Merge pull request #410 from RUB-NDS/moreattackfixes

Padding Oracle and Bleichenbacher attack Rework

Author: ic0ns

Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/config/HeartbleedCommandConfig.java

@@ -18,7 +18,6 @@
 import de.rub.nds.tlsattacker.core.config.delegate.ProtocolVersionDelegate;
 import de.rub.nds.tlsattacker.core.constants.HeartbeatMode;
 import de.rub.nds.tlsattacker.core.workflow.factory.WorkflowTraceType;
-import de.rub.nds.tlsattacker.transport.TransportHandlerType;
 
 public class HeartbleedCommandConfig extends AttackConfig {
 
@@ -65,7 +64,6 @@ public boolean isExecuteAttack() {
     public Config createConfig() {
         Config config = super.createConfig();
         config.setAddHeartbeatExtension(true);
-        config.setWorkflowTraceType(WorkflowTraceType.FULL);
         config.setHeartbeatMode(HeartbeatMode.PEER_ALLOWED_TO_SEND);
         return config;
     }

Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/exception/PaddingOracleUnstableException.java

@@ -0,0 +1,21 @@
+/**
+ * TLS-Attacker - A Modular Penetration Testing Framework for TLS
+ *
+ * Copyright 2014-2017 Ruhr University Bochum / Hackmanit GmbH
+ *
+ * Licensed under Apache License 2.0
+ * http://www.apache.org/licenses/LICENSE-2.0
+ */
+package de.rub.nds.tlsattacker.attacks.exception;
+
+/**
+ *
+ * @author Robert Merget <robert.merget@rub.de>
+ */
+public class PaddingOracleUnstableException extends RuntimeException {
+
+    public PaddingOracleUnstableException(String string) {
+        super(string);
+    }
+
+}

Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/impl/BleichenbacherAttacker.java

@@ -11,6 +11,7 @@
 import de.rub.nds.modifiablevariable.util.ArrayConverter;
 import de.rub.nds.tlsattacker.attacks.config.BleichenbacherCommandConfig;
 import de.rub.nds.tlsattacker.attacks.pkcs1.Bleichenbacher;
+import de.rub.nds.tlsattacker.attacks.pkcs1.BleichenbacherVulnerabilityMap;
 import de.rub.nds.tlsattacker.attacks.pkcs1.BleichenbacherWorkflowGenerator;
 import de.rub.nds.tlsattacker.attacks.pkcs1.BleichenbacherWorkflowType;
 import de.rub.nds.tlsattacker.attacks.pkcs1.Pkcs1Vector;
@@ -99,12 +100,45 @@ private EqualityError isVulnerable(BleichenbacherWorkflowType bbWorkflowType, Li
             return null;
         }
         printBleichenbacherVectormap(bleichenbacherVectorMap);
+        EqualityError error = getEqualityError(bleichenbacherVectorMap);
+        if (error == EqualityError.SOCKET_EXCEPTION || error == EqualityError.SOCKET_STATE) {
+            LOGGER.debug("Found a Socket related side channel. Rescanning to confirm.");
+            // Socket Equality Errors can be caused by problems on on the
+            // network. In this case we do a rescan
+            // and check if we find the exact same answer behaviour (twice)
+            List<VectorFingerprintPair> secondBleichenbacherVectorMap = getBleichenbacherMap(bbWorkflowType,
+                    pkcs1Vectors);
+            EqualityError error2 = getEqualityError(secondBleichenbacherVectorMap);
+            BleichenbacherVulnerabilityMap mapOne = new BleichenbacherVulnerabilityMap(bleichenbacherVectorMap, error);
+            BleichenbacherVulnerabilityMap mapTwo = new BleichenbacherVulnerabilityMap(secondBleichenbacherVectorMap,
+                    error2);
+            if (mapOne.looksIdentical(mapTwo)) {
+                List<VectorFingerprintPair> thirdBleichenbacherVectorMap = getBleichenbacherMap(bbWorkflowType,
+                        pkcs1Vectors);
+                EqualityError error3 = getEqualityError(secondBleichenbacherVectorMap);
+                BleichenbacherVulnerabilityMap mapThree = new BleichenbacherVulnerabilityMap(
+                        secondBleichenbacherVectorMap, error2);
+                if (!mapTwo.looksIdentical(mapThree)) {
+                    LOGGER.debug("The third scan prove this vulnerability to be non existent");
+                    error = EqualityError.NONE;
+                }
+            } else {
+                LOGGER.debug("The second scan prove this vulnerability to be non existent");
+                error = EqualityError.NONE;
+            }
+        }
+        if (error != EqualityError.NONE) {
+            LOGGER.log(LogLevel.CONSOLE_OUTPUT, "Found a vulnerability with " + bbWorkflowType.getDescription());
+        }
+        return error;
+    }
+
+    public EqualityError getEqualityError(List<VectorFingerprintPair> bleichenbacherVectorMap) {
         ResponseFingerprint fingerprint = bleichenbacherVectorMap.get(0).getFingerprint();
         for (VectorFingerprintPair pair : bleichenbacherVectorMap) {
             EqualityError error = FingerPrintChecker.checkEquality(fingerprint, pair.getFingerprint(), false);
             if (error != EqualityError.NONE) {
-                LOGGER.log(LogLevel.CONSOLE_OUTPUT, "Found a difference in responses in the {}.",
-                        bbWorkflowType.getDescription());
+                LOGGER.log(LogLevel.CONSOLE_OUTPUT, "Found an EqualityError!");
                 LOGGER.log(LogLevel.CONSOLE_OUTPUT,
                         EqualityErrorTranslator.translation(error, fingerprint, pair.getFingerprint()));
                 return error;

Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/impl/PaddingOracleAttacker.java

@@ -13,6 +13,7 @@
 import de.rub.nds.modifiablevariable.bytearray.ModifiableByteArray;
 import de.rub.nds.modifiablevariable.util.ArrayConverter;
 import de.rub.nds.tlsattacker.attacks.config.PaddingOracleCommandConfig;
+import de.rub.nds.tlsattacker.attacks.exception.PaddingOracleUnstableException;
 import de.rub.nds.tlsattacker.attacks.util.response.EqualityError;
 import de.rub.nds.tlsattacker.attacks.util.response.EqualityErrorTranslator;
 import de.rub.nds.tlsattacker.attacks.util.response.FingerPrintChecker;
@@ -40,6 +41,7 @@
 import java.util.HashMap;
 import java.util.LinkedList;
 import java.util.List;
+import java.util.Set;
 
 /**
  * Executes a padding oracle attack check. It logs an error in case the tested
@@ -159,6 +161,56 @@ private byte[] createPaddingBytes(int padding) {
 
     @Override
     public Boolean isVulnerable() {
+
+        LOGGER.log(LogLevel.CONSOLE_OUTPUT,
+                "A server is considered vulnerable to this attack if it responds differently to the test vectors.");
+        LOGGER.log(LogLevel.CONSOLE_OUTPUT, "A server is considered secure if it always responds the same way.");
+        HashMap<Integer, List<ResponseFingerprint>> responseMap = createResponseMap();
+
+        EqualityError error = getEqualityError(responseMap);
+        if (error == EqualityError.SOCKET_EXCEPTION || error == EqualityError.SOCKET_STATE) {
+            LOGGER.log(LogLevel.CONSOLE_OUTPUT, "Found a candidate for a Socket difference performing rescan");
+            HashMap<Integer, List<ResponseFingerprint>> responseMapTwo = createResponseMap();
+            EqualityError errorTwo = getEqualityError(responseMapTwo);
+            if (error == errorTwo && lookEqual(responseMap, responseMapTwo)) {
+                HashMap<Integer, List<ResponseFingerprint>> responseMapThree = createResponseMap();
+                EqualityError errorThree = getEqualityError(responseMapThree);
+                if (error == errorThree && lookEqual(responseMap, responseMapThree)) {
+                    LOGGER.log(LogLevel.CONSOLE_OUTPUT,
+                            "Found an equality Error in a SocketState, performed to rescans and it still presisted");
+                    LOGGER.log(LogLevel.CONSOLE_OUTPUT, "The Server is very likely vulnerabble");
+                } else {
+                    LOGGER.log(LogLevel.CONSOLE_OUTPUT, "Rescan revealed a false positive");
+                    return false;
+                }
+            } else {
+                LOGGER.log(LogLevel.CONSOLE_OUTPUT, "Rescan revealed a false positive");
+                return false;
+            }
+        }
+        LOGGER.log(LogLevel.CONSOLE_OUTPUT, EqualityErrorTranslator.translation(error, null, null));
+        return error != EqualityError.NONE;
+    }
+
+    public boolean lookEqual(HashMap<Integer, List<ResponseFingerprint>> responseMapOne,
+            HashMap<Integer, List<ResponseFingerprint>> responseMapTwo) {
+        for (Integer key : responseMapOne.keySet()) {
+            List<ResponseFingerprint> listOne = responseMapOne.get(key);
