padding oracle [opkoko2011]

Padding Oracle: On the Best server-side Bug, Pwnie Awards 2011

Upload: blaufish

Post on 22-Nov-2014


DESCRIPTION

Padding Oracle attacks based on Thai Duong and Juliano Rizzo's work. Presented at Opkoko2011.

TRANSCRIPT

Page 1: Padding oracle [opkoko2011]

Padding Oracle

On the Best server-side Bug, Pwnie Awards 2011

Page 2: Padding oracle [opkoko2011]

Padding Oracle

• 2002 – Vaudenay
– side-channel
– padding oracle
– CBC-mode
• Network encryption
• 2010 – Duong, Rizzo
– Web!
– Captchas
– JSF ViewStates
– ASP.NET
• ASP.NET – O_O

Page 3: Padding oracle [opkoko2011]

Block Ciphers

[Diagram: block cipher with labels P, E, C, D, P and key k]

P: Plaintext
C: Ciphertext
k: key
E: Encrypt
D: Decrypt

Block cipher: Fixed block/plaintext/ciphertext length
128 bit – 16 bytes
64 bit – 8 bytes

(key length and block length are totally unrelated)

Page 4: Padding oracle [opkoko2011]

Electronic Code Book

[Diagram: P[0], P[1] and P[2] each pass through E to give C[0], C[1] and C[2]]

Page 5: Padding oracle [opkoko2011]

[Figure: the same image shown as plaintext, encrypted with ECB, and encrypted with other modes]

This image is derived from File:Tux.jpg, and therefore requires attribution. All uses are permitted provided that Larry Ewing, the owner of the original image, who requires that you mention him, his email address, [email protected], and The GIMP, according to http://www.isc.tamu.edu/~lewing/linux/.

Page 6: Padding oracle [opkoko2011]

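Cipher Block Chaining

[Diagram: CBC encryption. P[0] is xored with IV and passed through E to give C[0]; P[1] and P[2] are each xored with the preceding ciphertext block and passed through E to give C[1] and C[2]]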

Page 7: Padding oracle [opkoko2011]

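Cipher Block Chaining

[Diagram: CBC decryption. C[0] is passed through D and xored with IV to give P[0]; C[1] and C[2] are each passed through D and xored with the preceding ciphertext block to give P[1] and P[2]]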

Page 8: Padding oracle [opkoko2011]


Page 9: Padding oracle [opkoko2011]

CBC and XOR

[Diagram: C is passed through D to give the intermediate value, which is xored with IV to give P]

0 xor X = 0   X = 0
0 xor X = 1   X = 1
1 xor X = 1   X = 1
1 xor X = 0   X = 0

If only we had an oracle telling us the plaintext!

Page 10: Padding oracle [opkoko2011]

Oracle: PKCS #5 Padding

? ? ? ? ? ? ? 01
? ? ? ? ? ? 02 02
? ? ? ? ? 03 03 03
? 07 07 07 07 07 07 07
08 08 08 08 08 08 08 08
….

Last ciphertext block is an oracle!
Padding: OK
Padding: Bad

Page 11: Padding oracle [opkoko2011]


Page 12: Padding oracle [opkoko2011]

Padding Oracle

[Diagram: intermediate xor IV1 = ??????1; intermediate xor IV2 = ?????22; intermediate xor IV3 = ????333]

Page 13: Padding oracle [opkoko2011]

Padding Oracle

[Diagram: C is passed through D to give the intermediate value, which is xored with IV to give P]

C fixed => intermediate fixed
IV can be set by attacker
Padding Oracle yields P

IV xor P = intermediate
Search for P = ???????1
Search for P = ??????22
…
Search for P = 88888888

intermediate xor IV = P

Page 14: Padding oracle [opkoko2011]


DEMO

or if demo breaks, youtube

http://youtu.be/B7UzYaTSeq8

Page 15: Padding oracle [opkoko2011]

CBC-R: CBC in reverse

[Diagram: C is passed through D to give the intermediate value, which is xored with IV to give P]

C = whatever
Padding Oracle => intermediate
P = whatever
IV = P xor intermediate
IV & C valid ciphertext

Page 16: Padding oracle [opkoko2011]

C[2] C[1] C[0] C[-1]

[Diagram: CBC decryption of C[0], C[1] and C[2] through D into P[0], P[1] and P[2], with C[-1] in the IV position for P[0]]

Page 17: Padding oracle [opkoko2011]

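Encrypt and Authenticate

[Diagram: sender encrypts P with E into C and computes an HMAC over C; C + M is transmitted; receiver verifies the HMAC over C, then decrypts C with D into P]

c = encrypt( p )
m = hmac( c )
transmit( c, m )

receive( c, m )
mm = hmac( c )
if ( m == mm ) {
    p = decrypt( c )
}
else {
    ninja kill sender
}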
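An added example, not part of the original slides: the encrypt-then-HMAC scheme above in Python next to plain CBC with PKCS #5 padding, plus a check that lists which responses a client can tell apart after one ciphertext byte is altered. The block cipher is a toy Feistel construction used only so the example runs on the standard library; every function name here (`seal`, `open_sealed`, `outcomes`, ...) is an assumption of this example.

```python
import hashlib, hmac, os
BLOCK = 16  # bytes per block (128-bit block cipher)

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _block(key, blk, decrypt=False):
    # Toy 4-round Feistel cipher standing in for AES: NOT secure, demo only.
    f = lambda rnd, half: hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]
    l, r = blk[:8], blk[8:]
    for rnd in (range(3, -1, -1) if decrypt else range(4)):
        l, r = (_xor(r, f(rnd, l)), l) if decrypt else (r, _xor(l, f(rnd, r)))
    return l + r

def cbc_encrypt(key, plaintext):
    n = BLOCK - len(plaintext) % BLOCK
    data = plaintext + bytes([n]) * n              # PKCS #5 padding
    out = [os.urandom(BLOCK)]                      # random IV, sent as block 0
    for i in range(0, len(data), BLOCK):
        out.append(_block(key, _xor(data[i:i + BLOCK], out[-1])))
    return b"".join(out)

def cbc_decrypt(key, ct):
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    pt = b"".join(_xor(_block(key, c, True), p) for p, c in zip(blocks, blocks[1:]))
    n = pt[-1] if pt else 0
    if not 1 <= n <= BLOCK or pt[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")            # distinguishable error: the oracle
    return pt[:-n]

def seal(enc_key, mac_key, plaintext):
    c = cbc_encrypt(enc_key, plaintext)
    return c + hmac.new(mac_key, c, hashlib.sha256).digest()   # transmit(c, m)

def open_sealed(enc_key, mac_key, msg):
    c, m = msg[:-32], msg[-32:]                    # constant-time compare of m and hmac(c)
    if not hmac.compare_digest(m, hmac.new(mac_key, c, hashlib.sha256).digest()):
        raise ValueError("invalid message")        # rejected before any decryption
    return cbc_decrypt(enc_key, c)

def outcomes(decrypt, msg, pos):  # distinct results when byte pos takes every other value
    seen = set()
    for v in set(range(256)) - {msg[pos]}:
        try:
            decrypt(msg[:pos] + bytes([v]) + msg[pos + 1:])
            seen.add("ok")
        except ValueError as err:
            seen.add(str(err))
    return seen
```

Run against plain `cbc_decrypt`, `outcomes` on the last IV byte reports both "ok" and "bad padding"; run against `open_sealed`, every altered message gives the single answer "invalid message", so the padding check is never reachable with forged input.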

Page 18: Padding oracle [opkoko2011]

Developer challenges

• Encryption frameworks may not be secure
– 2010, most web frameworks were insecure
– some frameworks are still very broken
• Options
– OWASP, Microsoft – responds to security
– Validate your framework yourself
– Do not trust that web encryption works

Page 19: Padding oracle [opkoko2011]


Pwnie Awards

http://youtu.be/yghiC_U2RaM

Page 20: Padding oracle [opkoko2011]

Demonstration environment

• Encryption key in web.config
• Windows server
• ASP.NET
• DotNetNuke CMS
• Latest / fully patched versions at time of video release.

Page 21: Padding oracle [opkoko2011]

ScriptResources.axd?d=

• Ciphertext in d= parameter
• Plaintext of d= supports grabbing files
• Vulnerable to Padding Oracle and CBC-R
• ?d= CBC-R ( ”R|~Web.config” )
• Attacker has encryption secrets!

Page 22: Padding oracle [opkoko2011]

Becoming DotNetNuke admin

• Web.config gives encryption keys
• Generate ASP.NET authentication cookie
– FormsAuthentication.SetAuthCookie( Convert.ToString( LoggedOnUserName ), true );
– Encrypt and MAC authcookie for ”SuperUser”
• Upload DotNetNuke extension backdoor

Page 23: Padding oracle [opkoko2011]

OS: Complete loss of control

• Start local command shell
– User: network service
• Privilege escalation exploit
– ”Token kidnaping revenge”
– User: SYSTEM
• Callback to netcat listener