Crypto weakness in popular Web Applications


The OWASP Foundation, http://www.owasp.org

Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

OWASP AppSec Beijing/Asia 2011

Crypto weakness in popular Web Applications

Hanqin Wu, Aliyun.com

axis@ph4nt0m.org

About Me
2001 Founder of “Ph4nt0m”
2005 joined Alibaba corp.
2008 joined aliyun.com

t.qq.com/aullik5
Blog : hi.baidu.com/aullik5
Book : 《完美防线》

Crypto in pentesting

ctk=moVQoAbeoXAtdR3BHGRFVA&chk=50f059614bb2977a9dda630cd727277a-50067753

ID=5bfb08d687b3dee5:T=1303616991:S=ALNI_MZ46CtBJfBaUSGkdUlJmLEyTfwgPQ

http://passport.baidu.com/center?auth=ead603c8bb7d4ea68f2812a497aa7f5c40c6eb438b3da9e1d8b5b3de6a82f30b7a3b

Cipher analysis : encoding

Base64 :

Hex : ead603c8bb7d4e…… = \xea\xd6\x04\xc8\xbb\x7d\x4e……

Cipher analysis : cipher length

Stream cipher : arbitrary length
Block cipher :

Cipher analysis : cipher mode

ECB-mode : change 1 byte in the plaintext, 1 block changes in the ciphertext
CBC-mode : change 1 byte in the plaintext, the whole ciphertext changes

In developer’s mind

1. Third-party crypto library
2. performance
3. security – only key length

Failures

1. Using a hash algorithm instead of crypto
2. No “salts” when using a hash algorithm
3. Using “time” instead of a random number
4. Lack of knowledge about crypto
5. ……

Crypto introduction

Block cipher

Stream cipher

Basics in crypto

IV : init vector
mode : ECB, CBC, CFB, OFB, CTR
blocksize : block size
KEY


Attack


Attack block cipher


ECB mode

Attack ECB mode


CBC mode

Padding Oracle

Padding : PKCS#5

Oracle

Like “blind injection”

“side channel attack”


Attack stream cipher


Stream cipher

Reused Key Attack

E(A) = A xor C
E(B) = B xor C

E(A) xor E(B) = (A xor C) xor (B xor C) = A xor B xor C xor C = A xor B

E(A) xor E(B) = A xor B

PHPWind StrCode()

    // Repeating-key XOR: once the input is longer than the key, the key
    // stream repeats, and the same key stream is used for every message.
    $strLen = strlen($string);
    $keyLen = strlen($key);
    $code = '';
    for ($i = 0; $i < $strLen; $i++) {
        $k = $i % $keyLen;
        $code .= $string[$i] ^ $key[$k];
    }

PHPWind captcha generation

ck.php, chars: $list = 'BCEFGHJKMPQRTVWXY2346789';

"1315107631" . "\t\t" . md5("73669" . "1315107631")
 timestamp                  captcha   timestamp


Gain captcha


Set-Cookie

Crack captcha

known : plaintext1 = time1 + md5(captcha1 + time1)   (A)
        ciphertext1                                  (E(A))
        ciphertext2                                  (E(B))

want :  plaintext2 = time2 + md5(captcha2 + time2)   (B)

A xor E(A) xor E(B) = B

MD5 Rainbow Table !


Crack It!


Bit-flipping Attack

E(A) xor E(B) = A xor B

A xor E(A) xor B = E(B)


Captcha never expired

Global.php: gdconfirm()

Common.php: safecheck()

Construct

Bit-flipping Attack : A xor E(A) xor B = E(B)

Never expired time : $timestamp – $cookieData[0] < 0


POC

Discuz! authcode()

$keyc : IV
$ckey_length : IV length
$keya : xor key
$keyb : HMAC key

authcode() analysis

79uz_d57e_auth=d08fwJQZGV/999z5qNLk5OIofp9dd2qDkWXVeg1RFQGwKicuAMaih5M5aefx0ycOfLAc2jtZL/y3J7TpUh2GsAPl;

decoded: 0000000000 | 67c38ee9eca0b04d | ccccbbbb

IV | timestamp (10 bytes) | HMAC (16 bytes) | plaintext (xx bytes)

authcode() security consideration

Reused Key Attack : the IV changes the xor key every time, XOR_KEY = fn(IV, KEY)

Bit-flipping Attack : the HMAC defends against forgery, HMAC = fn(Plaintext, KEY)
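To make the two properties on this slide and the StrCode() weakness above concrete, here is an added Python example (not PHPWind or Discuz! code): strcode() reproduces the repeating-key XOR, forge() applies A xor E(A) xor B = E(B) to one known pair, and seal()/unseal() show that an HMAC over the plaintext (HMAC-SHA256 here; the keys and cookie values are constructed) makes the same flip fail the check.

```python
import hashlib
import hmac

def strcode(data: bytes, key: bytes) -> bytes:
    # Repeating-key XOR, the same loop as PHPWind's StrCode():
    # byte i of the input is XORed with key[i % keyLen], so the key stream
    # repeats and is identical for every message. Encrypt == decrypt.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def forge(known_plain: bytes, known_cipher: bytes, wanted_plain: bytes) -> bytes:
    # Bit-flipping on a reused key stream: A xor E(A) xor B = E(B).
    # Purely positional, so the wanted plaintext cannot be longer than the known pair.
    if len(wanted_plain) > len(known_plain):
        raise ValueError("known pair is too short to cover the wanted plaintext")
    return bytes(a ^ ea ^ b for a, ea, b in zip(known_plain, known_cipher, wanted_plain))

MAC_LEN = 32  # HMAC-SHA256 digest length (constructed choice for this example)

def seal(plain: bytes, xor_key: bytes, mac_key: bytes) -> bytes:
    # Hardened variant (added here, not PHPWind or Discuz! code): an HMAC over the
    # plaintext travels inside the XORed token, the role $keyb plays in authcode().
    tag = hmac.new(mac_key, plain, hashlib.sha256).digest()
    return strcode(tag + plain, xor_key)

def unseal(token: bytes, xor_key: bytes, mac_key: bytes):
    # Returns the plaintext, or None when the tag no longer matches (flipped token).
    raw = strcode(token, xor_key)
    tag, plain = raw[:MAC_LEN], raw[MAC_LEN:]
    expected = hmac.new(mac_key, plain, hashlib.sha256).digest()
    return plain if hmac.compare_digest(tag, expected) else None

def demo():
    xor_key = b"constructed-demo-key"           # the server's secret; never used by forge()
    a = b"1315107631\t\tcaptcha=B7CX9"          # constructed known plaintext: time + value
    ea = strcode(a, xor_key)                    # its ciphertext, as a Set-Cookie would carry it
    b = b"9999999999\t\tcaptcha=B7CX9"          # same layout, timestamp pushed far into the future
    eb = forge(a, ea, b)                        # needs only A, E(A) and the wanted B
    unprotected_accepts = strcode(eb, xor_key) == b
    mac_key = b"constructed-mac-key"
    token = seal(a, xor_key, mac_key)
    # The identical flip applied to the plaintext part of a sealed token
    flipped = token[:MAC_LEN] + forge(a, token[MAC_LEN:], b)
    return unprotected_accepts, unseal(token, xor_key, mac_key) == a, unseal(flipped, xor_key, mac_key)

if __name__ == "__main__":
    print(demo())  # (True, True, None)
```

The first result shows the plain XOR cookie accepting a forged timestamp without the key; the third shows the sealed token rejecting the same edit.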

authcode() weak IV

Default length of IV is 4 bytes :

Collect an IV dictionary (a-z0-9) : 36^4 = 1,679,616 IVs

The same IV, the same xor key -- in WEP cracking, a 24-bit IV is exhausted in 5 hours

POC:

known :

test : crack($cipher2) == $plaintext2


POC:


Collect ciphers and IVs

Birthday Attack

The probabilities among 30 persons:

Any of them has one specific birthday : 1 − (364/365)^30 ≈ 7.9%

Any 2 have the same birthday : nearly 70%

Attack authcode() ?

Reused Key Attack : the IV changes the xor key every time, so brute-force the IVs

Bit-flipping Attack : the HMAC defends against forgery, still safe

Other attack ?

Discuz! Getwebshell: http://www.oldjun.com/blog/index.php/archives/76/

Phpcms cookie sql injection: http://www.80vul.com/phpcms/phpcms_sys_auth.txt

……

Summary & Conclusion

Advice

Do not use ECB mode
Do not use stream cipher
Use AES-256 or blowfish in CBC mode
Do not use the same key to do different things
Use random IV
Use HMAC-SHA512 instead of MD5

Thanks!
