Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Voracle - Compression Oracle Attacks on VPN Tun...

Nafeez
August 11, 2018
Technology
2
6.9k

Voracle - Compression Oracle Attacks on VPN Tunnels

Leaking secrets from OpenVPN using compression oracle side channel.

Nafeez

August 11, 2018
Tweet

More Decks by Nafeez

See All by Nafeez
DomFlow - Untangling the DOM for easy juicy bugs
skepticfx
2
1.3k
Attacking Web Proxies in the modern Era.
skepticfx
3
730
Securing your nodejs deployments while you sleep
skepticfx
3
290
JS Suicide: Using Javascript's security features to kill itself
skepticfx
2
820
alert(/xss/) – How to catch an XSS before someone reports or exploits it?
skepticfx
2
220

Other Decks in Technology

See All in Technology
TanStack Routerに移行するのかい しないのかい、どっちなんだい! / Are you going to migrate to TanStack Router or not? Which one is it?
kaminashi
0
570
誰も全体を知らない ~ ロールの垣根を超えて引き上げる開発生産性 / Boosting Development Productivity Across Roles
kakehashi
1
220
Platform Engineering for Software Developers and Architects
syntasso
1
510
AGIについてChatGPTに聞いてみた
blueb
0
130
BLADE: An Attempt to Automate Penetration Testing Using Autonomous AI Agents
bbrbbq
0
290
VideoMamba: State Space Model for Efficient Video Understanding
chou500
0
190
Lambda10周年!Lambdaは何をもたらしたか
smt7174
2
110
SSMRunbook作成の勘所_20241120
koichiotomo
1
110
Terraform未経験の御様に対してどの ように導⼊を進めていったか
tkikuchi
2
430
Lambdaと地方とコミュニティ
miu_crescent
2
370
個人でもIAM Identity Centerを使おう!(アクセス管理編)
ryder472
3
180
iOSチームとAndroidチームでブランチ運用が違ったので整理してます
sansantech
PRO
0
120

Featured

See All Featured
Designing Experiences People Love
moore
138
23k
Happy Clients
brianwarren
98
6.7k
BBQ
matthewcrist
85
9.3k
Intergalactic Javascript Robots from Outer Space
tanoku
269
27k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
232
17k
Scaling GitHub
holman
458
140k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
31
2.7k
Fantastic passwords and where to find them - at NoRuKo
philnash
50
2.9k
The MySQL Ecosystem @ GitHub 2015
samlambert
250
12k
[RailsConf 2023] Rails as a piece of cake
palkan
52
4.9k
Into the Great Unknown - MozCon
thekraken
32
1.5k
Documentation Writing (for coders)
carmenintech
65
4.4k

Transcript

  1. Compression Oracle Attacks on VPN Networks Nafeez

  2. Nafeez AppSec research, static analysis tools, writing code Maker @

    assetwatch.io - Simple & Transparent Attack Surface Discovery @sketpic_fx

  3. Overview Compression Side Channel and Encryption History of attacks VPNs

    and how they use compression Voracle attack How to find if your "VPN" is vulnerable Way forward

  4. Data Compression LZ77 Replace redundant patterns 102 Characters Everything looked

    dark and bleak, everything looked gloomy, and everything was under a blanket of mist 89 Characters Everything looked dark and bleak, (-34,18)gloomy, and (-54,11)was under a blanket of mist

  5. Data Compression Huffman Coding Replace frequent bytes with shorter codes

    https://en.wikipedia.org/wiki/Huffman_coding

  6. Data Compression DEFLATE - LZ77 + Huffman Coding ZLIB, GZIP

    are well known DEFLATE libraries

  7. Compression Side Channel First known research in 2002

  8. The Side Channel Length of encrypted payloads

  9. Plain Text Data Compress Encrypt Encrypted Data + Data Length

  10. Plain Text Data Compress Encrypt Add Attacker Controlled Bytes Encrypted

    Data + Data Length

  11. Plain Text Data Compress Encrypt Add Attacker Controlled Bytes Observe

    Encrypted Traffic Encrypted Data + Data Length

  12. Compression Oracle Attack Chosen Plain Text Attack Brute force the

    secret byte by byte Force a compression using the chosen byte and the existing bytes in the secret

