I would like to be able to test for POODLE vulnerability over TLS.
There are already several ways to do this, like Qualys SSL Labs for instance, but it is too restrictive (only TCP port 443 of servers reachable from the Internet). There is also this link, but I got a lot of false positives/negatives when I tested it: http://www.exploresecurity.com/testing-for-poodle_tls-manually/
So now I am trying to modify the TLS implementation of OpenSSL 1.0.2d to be able to send invalid packets (using openssl s_client ...) and to see how servers behave.
Even though I am not really familiar with C, I could find interesting code implementing the padding for AES-CBC-SHA (according to RFC 2246) in OpenSSL, in crypto/evp/e_aes_cbc_hmac_sha1.c
on line 518:
/* pad the payload|hmac */
plen += SHA_DIGEST_LENGTH;
for (l = len - plen - 1; plen < len; plen++)
out[plen] = l;
I modified it into this, in order to change the first padding byte and make it incorrect according to the RFC:
/* pad the payload|hmac */
plen += SHA_DIGEST_LENGTH;
for (l = len - plen - 1; plen < len; plen++) {
if (plen == len - l - 1)
out[plen] = (l + 1) % 256;
else
out[plen] = l;
}
Then compile and test:
./config
make
./apps/openssl s_client -connect www.google.com:443 -servername www.google.com -tls1 -cipher AES128-SHA
And I could connect and make an HTTP request, which got a response...
So my question is: wasn't it the right file I modified, or is it something else?
Thank you a lot for your help.
POODLE over TLS. It has since been found that the POODLE issue is not limited to SSL 3.0. Some TLS implementations do not check the content of the padding bytes at all (only the final padding-length byte), so the same padding-oracle attack works against TLS 1.0 and TLS 1.1 on those servers. It was first found on sites fronted by load balancers from two manufacturers, F5 and A10.
The POODLE flaw lets a man-in-the-middle (MITM) attacker decrypt parts of supposedly secure communications. In practice this lets the attacker recover users' private information (session cookies are the classic target) and, possibly, impersonate the user, so that the user loses control over the exploited web application.
On October 14th, 2014, a vulnerability in version 3 of the SSL protocol was disclosed. Dubbed POODLE (Padding Oracle On Downgraded Legacy Encryption) and tracked as CVE-2014-3566, it allows a man-in-the-middle attacker to recover plaintext from communication encrypted with SSLv3.
I had the same problem, answered here. Basically, you need to modify the ssl3_enc function (in the s3_enc.c file) and replace
memset(&rec->input[rec->length], 0, i);
with
for(size_t j = 0; j < i; ++j) {
rec->input[rec->length + j] = rand() % 256;
}
and also it's best to increase the padding size for the cases when the block aligns well and there is no padding. To do that, just add:
i += bs;
right before these lines
/* we need to add 'i-1' padding bytes */
l += i;
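A few facts about OpenSSL 1.0.2 decide which loop actually pads the record that s_client sends. crypto/evp/e_aes_cbc_hmac_sha1.c (the file modified in the question) is the "stitched" AES-CBC + HMAC-SHA1 cipher, and the TLS record layer only selects it for AES-CBC/SHA1 suites such as AES128-SHA when the CPU supports AES-NI; on any other build the padding for a TLS record is added in tls1_enc in ssl/t1_enc.c. The memset patched in the answer lives in ssl3_enc in ssl/s3_enc.c, which is the SSLv3 record path, so it is exercised by openssl s_client -ssl3 and not by -tls1. Whichever loop is patched, what the test relies on is the difference between a decoder that checks every padding byte and one that only reads the last byte. The example below, in C, is added here and is neither OpenSSL code nor from the question or the answer: it models RFC 2246 block padding on payload|MAC for a 16-byte block and a 20-byte MAC (AES128-SHA), applies the question's mutation (first padding byte + 1) and the answer's mutation (random padding bytes), and runs each record through a strict TLS check and a lax SSLv3-style check. The function names, the sample HTTP payload and the placeholder MAC bytes are constructed for the demo.

```c
/*
 * Added example, not OpenSSL code. Models TLS 1.0 (RFC 2246, 6.2.3.2)
 * CBC padding of payload|MAC and the two decoder behaviours that decide
 * whether a server is POODLE-prone over TLS:
 *   strict: every padding byte must equal the padding-length byte (TLS rule)
 *   lax:    only the last byte is read (SSLv3 rule; a TLS stack behaving
 *           this way is the "POODLE over TLS" condition)
 * BLOCK 16 models AES, MAC_LEN 20 models HMAC-SHA1. The payload and the
 * 0xAA MAC bytes below are constructed stand-ins, not real TLS data.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BLOCK   16
#define MAC_LEN 20
#define REC_MAX 256

/* TLS 1.0 padding: bring len up to a multiple of BLOCK, always adding at
 * least one byte. Every padding byte, including the final length byte,
 * carries (number of padding bytes - 1). Returns the padded length. */
size_t tls_pad(uint8_t *rec, size_t len)
{
    uint8_t n = (uint8_t)(BLOCK - (len % BLOCK));   /* 1..BLOCK, as in tls1_enc */
    memset(rec + len, n - 1, n);
    return len + n;
}

/* Mutation from the question: first padding byte becomes (l + 1) % 256,
 * where l is the value in the last byte. With l == 0 the "first" padding
 * byte is the length byte itself, exactly as the question's loop behaves. */
void corrupt_first_pad_byte(uint8_t *rec, size_t len)
{
    uint8_t l = rec[len - 1];
    rec[len - 1 - l] = (uint8_t)(l + 1);
}

/* Mutation from the answer: every padding byte except the length byte is
 * replaced by a random value. Call srand() in the caller for repeatability. */
void randomize_pad_bytes(uint8_t *rec, size_t len)
{
    uint8_t l = rec[len - 1];
    for (size_t j = len - 1 - l; j < len - 1; j++)
        rec[j] = (uint8_t)(rand() % 256);
}

/* Strict TLS check: returns payload|MAC length, or -1 on bad padding. */
long unpad_strict(const uint8_t *rec, size_t len)
{
    if (len == 0) return -1;
    uint8_t l = rec[len - 1];
    if ((size_t)l + 1 > len) return -1;         /* length byte overruns record */
    for (size_t j = len - 1 - l; j < len; j++)
        if (rec[j] != l) return -1;             /* any mismatching pad byte */
    return (long)(len - 1 - l);
}

/* Lax SSLv3-style check: trusts the length byte, never looks at the rest. */
long unpad_lax(const uint8_t *rec, size_t len)
{
    if (len == 0) return -1;
    uint8_t l = rec[len - 1];
    if ((size_t)l + 1 > len) return -1;
    return (long)(len - 1 - l);
}

/* Builds a constructed record (18-byte request + 20 placeholder MAC bytes,
 * so 38 bytes -> 10 padding bytes of 0x09), applies mutation 0 (none),
 * 1 (question's) or 2 (answer's), and reports whether the chosen decoder
 * accepts it: 1 = accepted, 0 = rejected. */
int record_accepted(int mutation, int strict)
{
    static const char payload[] = "GET / HTTP/1.0\r\n\r\n";
    uint8_t rec[REC_MAX];
    size_t len = sizeof(payload) - 1;
    memcpy(rec, payload, len);
    memset(rec + len, 0xAA, MAC_LEN);            /* stand-in for the HMAC tag */
    len += MAC_LEN;
    len = tls_pad(rec, len);
    if (mutation == 1) corrupt_first_pad_byte(rec, len);
    if (mutation == 2) randomize_pad_bytes(rec, len);
    long body = strict ? unpad_strict(rec, len) : unpad_lax(rec, len);
    return body == (long)(sizeof(payload) - 1 + MAC_LEN);
}

int main(void)
{
    static const char *names[] = { "valid padding", "first byte +1 (question)",
                                   "random bytes (answer)" };
    srand(1);
    for (int m = 0; m < 3; m++)
        printf("%-26s strict:%s  lax:%s\n", names[m],
               record_accepted(m, 1) ? "accept" : "reject",
               record_accepted(m, 0) ? "accept" : "reject");
    return 0;
}
```

Against a real server the same split is what you look for: a correct TLS stack rejects the mutated record with a fatal bad_record_mac alert, while a server that only reads the length byte accepts it and answers the HTTP request. That acceptance, not the mere ability to connect, is the POODLE-over-TLS signal, so a test that never sends a mutated record after the handshake (for example because the patched loop was not on the code path in use) cannot distinguish the two.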