+            List<ResponseFingerprint> listTwo = responseMapTwo.get(key);
+            if (listOne.size() != listTwo.size()) {
+                throw new PaddingOracleUnstableException(
+                        "The padding Oracle seems to be unstable - there is something going terrible wrong. We recommend manual analysis");
+            }
+            for (int i = 0; i < listOne.size(); i++) {
+                if (FingerPrintChecker.checkEquality(listOne.get(i), listTwo.get(i), false) != EqualityError.NONE) {
+                    return false;
+                }
+            }
+        }
+        return true;
+    }
+
+    public HashMap<Integer, List<ResponseFingerprint>> createResponseMap() {
         int macSize = AlgorithmResolver.getMacAlgorithm(tlsConfig.getDefaultSelectedProtocolVersion(),
                 tlsConfig.getDefaultSelectedCipherSuite()).getSize();
         int blockSize = AlgorithmResolver.getCipher(tlsConfig.getDefaultSelectedCipherSuite())
@@ -173,7 +225,6 @@ public Boolean isVulnerable() {
             State state;
             try {
                 state = executeTlsFlow(record);
-
             } catch (WorkflowExecutionException | ConfigurationException E) {
                 LOGGER.warn(E);
                 LOGGER.warn("TLS-Attacker failed execute a Handshake. Skipping to next record");
@@ -194,29 +245,22 @@ public Boolean isVulnerable() {
             } else {
                 LOGGER.warn("Could not execute Workflow. Something went wrong... Check the debug output for more information");
             }
-
         }
-        LOGGER.log(LogLevel.CONSOLE_OUTPUT,
-                "A server is considered vulnerable to this attack if it responds differently to the test vectors.");
-        LOGGER.log(LogLevel.CONSOLE_OUTPUT, "A server is considered secure if it always responds the same way.");
+        return responseMap;
+    }
 
+    public EqualityError getEqualityError(HashMap<Integer, List<ResponseFingerprint>> responseMap) {
         for (List<ResponseFingerprint> list : responseMap.values()) {
             ResponseFingerprint fingerprint = list.get(0);
             for (int i = 1; i < list.size(); i++) {
                 EqualityError error = FingerPrintChecker.checkEquality(fingerprint, list.get(i), true);
                 if (error != EqualityError.NONE) {
                     LOGGER.log(LogLevel.CONSOLE_OUTPUT, "Found an equality Error: " + error);
-                    LOGGER.debug("Fingerprint1: " + fingerprint.toString());
-                    LOGGER.debug("Fingerprint2: " + list.get(i).toString());
-                    LOGGER.log(LogLevel.CONSOLE_OUTPUT,
-                            EqualityErrorTranslator.translation(error, fingerprint, list.get(i)));
-                    return true;
+                    return error;
                 }
-
             }
         }
-        LOGGER.log(LogLevel.CONSOLE_OUTPUT, EqualityErrorTranslator.translation(EqualityError.NONE, null, null));
-        return false;
+        return EqualityError.NONE;
     }
 
     private void clearConnections(State state) {

Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/pkcs1/BleichenbacherVulnerabilityMap.java

