Vigil@nce: SSL, TLS, obtaining HTTPS Cookies
September 2011 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker, who can control HTTPS connections of victim’s web
browser and which has a sufficient bandwidth, can use several SSL
sessions in order to compute HTTP headers, such as cookies.
– Severity: 1/4
– Creation date: 26/09/2011
IMPACTED PRODUCTS
– Microsoft IIS
– Microsoft Internet Explorer
– Microsoft Windows 2003
– Microsoft Windows 2008
– Microsoft Windows 7
– Microsoft Windows Vista
– Microsoft Windows XP
– Opera
– Protocol SSL/TLS
DESCRIPTION OF THE VULNERABILITY
The SSL/TLS protocol supports CBC (Cipher Block Chaining)
encryption: a clear block is "XORed" (operation Exclusive OR) with
the last encrypted block, and the result is encrypted. This
dependence between a block and its previous block was the subject
of several theoretical studies since 2002, and led to the
definition of TLS 1.1 in 2006, which uses a different algorithm.
The HTTPS "protocol", used by web browsers, encapsulates an HTTP
session in a SSL/TLS session. An HTTP query is like:
GET /abcdefg HTTP/1.0
Headers (cookies)
...
This query is fragmented in blocks of 8 bytes, which are encrypted
by CBC. The first block is thus "GET /abc".
An attacker can setup a malicious web site, and invite the victim
to connect. This web site can request the victim’s web browser to
load the page "/abcdefg" of a site secured by SSL/TLS.
The attacker controls the size of the requested url (via
"/abcdefg"), so he can place the first byte of headers at the end
of a block (the 7 other bytes are known: "P/1.1\r\n"). This blocks
follows a block which is fully known ("defg HTT"). The attacker
can then capture the encrypted SSL/TLS session, and memorize the
last encrypted block. This block is used as an initialization
vector to compute an XOR between "defg HTT" (block 2) encrypted,
and a guessed character located at the end of "P/1.1\r\n" (block
3). The result is reinjected by the attacker at the end of the
HTTP query in clear text. He captures the resulting encrypted
block, and if it is the same as the third encrypted block, then
the guessed character was correct. The attacker repeats these
queries as many times as necessary.
An attacker, who can control HTTPS connections of victim’s web
browser and which has a sufficient bandwidth, can therefore use
several SSL sessions in order to compute HTTP headers, such as
cookies.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/SSL-TLS-obtaining-HTTPS-Cookies-11014