Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Voracle - Compression Oracle Attacks on VPN Tun...

Nafeez
August 11, 2018
Technology
2
7.1k

Voracle - Compression Oracle Attacks on VPN Tunnels

Leaking secrets from OpenVPN using compression oracle side channel.

Nafeez

August 11, 2018
Tweet

More Decks by Nafeez

See All by Nafeez
DomFlow - Untangling the DOM for easy juicy bugs
skepticfx
2
1.4k
Attacking Web Proxies in the modern Era.
skepticfx
3
740
Securing your nodejs deployments while you sleep
skepticfx
3
320
JS Suicide: Using Javascript's security features to kill itself
skepticfx
2
840
alert(/xss/) – How to catch an XSS before someone reports or exploits it?
skepticfx
2
230

Other Decks in Technology

See All in Technology
SREの視点で考えるSIEM活用術 〜AWS環境でのセキュリティ強化〜
coconala_engineer
1
290
開発視点でAWS Signerを考えてみよう!! ~コード署名のその先へ~
masakiokuda
3
160
フロントエンドも盛り上げたい!フロントエンドCBとAmplifyの軌跡
mkdev10
2
270
Micro Frontends: Necessity, Implementation, and Challenges
rainerhahnekamp
2
480
Running JavaScript within Ruby
hmsk
3
310
LiteXとオレオレCPUで作る自作SoC奮闘記
msyksphinz
0
570
プロダクト開発におけるAI時代の開発生産性
shnjtk
2
230
こんなデータマートは嫌だ。どんな? / waiwai-data-meetup-202504
shuntak
6
1.9k
はてなの開発20年史と DevOpsの歩み / DevOpsDays Tokyo 2025 Keynote
daiksy
6
1.5k
Webアプリを Lambdaで動かすまでに考えること / How to implement monolithic Lambda Web Application
_kensh
7
1.3k
NLP2025 参加報告会 / NLP2025
sansan_randd
4
570
Recap of Next - Google Cloud で実践する クラウドネイティブ最前線 / The Frontlines of Cloud-Native with Insights from Google Cloud
aoto
PRO
1
100

Featured

See All Featured
How To Stay Up To Date on Web Technology
chriscoyier
790
250k
Optimising Largest Contentful Paint
csswizardry
36
3.2k
GraphQLの誤解/rethinking-graphql
sonatard
71
10k
Docker and Python
trallard
44
3.3k
Building an army of robots
kneath
304
45k
Optimizing for Happiness
mojombo
377
70k
The MySQL Ecosystem @ GitHub 2015
samlambert
251
12k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k
KATA
mclloyd
29
14k
No one is an island. Learnings from fostering a developers community.
thoeni
21
3.2k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
30
2.3k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
507
140k

Transcript

  1. Compression Oracle Attacks on VPN Networks Nafeez

  2. Nafeez AppSec research, static analysis tools, writing code Maker @

    assetwatch.io - Simple & Transparent Attack Surface Discovery @sketpic_fx

  3. Overview Compression Side Channel and Encryption History of attacks VPNs

    and how they use compression Voracle attack How to find if your "VPN" is vulnerable Way forward

  4. Data Compression LZ77 Replace redundant patterns 102 Characters Everything looked

    dark and bleak, everything looked gloomy, and everything was under a blanket of mist 89 Characters Everything looked dark and bleak, (-34,18)gloomy, and (-54,11)was under a blanket of mist

  5. Data Compression Huffman Coding Replace frequent bytes with shorter codes

    https://en.wikipedia.org/wiki/Huffman_coding

  6. Data Compression DEFLATE - LZ77 + Huffman Coding ZLIB, GZIP

    are well known DEFLATE libraries

  7. Compression Side Channel First known research in 2002

  8. The Side Channel Length of encrypted payloads

  9. Plain Text Data Compress Encrypt Encrypted Data + Data Length

  10. Plain Text Data Compress Encrypt Add Attacker Controlled Bytes Encrypted

    Data + Data Length

  11. Plain Text Data Compress Encrypt Add Attacker Controlled Bytes Observe

    Encrypted Traffic Encrypted Data + Data Length

  12. Compression Oracle Attack Chosen Plain Text Attack Brute force the

    secret byte by byte Force a compression using the chosen byte and the existing bytes in the secret

