AL­PA­CA-At­tack: Cross-Pro­to­col-At­tacks

10.​06.​2021 – Ro­bert Mer­get

In co­ope­ra­ti­on with the uni­ver­si­ty Pa­der­born and Müns­ter Uni­ver­si­ty of Ap­p­lied Sci­en­ce­s­ha­ben, sci­en­tists from the chair of Net­work- and Data se­cu­ri­ty dis­co­ver­ed a new flaw in the spe­ci­fi­ca­ti­on of TLS. The vul­nerabi­li­ty is cal­led AL­PA­CA and ex­ploits a we­ak­ness in the au­then­ti­ca­ti­on of TLS for cross-pro­to­col at­tacks. The at­tack al­lows an at­ta­cker to steal cook­ies or per­form cross-si­te-script­ing (XSS) if the spe­ci­fic con­di­ti­ons for the at­tack are met.

TLS is an in­ter­net stan­dard to se­cu­re the com­mu­ni­ca­ti­on bet­ween ser­vers and cli­ents on the in­ter­net, for ex­amp­le that of web ser­vers, FTP ser­vers, and Email ser­vers. This is pos­si­ble be­cau­se TLS was de­si­gned to be ap­p­li­ca­ti­on layer in­de­pen­dent, which al­lows its use in many di­ver­se com­mu­ni­ca­ti­on pro­to­cols.

AL­PA­CA is an ap­p­li­ca­ti­on layer pro­to­col con­tent con­fu­si­on at­tack, ex­ploit­ing TLS ser­vers im­ple­men­ting dif­fe­rent pro­to­cols but using com­pa­ti­ble cer­ti­fi­ca­tes, such as mul­ti-do­main or wild­card cer­ti­fi­ca­tes. At­ta­ckers can re­di­rect traf­fic from one sub­do­main to ano­ther, re­sul­ting in a valid TLS ses­si­on. This breaks the au­then­ti­ca­ti­on of TLS and cross-pro­to­col at­tacks may be pos­si­ble where the be­ha­vi­or of one pro­to­col ser­vice may com­pro­mi­se the other at the ap­p­li­ca­ti­on layer.

We in­ves­ti­ga­te cross-pro­to­col at­tacks on TLS in ge­ne­ral and con­duc­ted a sys­te­ma­tic case study on web ser­vers, re­di­rec­ting HTTPS re­quests from a victim’s web brow­ser to SMTP, IMAP, POP3, and FTP ser­vers. We show that in rea­lis­tic sce­na­ri­os, the at­ta­cker can extract ses­si­on cook­ies and other pri­va­te user data or exe­cu­te ar­bi­tra­ry Ja­va­Script in the con­text of the vul­nerable web ser­ver, the­re­fo­re by­pas­sing TLS and web ap­p­li­ca­ti­on se­cu­ri­ty.

We eva­lua­ted the re­al-world at­tack sur­face of web brow­sers and wi­de­ly-de­ploy­ed Email and FTP ser­vers in lab ex­pe­ri­ments and with in­ter­net-wi­de scans. We find that 1.​4M web ser­vers are ge­ne­ral­ly vul­nerable to cross-pro­to­col at­tacks, i.e., TLS ap­p­li­ca­ti­on data con­fu­si­on is pos­si­ble. Of these, 114k web ser­vers can be at­ta­cked using an ex­ploi­ta­ble ap­p­li­ca­ti­on ser­ver. As a coun­ter­me­a­su­re, we pro­po­se the use of the Ap­p­li­ca­ti­on Layer Pro­to­col Ne­go­tia­ti­on (ALPN) and Ser­ver Name In­di­ca­ti­on (SNI) ex­ten­si­ons in TLS to prevent these and other cross-pro­to­col at­tacks.

Alt­hough this vul­nerabi­li­ty is very si­tua­tio­nal and can be chal­len­ging to ex­ploit, there are some con­fi­gu­ra­ti­ons that are ex­ploi­ta­ble even by a pure web at­ta­cker. Fur­ther­mo­re, we could only ana­ly­ze a li­mi­ted num­ber of pro­to­cols, and other at­tack sce­na­ri­os may exist. Thus, we ad­vi­se that ad­mi­nis­tra­tors re­view their de­ploy­ments and that ap­p­li­ca­ti­on de­ve­lo­pers (cli­ent and ser­ver) im­ple­ment coun­ter­me­a­su­res proac­tive­ly for all pro­to­cols.

More in­for­ma­ti­on can be found at https://al­pa­ca-at­tack.​com

Quel­le

Tags: at­tack, cross-pro­to­col, TLS