Credit: Nimrod Aviram, Sebastian Schinzel, Juraj Somorovsky, Nadia Heninger, Maik Dankel, Jens Steube, Luke Valenta, David Adrian, J. Alex Halderman, Viktor Dukhovni, Emilia Käsper, Shaanan Cohney, Susanne Engels, Christof Paar, and Yuval Shavitt
DROWN is the Mark Dowd Flash Exploit of crypto attacks. It is one of the all-time great papers not just in crypto exploitation, but in exploitation period.
Start here: almost everyone working in software security knows that if you encrypt a message and then don’t authenticate the resulting ciphertext, you’ve got problems. If you encrypt with a block cipher in CBC mode, which is how everyone encrypted until like 5 minutes ago, you have a problem with a name: a padding oracle.
Among all the viable crypto attacks you can pull off with a laptop to get a game-over server-side flaw, there are two that you can count on a strong pentester to actually know about: hash length extension and the CBC padding oracle.
What a lot of strong pentesters don’t know is that the padding oracle attack that breaks AES in CBC mode also breaks RSA. The attack is trickier, but not that much trickier, and when you pull it off you join a secret society of people who get to make dumb jokes based on the name “Bleichenbacher”. We have a Slack!
So, DROWN exploits the Bleichenbacher RSA padding oracle against TLS. Easy peasy, lemon squeezy, right?
Wrong. There is neither pease nor squeeze to be found anywhere in DROWN.
To start with: the Bleichenbacher oracle doesn’t work against SSL 3.0 or TLS. And SSL 3.0 or TLS is what everyone uses. But DROWN still works. Why?
Because people still have SSL 2.0 servers stood up on the Internet. They don’t use them. They’re not even aware that they’re there. But they are, and because people are lazy, they have the same certificates and keys installed as the TLS servers do. DROWN takes advantage of that: it’s a cross-protocol attack.
In the DROWN attack, attackers start a handshake with a TLS server, and then quickly shuttle the victim’s TLS messages to an SSL 2 server. SSL 2 is vulnerable to RSA padding oracles, and can be used as a cross-protocol oracle.
But wait: there’s more. SSL 2.0 is not the same protocol as TLS. It can’t do anything with TLS ciphertexts. But there’s an extension to the RSA padding oracle attack that takes advantage of RSA malleability. The same malleability that allows attackers to do the number-theoretic equivalent of flipping bits in a CBC ciphertext also allows attackers to tune their corrupted TLS RSA ciphertexts.
The DROWN attack takes advantage of an optimization Bardou used for fast padding oracle attacks against embedded hardware to adapt TLS messages to SSL 2.0, and then use SSL 2.0’s vulnerability to padding oracles to decrypt them.
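The RSA malleability the write-up compares to flipping bits in a CBC ciphertext, as an added toy example (not code from the DROWN paper or this write-up): a constructed, insecure textbook RSA key, a toy PKCS#1 v1.5 conformance check standing in for the server's padding check, and a demonstration that what a leaky server says about a blinded ciphertext is a statement about the original plaintext.

```python
# Added illustration, not the paper's code. The key below is constructed from
# two small primes and is NOT a real key; it only makes the arithmetic visible.
P, Q = 65521, 65537
N = P * Q                             # 4294049777, a 4-byte modulus
E = 17                                # public exponent (coprime with (P-1)(Q-1))
D = pow(E, -1, (P - 1) * (Q - 1))     # private exponent (Python 3.8+)
K = (N.bit_length() + 7) // 8         # modulus length in bytes (4)
B = 2 ** (8 * (K - 2))                # PKCS#1 v1.5: conforming blocks start 00 02

def encrypt(m: int) -> int:
    return pow(m, E, N)

def decrypt(c: int) -> int:
    return pow(c, D, N)

def blind(c: int, s: int) -> int:
    """RSA is multiplicative: (c * s^e) mod N decrypts to (m * s) mod N.
    Holding only c, a party can mint related ciphertexts without ever
    learning m; this is the number-theoretic analogue of a CBC bit flip."""
    return (c * pow(s, E, N)) % N

def pkcs1_conforming(m: int) -> bool:
    """Toy stand-in for the PKCS#1 v1.5 check: the decrypted block must lie
    in [2B, 3B), i.e. its first two bytes must be 00 02."""
    return 2 * B <= m < 3 * B

def leaky_oracle(c: int) -> bool:
    """Models a server whose observable behaviour reveals whether a ciphertext
    decrypted to a conforming block. This distinguishability is exactly what
    Bleichenbacher-style attacks need and what TLS implementations must hide
    (e.g. by substituting a random premaster secret on failure)."""
    return pkcs1_conforming(decrypt(c))

def blinded_answer_matches(m: int, s: int) -> bool:
    """The oracle's verdict on blind(c, s) equals whether (m * s) mod N is
    conforming: every answer is information about m, never about s alone."""
    c = encrypt(m)
    return leaky_oracle(blind(c, s)) == pkcs1_conforming((m * s) % N)
```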
It’s among the coolest attack papers I’ve ever read. Let’s pretend, just for this one Pwnies event, that it had better branding than Badlock.