypt data
without knowing the encryption key. In this paper, we turn Padding Oracle attack into a new set of practical web hacking techniques. From the
starting point being the question: how to find Padding Oracles in real life
systems, we proceed to show how to crack various CAPTCHA in popular
web sites. Then we show how to decrypt view states in JavaServer Faces
web development frameworks. We go on extending Padding Oracle attack
by introducing CBC-R, a technique that allows attackers with access to a
Padding Oracle to efficiently encrypt arbitrary plaintexts under the same
key as that oracle. CBC-R permits us to mount the most interesting exploits such as creating CAPTCHA graffiti for fun, or creating malicious
view states to run arbitrary code in JavaServer Faces for profit. Then
we show how to combine Padding Oracle attack and cross-domain information leakage in web browsers to deploy a distributed Padding Oracle
attack. We demonstrate that one can use this technique to map all ciphertexts to corresponding plaintexts, hence break under-lied cryptosystems,
in a fast, distributed manner. Finally, we describe several popular systems
vulnerable to Padding Oracle attacks that we found during this research.
We strongly believe that this is just the tip of the iceberg, and the techniques we describe in this paper would uncover many more vulnerabilities
for years to come.
Introduction
In this research, we show that widely used web development frameworks and
web sites are using encryption wrongly that allow attackers to read and modify
http://netifera.com,
juliano@netifera.com
thaidn@vnsecurity.net
http://vnsecurity.net,
data that should be protected. It has been known for years in cryptography
community that encryption is not authentication. If encrypted messages are
not authenticated, data integrity cannot be guaranteed which makes systems
vulnerable to practical and dangerous chosen-ciphertext attacks, one of them
being Padding Oracle attack that Vaudenay presented at EuroCrypt 2002 (See
[6]). As explained in Paterson and Yaus summary in [5], Padding Oracle attack
requires an oracle which on receipt of a ciphertext, decrypts it and replies to the
sender whether the padding is VALID or INVALID. The attack works under the
assumption that the attackers can intercept padded messages encrypted in CBC
mode, and have access to the aforementioned padding oracle. The result is that
attackers can recover the plaintext corresponding to any block of ciphertext
using an average of 128 ? b oracle calls, where b is the number of bytes in a
block. The easiest fix for Padding Oracle attack is to encrypt-then-MAC, i.e.
encrypting information to get the ciphertext, then signing the ciphertext with
a Message Authentication Code scheme. One can use a ciphertext mode that
combines both data confidentiality and data authenticity such as CCM, OCB,
EAX, or GCM 1 . For more details on Vaudenays attack and suggested fixes,
please see [7, 1, 3, 4, 5].
In Section 2, we describe manual and automated testing techniques to find
Padding Oracle in real life systems. In Section 3, we describe basic Padding
Oracle attacks to crack CAPTCHA and decrypt secret data of popular web
sites and web development frameworks. In Section 4, we introduce advanced
Padding Oracle attacks that allow us to mount the most interesting exploits
such as creating CAPTCHA graffiti for fun, or creating malicious view states
to run arbitrary code in JavaServer Faces for profit. In Section 5, we list several popular web development frameworks and web sites that are vulnerable
to Padding Oracle attacks, including but not limited to eBay Latin America,
Apache MyFaces, SUN Mojarra, Ruby On Rails, OWASP ESAPI, etc. We
conclude in Section 6.
If you start looking today, you would see that Padding Oracle is pervasive.
Its everywhere like SQL Injection or Cross Site Scripting. This is because few
people believe that attackers can decrypt their encrypted secrets if they leak
out just 1-bit information. Unfortunately, the reality is that if you somehow
let attackers know that whether or not an error has occurred while you decrypt
something, then they can decrypt your messages. Succinctly in short, leak 1-bit,
and you are 0wn3d.
1 See http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation for links to relevant RFCs and papers of these modes
2.1
Manual Testing
2.2
Automated Testing
After doing some manual testing, one usually needs to use an automated tool
to confirm the existence of Padding Oracles. By changing the ciphertext randomly, the ultimate goal of automated tools is to force the target reveal as
many different reactions to the modified messages as possible. We are going
to release POET a.k.a Padding Oracle Exploitation Tool 3 which finds and
exploits Padding Oracle automatically.
If you want to write your own tool to detect Padding Oracle, you can follow
this guideline which is very similar to the last word decryption algorithm that
Vaudenay described in his seminal paper (See [6, Section 3.1]):
1. Pick a few random words r1 , ..., rb where b denotes the cipher block size,
and take i = 0
2. Pick r = r1 |...|rb1 |(rb i), where | denotes contatenation.
3. Send r|y to the target web site, where y is a valid ciphertext block that
you found during the manual testing phase. Record the value of i, content
length, and content type of the response. Increment i, and go back to step
2 until i > 255.
