Analysis of the Drown Attack's hazards to OpenSSL, based on CVE-2016-0703

ID MYHACK58:62201672167
Type myhack58
Reporter dou, dou
Modified 2016-03-04T00:00:00


1. What is the Drown Attack

Drown is a cross-protocol attack that uses SSLv2 vulnerabilities to attack TLS; in effect, it is a further use of man-in-the-middle attacks. A simple example of a man-in-the-middle attack is hijacking a user's HTTP traffic. However, some server and client communication is encrypted, for example with TLS and SSL. The Drown attack uses an SSLv2 vulnerability and requires that different services use the RSA key exchange technique, in which case the private key of the different services will be the same. The vulnerability can then be used to decrypt a TLS or SSLv3 connection and carry out man-in-the-middle attacks, such as hijacking an administrator's session, so the harm can be imagined.


2. How to accurately test a Drown Attack

The author released DROWN Scanner at https://github.com/them/public_drown_scanner, but it does not accurately test for the Drown Attack vulnerability. Exploiting this vulnerability presupposes that an SSLv2 vulnerability exists and that the SSLv2 service's private key is the same as that of other services, so that probes can be sent to the SSLv2 server and the server's abnormal responses used to help the attack. Drown Attack affects OpenSSL versions 1.0.2, 1.0.1l, 1.0.0q, 0.9.8ze and all previous versions; users need to upgrade to OpenSSL 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf.
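The two preconditions above (an SSLv2-enabled service, and other services sharing its key) can be audited from an endpoint inventory. The following is an added example, not code from DROWN Scanner or the original page; the inventory, host names and key bytes are constructed, and the tuple layout is an assumption.

```python
import hashlib
from collections import defaultdict

# Constructed inventory; key bytes stand in for DER-encoded RSA public keys.
KEY_A = b"constructed-rsa-public-key-A"
KEY_B = b"constructed-rsa-public-key-B"

# (endpoint, public key, protocols offered, offers RSA key exchange)
INVENTORY = [
    ("www.example.test:443",  KEY_A, {"TLSv1.2"},                 True),
    ("mail.example.test:25",  KEY_A, {"SSLv2", "SSLv3", "TLSv1"}, True),
    ("imap.example.test:993", KEY_A, {"TLSv1.2"},                 False),
    ("shop.example.test:443", KEY_B, {"TLSv1", "TLSv1.2"},        True),
]

def key_fingerprint(pubkey_der: bytes) -> str:
    """SHA-256 over the public key bytes, used to group endpoints by key."""
    return hashlib.sha256(pubkey_der).hexdigest()

def drown_exposure(inventory):
    """Map each exposed endpoint to the SSLv2 endpoints that share its key.

    An endpoint is exposed when it offers RSA key exchange and its key is
    also served by at least one SSLv2-enabled endpoint, even if the endpoint
    itself has SSLv2 turned off.
    """
    by_key = defaultdict(list)
    for endpoint, key, protocols, rsa_kex in inventory:
        by_key[key_fingerprint(key)].append((endpoint, protocols, rsa_kex))

    exposed = {}
    for group in by_key.values():
        sslv2_hosts = sorted(ep for ep, protos, _ in group if "SSLv2" in protos)
        if not sslv2_hosts:
            continue  # nobody serves this key over SSLv2
        for endpoint, _, rsa_kex in group:
            if rsa_kex:
                exposed[endpoint] = sslv2_hosts
    return exposed

if __name__ == "__main__":
    for endpoint, via in sorted(drown_exposure(INVENTORY).items()):
        print(f"{endpoint}: key also served over SSLv2 by {', '.join(via)}")
```

Here www.example.test:443 is flagged although it only offers TLSv1.2, because mail.example.test:25 serves the same key over SSLv2.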

3. How the SSLv2 vulnerability is used to crack TLS

The SSLv2 vulnerability relies on a Bleichenbacher RSA padding oracle attack to obtain the private key. When the decrypted data is found to have padding that does not meet the specification, the decryption library throws an exception, and this gives the attacker a hint (an oracle). The attacker can use this hint to keep sending ciphertexts, correcting them each time, and eventually crack the TLS connection.

4. The cost of breaking TLS

From a technical standpoint, DROWN is a new form of cross-protocol padding oracle attack, which enables an attacker to crack a TLS connection by making specially crafted connections to an SSLv2 server that uses the same private key.

The attacker begins by observing approximately several hundred connections between a client and the server, and will eventually decrypt one of them. Gathering these connections requires monitoring traffic for a long time, or using DNS hijacking to induce the connection requests. The connections can use any version of SSL or TLS, provided that they use the RSA key exchange method, i.e. use the same key. The attacker then connects repeatedly to the SSLv2 server with carefully designed handshake packets, modifying them continually, to crack the TLS connection.

Each server response to a probe is used to determine whether the modified ciphertext has the correct format, and finally it is decrypted into plaintext. Because the attacker does not know the server's key, he does not know what the plaintext is, but the server's responses eventually give the attacker enough information to crack the key. There are two cases that lead to leakage of the private key. In the first, the attacker sends a probe containing a ciphertext of only size 40, encrypted with the RSA algorithm, and compares the server's responses to determine whether it is in the correct format. This needs roughly 2^40 attempts to compute, which is a relatively large amount of computation, but a GPU can be used for it. Overall, with about 4 million probe connections and 2^50 computation, one in 900 TLS connections can be successfully decrypted; running the whole attack on Amazon cloud servers costs 440 US dollars.

The other case is a bug in OpenSSL, where the cost is particularly low, because the attacker can learn quickly from carefully designed probe messages whether the format is correct and thus does not need much computation. In this case, the attacker needs a total of 1 million 7 thousand probe connections to obtain one correct connection out of 260 TLS requests, which takes less than a minute on a single computer.

As can be seen, the hazard of the Drown Attack is still very large. This is relative, of course, since some conditions must be satisfied for it to succeed, but application providers should still apply the patch as soon as possible: upgrade OpenSSL, turn off SSLv2, and do not use the RSA key exchange method, to eliminate every possible compromise.

5. What the attacker gets after compromising TLS

Because TLS encrypts the communication between the user and the server, once TLS is compromised all communication becomes plaintext. Usernames, passwords, credit card numbers, e-mail, SMS messages and sensitive documents can be seen directly. The attacker can also use something like DNS hijacking in this attack to pose as a secure website and use JavaScript to control user behavior, and so on.

6. Some doubts answered

– What does DROWN stand for? It stands for "Decrypting RSA with Obsolete and Weakened eNcryption".

– Can a DROWN attacker steal the server key? No, the attacker can only decrypt one connection at a time.

– Does the server need a new certificate after an attack? No. Because the attacker does not obtain the private key, it is not necessary to obtain a new certificate.

– Can this attack be detected? It is possible, for example by looking at IDS or server logs to see whether there is a large number of SSLv2 connections.

– After I disable SSLv2, do I still need to take other precautions? Yes, because if you use the RSA key exchange method, other SSLv2 servers may have the same key, so you need to check whether any keys are the same.

– How many popular sites are affected? Sites among the Alexa Top 10,000 were found to be vulnerable to DROWN attacks as of the disclosure on March 1, 2016.
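The log check mentioned in the detection answer above can be written as a sliding-window count of SSLv2 connections per client. This is an added example, not part of the original page; the log format, the sample lines, the 10-minute window and the threshold of 100 are all assumptions to adapt to the local IDS or server log.

```python
import collections
from datetime import datetime, timedelta

def build_sample_log():
    """Constructed lines, assumed format: '<ISO timestamp> <client ip> <protocol>'."""
    start = datetime(2016, 3, 2, 10, 0, 0)
    lines = []
    for i in range(300):  # one client opening an SSLv2 connection every second
        lines.append(f"{(start + timedelta(seconds=i)).isoformat()} 198.51.100.7 SSLv2")
    for i in range(3):    # a legacy client: a few SSLv2 connections, an hour apart
        lines.append(f"{(start + timedelta(hours=i)).isoformat()} 203.0.113.5 SSLv2")
    for i in range(50):   # ordinary TLS traffic, ignored by the detector
        lines.append(f"{(start + timedelta(seconds=7 * i)).isoformat()} 192.0.2.10 TLSv1.2")
    return sorted(lines)  # fixed-width ISO timestamps sort chronologically

def sslv2_bursts(lines, window=timedelta(minutes=10), threshold=100):
    """Return {client_ip: peak SSLv2 connections inside any one window}
    for clients whose peak reaches the threshold. Lines must be time-ordered."""
    recent = collections.defaultdict(collections.deque)  # ip -> timestamps in window
    peak = collections.Counter()
    for line in lines:
        stamp, ip, proto = line.split()
        if proto != "SSLv2":
            continue
        now = datetime.fromisoformat(stamp)
        queue = recent[ip]
        queue.append(now)
        while now - queue[0] > window:  # drop connections older than the window
            queue.popleft()
        peak[ip] = max(peak[ip], len(queue))
    return {ip: count for ip, count in peak.items() if count >= threshold}

if __name__ == "__main__":
    for ip, count in sslv2_bursts(build_sample_log()).items():
        print(f"{ip}: {count} SSLv2 connections within 10 minutes")
```

On the constructed log only 198.51.100.7 is reported; the legacy client never exceeds one SSLv2 connection per window.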



7. References

Drown Attack official website: