Voracle - Compression Oracle Attacks on VPN Tunnels

Nafeez
August 11, 2018

Leaking secrets from OpenVPN using compression oracle side channel.

Transcript

  1. Compression Oracle
    Attacks on VPN
    Networks
    Nafeez

  2. Nafeez
    AppSec research, static analysis tools, writing code

    Maker @ assetwatch.io - Simple & Transparent Attack
    Surface Discovery

    @skeptic_fx

  3. Overview
    Compression Side Channel and Encryption

    History of attacks

    VPNs and how they use compression

    Voracle attack

    How to find if your "VPN" is vulnerable

    Way forward

  4. Data Compression
    LZ77
    Replace redundant patterns

    102 Characters

    Everything looked dark and bleak, everything looked gloomy,
    and everything was under a blanket of mist
    89 Characters

    Everything looked dark and bleak, (-34,18)gloomy,
    and (-54,11)was under a blanket of mist

  5. Data Compression
    Huffman Coding
    Replace frequent bytes with shorter codes

    https://en.wikipedia.org/wiki/Huffman_coding

  6. Data Compression
    DEFLATE - LZ77 + Huffman Coding

    ZLIB, GZIP are well known DEFLATE libraries
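
The LZ77 step from slides 4-6, as an added example that is not part of the deck: a minimal greedy LZ77 encoder and decoder that emits back-references in the slide's (-distance,length) notation. The input is the slide's sentence lowercased so that both copies of "everything" match exactly; min_match and window are this example's own parameters.

```python
# Minimal greedy LZ77 encoder/decoder (added example, not the deck's code).
# Back-references are rendered as "(-distance,length)" like slide 4's illustration.


def lz77_encode(text, min_match=6, window=4096):
    """Tokenize `text` into literal runs and (distance, length) back-references.

    At every position the longest earlier copy within `window` characters is
    taken, the nearest copy winning ties; anything shorter than `min_match`
    stays a literal. `min_match` and `window` are this example's parameters.
    """
    tokens, literals = [], []
    i, n = 0, len(text)
    while i < n:
        best_len, best_dist = 0, 0
        for dist in range(1, min(window, i) + 1):
            length = 0
            # A match may run past its own start (length > dist): the decoder
            # reproduces it character by character, exactly as real LZ77 does.
            while i + length < n and text[i + length] == text[i - dist + length]:
                length += 1
            if length > best_len:
                best_len, best_dist = length, dist
        if best_len >= min_match:
            if literals:
                tokens.append("".join(literals))
                literals = []
            tokens.append((best_dist, best_len))
            i += best_len
        else:
            literals.append(text[i])
            i += 1
    if literals:
        tokens.append("".join(literals))
    return tokens


def lz77_decode(tokens):
    """Rebuild the text; back-references copy from already-decoded output."""
    out = []
    for tok in tokens:
        if isinstance(tok, str):
            out.extend(tok)
        else:
            dist, length = tok
            for _ in range(length):
                out.append(out[len(out) - dist])
    return "".join(out)


def render(tokens):
    """Slide-style rendering: literals verbatim, references as (-d,l)."""
    return "".join(t if isinstance(t, str) else f"(-{t[0]},{t[1]})" for t in tokens)


# The deck's sentence, lowercased so that both "everything" copies match exactly.
SENTENCE = ("everything looked dark and bleak, everything looked gloomy, "
            "and everything was under a blanket of mist")

if __name__ == "__main__":
    toks = lz77_encode(SENTENCE)
    print(f"{len(SENTENCE)} characters -> {len(render(toks))} characters")
    print(render(toks))
    assert lz77_decode(toks) == SENTENCE
```

The first reference comes out as (-34,18), the same as on the slide; the second differs from the slide's hand-drawn (-54,11) because this encoder takes the nearest copy and includes the leading space in the match. Everything the oracle attack later exploits is already visible here: the output length depends on how much of the input repeats earlier input.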

  7. Compression Side Channel
    First known research in 2002

  8. The Side Channel
    Length of encrypted payloads

  9-11. The side channel, step by step
    Plain Text Data -> Compress -> Encrypt -> Encrypted Data + Data Length
    Add Attacker Controlled Bytes: the attacker gets bytes of their choice
    into the plain text before it is compressed
    Observe Encrypted Traffic: the attacker reads the data length of the
    encrypted output

  12. Compression Oracle Attack
    Chosen Plain Text Attack

    Brute force the secret byte by byte

    Force a compression using the chosen byte and the
    existing bytes in the secret

  13-20. Guessing the secret byte by byte
    Application Data: secret=637193-some-app-data;
    Attacker injected bytes: secret=<guess>
    Whole data before compression / encryption:
    secret=637193-some-app-data;secret=<guess>
    Compress -> Encrypt -> observe Data Length
    Both copies of "secret=" are compressible against each other.

    Injected   Whole data before compression          Encrypted Length
    secret=1   secret=637193-some-app-data;secret=1   30
    secret=2   secret=637193-some-app-data;secret=2   30
    secret=3   secret=637193-some-app-data;secret=3   30
    secret=4   secret=637193-some-app-data;secret=4   30
    secret=5   secret=637193-some-app-data;secret=5   30
    secret=6   secret=637193-some-app-data;secret=6   29

    More Compression, Smaller Length: with the right guess (6) the
    repeated run is one byte longer, so compression increased by 1 byte.

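The byte-by-byte guessing of slides 12-20, as an added example that is not from the deck or the voracle tool. The tunnel's compress-then-encrypt step is modelled with zlib (DEFLATE) instead of OpenVPN's LZO/LZ4, and encryption is left out because a cipher does not hide the length the oracle measures; the absolute lengths therefore differ from the 30/29 on the slides, but the one-byte drop on the right guess is the same. The secret and the secret= prefix are the slide's; the candidate alphabet, the ; terminator and the function names are this example's assumptions.

```python
import string
import zlib

# Compress-then-encrypt tunnel model (added example, not the deck's code):
# encryption preserves length, so the only observable is the compressed size.
# zlib/DEFLATE stands in for OpenVPN's LZO/LZ4; both are LZ77-family.
def tunnel_packet_length(plaintext: bytes) -> int:
    return len(zlib.compress(plaintext, 9))


# Application data carrying the secret (taken from the slides).
APP_DATA = b"secret=637193-some-app-data;"

# Candidate alphabet for each guessed byte: an assumption of this example.
ALPHABET = [bytes([b]) for b in (string.digits + string.ascii_lowercase + "-;").encode()]


def observed_length(app_data: bytes, injected: bytes) -> int:
    """What a passive observer sees for one request: the length of the packet
    carrying the app data plus the attacker-controlled bytes."""
    return tunnel_packet_length(app_data + injected)


def guess_next_byte(app_data: bytes, known: bytes, alphabet=ALPHABET):
    """Try every candidate after the known prefix (e.g. b"secret=63").
    The candidate whose packet comes out shortest extended the LZ77 match by
    one byte. Returns the list of best candidates: one entry when the oracle
    is unambiguous, several when the lengths tie."""
    lengths = {c: observed_length(app_data, known + c) for c in alphabet}
    shortest = min(lengths.values())
    return [c for c, n in lengths.items() if n == shortest]


def recover_secret(app_data: bytes, prefix=b"secret=", terminator=b";", max_len=32):
    """Drive the oracle byte by byte until the terminator is recovered.
    Raises ValueError on a tie, which is how an ambiguous oracle shows up."""
    known = b""
    for _ in range(max_len):
        winners = guess_next_byte(app_data, prefix + known)
        if len(winners) != 1:
            raise ValueError(f"ambiguous oracle after {known!r}: {winners}")
        if winners[0] == terminator:
            break
        known += winners[0]
    return known


if __name__ == "__main__":
    for guess in (b"1", b"2", b"6"):
        print(b"secret=" + guess, observed_length(APP_DATA, b"secret=" + guess))
    print("recovered:", recover_secret(APP_DATA))
```

Each iteration costs one request per alphabet symbol, so the whole secret falls in a few hundred observations rather than an exhaustive search. The defender's reading of this block is the check it performs implicitly: if the length of the tunnelled packet changes with one attacker-chosen byte, the tunnel is leaking, whatever cipher wraps it.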
  21. How can we convert this
    into a real world attack on
    browsers?

  22-23. Mapping the steps onto browsers
    Plain Text Data -> Compress -> Encrypt -> Encrypted Data + Data Length
    Add Attacker Controlled Bytes: ambient authority of cookies in
    browsers, simple cross-domain requests with POST body
    Observe Encrypted Traffic: MITM. People do this all the time
  24. EkoParty 2012
    Back in 2012
    Juliano Rizzo, Thai Duong

  25. CRIME, 2012
    www.ekoparty.org/archive/2012/CRIME_ekoparty2012.pdf

  26. TIME Attack 2013
    Tal Be'ery, Amichai Shulman
    Timing side channel purely via browsers, using TCP window
    sizes.

    Extending CRIME to HTTP Responses

  27. BREACH Attack 2013
    BreachAttack.com
    Angelo Prado, Neal Harris, Yoel Gluck

  28. So far
    CRIME-style attacks have mostly targeted HTTPS

    There are more - HEIST, Practical Developments to BREACH

  29. So, what's new today?

  30. VPN Tunnels

  31. TLS VPNs are pretty
    common these days

  33. What do most of these
    SaaS VPNs have in
    common?

  34. OpenVPN

  35. High level overview
    Authentication & Key Negotiation (Control Channel)

    Data Channel Compression
    Data Channel Encryption

  36. Compress everything
    UDP

    TCP

    Bi-Directional

  37. OpenVPN Compression
    Algorithms
    LZO

    LZ4

    -LZ77 Family-

  38. We have a compress then
    encrypt on all of data channel

  39. VORACLE Attack

  40. Under a VPN, HTTP
    WebApps are still
    insecure!

  41. Things are safe, if the underlying app
    layer already uses an encryption channel.

  42. Things might go bad, if the VPN tunnel is
    helping you encrypt already non-
    encrypted data

  43. Let's see how this attack works on an
    HTTP website using an encrypted VPN

  44. Requirements
    VPN Server and Client have compression enabled
    Attacker can observe VPN traffic
    VPN User visits attacker.com

  45-55. Attack Setup
    VPN User -> Browser -> Trusted VPN with Compression -> HTTP WebApp
    Attacker, via attacker.com (injected ads, malicious blogs, etc.):
    can send cross-domain requests to the HTTP WebApp
    Attacker, as a passive MITM on the VPN path:
    can observe VPN data packet lengths
  56. Attacker can now conduct Compression Oracle attacks on
    HTTP requests and responses

  57. Demo
    Browser: Mozilla Firefox
    VPN Client: https://github.com/OpenVPN/openvpn3
    VPN Server: OpenVPN Server
    WebApp: http://insecure.skepticfx.com
    Attack Goal: Steal sessionId cookie from a cross-domain website

  58. Voracle
    https://github.com/skepticfx/voracle

  59. Attack Challenges
    No Server Name Indication (SNI) or TLS certificates.

    VPN traffic is too chatty. Everything goes through it

    Hard to determine attacker's own traffic

  60. Also
    Browser needs to send the HTTP request
    in a single TCP data packet

  61. Google Chrome splits Plain HTTP
    requests into Header and Body
    So we can't get the compression
    window in the same request

  62. Mozilla Firefox sends them all
    in a single TCP data packet
    Now we get the compression
    window in the same request

  63. Detecting Voracle in your
    VPN

  64. If your VPN provider is using OpenVPN -
    take a look at your client configuration.

  65. OpenVPN Client
    Configuration (*.OVPN)
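
One way to do the configuration check of slides 64-65, as an added example that is not the deck's or OpenVPN's code: a small parser that walks an .ovpn profile and reports whether the data channel would be compressed. The directive names are OpenVPN's own (comp-lzo, compress, allow-compression); the verdict categories, the helper names and the sample profile are this example's assumptions.

```python
# Static check of an OpenVPN client profile (*.ovpn) for data-channel
# compression. Added example, not the deck's or OpenVPN's code: the directive
# names are OpenVPN's own (comp-lzo, compress, allow-compression); the verdict
# categories and the sample profile are this example's.


def parse_directives(ovpn_text):
    """Yield (directive, args) per option line, lowercased. Comment lines
    (# or ;) are skipped, as are inline <ca>...</ca>-style blocks, which
    carry key material rather than options."""
    in_block = False
    for raw in ovpn_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("</"):
            in_block = False
            continue
        if line.startswith("<"):
            in_block = True
            continue
        if in_block:
            continue
        parts = line.split()
        yield parts[0].lower(), [p.lower() for p in parts[1:]]


def compression_verdict(ovpn_text):
    """Classify the profile:
      'compresses'   LZO/LZ4 payload compression is on (the Voracle setting)
      'framing-only' compression framing without compression (comp-lzo no,
                     bare compress, compress stub / stub-v2); with pull, a
                     server can still push compression unless
                     allow-compression no is set
      'off'          no compression option, or allow-compression no
      'conflict'     allow-compression no next to an enabling option;
                     review such a profile by hand
    """
    compressing = framing = hard_off = False
    for name, args in parse_directives(ovpn_text):
        if name == "comp-lzo":
            # comp-lzo [yes|no|adaptive]; a bare comp-lzo means adaptive
            if not args or args[0] in ("yes", "adaptive"):
                compressing = True
            else:
                framing = True
        elif name == "compress":
            if args and args[0] in ("lzo", "lz4", "lz4-v2"):
                compressing = True
            else:
                framing = True
        elif name == "allow-compression" and args and args[0] == "no":
            hard_off = True
    if hard_off:
        return "conflict" if compressing else "off"
    if compressing:
        return "compresses"
    if framing:
        return "framing-only"
    return "off"


# Constructed sample profile for the demo run (not a real provider's file).
SAMPLE_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
# legacy option still shipped by many providers:
comp-lzo
<ca>
-----BEGIN CERTIFICATE-----
placeholder
-----END CERTIFICATE-----
</ca>
"""

if __name__ == "__main__":
    print(compression_verdict(SAMPLE_PROFILE))   # compresses
```

The static verdict only covers what the profile itself says; a profile with pull can still have comp-lzo or compress pushed by the server at connect time, which is why the dynamic test on the following slides is worth running as well.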

  66. Or you can test this dynamically by
    triggering compression and observing the
    length

  67. DIY Voracle Detection
    Fire up Wireshark

    Connect to your VPN under test

    Send a few Curl requests with compression

    Observe VPN Payload Length

  68-70. Curl and Observe Length
    curl -s -o /dev/null -X POST http://website.com \
      -d "--some-data-- Secret=37346282; --blah-- Secret=1 Secret=1"
    Length = x

    curl -s -o /dev/null -X POST http://website.com \
      -d "--some-data-- Secret=37346282; --blah-- Secret=2 Secret=2"
    Length = x

    curl -s -o /dev/null -X POST http://website.com \
      -d "--some-data-- Secret=37346282; --blah-- Secret=3 Secret=3"
    Length = x-1

    More Compression, Smaller Length: the guess that matches the first
    digit of the secret makes the VPN payload one byte shorter.

  71. Fix?

  72. Fixing Compression is an
    interesting problem

  73. Remember when SPDY
    was vulnerable to
    CRIME?

  74. HPACK in HTTP/2
    selectively disables header
    compression for sensitive
    fields

  75. https://http2.github.io/http2-spec/compression.html

  76. cf-nocompress
    https://blog.cloudflare.com/a-solution-to-compression-oracles-on-the-web/

  77. For VPNs, Disable
    compression entirely for
    all plain text transactions

  78. Turning compression
    off by default is
    opinionated

  79. OpenVPN chose to warn implementors more explicitly
    to turn off data compression.
    https://github.com/OpenVPN/openvpn/commit/a59fd147

  80. turned off
    compression entirely

  81. It's time everything
    moves to HTTPS

  82. Takeaway
    End users & website owners - If you are using a VPN to
    access plain text websites over the internet, it's time to move
    them to HTTPS.

    VPN Providers - Explicitly state what your VPN protects
    against. If you are claiming your VPN tunnel protects against
    plain text web apps, ensure you do not compress them.

  83. Thank you!
    @skeptic_fx