Upload
uzik13
View
219
Download
0
Embed Size (px)
Citation preview
7/27/2019 Breach - Bh 2013 - Presentation
1/40
SSL, GONE IN 30 SECONDSb r e a c h
SSL, GONE IN 30 SECONDS
A
BREACH
beyond
CRIME
Angelo Prado
Neal Harris
Yoel Gluck
7/27/2019 Breach - Bh 2013 - Presentation
2/40
SSL, GONE IN 30 SECONDSb r e a c h
AGENDA
Review ofCRIME
Introducing BREACH
In the weeds
Demo time!
Mitigations
Proceed with caution:
7/27/2019 Breach - Bh 2013 - Presentation
3/40
SSL, GONE IN 30 SECONDSb r e a c h
PREVIOUSLY...
CRIME
Presented at
ekoparty 2012
Target
Secrets in HTTP
headers
Requirements
TLS compression
MITM
A browserJuliano Rizzo
Thai Duong
7/27/2019 Breach - Bh 2013 - Presentation
4/40
SSL, GONE IN 30 SECONDSb r e a c h
SO ABOUT CRIME...
SSL doesnt hide length
SSL/SPDYcompress headers
CRIME issues requests with every possible character,and measures the ciphertext length
Looks for the plaintext which compresses
the mostguesses the secret byte by byte
Requires small bootstrapping sequence
knownKeyPrefix=secretCookieValue
The Compression Oracle:
7/27/2019 Breach - Bh 2013 - Presentation
5/40
SSL, GONE IN 30 SECONDSb r e a c h
COMPRESSION OVERVIEW
DEFLATE / GZIP LZ77: reducing redundancy
Googling the googles -> Googling the g(-13,4)s
Huffman coding:replace common
bytes with shorter codes
7/27/2019 Breach - Bh 2013 - Presentation
6/40
SSL, GONE IN 30 SECONDSb r e a c h
ITS FIXED!
TLS
CompressionDisabled
7/27/2019 Breach - Bh 2013 - Presentation
7/40SSL, GONE IN 30 SECONDSb r e a c h
DO NOT PANIC:
TUBES SECURE
7/27/2019 Breach - Bh 2013 - Presentation
8/40SSL, GONE IN 30 SECONDSb r e a c h
Or are they?
7/27/2019 Breach - Bh 2013 - Presentation
9/40SSL, GONE IN 30 SECONDSb r e a c h
[lets bring it back to life]
7/27/2019 Breach - Bh 2013 - Presentation
10/40SSL, GONE IN 30 SECONDSb r e a c h
FIRST THINGS FIRST:FIX WIKIPEDIA
7/27/2019 Breach - Bh 2013 - Presentation
11/40SSL, GONE IN 30 SECONDSb r e a c h
BREACHBrowser Reconnaissance & Exfiltration via
Adaptive Compression ofHypertext
INTRODUCING
7/27/2019 Breach - Bh 2013 - Presentation
12/40SSL, GONE IN 30 SECONDSb r e a c h
A CRIMEAGAINST THE
RESPONSE BODY
7/27/2019 Breach - Bh 2013 - Presentation
13/40SSL, GONE IN 30 SECONDSb r e a c h
(sample traffic)
7/27/2019 Breach - Bh 2013 - Presentation
14/40SSL, GONE IN 30 SECONDSb r e a c h
BREACH / the ingredients
Very prevalent, any browser
Any version of SSL / TLS
GZIP A secret in the response body
CSRF, PII, ViewState anything!