4. Now you have 256 responses. If all of them are the same, then its bad
news, the target is not easily showing you that it is vulnerable to Padding
Oracle attack. Otherwise, look at each value of i where the responses
are different from the rest. Manually resend each corresponding r|y, and
examine carefully each response to see what happens.
A final note is people often use one global crypto key and a fixed IV to encrypt
everything, so if attackers found a Padding Oracle, then they can use it to
decrypt all data encrypted under that key and IV.
Since HTTP is a stateless protocol, web developers must either manage states on
the server, or push them to the client. For performance and scalability reasons,
most web developers tend to go with the latter method. They want to keep the
state as a secret, and turn to cryptography which is the right tool. However,
they use it wrongly, i.e. neither sign the ciphertext nor use an authenticated
block cipher mode, and make their systems vulnerable to Padding Oracle attack.
In this section, we show two basic Padding Oracles attacks:
3 POET has probably been released by the time you read this paper. You can download it
at http://netifera.com/research
3.1
Cracking CAPTCHA
3.2
JavaServer Faces introduces a powerful and flexible system for saving and restoring the state of the view between requests to the server. JSF implementations
support two primary mechanisms for saving states, based on the value of the
javax.faces.STATE_SAVING_METHOD initialization parameter. If this parameter is set to client, then it would cause the saved state to be included in the
rendered markup that is sent to the client (such as in a hidden input field for
HTML). The state information must be included in the subsequent request,
making it possible for JSF to restore the view without having saved information
on the server side.
Although JSF specification advises that state information should be encrypted
and tamper evident, as far as we know no implementation follows that advice. Some frameworks such as SUN Mojarra and Apache MyFaces do encrypt
state information, but they dont protect the integrity of encrypted states which
makes them vulnerable to Padding Oracle attacks.
By default, all JSF frameworks would display a very detailed error message if it
fails to decrypt a view state, which makes the Padding Oracle very obvious: if
one sees javax.crypto.BadPaddingException, then its INVALID padding; its
VALID padding otherwise.
Most JSF frameworks allow developers to turn off error messages. Then attackers can use the following simple trick. Say an attacker wants to decrypt block Ci
of an encrypted view state C0 |C1 |...|Cn1 , then they would append Crandom |Ci
to create C0 |C1 |...|Cn1 |Crandom |Ci , and send this message to the server. Since
Java ignores those extra blocks while decrypting and deserializing view states,
6
4.1
A Padding Oracle is all attackers need to decrypt messages. But can Padding
Oracle help if their goal is to encrypt messages? The short answer is yes. We
designed the following technique, which allows one to use a Padding Oracle to
encrypt messages of any length under the same key as the Padding Oracle. It
is very simple but we have not seen it published before, given the surprisingly
fruitful consequences of this finding. We call it CBC-R encryption, and Section
4.1.2 shows that CBC-R has permitted us to mount the most interesting exploits.
5 For
CBC-R Encryption
CBC-R turns a decryption oracle into an encryption oracle 6 . We all know that
CBC decryption works as following:
Pi = DK (Ci ) Ci1
C0 = IV
Look at the XOR operation. It takes two parameters: one is the previous ciphertext block Ci1 which is controlled by attackers, and another is the intermediate
plaintext block of the current ciphertex block DK (Ci ). Attackers dont have access to K, but they can use a Padding Oracle to get DK (Ci ). In other words,
attackers can make that XOR operation to produce any plaintext block Pi as
they want.
The process is simple. Attackers take one random ciphertext block, call it Ci .
Any random block would work. They send that block to the Padding Oracle to
get its intermediate plaintext, call this operation DP addingOracle (Ci ). Since
Pi = Ci1 DP addingOracle (Ci )
and attackers control Ci1 , they can make Pi equal to anything they want. But
does this make Pi1 garbled? Yes, but attackers can fix Pi1 by sending Ci1
to the Padding Oracle to get its intermediate plaintext, and set:
Ci2 = Pi1 DP addingOracle (Ci1 )
6 Please note that Padding Oracle is just one kind of decryption oracles that can work well
with CBC-R
1. Cn1 = random
2. for i = n 1 down to 1:
Ci1 = Pi DP addingOracle (Ci )
3. IV = P0 DP addingOracle (C0 )
Figure 3: CBC-R pseudocode
We said that CBC-R allows attackers to encrypt any message, but if they
cannot set the IV, the first plaintext block will be random and meaningless. If
the victim expects the decrypted message to start with a standard header, and
attackers dont control the IV, then the victim will ignore the forged message
constructed by CBC-R. This is what happens with compressed data, and Java
serialized object streams to name a few.
