Practically DROWNing
0 likes485 views
This document discusses the DROWN attack in detail. It describes how the attack works by exploiting vulnerabilities in the SSLv2 protocol to decrypt TLS connections. Specifically, it uses a Bleichenbacher padding oracle attack and works by intercepting TLS handshake messages, transforming them, and sending them to an SSLv2 server to recover the premaster secret and decrypt traffic. The document provides information on the computational requirements, prevalence of vulnerable servers, variations of the attack that can decrypt more quickly, and recommendations for mitigation.
Practically DROWNing
- 1. Practical DROWNing Putting a well known, highly computationally heavy crypto attack into practice in real time. Where What Who Ruxmon Melbourne Practical DROWNing Tim Noise
- 2. tIMNOISE • twitter/dnoiz1 • github/dnoiz1 • mIRC/dnz • streetz/notorious D N Z • tim@drkns.net Blackhat sell out and V.I.L.E henchman
- 3. SECURESOCKETLAYER • Sucked so bad v1 was never used Emphasis on the first S - SSL • v2 was released in 1995 • It sucked so bad, v3 was released in 1996 • It sucked so bad TLS replaced it in 1998 • In 2016 we remembered v2 sucked and disabled it again • We went back to SSLv2 in 2014
- 4. TransportLAYERSECURITYTurns out SSL was not good • TLS 1.0 released in 99 - allows for downgrade to SSL (thx) • TLS 1.1 released in 2006 - Fixes CBC, introduces explicit IV • TLS 1.2 released in 2008 • 2011 TLS1.2 removes downgrade, particularly to SSLv2
- 5. BasicHandshakesWere not blood-stacking just yet
- 6. ProtocolIMPLENTATIONSIts actually people who make code
- 7. RECENT-ISHATTACKS • BEAST • CRIME • BREACH • POODLE • Logjam • Heart bleed • Cache bleed • DROWN Are we bored with codenames, logos and fancy websites yet?
- 8. NoteworthyCVEsOftheDAY • CVE-2016-0800 / DROWN • CVE-2016-0705 / Double Free in DSA • CVE-2016-0798 / Memory Leak • CVE-2016-0797 / Null Pointer deref/Heap corruption • CVE-2016-0799 / Format String memory issues • CVE-2016-0702 / Side Channel Attack • CVE-2016-0703 / Divide and Conquer Key Recovery • CVE-2016-0704 / Bleichenbacher oracle in SSLv2 Not all DROWN related, OpenSSL bugs with the same day 0
- 9. DROWNCVE-2016-0800 • Downgrade to SSLv2 • Bleichenbacher padding oracle (CVE-2016-0704) • Available to any port or service that can negotiate SSLv2 • Compounded with CVE-2015-3197 to select disabled ciphers Decrypting RSA with Obsolete and Weakened eNcryption
- 10. VendorRESPONSE • 0day was March 1, 2016 • Reported from upstream on February 22, 2016 • Immediately treated as High Touch • Patches to OpenSSL were committed to git on 18th & 20th of February • Other libraries followed shortly after • RPMs published 0day along with RHSA Cold sweats and beating day 0
- 11. HOWtoDROWNBetter than Bondi Rescue
- 12. HOWtoDROWN • Attacker collects TLS RSA Key Exchange messages • Intercept cipher text containing 48 byte premaster secret to PKCS#1 v1.5 encoded messages of length to SSLv2 oracle • Perform the Bleichenbacher oracle • Transform the data back into plain text Better than Bondi Rescue
- 13. DifficultyDROWNing • Computational work for standard drown is 2^50 • requires observing 1000 TLS handshake • requires performing 40,000 negations • Under 8 hours and $440 using AWS EC2 Compute nodes Spin up all the CUDA cores
- 14. DOYOUCARE? • Initial estimate at 11.5m (33% of scanned) of HTTPS server • Special DROWN 79% of the 11.5m • Key reuse allows multiple servers to expose each other (SMTP/IPMI/HTTPS etc) Makes your KPIs look good and your CISO can sleep at night
- 15. SPECIALDROWN • Special extra clear oracle • Requires only 1/2 the number of connections • Enabled by CVE-2016-703 / Divide-and-conquer session key recovery • Can be calculated in real time (under 1min on a single core) • Before the initial Handshake times out, allowing MITM It only takes a toddler 30 seconds
- 16. TakeAWAY • Install patched packages! • Disable SSLv* • Disable Shitty Ciphers • Filter SSL negotiations on the network Stuff to do when you get home • Test for weak ciphers • Test for SSL negotiation • Test for Key Reuse • Do more than test! MITM and Decrypt things Defenders Attackers
- 17. QUESTIONS?
- 18. Practical DROWNing Putting a well known, highly computationally heavy crypto attack into practice in real time. Where What Who Ruxmon Melbourne Practical DROWNing Tim Noise
- 19. tIMNOISE • twitter/dnoiz1 • github/dnoiz1 • mIRC/dnz • streetz/notorious D N Z • tim@drkns.net Blackhat sell out and V.I.L.E henchman