  13. secret=637193-some-app-data; Compress Encrypt Data Length secret=1 Encrypted Length = 30

    secret=637193-some-app-data;secret=1

  14. secret=637193-some-app-data; Compress Encrypt Data Length secret=1 Encrypted Length = 30

    secret=637193-some-app-data;secret=1 Application Data Attacker injected bytes Whole data before compression / encryption

  15. secret=637193-some-app-data; Compress Encrypt Data Length secret=1 Encrypted Length = 30

    secret=637193-some-app-data;secret=1 Compressible Compressible

  16. secret=637193-some-app-data; Compress Encrypt Data Length secret=2 Encrypted Length = 30

    secret=637193-some-app-data;secret=2

  17. secret=637193-some-app-data; Compress Encrypt Data Length secret=3 Encrypted Length = 30

    secret=637193-some-app-data;secret=3

  18. secret=637193-some-app-data; Compress Encrypt Data Length secret=4 Encrypted Length = 30

    secret=637193-some-app-data;secret=4

  19. secret=637193-some-app-data; Compress Encrypt Data Length secret=5 Encrypted Length = 30

    secret=637193-some-app-data;secret=5

  20. secret=637193-some-app-data; Compress Encrypt Data Length secret=6 Encrypted Length = 29

    secret=637193-some-app-data;secret=6 More Compression, Smaller Length Compression increased by 1 byte

  21. How can we convert this into a real world attack

    on browsers?

  22. Plain Text Data Compress Encrypt Add Attacker Controlled Bytes Observe

    Encrypted Traffic Encrypted Data + Data Length

  23. Add Attacker Controlled Bytes Observe Encrypted Traffic Ambient authority of

    Cookies in browsers Simple cross-domain requests with POST body MITM. People do this all the time

  24. EkoParty 2012 Back in 2012 Juliano Rizzo, Thai Duong

  25. CRIME, 2012 www.ekoparty.org/archive/2012/CRIME_ekoparty2012.pdf

  26. TIME Attack 2013 Tal Be'ery, Amichai Shulman Timing side channel

    purely via browsers, using TCP window sizes. Extending CRIME to HTTP Responses

  27. BREACH Attack 2013 BreachAttack.com Angelo Prado, Neal Harris, Yoel Gluck

  28. So far CRIME style attacks have been mostly targeted on

    HTTPS There are more - HEIST, Practical Developments to BREACH

  29. So, whats new today?

  30. VPN Tunnels

  31. TLS VPNs are pretty common these days

  32. None

  33. What do most of these SaaS VPNs have in common?

  34. OpenVPN

  35. High level overview Authentication & Key Negotiation (Control Channel) Data

    Channel Compression Data Channel Encryption

  36. Compress everything UDP TCP Bi-Directional

  37. OpenVPN Compression Algorithms LZO LZ4 -LZ77 Family-

  38. We have a compress then encrypt on all of data

    channel

  39. VORACLE Attack

  40. Under a VPN, HTTP WebApps are still insecure !

  41. Things are safe, if the underlying app layer already uses

    an encryption channel.

  42. Things might go bad, if the VPN tunnel is helping

    you encrypt already non- encrypted data

  43. Lets see how this attack works on an HTTP website

    using an encrypted VPN

  44. VPN Server and Client has compression enabled Requirements Attacker can

    observe VPN traffic VPN User visits attacker.com

  45. Attack Setup VPN User

  46. Attack Setup VPN User Browser

  47. Attack Setup VPN User Browser HTTP WebApp

  48. Attack Setup VPN User Browser HTTP WebApp Trusted VPN with

    Compression

  49. Attack Setup VPN User Browser HTTP WebApp Trusted VPN with

    Compression

  50. Attack Setup VPN User Browser HTTP WebApp Trusted VPN with

    Compression Attacker

  51. Attack Setup VPN User Browser HTTP WebApp Trusted VPN with

    Compression Attacker attacker.com

  52. Attack Setup VPN User Browser HTTP WebApp Trusted VPN with

    Compression Attacker attacker.com Passive MITM

  53. Attack Setup VPN User Browser HTTP WebApp Trusted VPN with

    Compression Attacker attacker.com Passive MITM Injected Ads,
 Malicous Blogs,
 etc.