This limitation could prevent some of the highest impact attacks, and we have
not found generic way to overcome it. However, we have found workarounds for
particular cases.
Using Captured Ciphertext As Prefix If attackers capture a ciphertext
whose plaintext is a valid message, then they can prepend the ciphertext to
their CBC-R encrypted message to get a valid header after decrypting:
Pvalid = DK (Ccaptured |IVCBCR |PCBCR )
The resulting forged plaintext message will have a valid header, but it still has a
garbled block at the position of IVCBCR . This broken block can still make the
victim reject the message, but we can make the victim ignore it if we choose the
prefix carefully, i.e. the garbled block becomes part of some string that doesnt
affect the semantic of the message such as comment or textbox label.
Brute-Forcing C0 In CBC-R, the final block Cn1 is a random block (See
Figure 3). Each different Cn1 would yield a different Cn1 , ..., C0 chain. In
other words, CBC-R can produce many different ciphertexts that decrypted
to the same plaintext block chain Pn1 , ..., P1 . The only difference is the first
plaintext block which is computed as following:
P0 = DK (C0 ) IV
Attackers want P0 to contain a valid header. In some systems, this means that
the first few bytes of P0 must match some magic numbers. There are also
systems that accept a message if the first byte of its P0 matches its size. If this
is the case, and if the message is short enough, attackers can try their luck by
brute-forcing C0 .
The idea is simple: attackers change Cn1 , hence change C0 , until they can get
a valid P0 . For example, if the first byte of P0 must match the message size, one
needs to try at most 256 different CBC-R ciphertexts to obtain a valid message.
For longer messages or more complex message validation rules, brute-forcing is
not practical.
4.1.2
CBC-R Applications
sudo make me a CAPTCHA Since CBC-R can help one to encrypt arbitrary messages of any length. In other words, one can use CBC-R to create
10
and Figure 6 8 .
Creating Malicious JSF view states Its easy to see that attackers can
use CBC-R to create malicious view states that in worst case could allow them
to execute code in vulnerable JSF systems. The two remaining questions are:
Which view states to create?
How to solve the garbled block problem?
For the first question, the book of Apache MyFaces and Facelets technology
observed that (See [8]):
[...]When the HTML form is submitted it carries the view state value
back to the server in the form of an HTTP parameter. JSF uses the
value of this parameter to reconstruct the view during the restore
view phase. The view is restored by reversing the process used to
7 See
http://bit.ly/pwn3dCAPTCHA
http://bit.ly/0wn3dCAPTCHA (please note that this CAPTCHA was not made by
CBC-R ;-)
9 We have to solve this problem because we dont control the IV of most JSF frameworks
8 See
11
12
As a result, we know which view states to create. For the second question, it
depends on the content of JSF view states which are Java Object Serialization
Stream 11 . The generic solution is to use the technique described in Section
4.1.1 to prepend known valid ciphertext to our CBC-R encrypted view state
12
, and make the garbled block become part of a string that doesnt affect the
semantic of the view state such as textbox label.
Please note that although we attack only JSF view states, our techniques can
be applied to exploit other kind of state information in different formats such as
XML, serialized objects, JSON, simply comma separated variable-value pairs,
etc.
4.2
http://java.sun.com/j2se/1.5.0/docs/guide/serialization/spec/protocol.html#8101
JSF view states start with the same known header. See Figure 2
13 Watch
it
at
http://www.youtube.com/watch_private?v=e46APUpDvk&sharing_token=ZaLFKwi0ipTWzw_2vThJSA (you need to login into YouTube)
12 All
13
Below are several web development frameworks and web sites vulnerable to
Padding Oracle attacks that we found during this research. Due to time constraint, we look at only popular systems, i.e. web sites with a large number
of customers, and frameworks with a large number of developers. We strongly
believe that this is just the tip of the iceberg, and the techniques we describe in
this paper would uncover many more vulnerabilities for years to come.
5.1
MercadoLibre.com, a.k.a eBay Latin America, is Latin Americas numberone e-commerce site with more than 40 million registered users that buy
and sell products. We found that MercadoLibres CAPTCHA 14 can be
cracked by using the technique described in Section 3.1. Please note that
MercadoLibres CAPTCHA uses a secret IV, so one needs to manually
recover the secret IV before automating their CAPTCHA cracking process.
BIDZ.com is a leading online retailer of jewelry that is ranked 5th amongst
auction sites according to Alexa. We found that attackers can crack
BIDZs CAPTCHA 15 using the technique described in Section 3.1. Since
attackers can control the IV of BIDZs CAPTCHA, they can apply CBCR technique to create CAPTCHA graffiti for fun (See Figure 5). We also
use BIDZ as the target to demonstrate the power of a distributed Padding
Oracle attack, as described in Section 4.2 16 .
