
New Crypto-Cracking Tool To Target Databases

'Poet' takes advantage of commonly weak encryption-key deployment

Researchers last week introduced a new penetration-testing tool that makes it possible to capture poorly encrypted Web session data -- such as cookies and HTML parameters. Now they say they're looking into how similar attacks against Web applications can be used to advance attacks against Web-facing databases with sloppy encryption-key deployment.

Demonstrated this spring at Black Hat Europe and officially released last week, the Padding Oracle Exploit Tool (Poet) takes advantage of and automates a side-channel attack called a Padding Oracle Attack, which was introduced to the cryptographic community in 2002. The attack leverages a common pattern in deployed cryptography: a "padding oracle" that receives ciphertext, decrypts it, and tells the sender whether the padding is valid or invalid. It can be carried out when attackers are able to intercept padded messages encrypted in CBC mode and resubmit them, effectively gaining access to the encrypted information without the key.

"What happens in Web apps is that it is very common for the programmer to send something encrypted to the client/Web browser [and] not to share it with the client, just to store it for some time like cookies, [which] is a perfect scenario to implement what is called 'chosen cipher text attacks,' where the cipher text is modified and [sent] again to the Web application," says Juliano Rizzo, who together with Thai Duong developed Poet. "Poet should help to show that is not easy to implement cryptography correctly, [and] attacks that could look theoretical are very practical and dangerous."

Rizzo and Duong have shown that Poet can crack CAPTCHAs and decrypt view states in JavaServer Faces Web development frameworks.

Adam Muntner, a security consultant and researcher for Gotham Digital Science, says the attacks made possible by Poet are déjà vu all over again for the Web application security community.

"Meet the new 'sploit, same as the old 'sploit, to paraphrase The Who," Muntner says. "It's fascinating to see the same attack patterns rear their head, time and time again. The problem isn't so much any particular exploit, not to minimize the impact of this one. It's in software design, development, and testing practices."

From what he has seen so far of Poet, the attack tool takes advantage of two protocol implementation flaws within many Web applications.

"One is a cryptographic implementation flaw. The best crypto algorithm in the world is less useful than a TSA-approved lock if it's implemented poorly. Two, in Web application security, the client, typically an HTML browser, is not to be trusted," Muntner says. "If only one of the two flaws that this attack is dependent on had been caught, the attack would not be possible. In the security world, we refer to this principle as defense-in-depth."

Rizzo believes that Web application developers can best address the vulnerabilities to Padding Oracle Attacks by including more high-level encryption solutions, such as Keyczar, which has added integrity protection and authentication compared to basic cryptography solutions used by developers today.

"One problem is that they implement their own cryptography, using low-level cryptography algorithms, and that is hard to implement correctly. They should use more high-level solutions," Rizzo says.
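The two points above, that a decryption routine which reports padding failures separately becomes an oracle, and that the fix is an integrity-protected construction rather than raw CBC, can be shown side by side. The following is an added example written for this page; it is not Poet, Keyczar, or any code from Rizzo and Duong. It builds a constructed session cookie with Go's standard library (`crypto/aes`, `crypto/cipher`, `crypto/hmac`), decrypts it through a vulnerable path that passes the padding error straight back to the client, then through a hardened encrypt-then-MAC path that verifies an HMAC in constant time before decrypting and collapses every failure into one error. A probe flips a single bit at two ciphertext offsets and collects the distinct responses: the vulnerable server yields two, the hardened one yields one. The keys, IV and cookie contents are fixed, constructed values so the run is deterministic; production code would draw the key and IV from `crypto/rand`.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Two distinguishable errors are what turn a decryption routine into an oracle:
// a client that can tell "bad padding" from "bad session" learns about the plaintext.
var (
	ErrBadPadding = errors.New("invalid padding")
	ErrBadSession = errors.New("invalid session token")
	ErrGeneric    = errors.New("decryption failed") // the only error the hardened path emits
)

// Constructed demo keys and IV, fixed so the run is deterministic (real code: crypto/rand).
var (
	encKey = []byte("0123456789abcdef")         // 16-byte AES-128 key
	macKey = []byte("fedcba9876543210fedcba98") // separate key for the HMAC
	demoIV = []byte("constructed-iv!!")         // 16 bytes
)

func pkcs7Pad(b []byte, bs int) []byte {
	n := bs - len(b)%bs
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad validates PKCS#7 padding and strips it.
func pkcs7Unpad(b []byte, bs int) ([]byte, error) {
	if len(b) == 0 || len(b)%bs != 0 {
		return nil, ErrBadPadding
	}
	n := int(b[len(b)-1])
	if n == 0 || n > bs {
		return nil, ErrBadPadding
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, ErrBadPadding
		}
	}
	return b[:len(b)-n], nil
}

// cbcEncrypt returns IV || AES-CBC(pad(pt)); no integrity protection.
func cbcEncrypt(pt []byte) []byte {
	block, _ := aes.NewCipher(encKey)
	padded := pkcs7Pad(pt, block.BlockSize())
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, demoIV).CryptBlocks(ct, padded)
	return append(append([]byte{}, demoIV...), ct...)
}

// cbcDecrypt splits off the IV, decrypts, and validates the padding.
func cbcDecrypt(ct []byte) ([]byte, error) {
	block, _ := aes.NewCipher(encKey)
	bs := block.BlockSize()
	if len(ct) < 2*bs || len(ct)%bs != 0 {
		return nil, ErrBadPadding
	}
	pt := make([]byte, len(ct)-bs)
	cipher.NewCBCDecrypter(block, ct[:bs]).CryptBlocks(pt, ct[bs:])
	return pkcs7Unpad(pt, bs)
}

// parseSession stands in for the application logic that runs once decryption "succeeds".
func parseSession(pt []byte) ([]byte, error) {
	if !bytes.HasPrefix(pt, []byte("user=")) {
		return nil, ErrBadSession
	}
	return pt, nil
}

// VulnerableDecrypt: unauthenticated CBC, padding checked first, errors returned verbatim.
func VulnerableDecrypt(ct []byte) ([]byte, error) {
	pt, err := cbcDecrypt(ct)
	if err != nil {
		return nil, err // leaks ErrBadPadding versus ErrBadSession to the client
	}
	return parseSession(pt)
}

// HardenedSeal: encrypt-then-MAC; the HMAC-SHA256 tag covers IV and ciphertext.
func HardenedSeal(pt []byte) []byte {
	ct := cbcEncrypt(pt)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(ct)
	return mac.Sum(ct)
}

// HardenedOpen verifies the tag in constant time before touching the cipher and
// maps every failure, tag or padding or parse, to the same error.
func HardenedOpen(sealed []byte) ([]byte, error) {
	if len(sealed) < sha256.Size {
		return nil, ErrGeneric
	}
	ct, tag := sealed[:len(sealed)-sha256.Size], sealed[len(sealed)-sha256.Size:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(ct)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, ErrGeneric
	}
	pt, err := cbcDecrypt(ct)
	if err != nil {
		return nil, ErrGeneric
	}
	if pt, err = parseSession(pt); err != nil {
		return nil, ErrGeneric
	}
	return pt, nil
}

// ProbeResponses flips one bit at each given offset of a valid ciphertext and collects
// the distinct responses. A defender wants this set to contain exactly one element.
func ProbeResponses(open func([]byte) ([]byte, error), ct []byte, offsets []int) map[string]bool {
	seen := map[string]bool{}
	for _, off := range offsets {
		tampered := append([]byte{}, ct...)
		tampered[off] ^= 0x01
		if _, err := open(tampered); err != nil {
			seen[err.Error()] = true
		} else {
			seen["accepted"] = true
		}
	}
	return seen
}

func main() {
	cookie := []byte("user=alice;role=guest") // constructed session contents
	offsets := []int{0, 31}                   // byte 0 of the IV, last byte of the first cipher block
	fmt.Println("vulnerable:", ProbeResponses(VulnerableDecrypt, cbcEncrypt(cookie), offsets))
	fmt.Println("hardened:  ", ProbeResponses(HardenedOpen, HardenedSeal(cookie), offsets))
}
```

Flipping a bit in the IV only garbles the first plaintext block, so the padding still validates and the vulnerable server answers "invalid session token"; flipping the last byte of the first cipher block corrupts the padding byte of the last block and the same server answers "invalid padding". That difference is the oracle. The hardened path never reaches the padding check on tampered input because the tag fails first, and the single generic error gives the client nothing to distinguish. The same holds for the database scenario described later in the article: an oracle only exists where the application lets ciphertext it did not authenticate reach the decryptor.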

Rizzo and Duong hope Poet will be added to developer and penetration-testing toolkits to check up on application security.

"The tool can be used by developers and penetration testers to audit Web applications -- 'black-box' testing in the same way SQL injection and XSS are detected today," he says.

While Poet primarily highlights threats at the Web application layer, Rizzo also warns database security experts who use similar encryption keys across front-end systems and back-end databases.

"The Poet attack is interactive and databases are not exposed, or shouldn't be, as Web applications are," Rizzo says. "But what can happen is that if, for example, the same key is used to store secret information in a database and also used in some front-end [system] in the Web application connected to the database, the attacker gets access to the encrypted database data without the key. It would be possible to use a vulnerable Web application as an oracle to decrypt the data from the database."

In fact, Rizzo says that he and Duong are currently directing research on such exploits now that Poet is released.

"Now we are studying a framework where that could happen: The same keys are reused to store data in the database and to encrypt data sent to the Web client," he says. "You could get a decryption oracle in a Web app, and even if the Web app is not sending interesting data to you, if the same secret key is used somewhere else, you can use the vulnerability in the Web app to decrypt data that you get from somewhere else in the system."
