Since August, I’ve spent countless hours studying CBC padding oracle attacks toward the development of a new scan tool called padcheck. Using this tool, I was able to identify thousands of popular domains which could be targeted by an active network adversary (i.e. MiTM) to hijack authenticated HTTPS sessions.
The underlying vulnerabilities break down into two main categories which I have named Zombie POODLE and GOLDENDOODLE. These names specifically refer to the techniques for exploiting a variety of underlying flaws in the MAC-Then-Pad-Then-Encrypt scheme used for TLS CBC ciphers. Zombie POODLE exploits a ‘MAC validity’ oracle whereas GOLDENDOODLE exploits a ‘pad validity’ oracle. These attacks are described in more detail in separate blog posts for Zombie POODLE and GOLDENDOODLE.
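As an added illustration (this is not code from the original post, nor from padcheck), the following Python sketch models the receiver-side checks of a MAC-then-pad-then-encrypt record after the CBC decryption step, which is abstracted away: the plaintext, HMAC tag and TLS-style padding are handled as plain bytes. `unprotect_leaky` reports padding failures and MAC failures as different errors, which is the kind of distinguishable behaviour a 'pad validity' or 'MAC validity' oracle feeds on; `unprotect_uniform` follows the RFC 5246 guidance of treating a bad pad as zero-length padding, always running the MAC check, and reporting a single `bad_record_mac` outcome. The key, message and the `protect`/`unprotect_*` names are constructed for the example. Note that the uniform variant closes the error-type channel only; timing differences in the MAC computation (the Lucky 13 problem) need separate constant-time treatment.

```python
import hashlib
import hmac

BLOCK = 16
MAC_LEN = hashlib.sha256().digest_size  # 32 bytes for HMAC-SHA256


class PadError(Exception):
    """Padding check failed (distinguishable in the leaky decoder)."""


class MacError(Exception):
    """MAC check failed (distinguishable in the leaky decoder)."""


class RecordError(Exception):
    """Single error type used by the hardened decoder (bad_record_mac)."""


def tls_pad(data: bytes) -> bytes:
    # TLS CBC padding: pad_len + 1 bytes, each equal to pad_len (RFC 5246 6.2.3.2).
    pad_len = (BLOCK - (len(data) + 1) % BLOCK) % BLOCK
    return data + bytes([pad_len]) * (pad_len + 1)


def protect(mac_key: bytes, plaintext: bytes) -> bytes:
    # MAC-then-pad: plaintext || HMAC(plaintext) || padding. The CBC encryption
    # stage is omitted; these are the bytes the receiver sees after CBC decryption.
    tag = hmac.new(mac_key, plaintext, hashlib.sha256).digest()
    return tls_pad(plaintext + tag)


def unprotect_leaky(mac_key: bytes, record: bytes) -> bytes:
    # Vulnerable pattern: padding is checked first and its failure is reported
    # differently from a MAC failure, so a peer can tell the two apart.
    pad_len = record[-1]
    if pad_len + 1 > len(record) - MAC_LEN:
        raise PadError("padding length exceeds record")
    if any(b != pad_len for b in record[-(pad_len + 1):]):
        raise PadError("padding bytes inconsistent")
    body = record[:-(pad_len + 1)]
    msg, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    if not hmac.compare_digest(hmac.new(mac_key, msg, hashlib.sha256).digest(), tag):
        raise MacError("bad MAC")
    return msg


def unprotect_uniform(mac_key: bytes, record: bytes) -> bytes:
    # Hardened pattern (RFC 5246 6.2.3.2): on a bad pad, continue as if the
    # padding were zero-length (one byte), always run the MAC check, and
    # report a single bad_record_mac regardless of which check failed.
    if len(record) < MAC_LEN + 1:
        raise RecordError("bad_record_mac")
    pad_len = record[-1]
    pad_ok = pad_len + 1 <= len(record) - MAC_LEN
    if pad_ok:
        pad_ok = all(b == pad_len for b in record[-(pad_len + 1):])
    strip = pad_len + 1 if pad_ok else 1
    body = record[:-strip]
    msg, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    mac_ok = hmac.compare_digest(hmac.new(mac_key, msg, hashlib.sha256).digest(), tag)
    if not (pad_ok and mac_ok):
        raise RecordError("bad_record_mac")
    return msg


def classify(decoder, mac_key: bytes, record: bytes) -> str:
    # Name of the error class the decoder raises, or "ok" when it accepts the record.
    try:
        decoder(mac_key, record)
        return "ok"
    except (PadError, MacError, RecordError) as exc:
        return type(exc).__name__


def demo() -> dict:
    # Constructed key and message; one record tampered in the padding byte,
    # one tampered in the plaintext with the padding left intact.
    key = b"constructed-demo-mac-key"
    record = protect(key, b"GET / HTTP/1.1\r\nCookie: session=constructed\r\n\r\n")
    bad_pad = record[:-1] + b"\xff"                    # pad_len far larger than the record
    bad_mac = bytes([record[0] ^ 0x01]) + record[1:]  # plaintext bit flipped, pad untouched
    return {
        "leaky": tuple(classify(unprotect_leaky, key, r) for r in (record, bad_pad, bad_mac)),
        "uniform": tuple(classify(unprotect_uniform, key, r) for r in (record, bad_pad, bad_mac)),
    }


if __name__ == "__main__":
    for name, outcomes in demo().items():
        print(f"{name:8s} valid={outcomes[0]} bad_pad={outcomes[1]} bad_mac={outcomes[2]}")
```

Running it shows the leaky decoder answering the two tampered records with `PadError` and `MacError` respectively, while the uniform decoder answers both with the same `RecordError`; that collapse of two outcomes into one is the property padding-oracle scanners such as the one described in this post are checking for.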
In this post, I will provide background on how I came to develop padcheck and identify several vulnerable implementations.
Background
The story of how I came to discover these vulnerabilities technically began in October 2017 when Hanno Böck and Juraj Somorovsky invited me to collaborate with them on assessing the prevalence and exploitability of Bleichenbacher oracle threats on the Internet. This research went on to be called ROBOT and it won the 2018 Pwnie award in the ‘Best Cryptographic Attack’ category.
Being involved in this research really opened my eyes to just how badly the TLS standards have failed to displace insecure technology.
In the case of ROBOT, the specifications repeatedly added increasingly unruly countermeasures for Bleichenbacher’s attack rather than simply deprecating the use of PKCS#1 v1.5 (or RSA encryption based key exchange). After this, I was excited to investigate more TLS flaws and, after several lengthy discussions with Hanno, I decided to read up on CBC padding oracle attacks.

In the week following Black Hat, I began reviewing CBC padding oracles
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Craig Young. Read the original post at: https://www.tripwire.com/state-of-security/vert/tls-cbc-padding-oracles/