Attacker-supplied guess
In response body
Three-character prefix
To bootstrap compression
Less than 30 seconds for
simple pages
Fairly stable pages
No SSL tampering / downgrade
MITM / traffic visibility
7/27/2019 Breach - Bh 2013 - Presentation
15/40SSL, GONE IN 30 SECONDSb r e a c h
[PREFIX / sample bootstrap]
secret (CSRF token)
guess
7/27/2019 Breach - Bh 2013 - Presentation
16/40SSL, GONE IN 30 SECONDSb r e a c h
BREACH / architecture
7/27/2019 Breach - Bh 2013 - Presentation
17/40
7/27/2019 Breach - Bh 2013 - Presentation
18/40
SSL, GONE IN 30 SECONDSb r e a c h
C&C/ logic
Traffic Monitor Transparent relay SSL proxy
HTML/JS Controller
I. Dynamically generated for specific target serverII. Injects & listens to iframe streamer from c&c:81 that
dictates the new HTTP requests to be performed(img.src=...)
III. Issues the outbound HTTP requests to the target site via
the victim's browser, session-riding a valid SSL channel
IV. Upon synchronous completion of every request (onerror),
performs a unique callback to c&c:82 for the Traffic
Monitor to measure encrypted response size
MITM: ARP spoofing,
DNS, DHCP, WPAD
7/27/2019 Breach - Bh 2013 - Presentation
19/40
SSL, GONE IN 30 SECONDSb r e a c h
C&C/ logic
Main C&C Driver Coordinates character guessing
Adaptively issues requests to target site
Listens toJS callbacks upon request completion
Measures -inbound- packets length
Has built-in intelligence for compression oracleruntime recovery
7/27/2019 Breach - Bh 2013 - Presentation
20/40
SSL, GONE IN 30 SECONDSb r e a c h
THE ORACLE
MEASURESIZE DELTA
GUESSINGBYTE-BY-BYTE
ERRORRECOVERY
7/27/2019 Breach - Bh 2013 - Presentation
21/40
SSL, GONE IN 30 SECONDSb r e a c h
SSL cipher text
HTTP clear text
10 bytes
TCP connection
SSL records
SSL REVEALS LENGTH
7/27/2019 Breach - Bh 2013 - Presentation
22/40
SSL, GONE IN 30 SECONDSb r e a c h
COMPRESSION ORACLE (I)
tkn=
guess=
supersecret48 bytes
supersecreX
aftergzip
tkn=
guess=
supersecret
38 bytes
(-22, 10)X
7/27/2019 Breach - Bh 2013 - Presentation
23/40
SSL, GONE IN 30 SECONDSb r e a c h
COMPRESSION ORACLE (II)
tkn=
guess=
supersecret48 bytes
supersecret
aftergzip
tkn=
guess=
supersecret
37 bytes
(-22, 11)
7/27/2019 Breach - Bh 2013 - Presentation
24/40
SSL, GONE IN 30 SECONDSb r e a c h
7/27/2019 Breach - Bh 2013 - Presentation
25/40
SSL, GONE IN 30 SECONDSb r e a c h
THE ORACLEHuffman Coding Nightmares
Incorrect Guess
https://target-server.com/page.php?blah=blah2...
&secret=4bf (response: 1358 bytes)a
Correct Guess
https://target-server.com/page.php?blah=blah2...
&secret=4bf (response: 1358 bytes)b
7/27/2019 Breach - Bh 2013 - Presentation
26/40
SSL, GONE IN 30 SECONDSb r e a c h
THE ORACLEFighting Huffman Coding
Two Tries + random [dynamic] padding
7
8
https://target-server.com/page.php?blah=blah2...
&secret=4bf {}{}(...){}{}{}{}{}
&secret=4bf{}{}(...){}{}{}{}{}
7
7
https://target-server.com/page.php?blah=blah2...