5.2
There are probably a handful of JSF implementations out there, but we dont
have time to test all of them so we focus on the most two popular which are
Apache MyFaces and SUN Mojarra. Both of them can be attacked using the
techniques described in Section 3.2 and Section 4.1.2.
5.3
5.3.1
Others
Ruby On Rails
Ruby On Rails 17 , which was created in 2003, is probably the most widely used
web development framework in the world. Since version 2.3, Ruby On Rails has
14 See
http://www.mercadolibre.com.ar/jm/reg
http://www.bidz.com/bzJApp/ViewCustomerLoginForm.action
16 Watch
the screen cast at http://www.youtube.com/watch_private?v=e46APUpDvk&sharing_token=ZaLFKwi0ipTWzw_2vThJSA (you need to login into YouTube)
17 See http://www.rubyonrails.org
15 See
14
OWASP ESAPI
OWASP ESAPI 20 , which stands for OWASP Enterprise Security API Toolkits,
is a project that claim to help software developers guard against security-related
design and implementation flaws. However, we found that all OWASP ESAPI
for Java up to version 2.0 RC2 are vulnerable to Padding Oracle attacks 21 .
There were some significant changes in ESAPI Encryption API since 2.0 RC3
22
. Unfortunately, while these changes are heading towards the correct direction,
i.e. signing the ciphertex or using an authenticated encryption mode, but at the
time of this writing, there are still some bugs in the latest implementation 23
that make applications using ESAPI for Java still vulnerable to Padding Oracle
attacks. We leave the finding of these bugs as an exercise for readers.
Conclusion
Nate Lawson
24
once said
25
[...]If you find yourself needing to implement crypto, its likely you
can avoid it by thinking about the situation differently. For example,
many web developers get seduced into designing their own crypto as
a way to push state to the client instead of managing it on the server.
This opens up a much wider attack surface on the server application
since now every part of that blob needs to be considered malicious.
As the saying goes, "... now you have two problems."
18 See
http://api.rubyonrails.org/classes/ActiveSupport/MessageEncryptor.html
http://guides.rails.info/2_3_release_notes.html
20 See http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
21 See http://owasp-esapi-java.googlecode.com/svn/trunk_doc/1.4.4/org/owasp/esapi/reference/JavaEncryptor.html
22 See http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/esapi4java-core2.0-readme-crypto-changes.html
23 See http://owasp-esapi-java.googlecode.com/svn/trunk/src/main/java/org/owasp/esapi/reference/crypto/JavaEncryptor.java
24 http://www.root.org
25 http://news.ycombinator.com/item?id=621227
19 See
15
Acknowledgments
References
[1] J. Black and H. Urtubia. Side-Channel Attacks on Symmetric Encryption
Schemes: The Case for Authenticated Encryption. In Proceedings of the
11th USENIX Security Symposium, San Francisco, CA, USA, August 5-9,
2002, pages 327338. USENIX, 2002.
[2] D. Byrne. Multiplatform View State Tampering Vulnerabilities.
Trustwaves SpiderLabs. 8 Feb. 2009. Trustwave. 24 Feb. 2009
https://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt
[3] B. Canvel, A. Hiltgen, S. Vaudenay, and M. Vuagnoux. Password Interception in a SSL/TLS Channel. In Proc. CRYPTO 2003, D. Boneh (ed.), LNCS
Vol. 2729, pp. 583599, 2003.
[4] V. Klima and T. Rosa. Side Channel Attacks on CBC Encrypted Messages
in the PKCS#7 Format. Cryptology ePrint Archive, Report 2003/098, 2003.
[5] K.G. Paterson and A. Yau. Padding Oracle Attacks on the ISO CBC Mode
Padding Standard. In T. Okamoto, editor, Topics in Cryptology CT-RSA
2004, volume 2964 of Lecture Notes in Computer Science, pages 305323.
Springer-Verlag, 2004.
[6] S. Vaudenay. Security Flaws Induced by CBC Padding Applications to
SSL, IPSEC, WTLS...In L. Knudsen, editor, Advances in Cryptology
EUROCRYPT 2002, volume 2332 of Lecture Notes in Computer Science,
pages 534545. Springer-Verlag, 2002
[7] A. K. L. Yau, K. G. Paterson, and C. J. Mitchell. Padding Oracle Attacks on
CBC- Mode Encryption with Secret and Random IVs. In H. Gilbert and H.
Handschuh, editors, Proceedings of FSE 2005, volume 3557 of LNCS, pages
299319. Springer- Verlag, 2005.
16
17