TLS-Attacker V2.2 And The ROBOT Attack

We found out that many TLS implementations are still vulnerable to different variations of a 19-year old Bleichenbacher's attack. Since Hanno argued to have an attack name, we called it ROBOT: https://robotattack.org

Given the new attack variants, we released a new version of TLS-Attacker 2.2, which covers our vulnerabilities.

Bleichenbacher's attack from 1998

In 1998, Daniel Bleichenbacher discovered that the error messages given by SSL servers for errors in the PKCS #1 1.5 padding allow an adversary to execute an adaptive-chosen ciphertext attack. This attack also belongs to the category of padding oracle attacks. By performing the attack, the adversary exploits different responses returned by the server that decrypts the requests and validates the PKCS#1 1.5 padding. Given such a server, the attacker can use it as an oracle and decrypt ciphertexts.

We refer to one of our previous blog posts for more details.

OK, so what is new in our research?

In our research we performed scans of several well-known hosts and found out many of them are vulnerable to different forms of the attack. In the original paper, an oracle was constructed from a server that responded with different TLS alert messages. In 2014, further side-channels like timings were exploited. However, all the previous studies have considered mostly open source implementations. Only a few vulnerabilities have been found.

In our scans we could identify more than seven vulnerable products and open source software implementations, including F5, Radware, Cisco, Erlang, Bouncy Castle, or WolfSSL. We identified new side-channels triggered by incomplete protocol flows or TCP socket states.

For example, some F5 products would respond to a malformed ciphertext located in the ClientKeyExchange message with a TLS alert 40 (handshake failure) but allow connections to timeout if the decryption was successful. We could observe this behaviour only when sending incomplete TLS handshakes missing ChangeCipherSpec and Finished messages.

See our paper for more interesting results.

Release of TLS-Attacker 2.2

These new findings motivated us to implement the complete detection of Bleichenbacher attacks in our TLS-Attacker. Before our research, TLS-Attacker had implemented a basic Bleichenbacher attack evaluation with full TLS protocol flows. We extended this evaluation with shortened protocol flows with missing ChangeCipherSpec and Finished messages, and implemented an oracle detection based on TCP timeouts and duplicated TLS alerts. In addition, Robert (@ic0ns) added many fixes and merged features like replay attacks on 0-RTT in TLS 1.3.

You can find the newest version release here: https://github.com/RUB-NDS/TLS-Attacker/releases/tag/v2.2

TLS-Attacker allows you to automatically send differently formatted PKCS#1 encrypted messages and observe the server behavior:

$ java -jar Attacks.jar bleichenbacher -connect [host]:[port]

In case the server responds with different error messages, it is most likely vulnerable. The following example provides an example of a vulnerable server detection output:

14:12:42 [main] CONSOLE attacks.impl.Attacker - A server is considered vulnerable to this attack if it responds differently to the test vectors.
14:12:42 [main] CONSOLE attacks.impl.Attacker - A server is considered secure if it always responds the same way.
14:12:49 [main] CONSOLE attacks.impl.Attacker - Found a difference in responses in the Complete TLS protocol flow with CCS and Finished messages.
14:12:49 [main] CONSOLE attacks.impl.Attacker - The server seems to respond with different record contents.
14:12:49 [main] INFO  attacks.Main - Vulnerable:true

In this case TLS-Attacker identified that sending different PKCS#1 messages results in different server responses (the record contents are different).

Related posts

1. Best Hacking Tools 2020
2. Hack Tools Pc
3. Nsa Hack Tools
4. New Hack Tools
5. Hacker Tool Kit
6. Hacks And Tools
7. Best Hacking Tools 2020
8. Pentest Tools Subdomain
9. What Are Hacking Tools
10. Hacker Tools Software
11. Pentest Tools Tcp Port Scanner
12. New Hacker Tools
13. Hacking Tools Hardware
14. Hacking Tools Windows
15. Termux Hacking Tools 2019
16. Pentest Tools Review
17. Top Pentest Tools
18. Hacking Tools Github
19. Termux Hacking Tools 2019
20. Pentest Tools Tcp Port Scanner
21. Pentest Tools For Android
22. Pentest Tools Download
23. Tools For Hacker
24. Pentest Tools
25. Hacking Tools Software
26. Pentest Tools
27. Usb Pentest Tools
28. Hacker Tools Mac
29. Hacking Tools Pc
30. Free Pentest Tools For Windows
31. Pentest Tools
32. Hacking Tools For Windows 7
33. Hacks And Tools
34. Hak5 Tools
35. Tools 4 Hack
36. Hacker Security Tools
37. Hack Tools For Windows
38. How To Make Hacking Tools
39. Hacking Tools Download
40. Pentest Tools Website Vulnerability
41. Pentest Tools Website Vulnerability
42. Hacking Tools For Beginners
43. Hack Tools Download
44. Hacker Tools Online
45. Hacking Tools 2020
46. Github Hacking Tools
47. Computer Hacker
48. Hacking Tools For Windows
49. Underground Hacker Sites
50. Pentest Tools Alternative
51. Blackhat Hacker Tools
52. Pentest Tools Apk
53. Pentest Tools
54. Nsa Hack Tools Download
55. Pentest Tools Tcp Port Scanner
56. Hacking Tools For Windows 7
57. Hacking Tools Kit
58. Hacking App
59. Hacker Tools For Ios
60. Nsa Hacker Tools
61. Hacking Tools Windows 10
62. Pentest Tools Windows
63. Pentest Tools Alternative
64. Hacker Tools Linux
65. Computer Hacker
66. Hacking Tools Kit
67. Pentest Tools Subdomain
68. Hacker Tools List
69. Hacking Tools Kit
70. Hack Tools Github
71. Best Hacking Tools 2019
72. Hack Rom Tools
73. Hacker
74. Physical Pentest Tools
75. Hacker Tools For Pc
76. Hack App
77. Pentest Automation Tools
78. New Hacker Tools
79. Wifi Hacker Tools For Windows
80. Computer Hacker
81. Tools For Hacker
82. Pentest Tools Kali Linux
83. Ethical Hacker Tools
84. Growth Hacker Tools
85. Hacker Tools For Pc
86. Hacking Tools Usb
87. Hacker Tools Linux
88. Bluetooth Hacking Tools Kali
89. Hacking Tools For Windows
90. Pentest Recon Tools
91. Hacker Tools Apk Download
92. Nsa Hacker Tools