  54. Attack Setup VPN User Browser HTTP WebApp Trusted VPN with

    Compression Attacker attacker.com Passive MITM Injected Ads,
 Malicous Blogs,
 etc. Can Observe VPN Data packet Lengths

  55. Attack Setup VPN User Browser HTTP WebApp Trusted VPN with

    Compression Attacker attacker.com Passive MITM Injected Ads,
 Malicous Blogs,
 etc. Can Observe VPN Data packet Lengths Can Send Cross Domain requests to the HTTP WebApp

  56. Attacker can now conduct Compression Oracle attacks on HTTP requests

    and responses

  57. https://github.com/OpenVPN/openvpn3 Browser VPN Client VPN Server OpenVPN Server WebApp http://insecure.skepticfx.com

    Mozilla Firefox Steal sessionId cookie from a cross-domain website Attack Goal Demo

  58. Voracle https://github.com/skepticfx/voracle

  59. Attack Challenges No Server Name Indication(SNI) or TLS certificates.
 VPN

    traffic is too chatty. Everything goes through it Hard to determine attacker's own traffic

  60. Browser needs to send HTTP requests in single TCP Data

    Packet Also

  61. Google Chrome splits Plain HTTP requests into Header and Body

    So we can't get the compression window in the same request

  62. Mozilla Firefox sends them all in a single TCP data

    packet Now we get the compression window in the same request

  63. Detecting Voracle in your VPN

  64. If your VPN provider is using OpenVPN - take a

    look at your client configuration.

  65. OpenVPN Client Configuration (*.OVPN)

  66. Or you can test this dynamically by triggering compression and

    observing the length

  67. DIY Voracle Detection Fire up Wireshark Connect to your VPN

    under test Send a few Curl requests with compression Observe VPN Payload Length

  68. curl -s -o /dev/null -X POST http://website.com -d "--some-data-- Secret=37346282;

    --blah-- Secret=1 Secret=1" Length = x Curl and Observe Length

  69. curl -s -o /dev/null -X POST http://website.com -d "--some-data-- Secret=37346282;

    --blah-- Secret=2 Secret=2" Length = x Curl and Observe Length

  70. curl -s -o /dev/null -X POST http://website.com -d "--some-data-- Secret=37346282;

    --blah-- Secret=3 Secret=3" Length = x-1 Curl and Observe Length More Compression, Smaller Length

  71. Fix?

  72. Fixing Compression is an interesting problem

  73. Remember when SPDY was vulnerable to CRIME?

  74. HPACK in HTTP/2 selectively disables header compression for sensitive fields

  75. https://http2.github.io/http2-spec/compression.html

  76. cf-nocompress https://blog.cloudflare.com/a-solution-to-compression-oracles-on-the-web/

  77. For VPNs, Disable compression entirely for all plain text transactions

  78. Turning compression off by default is opinionated

  79. OpenVPN chose to warn the implementors more explicitly to turn

    off data Compression. https://github.com/OpenVPN/openvpn/commit/a59fd147

  80. turned off compression entirely

  81. Its time, everything moves to HTTPS

  82. Takeaway EndUsers & Website owners - If you are using

    VPN to access plain text websites over the internet, its time to move them to HTTPs. VPN Providers - Explicitly state what your VPN protects against. If you are claiming your VPN tunnel protects against plain text web apps, ensure you do not compress them.

  83. Thank you! @skeptic_fx [email protected]