Fixed a false positve in the BleichenBacherAttacker

ic0ns · ic0ns · commit 06a09090ca3d · 2018-02-06T16:47:23.000+01:00
diff --git a/Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/config/HeartbleedCommandConfig.java b/Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/config/HeartbleedCommandConfig.java
@@ -18,7 +18,6 @@
 import de.rub.nds.tlsattacker.core.config.delegate.ProtocolVersionDelegate;
 import de.rub.nds.tlsattacker.core.constants.HeartbeatMode;
 import de.rub.nds.tlsattacker.core.workflow.factory.WorkflowTraceType;
-import de.rub.nds.tlsattacker.transport.TransportHandlerType;
 
 public class HeartbleedCommandConfig extends AttackConfig {
 
@@ -65,7 +64,6 @@ public boolean isExecuteAttack() {
     public Config createConfig() {
         Config config = super.createConfig();
         config.setAddHeartbeatExtension(true);
-        config.setWorkflowTraceType(WorkflowTraceType.FULL);
         config.setHeartbeatMode(HeartbeatMode.PEER_ALLOWED_TO_SEND);
         return config;
     }
diff --git a/Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/impl/BleichenbacherAttacker.java b/Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/impl/BleichenbacherAttacker.java
@@ -11,6 +11,7 @@
 import de.rub.nds.modifiablevariable.util.ArrayConverter;
 import de.rub.nds.tlsattacker.attacks.config.BleichenbacherCommandConfig;
 import de.rub.nds.tlsattacker.attacks.pkcs1.Bleichenbacher;
+import de.rub.nds.tlsattacker.attacks.pkcs1.BleichenbacherVulnerabilityMap;
 import de.rub.nds.tlsattacker.attacks.pkcs1.BleichenbacherWorkflowGenerator;
 import de.rub.nds.tlsattacker.attacks.pkcs1.BleichenbacherWorkflowType;
 import de.rub.nds.tlsattacker.attacks.pkcs1.Pkcs1Vector;
@@ -99,12 +100,45 @@ private EqualityError isVulnerable(BleichenbacherWorkflowType bbWorkflowType, Li
             return null;
         }
         printBleichenbacherVectormap(bleichenbacherVectorMap);
+        EqualityError error = getEqualityError(bleichenbacherVectorMap);
+        if (error == EqualityError.SOCKET_EXCEPTION || error == EqualityError.SOCKET_STATE) {
+            LOGGER.debug("Found a Socket related side channel. Rescanning to confirm.");
+            // Socket Equality Errors can be caused by problems on on the
+            // network. In this case we do a rescan
+            // and check if we find the exact same answer behaviour (twice)
+            List<VectorFingerprintPair> secondBleichenbacherVectorMap = getBleichenbacherMap(bbWorkflowType,
+                    pkcs1Vectors);
+            EqualityError error2 = getEqualityError(secondBleichenbacherVectorMap);
+            BleichenbacherVulnerabilityMap mapOne = new BleichenbacherVulnerabilityMap(bleichenbacherVectorMap, error);
+            BleichenbacherVulnerabilityMap mapTwo = new BleichenbacherVulnerabilityMap(secondBleichenbacherVectorMap,
+                    error2);
+            if (mapOne.looksIdentical(mapTwo)) {
+                List<VectorFingerprintPair> thirdBleichenbacherVectorMap = getBleichenbacherMap(bbWorkflowType,
+                        pkcs1Vectors);
+                EqualityError error3 = getEqualityError(secondBleichenbacherVectorMap);
+                BleichenbacherVulnerabilityMap mapThree = new BleichenbacherVulnerabilityMap(
+                        secondBleichenbacherVectorMap, error2);
+                if (!mapTwo.looksIdentical(mapThree)) {
+                    LOGGER.debug("The third scan prove this vulnerability to be non existent");
+                    error = EqualityError.NONE;
+                }
+            } else {
+                LOGGER.debug("The second scan prove this vulnerability to be non existent");
+                error = EqualityError.NONE;
+            }
+        }
+        if (error != EqualityError.NONE) {
+            LOGGER.log(LogLevel.CONSOLE_OUTPUT, "Found a vulnerability with " + bbWorkflowType.getDescription());
+        }
+        return error;
+    }
+
+    public EqualityError getEqualityError(List<VectorFingerprintPair> bleichenbacherVectorMap) {
         ResponseFingerprint fingerprint = bleichenbacherVectorMap.get(0).getFingerprint();
         for (VectorFingerprintPair pair : bleichenbacherVectorMap) {
             EqualityError error = FingerPrintChecker.checkEquality(fingerprint, pair.getFingerprint(), false);
             if (error != EqualityError.NONE) {
-                LOGGER.log(LogLevel.CONSOLE_OUTPUT, "Found a difference in responses in the {}.",
-                        bbWorkflowType.getDescription());
+                LOGGER.log(LogLevel.CONSOLE_OUTPUT, "Found an EqualityError!");
                 LOGGER.log(LogLevel.CONSOLE_OUTPUT,
                         EqualityErrorTranslator.translation(error, fingerprint, pair.getFingerprint()));
                 return error;
diff --git a/Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/pkcs1/BleichenbacherVulnerabilityMap.java b/Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/pkcs1/BleichenbacherVulnerabilityMap.java
@@ -0,0 +1,52 @@
+/**
+ * TLS-Attacker - A Modular Penetration Testing Framework for TLS
+ *
+ * Copyright 2014-2017 Ruhr University Bochum / Hackmanit GmbH
+ *
+ * Licensed under Apache License 2.0
+ * http://www.apache.org/licenses/LICENSE-2.0
+ */
+package de.rub.nds.tlsattacker.attacks.pkcs1;
+
+import de.rub.nds.tlsattacker.attacks.util.response.EqualityError;
+import de.rub.nds.tlsattacker.attacks.util.response.FingerPrintChecker;
+import java.util.List;
+
+public class BleichenbacherVulnerabilityMap {
+
+    private final List<VectorFingerprintPair> bleichenbacherVectorMap;
+
+    private final EqualityError error;
+
+    public BleichenbacherVulnerabilityMap(List<VectorFingerprintPair> bleichenbacherVectorMap, EqualityError error) {
+        this.bleichenbacherVectorMap = bleichenbacherVectorMap;
+        this.error = error;
+    }
+
+    public boolean looksIdentical(BleichenbacherVulnerabilityMap otherMap) {
+        if (otherMap.error != this.error) {
+            return false;
+        }
+        for (VectorFingerprintPair otherPair : otherMap.bleichenbacherVectorMap) {
+            for (VectorFingerprintPair ourPair : bleichenbacherVectorMap) {
+                if (otherPair.getVector().getDescription().equals(this)) {
+                    // ok we found the right pairs
+                    if (FingerPrintChecker.checkEquality(ourPair.getFingerprint(), otherPair.getFingerprint(), true) != EqualityError.NONE) {
+                        return false;
+                    } else {
+                        break;
+                    }
+                }
+            }
+        }
+        return true;
+    }
+
+    public List<VectorFingerprintPair> getBleichenbacherVectorMap() {
+        return bleichenbacherVectorMap;
+    }
+
+    public EqualityError getError() {
+        return error;
+    }
+}
diff --git a/Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/pkcs1/VectorFingerprintPair.java b/Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/pkcs1/VectorFingerprintPair.java
@@ -9,6 +9,7 @@
 package de.rub.nds.tlsattacker.attacks.pkcs1;
 