&secret=4bf {}{}(...){}{}{}{}{}---a-b-c-d-
-5-6-8-9-
&secret=4bf {}{}(...){}{}{}{}{}---a-b-c-d--5-6-7-9-
Character set pool + random padding
7/27/2019 Breach - Bh 2013 - Presentation
27/40
SSL, GONE IN 30 SECONDSb r e a c h
THE ORACLETwo Tries Reality
Less than ideal conditions: In theory, two-tries allows for short-circuiting once winner
is found
In practice, still need to evaluate all candidates
Huffman encoding causes collisions
7/27/2019 Breach - Bh 2013 - Presentation
28/40
SSL, GONE IN 30 SECONDSb r e a c h
ROADBLOCKS
Conflict & Recovery mechanisms(no winners / too many winners)
Look-ahead (2+ characters)reliable, but expensive
Best value / averages
Rollback (last-known conflict)
Check compression ratio of guess string
Page URL / HTML entity encoding Can interfere with bootstrapping
7/27/2019 Breach - Bh 2013 - Presentation
29/40
SSL, GONE IN 30 SECONDSb r e a c h
MORE ROADBLOCKS
Stream cipher vs. block cipher
10 bytes
SSL cipher text
Compressed HTTP response
Stream cipher reveals exact plain text length
7/27/2019 Breach - Bh 2013 - Presentation
30/40
SSL, GONE IN 30 SECONDSb r e a c h
MORE ROADBLOCKS
Stream cipher vs. block cipher
Compressed HTTP response
Block cipher hides exact plain text length
16 bytes
SSL cipher text
Compressed HTTP response
Align response to a tipping point
Guess Window (keeping response aligned)
7/27/2019 Breach - Bh 2013 - Presentation
31/40
SSL, GONE IN 30 SECONDSb r e a c h
EVEN MORE ROADBLOCKS
Keep-Alive (a premature death) Image requests vs. scriptsvs. CORS requests
Browser synchronicity limits (1x)
Hard to correlate HTTP requests to TCP segments
Filtering out noise Active application?
Background polling?
7/27/2019 Breach - Bh 2013 - Presentation
32/40
SSL, GONE IN 30 SECONDSb r e a c h
YET MORE ROADBLOCKS
Unstable pages (w/random DOM blocks) Averaging & outlier removal
The war against Huffman coding Weight (symbol) normalization
Circumventing cache Random timestamp
Other Oracles Patent-pending!
7/27/2019 Breach - Bh 2013 - Presentation
33/40
SSL, GONE IN 30 SECONDSb r e a c h
OVERWHELMED?
7/27/2019 Breach - Bh 2013 - Presentation
34/40
SSL, GONE IN 30 SECONDSb r e a c h
DEMO TIME(let us pray)
7/27/2019 Breach - Bh 2013 - Presentation
35/40
SSL, GONE IN 30 SECONDSb r e a c h
THE TOOL
7/27/2019 Breach - Bh 2013 - Presentation
36/40
SSL, GONE IN 30 SECONDSb r e a c h
MITIGATIONS
RANDOMIZING
THE LENGTH variable padding
fighting against math
/FAIL
DYNAMIC
SECRETS dynamic CSRF
tokens per request
MASKING
THE SECRET random XOR easy,
dirty, practical path
downstream enough
THROTTLING
& MONITORING
CSRF-PROTECT
EVERYTHING unrealistic
SEPARATING
SECRETS deliver secrets in
input-less servlets
chunked secret
separation (lib patch)
DISABLING GZIP
FOR DYNAMIC
PAGES
7/27/2019 Breach - Bh 2013 - Presentation
37/40
SSL, GONE IN 30 SECONDSb r e a c h
FUTUREWORK
Better understanding ofDEFLATE / GZIP
Beyond HTTPS
Very generic side-channel
Other protocols, contexts?
Stay tuned for the next BREACH
7/27/2019 Breach - Bh 2013 - Presentation
38/40
SSL, GONE IN 30 SECONDSb r e a c h
WANT MORE?AGENTS STANDING BY
PAPER PRESENTATION POC TOOLBreachAttack.com
http://breachattack.com/http://breachattack.com/7/27/2019 Breach - Bh 2013 - Presentation
39/40
SSL, GONE IN 30 SECONDSb r e a c h
THANKYOU EVERYBODY !
7/27/2019 Breach - Bh 2013 - Presentation
40/40
b h
If you liked the talk*, dont forget to scan your
badge for the evaluation survey* ignore otherwise
BREACHATTACK.COM
@PradoAngelo
Angelo [email protected]
@IAmTheNeal
Neal [email protected]
Yoel Gluck