  13. secret=637193-some-app-data; Compress Encrypt Data Length secret=1 Encrypted Length = 30

    secret=637193-some-app-data;secret=1

  14. secret=637193-some-app-data; Compress Encrypt Data Length secret=1 Encrypted Length = 30

    secret=637193-some-app-data;secret=1 Application Data Attacker injected bytes Whole data before compression / encryption

  15. secret=637193-some-app-data; Compress Encrypt Data Length secret=1 Encrypted Length = 30

    secret=637193-some-app-data;secret=1 Compressible Compressible

  16. secret=637193-some-app-data; Compress Encrypt Data Length secret=2 Encrypted Length = 30

    secret=637193-some-app-data;secret=2

  17. secret=637193-some-app-data; Compress Encrypt Data Length secret=3 Encrypted Length = 30

    secret=637193-some-app-data;secret=3

  18. secret=637193-some-app-data; Compress Encrypt Data Length secret=4 Encrypted Length = 30

    secret=637193-some-app-data;secret=4

  19. secret=637193-some-app-data; Compress Encrypt Data Length secret=5 Encrypted Length = 30

    secret=637193-some-app-data;secret=5

  20. secret=637193-some-app-data; Compress Encrypt Data Length secret=6 Encrypted Length = 29

    secret=637193-some-app-data;secret=6 More Compression, Smaller Length Compression increased by 1 byte

  21. How can we convert this into a real world attack

    on browsers?

  22. Plain Text Data Compress Encrypt Add Attacker Controlled Bytes Observe

    Encrypted Traffic Encrypted Data + Data Length

  23. Add Attacker Controlled Bytes Observe Encrypted Traffic Ambient authority of

    Cookies in browsers Simple cross-domain requests with POST body MITM. People do this all the time

  24. EkoParty 2012 Back in 2012 Juliano Rizzo, Thai Duong

  25. CRIME, 2012 www.ekoparty.org/archive/2012/CRIME_ekoparty2012.pdf

  26. TIME Attack 2013 Tal Be'ery, Amichai Shulman Timing side channel

    purely via browsers, using TCP window sizes. Extending CRIME to HTTP Responses

  27. BREACH Attack 2013 BreachAttack.com Angelo Prado, Neal Harris, Yoel Gluck

  28. So far CRIME style attacks have been mostly targeted on

    HTTPS There are more - HEIST, Practical Developments to BREACH

  29. So, whats new today?

  30. VPN Tunnels

  31. TLS VPNs are pretty common these days

  32. None

  33. What do most of these SaaS VPNs have in common?

  34. OpenVPN

  35. High level overview Authentication & Key Negotiation (Control Channel) Data

    Channel Compression Data Channel Encryption

  36. Compress everything UDP TCP Bi-Directional

  37. OpenVPN Compression Algorithms LZO LZ4 -LZ77 Family-

  38. We have a compress then encrypt on all of data

    channel

  39. VORACLE Attack

  40. Under a VPN, HTTP WebApps are still insecure !

  41. Things are safe, if the underlying app layer already uses

    an encryption channel.

  42. Things might go bad, if the VPN tunnel is helping

    you encrypt already non- encrypted data

  43. Lets see how this attack works on an HTTP website

    using an encrypted VPN

  44. VPN Server and Client has compression enabled Requirements Attacker can

    observe VPN traffic VPN User visits attacker.com

  45. Attack Setup VPN User

  46. Attack Setup VPN User Browser

  47. Attack Setup VPN User Browser HTTP WebApp

  48. Attack Setup VPN User Browser HTTP WebApp Trusted VPN with

    Compression

  49. Attack Setup VPN User Browser HTTP WebApp Trusted VPN with

    Compression

  50. Attack Setup VPN User Browser HTTP WebApp Trusted VPN with

    Compression Attacker

  51. Attack Setup VPN User Browser HTTP WebApp Trusted VPN with

    Compression Attacker attacker.com

  52. Attack Setup VPN User Browser HTTP WebApp Trusted VPN with

    Compression Attacker attacker.com Passive MITM

  53. Attack Setup VPN User Browser HTTP WebApp Trusted VPN with

    Compression Attacker attacker.com Passive MITM Injected Ads,
 Malicous Blogs,
 etc.