 import de.rub.nds.tlsattacker.attacks.util.response.ResponseFingerprint;
+import java.util.Objects;
 
 public class VectorFingerprintPair {
 
@@ -41,4 +42,34 @@ public void setVector(Pkcs1Vector vector) {
     public String toString() {
         return "PKCS#1 Vector: " + vector.getDescription() + " Fingerprint=" + fingerprint.toString();
     }
+
+    @Override
+    public int hashCode() {
+        int hash = 3;
+        hash = 67 * hash + Objects.hashCode(this.fingerprint);
+        hash = 67 * hash + Objects.hashCode(this.vector);
+        return hash;
+    }
+
+    @Override
+    public boolean equals(Object obj) {
+        if (this == obj) {
+            return true;
+        }
+        if (obj == null) {
+            return false;
+        }
+        if (getClass() != obj.getClass()) {
+            return false;
+        }
+        final VectorFingerprintPair other = (VectorFingerprintPair) obj;
+        if (!Objects.equals(this.fingerprint, other.fingerprint)) {
+            return false;
+        }
+        if (!Objects.equals(this.vector, other.vector)) {
+            return false;
+        }
+        return true;
+    }
+
 }
diff --git a/Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/util/response/EqualityErrorTranslator.java b/Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/util/response/EqualityErrorTranslator.java
@@ -61,7 +61,7 @@ public static String translation(EqualityError error, ResponseFingerprint finger
                 builder.append("The server seems to ocassionally respond with a socket exception.");
                 break;
             case SOCKET_STATE:
-                builder.append("The server seems to ocassionally move the TCP socket in different states. Note that this difference is prone to false-positives if the network is unreliable.");
+                builder.append("The server seems to ocassionally move the TCP socket in different states.");
                 break;
             default:
                 builder.append(error.toString());