@@ -0,0 +1,52 @@
+/**
+ * TLS-Attacker - A Modular Penetration Testing Framework for TLS
+ *
+ * Copyright 2014-2017 Ruhr University Bochum / Hackmanit GmbH
+ *
+ * Licensed under Apache License 2.0
+ * http://www.apache.org/licenses/LICENSE-2.0
+ */
+package de.rub.nds.tlsattacker.attacks.pkcs1;
+
+import de.rub.nds.tlsattacker.attacks.util.response.EqualityError;
+import de.rub.nds.tlsattacker.attacks.util.response.FingerPrintChecker;
+import java.util.List;
+
+public class BleichenbacherVulnerabilityMap {
+
+    private final List<VectorFingerprintPair> bleichenbacherVectorMap;
+
+    private final EqualityError error;
+
+    public BleichenbacherVulnerabilityMap(List<VectorFingerprintPair> bleichenbacherVectorMap, EqualityError error) {
+        this.bleichenbacherVectorMap = bleichenbacherVectorMap;
+        this.error = error;
+    }
+
+    public boolean looksIdentical(BleichenbacherVulnerabilityMap otherMap) {
+        if (otherMap.error != this.error) {
+            return false;
+        }
+        for (VectorFingerprintPair otherPair : otherMap.bleichenbacherVectorMap) {
+            for (VectorFingerprintPair ourPair : bleichenbacherVectorMap) {
+                if (otherPair.getVector().getDescription().equals(this)) {
+                    // ok we found the right pairs
+                    if (FingerPrintChecker.checkEquality(ourPair.getFingerprint(), otherPair.getFingerprint(), true) != EqualityError.NONE) {
+                        return false;
+                    } else {
+                        break;
+                    }
+                }
+            }
+        }
+        return true;
+    }
+
+    public List<VectorFingerprintPair> getBleichenbacherVectorMap() {
+        return bleichenbacherVectorMap;
+    }
+
+    public EqualityError getError() {
+        return error;
+    }
+}

Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/pkcs1/VectorFingerprintPair.java

@@ -9,6 +9,7 @@
 package de.rub.nds.tlsattacker.attacks.pkcs1;
 
 import de.rub.nds.tlsattacker.attacks.util.response.ResponseFingerprint;
+import java.util.Objects;
 
 public class VectorFingerprintPair {
 
@@ -41,4 +42,34 @@ public void setVector(Pkcs1Vector vector) {
     public String toString() {
         return "PKCS#1 Vector: " + vector.getDescription() + " Fingerprint=" + fingerprint.toString();
     }
+
+    @Override
+    public int hashCode() {
+        int hash = 3;
+        hash = 67 * hash + Objects.hashCode(this.fingerprint);
+        hash = 67 * hash + Objects.hashCode(this.vector);
+        return hash;
+    }
+
+    @Override
+    public boolean equals(Object obj) {
+        if (this == obj) {
+            return true;
+        }
+        if (obj == null) {
+            return false;
+        }
+        if (getClass() != obj.getClass()) {
+            return false;
+        }
+        final VectorFingerprintPair other = (VectorFingerprintPair) obj;
+        if (!Objects.equals(this.fingerprint, other.fingerprint)) {
+            return false;
+        }
+        if (!Objects.equals(this.vector, other.vector)) {
+            return false;
+        }
+        return true;
+    }
+
 }

Attacks/src/main/java/de/rub/nds/tlsattacker/attacks/util/response/EqualityErrorTranslator.java

@@ -61,7 +61,7 @@ public static String translation(EqualityError error, ResponseFingerprint finger
                 builder.append("The server seems to ocassionally respond with a socket exception.");
                 break;
             case SOCKET_STATE:
-                builder.append("The server seems to ocassionally move the TCP socket in different states. Note that this difference is prone to false-positives if the network is unreliable.");
+                builder.append("The server seems to ocassionally move the TCP socket in different states.");
                 break;
             default:
                 builder.append(error.toString());

TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/config/delegate/CiphersuiteDelegate.java

@@ -12,6 +12,8 @@
 import de.rub.nds.tlsattacker.core.config.Config;
 import de.rub.nds.tlsattacker.core.config.converters.CipherSuiteConverter;
 import de.rub.nds.tlsattacker.core.constants.CipherSuite;
+import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
 
@@ -35,6 +37,10 @@ public void setCipherSuites(List<CipherSuite> cipherSuites) {
         this.cipherSuites = cipherSuites;
     }
 
+    public void setCipherSuites(CipherSuite... cipherSuites) {
+        this.cipherSuites = new ArrayList(Arrays.asList(cipherSuites));
+    }
+
     @Override
     public void applyDelegate(Config config) {
         if (cipherSuites != null) {