  54. Attack Setup VPN User Browser HTTP WebApp Trusted VPN with

    Compression Attacker attacker.com Passive MITM Injected Ads,
 Malicous Blogs,
 etc. Can Observe VPN Data packet Lengths

  55. Attack Setup VPN User Browser HTTP WebApp Trusted VPN with

    Compression Attacker attacker.com Passive MITM Injected Ads,
 Malicous Blogs,
 etc. Can Observe VPN Data packet Lengths Can Send Cross Domain requests to the HTTP WebApp

  56. Attacker can now conduct Compression Oracle attacks on HTTP requests

    and responses

  57. https://github.com/OpenVPN/openvpn3 Browser VPN Client VPN Server OpenVPN Server WebApp http://insecure.skepticfx.com

    Mozilla Firefox Steal sessionId cookie from a cross-domain website Attack Goal Demo

  58. Voracle https://github.com/skepticfx/voracle

  59. Attack Challenges No Server Name Indication(SNI) or TLS certificates.
 VPN

    traffic is too chatty. Everything goes through it Hard to determine attacker's own traffic

  60. Browser needs to send HTTP requests in single TCP Data

    Packet Also

  61. Google Chrome splits Plain HTTP requests into Header and Body

    So we can't get the compression window in the same request

  62. Mozilla Firefox sends them all in a single TCP data

    packet Now we get the compression window in the same request

  63. Detecting Voracle in your VPN

  64. If your VPN provider is using OpenVPN - take a

    look at your client configuration.

  65. OpenVPN Client Configuration (*.OVPN)

  66. Or you can test this dynamically by triggering compression and

    observing the length

  67. DIY Voracle Detection Fire up Wireshark Connect to your VPN

    under test Send a few Curl requests with compression Observe VPN Payload Length

  68. curl -s -o /dev/null -X POST http://website.com -d "--some-data-- Secret=37346282;

    --blah-- Secret=1 Secret=1" Length = x Curl and Observe Length

  69. curl -s -o /dev/null -X POST http://website.com -d "--some-data-- Secret=37346282;

    --blah-- Secret=2 Secret=2" Length = x Curl and Observe Length

  70. curl -s -o /dev/null -X POST http://website.com -d "--some-data-- Secret=37346282;

    --blah-- Secret=3 Secret=3" Length = x-1 Curl and Observe Length More Compression, Smaller Length

  71. Fix?

  72. Fixing Compression is an interesting problem

  73. Remember when SPDY was vulnerable to CRIME?

  74. HPACK in HTTP/2 selectively disables header compression for sensitive fields

  75. https://http2.github.io/http2-spec/compression.html

  76. cf-nocompress https://blog.cloudflare.com/a-solution-to-compression-oracles-on-the-web/

  77. For VPNs, Disable compression entirely for all plain text transactions

  78. Turning compression off by default is opinionated

  79. OpenVPN chose to warn the implementors more explicitly to turn

    off data Compression. https://github.com/OpenVPN/openvpn/commit/a59fd147

  80. turned off compression entirely

  81. Its time, everything moves to HTTPS

  82. Takeaway EndUsers & Website owners - If you are using

    VPN to access plain text websites over the internet, its time to move them to HTTPs. VPN Providers - Explicitly state what your VPN protects against. If you are claiming your VPN tunnel protects against plain text web apps, ensure you do not compress them.

  83. Thank you! @skeptic_fx [email protected]