Slide 1

Compression Oracle Attacks on VPN Networks
Nafeez

Slide 2

Nafeez: AppSec research, static analysis tools, writing code.
Maker @ assetwatch.io - Simple & Transparent Attack Surface Discovery
@skeptic_fx

Slide 3

Overview
- Compression side channel and encryption
- History of attacks
- VPNs and how they use compression
- Voracle attack
- How to find if your "VPN" is vulnerable
- Way forward

Slide 4

Data Compression: LZ77
Replace redundant patterns with (distance, length) back-references into already-seen text.

102 characters:
Everything looked dark and bleak, everything looked gloomy, and everything was under a blanket of mist

89 characters:
Everything looked dark and bleak, (-34,18)gloomy, and (-54,11)was under a blanket of mist

Slide 5

Data Compression: Huffman Coding
Replace frequent bytes with shorter codes.
https://en.wikipedia.org/wiki/Huffman_coding

Slide 6

Data Compression: DEFLATE = LZ77 + Huffman Coding
ZLIB and GZIP are well-known DEFLATE libraries.

Slide 7

Compression Side Channel
First known research in 2002.

Slide 8

The Side Channel: the length of encrypted payloads.

Slide 9

Plain Text Data -> Compress -> Encrypt -> Encrypted Data + Data Length

Slide 10

Plain Text Data + Attacker Controlled Bytes -> Compress -> Encrypt -> Encrypted Data + Data Length

Slide 11

Plain Text Data + Attacker Controlled Bytes -> Compress -> Encrypt -> Encrypted Data + Data Length
Attacker: Observe Encrypted Traffic (the data length)

Slide 12

Compression Oracle Attack
- A chosen plaintext attack
- Brute force the secret byte by byte
- Force a compression (an LZ77 match) between the chosen byte and the existing bytes of the secret

Slides 13-20

Brute-forcing the first byte of the secret. The application data contains the secret, the attacker appends "secret=" plus one guessed digit, the whole buffer is compressed and then encrypted, and only the encrypted length is observed.

Application data:        secret=637193-some-app-data;
Attacker injected bytes: secret=<guess>
Whole data before compression / encryption: secret=637193-some-app-data;secret=<guess>
Both "secret=" occurrences are compressible: the second one becomes an LZ77 back-reference to the first.

Guess      Whole data before compression / encryption   Encrypted length
secret=1   secret=637193-some-app-data;secret=1         30
secret=2   secret=637193-some-app-data;secret=2         30
secret=3   secret=637193-some-app-data;secret=3         30
secret=4   secret=637193-some-app-data;secret=4         30
secret=5   secret=637193-some-app-data;secret=5         30
secret=6   secret=637193-some-app-data;secret=6         29

secret=6: more compression, smaller length. Compression increased by 1 byte because the back-reference now also covers the guessed digit, so the first byte of the secret is 6.
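Added example, not from the slides or from the voracle tool: the byte-by-byte oracle above run with Python's zlib on the slide's own strings, extended to recover all six digits, plus a mitigation check showing that compressing the secret and the attacker-controlled bytes in separate contexts (the HPACK / cf-nocompress idea from the later slides) removes the length difference. The function names are mine; zlib's absolute sizes include its own header and trailer and so differ from the 30/29 on the slide, but the one-byte drop on the right guess is the same.

```python
import zlib

# Constructed example data (copied from the slides): application data that
# holds the secret, and the attacker-controlled bytes appended after it.
APP_DATA = "secret=637193-some-app-data;"
GUESS_PREFIX = "secret="


def compressed_len(plaintext: str) -> int:
    """Length of the compressed payload. With compress-then-encrypt the
    ciphertext length reveals this number, because encryption keeps size."""
    return len(zlib.compress(plaintext.encode()))


def guess_lengths(app_data: str, known: str, candidates: str = "0123456789") -> dict:
    """Observed length for each candidate byte appended after the known prefix."""
    return {c: compressed_len(app_data + GUESS_PREFIX + known + c)
            for c in candidates}


def best_guess(lengths: dict) -> str:
    """The candidate that compressed best: with LZ77 that is the byte which
    extended the back-reference into the secret by one more character."""
    return min(lengths, key=lengths.get)


def recover_digits(app_data: str, n: int) -> str:
    """Repeat the oracle n times, extending the known prefix one byte each time."""
    known = ""
    for _ in range(n):
        known += best_guess(guess_lengths(app_data, known))
    return known


def separated_lengths(app_data: str, known: str, candidates: str = "0123456789") -> dict:
    """Mitigation check: compress the secret and the attacker bytes in separate
    contexts, so a guess never shares a compression window with the secret.
    Every candidate then yields the same total length and the oracle is gone."""
    base = compressed_len(app_data)
    return {c: base + compressed_len(GUESS_PREFIX + known + c) for c in candidates}


if __name__ == "__main__":
    for guess, length in guess_lengths(APP_DATA, "").items():
        print(f"secret={guess}  compressed length = {length}")
    print("recovered:", recover_digits(APP_DATA, 6))
    print("separated contexts:", sorted(set(separated_lengths(APP_DATA, "").values())))
```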

Slide 21

How can we convert this into a real-world attack on browsers?

Slide 22

Plain Text Data + Attacker Controlled Bytes -> Compress -> Encrypt -> Encrypted Data + Data Length
Attacker: Observe Encrypted Traffic

Slide 23

Add Attacker Controlled Bytes:
- Ambient authority of cookies in browsers
- Simple cross-domain requests with a POST body
Observe Encrypted Traffic:
- MITM. People do this all the time.

Slide 24

EkoParty 2012
Back in 2012: Juliano Rizzo, Thai Duong

Slide 25

CRIME, 2012
www.ekoparty.org/archive/2012/CRIME_ekoparty2012.pdf

Slide 26

TIME Attack, 2013
Tal Be'ery, Amichai Shulman
Timing side channel purely via browsers, using TCP window sizes. Extends CRIME to HTTP responses.

Slide 27

BREACH Attack, 2013
BreachAttack.com
Angelo Prado, Neal Harris, Yoel Gluck

Slide 28

So far CRIME-style attacks have mostly targeted HTTPS.
There are more: HEIST, Practical Developments to BREACH.

Slide 29

So, what's new today?

Slide 30

VPN Tunnels

Slide 31

TLS VPNs are pretty common these days.

Slide 32

No content

Slide 33

What do most of these SaaS VPNs have in common?

Slide 34

OpenVPN

Slide 35

High level overview
- Authentication & key negotiation (control channel)
- Data channel compression
- Data channel encryption

Slide 36

Compress everything: UDP, TCP, bi-directional.

Slide 37

OpenVPN compression algorithms: LZO, LZ4 (LZ77 family)

Slide 38

We have compress-then-encrypt on the whole data channel.

Slide 39

VORACLE Attack

Slide 40

Under a VPN, HTTP web apps are still insecure!

Slide 41

Things are safe if the underlying application layer already uses an encrypted channel.

Slide 42

Things might go bad if the VPN tunnel is what encrypts otherwise non-encrypted data.

Slide 43

Let's see how this attack works on an HTTP website accessed through an encrypted VPN.

Slide 44

Requirements
- VPN server and client have compression enabled
- Attacker can observe VPN traffic
- VPN user visits attacker.com

Slides 45-55 (progressive build of the attack setup)

Attack Setup
- VPN User, running a Browser
- HTTP WebApp
- Trusted VPN with Compression
- Attacker
  - attacker.com: injected ads, malicious blogs, etc.
  - Passive MITM: can observe VPN data packet lengths
  - Can send cross-domain requests to the HTTP WebApp

Slide 56

The attacker can now conduct compression oracle attacks on HTTP requests and responses.

Slide 57

Demo
Attack goal: steal the sessionId cookie from a cross-domain website.
- Browser: Mozilla Firefox
- VPN Client: https://github.com/OpenVPN/openvpn3
- VPN Server: OpenVPN Server
- WebApp: http://insecure.skepticfx.com

Slide 58

Voracle
https://github.com/skepticfx/voracle

Slide 59

Attack Challenges
- No Server Name Indication (SNI) or TLS certificates.
- VPN traffic is too chatty: everything goes through it, so it is hard to determine the attacker's own traffic.

Slide 60

Also: the browser needs to send HTTP requests in a single TCP data packet.

Slide 61

Google Chrome splits plain HTTP requests into header and body, so we can't get the compression window in the same request.

Slide 62

Mozilla Firefox sends them all in a single TCP data packet, so now we get the compression window in the same request.

Slide 63

Detecting Voracle in your VPN

Slide 64

If your VPN provider is using OpenVPN, take a look at your client configuration.

Slide 65

OpenVPN Client Configuration (*.OVPN)
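Added example, not from the slides: a small Python check for the compression directives in an OpenVPN client configuration. The directive names comp-lzo, compress and allow-compression are OpenVPN's own; the two sample configs, the function compression_findings and the conservative rule that reports a missing "allow-compression no" are constructed for this example.

```python
# Constructed sample client configs (not from any real provider).
VULNERABLE_OVPN = """\
client
dev tun
proto udp
remote vpn.example.com 1194
comp-lzo
cipher AES-256-GCM
<ca>
# text inside an inline block is certificate data, not a directive
</ca>
"""

SAFE_OVPN = """\
client
dev tun
remote vpn.example.com 1194
compress stub-v2
allow-compression no
cipher AES-256-GCM
"""

# Arguments to 'compress' that really compress the data channel; 'stub',
# 'stub-v2' or no argument only add the compression framing byte.
COMPRESSING_ALGOS = {"lzo", "lz4", "lz4-v2"}


def compression_findings(ovpn_text: str) -> list:
    """Return (line number, line, reason) for every directive that enables or
    permits data-channel compression in an OpenVPN client config."""
    findings, in_block, saw_allow_no = [], False, False
    for lineno, raw in enumerate(ovpn_text.splitlines(), 1):
        line = raw.strip()
        if in_block:                        # inside <ca>, <cert>, <key>, ...
            in_block = not line.startswith("</")
            continue
        if line.startswith("<") and not line.startswith("</"):
            in_block = True
            continue
        if not line or line[0] in "#;":     # full-line comment
            continue
        directive, *args = line.split()
        if directive == "comp-lzo" and (not args or args[0] in ("yes", "adaptive")):
            findings.append((lineno, line, "LZO compression enabled"))
        elif directive == "compress" and args and args[0] in COMPRESSING_ALGOS:
            findings.append((lineno, line, f"{args[0]} compression enabled"))
        elif directive == "allow-compression":
            saw_allow_no = args == ["no"]
    if not saw_allow_no:
        # Conservative rule (an assumption of this example): without an explicit
        # 'allow-compression no' (OpenVPN 2.5+), treat server-pushed compression
        # options as something the client may accept.
        findings.append((0, "", "no 'allow-compression no': server may push compression"))
    return findings
```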

Slide 66

Or you can test this dynamically by triggering compression and observing the length.

Slide 67

DIY Voracle Detection
- Fire up Wireshark
- Connect to your VPN under test
- Send a few curl requests with compression
- Observe the VPN payload length

Slides 68-70

Curl and observe the length:

curl -s -o /dev/null -X POST http://website.com -d "--some-data-- Secret=37346282; --blah-- Secret=1 Secret=1"   Length = x
curl -s -o /dev/null -X POST http://website.com -d "--some-data-- Secret=37346282; --blah-- Secret=2 Secret=2"   Length = x
curl -s -o /dev/null -X POST http://website.com -d "--some-data-- Secret=37346282; --blah-- Secret=3 Secret=3"   Length = x-1

Secret=3: more compression, smaller length. The VPN payload shrinks when the guess matches the secret, so the tunnel is compressing your plaintext.

Slide 71

Fix?

Slide 72

Fixing compression is an interesting problem.

Slide 73

Remember when SPDY was vulnerable to CRIME?

Slide 74

HPACK in HTTP/2 selectively disables header compression for sensitive fields.

Slide 75

https://http2.github.io/http2-spec/compression.html

Slide 76

cf-nocompress
https://blog.cloudflare.com/a-solution-to-compression-oracles-on-the-web/

Slide 77

For VPNs: disable compression entirely for all plaintext transactions.

Slide 78

Turning compression off by default is opinionated.

Slide 79

OpenVPN chose to warn implementors more explicitly to turn off data compression.
https://github.com/OpenVPN/openvpn/commit/a59fd147

Slide 80

turned off compression entirely

Slide 81

It's time everything moves to HTTPS.

Slide 82

Takeaway
- End users & website owners: if you are using a VPN to access plaintext websites over the internet, it's time to move them to HTTPS.
- VPN providers: explicitly state what your VPN protects against. If you are claiming your VPN tunnel protects plaintext web apps, ensure you do not compress them.

Slide 83

Thank you!
@skeptic_fx
[email protected]