TLS-Attacker V2.2 And The ROBOT Attack

We found out that many TLS implementations are still vulnerable to different variations of a 19-year old Bleichenbacher's attack. Since Hanno argued to have an attack name, we called it ROBOT: https://robotattack.org

Given the new attack variants, we released a new version of TLS-Attacker 2.2, which covers our vulnerabilities.

Bleichenbacher's attack from 1998

In 1998, Daniel Bleichenbacher discovered that the error messages given by SSL servers for errors in the PKCS #1 1.5 padding allow an adversary to execute an adaptive-chosen ciphertext attack. This attack also belongs to the category of padding oracle attacks. By performing the attack, the adversary exploits different responses returned by the server that decrypts the requests and validates the PKCS#1 1.5 padding. Given such a server, the attacker can use it as an oracle and decrypt ciphertexts.

We refer to one of our previous blog posts for more details.

OK, so what is new in our research?

In our research we performed scans of several well-known hosts and found out many of them are vulnerable to different forms of the attack. In the original paper, an oracle was constructed from a server that responded with different TLS alert messages. In 2014, further side-channels like timings were exploited. However, all the previous studies have considered mostly open source implementations. Only a few vulnerabilities have been found.

In our scans we could identify more than seven vulnerable products and open source software implementations, including F5, Radware, Cisco, Erlang, Bouncy Castle, or WolfSSL. We identified new side-channels triggered by incomplete protocol flows or TCP socket states.

For example, some F5 products would respond to a malformed ciphertext located in the ClientKeyExchange message with a TLS alert 40 (handshake failure) but allow connections to timeout if the decryption was successful. We could observe this behaviour only when sending incomplete TLS handshakes missing ChangeCipherSpec and Finished messages.

See our paper for more interesting results.

Release of TLS-Attacker 2.2

These new findings motivated us to implement the complete detection of Bleichenbacher attacks in our TLS-Attacker. Before our research, TLS-Attacker had implemented a basic Bleichenbacher attack evaluation with full TLS protocol flows. We extended this evaluation with shortened protocol flows with missing ChangeCipherSpec and Finished messages, and implemented an oracle detection based on TCP timeouts and duplicated TLS alerts. In addition, Robert (@ic0ns) added many fixes and merged features like replay attacks on 0-RTT in TLS 1.3.

You can find the newest version release here: https://github.com/RUB-NDS/TLS-Attacker/releases/tag/v2.2

TLS-Attacker allows you to automatically send differently formatted PKCS#1 encrypted messages and observe the server behavior:

$ java -jar Attacks.jar bleichenbacher -connect [host]:[port]

In case the server responds with different error messages, it is most likely vulnerable. The following example provides an example of a vulnerable server detection output:

14:12:42 [main] CONSOLE attacks.impl.Attacker - A server is considered vulnerable to this attack if it responds differently to the test vectors.
14:12:42 [main] CONSOLE attacks.impl.Attacker - A server is considered secure if it always responds the same way.
14:12:49 [main] CONSOLE attacks.impl.Attacker - Found a difference in responses in the Complete TLS protocol flow with CCS and Finished messages.
14:12:49 [main] CONSOLE attacks.impl.Attacker - The server seems to respond with different record contents.
14:12:49 [main] INFO  attacks.Main - Vulnerable:true

In this case TLS-Attacker identified that sending different PKCS#1 messages results in different server responses (the record contents are different).

Related news

1. Pentest Tools Nmap
2. Github Hacking Tools
3. Hacker Search Tools
4. Hacker Tools 2019
5. Hack Tools For Ubuntu
6. Hacker Tools Apk Download
7. Pentest Tools Download
8. Hacking Tools For Pc
9. Hacking Tools Download
10. Pentest Tools Port Scanner
11. Pentest Tools For Windows
12. Underground Hacker Sites
13. Hacker Tools For Ios
14. Hacking Tools Name
15. New Hack Tools
16. Hacking Tools Kit
17. Pentest Tools Windows
18. What Is Hacking Tools
19. Hacker Tool Kit
20. Hack Tools For Pc
21. Pentest Tools Android
22. Hack Tools For Windows
23. Hacker Tools Online
24. Hacker Tools Free
25. Hacker Tools Linux
26. Underground Hacker Sites
27. Hack Tools For Windows
28. World No 1 Hacker Software
29. Pentest Tools Android
30. Hacker
31. Hack Tools Pc
32. Hacking Tools For Windows Free Download
33. New Hacker Tools
34. Hacking Tools For Windows 7
35. Pentest Reporting Tools
36. Hacker Tools Free
37. Hack And Tools
38. Hacker Tools Online
39. Hacking Tools 2020
40. Hack Tools Online
41. Hack Tools For Mac
42. Pentest Tools Port Scanner
43. Pentest Tools Port Scanner
44. Hacker Tools 2019
45. Pentest Tools Alternative
46. Hacker Tools Hardware
47. New Hack Tools
48. Hacker Tools Apk
49. Pentest Tools Apk
50. Hacking App
51. Hacking Tools Software
52. Install Pentest Tools Ubuntu
53. Pentest Tools Bluekeep
54. Nsa Hacker Tools
55. Top Pentest Tools
56. Hack Tools For Windows
57. Hak5 Tools
58. Hack Tools Github
59. Pentest Tools Online
60. Best Hacking Tools 2019
61. Pentest Tools Online
62. Pentest Tools Download
63. Pentest Tools For Ubuntu
64. Hacker Tools For Pc
65. Pentest Tools Website
66. Hack Tools Mac
67. Tools For Hacker
68. Hacker Tools Apk
69. Blackhat Hacker Tools
70. Hack Tools Mac
71. Hacker Tools Mac
72. Hack Tools For Ubuntu
73. Hacking Tools For Games
74. Pentest Automation Tools
75. Hacking Tools Mac
76. Hack Tools
77. Pentest Tools Subdomain
78. Usb Pentest Tools
79. Hacker Tools For Ios
80. Hacking Tools 2020
81. Nsa Hack Tools
82. Hacking Tools For Beginners
83. Hacker Tools Free
84. Pentest Reporting Tools
85. Hacker Tools For Mac
86. Hacking Tools
87. Pentest Tools Port Scanner
88. Pentest Tools Subdomain
89. Blackhat Hacker Tools