Scanner for Bleichenbacher Oracle in RSA PKCS #1 v1.5 - Metasploit
This page contains detailed information about how to use the auxiliary/scanner/ssl/bleichenbacher_oracle metasploit module. For a list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Scanner for Bleichenbacher Oracle in RSA PKCS #1 v1.5
Module: auxiliary/scanner/ssl/bleichenbacher_oracle
Source code: modules/auxiliary/scanner/ssl/bleichenbacher_oracle.py
Disclosure date: 2009-06-17
Last modification time: 2018-08-27 16:06:07 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): 443
List of CVEs: CVE-2012-5081, CVE-2016-6883, CVE-2017-6168, CVE-2017-12373, CVE-2017-13098, CVE-2017-13099, CVE-2017-17382, CVE-2017-17427, CVE-2017-17428, CVE-2017-1000385
This module is also known as ROBOT or Adaptive chosen-ciphertext attack.
Some TLS implementations handle errors when processing RSA key exchanges and encryption (PKCS #1 v1.5 messages) in a broken way that leads to an adaptive chosen-ciphertext attack. Attackers cannot recover a server's private key, but they can decrypt and sign messages with it. A strong oracle occurs when the TLS server does not strictly check message formatting and needs less than a million requests on average to decode a given ciphertext. A weak oracle server strictly checks message formatting and often requires many more requests to perform the attack. This module requires Python 3 with the gmpy2 and cryptography packages to be present.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
This module is a scanner module, and is capable of testing against multiple hosts.
msf > use auxiliary/scanner/ssl/bleichenbacher_oracle
msf auxiliary(bleichenbacher_oracle) > show options
... show and set options ...
msf auxiliary(bleichenbacher_oracle) > set RHOSTS ip-range
msf auxiliary(bleichenbacher_oracle) > exploit
Other examples of setting the RHOSTS option:
Example 1:
msf auxiliary(bleichenbacher_oracle) > set RHOSTS 192.168.1.3-192.168.1.200
Example 2:
msf auxiliary(bleichenbacher_oracle) > set RHOSTS 192.168.1.1/24
Example 3:
msf auxiliary(bleichenbacher_oracle) > set RHOSTS file:/tmp/ip_list.txt
Required Options
- RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
Knowledge Base
Some TLS implementations handle errors when processing RSA key exchanges and encryption (PKCS #1 v1.5 messages) in a broken way that leads to an adaptive chosen-ciphertext attack. Attackers cannot recover a server's private key, but they can decrypt and sign messages with it. A strong oracle occurs when the TLS server does not strictly check message formatting and needs less than a million requests on average to decode a given ciphertext. A weak oracle server strictly checks message formatting and often requires many more requests to perform the attack.
Vulnerable Application
- F5 BIG-IP 11.6.0-11.6.2 (fixed in 11.6.2 HF1), 12.0.0-12.1.2 HF1 (fixed in 12.1.2 HF2), or 13.0.0-13.0.0 HF2 (fixed in 13.0.0 HF3) (CVE 2017-6168)
- Citrix NetScaler Gateway 10.5 before build 67.13, 11.0 before build 71.22, 11.1 before build 56.19, and 12.0 before build 53.22 (CVE 2017-17382)
- Radware Alteon firmware 31.0.0.0-31.0.3.0 (CVE 2017-17427)
- Cisco ACE (CVE 2017-17428)
- Cisco ASA 5500 series (CVE 2017-12373)
- Bouncy Castle TLS < 1.0.3 configured to use the Java Cryptography Engine (CVE 2017-13098)
- Erlang < 20.1.7, < 19.3.6.4, < 18.3.4.7 (CVE 2017-1000385)
- WolfSSL < 3.12.2 (CVE 2017-13099)
- MatrixSSL 3.8.3 (CVE 2016-6883)
- Oracle Java <= 7u7, <= 6u35, <= 5u36, <= 1.4.2_38 (CVE 2012-5081)
- IBM Domino
- Palo Alto PAN-OS
(source: https://robotattack.org/#patches)
Extra requirements
This module requires a working Python 3 install with the cryptography and gmpy2 packages installed (e.g. via pip3 install cryptography gmpy2).
Verification Steps
Perhaps the easiest way to reproduce is to install an older version of Erlang on Linux (the stock erlang package on Ubuntu 17.10 and before is unpatched), and run the ssl_hello_world example from Cowboy (additionally requires git and make; be sure to use the 1.1.x branch for Erlang < 19).
msf4 > use auxiliary/scanner/ssl/robot
msf4 auxiliary(scanner/ssl/robot) > set RHOSTS 192.168.244.128
RHOSTS => 192.168.244.128
msf4 auxiliary(scanner/ssl/robot) > set RPORT 8443
RPORT => 8443
msf4 auxiliary(scanner/ssl/robot) > set VERBOSE true
VERBOSE => true
msf4 auxiliary(scanner/ssl/robot) > run
[*] Running for 192.168.244.128...
[*] 192.168.244.128:8443 - Scanning host for Bleichenbacher oracle
[*] 192.168.244.128:8443 - RSA N: 0xcdb5b51a3102cc751cfd6493a8b8801aa8c235c711e6c6954beca8cf648f461a68c9fd3fa81ad7e41634b739a0a33a138917c4e300a2543f7d09cf83ae9fc5338f6be04a59768708a2fa6b98e9affe0c24a23f79cda03a3ca367d4e7660e9da1c09b17d999b79296c65194f18c392471c9a051be048cbeea347abbb1a42d8af5
[*] 192.168.244.128:8443 - RSA e: 0x10001
[*] 192.168.244.128:8443 - Modulus size: 1024 bits, 128 bytes
[+] 192.168.244.128:8443 - Vulnerable: (strong) oracle found TLSv1.2 with standard message flow
[*] 192.168.244.128:8443 - Result of good request: TLS alert 10 of length 7
[*] 192.168.244.128:8443 - Result of bad request 1 (wrong first bytes): TLS alert 51 of length 7
[*] 192.168.244.128:8443 - Result of bad request 2 (wrong 0x00 position): TLS alert 10 of length 7
[*] 192.168.244.128:8443 - Result of bad request 3 (missing 0x00): TLS alert 51 of length 7
[*] 192.168.244.128:8443 - Result of bad request 4 (bad TLS version): TLS alert 10 of length 7
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf4 auxiliary(scanner/ssl/robot) >
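The description above separates strong from weak oracles by how strictly the server checks the PKCS #1 v1.5 formatting, and the scan output above shows what the scanner actually observes: one TLS alert per probe, with the alerts for the four malformed requests differing from each other. The following added example (my own code, not the module's or robot-detect's) models just that server-side step. RSA is left out and each simulated server is handed the decrypted 128-byte block directly; the probe bytes, the three server behaviours and the strong/weak classification rule are my reconstruction from the module output and the description, not lifted from its source. The hardened server shows the standard countermeasure (RFC 5246 section 7.4.7.1: substitute a random premaster secret on any padding failure and never signal it), which is what makes the five responses indistinguishable.

```python
"""Toy model of the padding oracle that auxiliary/scanner/ssl/bleichenbacher_oracle
looks for.  Added example, not the module's code: RSA is omitted and each simulated
server receives the decrypted block directly, so only the server's PKCS #1 v1.5
handling and the scanner's result classification are modelled.
Alert numbers are the TLS ones: 10 = unexpected_message, 51 = decrypt_error.
"""
import os

ALERT_UNEXPECTED_MESSAGE = 10
ALERT_DECRYPT_ERROR = 51
TLS12 = b"\x03\x03"
BLOCK_LEN = 128            # 1024-bit modulus, as in the scan output above
PMS_LEN = 48               # 2 version bytes + 46 random bytes


def pad_pms(pms, block_len=BLOCK_LEN):
    """PKCS #1 v1.5 type 2 encoding: 00 02 <non-zero padding> 00 <message>."""
    pad_len = block_len - 3 - len(pms)
    padding = bytes(b or 1 for b in os.urandom(pad_len))   # padding must not contain 0x00
    return b"\x00\x02" + padding + b"\x00" + pms


def make_probes(block_len=BLOCK_LEN):
    """Decrypted blocks behind the scanner's good request and its four bad requests
    (constructed here; the module's own probe bytes may differ in detail)."""
    pms = TLS12 + bytes(range(1, 47))            # constructed PMS, no zero bytes
    good = pad_pms(pms, block_len)
    sep = block_len - PMS_LEN - 1                # index of the 0x00 separator
    wrong_first = b"\x41\x17" + good[2:]                                   # bad request 1
    wrong_zero = good[:sep] + b"\x11" + TLS12 + b"\x00" + good[sep + 4:]   # bad request 2
    missing_zero = good[:sep] + b"\x11" + good[sep + 1:]                   # bad request 3
    bad_version = good[:sep + 1] + b"\x02\x02" + good[sep + 3:]            # bad request 4
    return [good, wrong_first, wrong_zero, missing_zero, bad_version]


def unpad_strict(block, version=TLS12):
    """Full PKCS #1 v1.5 / TLS check; returns the PMS or None."""
    sep = block.find(b"\x00", 2)
    if block[:2] != b"\x00\x02" or sep < 10:     # header, and at least 8 padding bytes
        return None
    pms = block[sep + 1:]
    if len(pms) != PMS_LEN or pms[:2] != version:
        return None
    return pms


def finish_handshake(pms):
    """Whatever PMS the server derived, the scanner never holds the real one,
    so its Finished message fails and the server answers with one fixed alert."""
    return ALERT_UNEXPECTED_MESSAGE


def lenient_server(block):
    """Vulnerable: checks only the header and the separator, and reports a
    padding failure with a different alert than a Finished failure."""
    sep = block.find(b"\x00", 2)
    if block[:2] != b"\x00\x02" or sep == -1:
        return ALERT_DECRYPT_ERROR
    return finish_handshake(block[sep + 1:])     # length and version never checked


def strict_leaky_server(block):
    """Checks everything but still signals the failure: a weak oracle."""
    pms = unpad_strict(block)
    if pms is None:
        return ALERT_DECRYPT_ERROR
    return finish_handshake(pms)


def hardened_server(block):
    """RFC 5246 7.4.7.1 countermeasure: on any padding failure substitute a random
    PMS and carry on, so a malformed block ends in the same alert as a good one.
    (Real implementations must also do this in constant time; this toy does not.)"""
    pms = unpad_strict(block)
    if pms is None:
        pms = TLS12 + os.urandom(46)
    return finish_handshake(pms)


def classify(results):
    """results = alerts for (good, bad1..bad4).  The rule is my reading of the
    module's output, not its source: identical answers mean no oracle, four
    identical 'bad' answers a weak one, anything else a strong one."""
    good, *bad = results
    if all(r == good for r in bad):
        return "not vulnerable"
    if len(set(bad)) == 1:
        return "weak oracle"
    return "strong oracle"


def scan(server):
    """Run the five probes against a simulated server and classify the answers."""
    return classify([server(block) for block in make_probes()])


if __name__ == "__main__":
    for server in (lenient_server, strict_leaky_server, hardened_server):
        answers = [server(block) for block in make_probes()]
        print("%-20s alerts %s -> %s" % (server.__name__, answers, classify(answers)))
```

Run against the lenient server the alerts come out as 10, 51, 10, 51, 10, the same pattern as the scan output above, and the classifier reports a strong oracle; the strict-but-leaky server answers 51 to every malformed block and is classified weak; the hardened server answers 10 five times and gives the scanner nothing to distinguish. When all five answers match, the real module retries with a different message flow before giving up, which is why its verdict line names the flow ("standard message flow" above).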
Options
The scanner takes the normal RHOSTS and RPORT options to specify the hosts to scan and the port on which to scan them. In addition, it takes two options for the TLS behaviour: cipher_group and timeout.
The cipher_group option:
Select the ciphers to use to negotiate: all TLS_RSA ciphers (all, the default), TLS_RSA_WITH_AES_128_CBC_SHA (cbc), or TLS-RSA-WITH-AES-128-GCM-SHA256 (gcm).
set cipher_group gcm
The timeout option:
Set the interval to wait before considering the TLS connection timed out. The default is 5 seconds.
set timeout 10
Msfconsole Usage
Here is how the scanner/ssl/bleichenbacher_oracle auxiliary module looks in the msfconsole:
msf6 > use auxiliary/scanner/ssl/bleichenbacher_oracle
msf6 auxiliary(scanner/ssl/bleichenbacher_oracle) > show info
Name: Scanner for Bleichenbacher Oracle in RSA PKCS #1 v1.5
Module: auxiliary/scanner/ssl/bleichenbacher_oracle
License: Metasploit Framework License (BSD)
Rank: Normal
Disclosed: 2009-06-17
Provided by:
Hanno Böck
Juraj Somorovsky
Craig Young
Daniel Bleichenbacher
Adam Cammack <adam_cammack[AT]rapid7.com>
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
THREADS 1 yes The number of concurrent threads (max one per host)
cipher_group all yes Use TLS_RSA ciphers with AES and 3DES ciphers, or only TLS_RSA_WITH_AES_128_CBC_SHA or TLS-RSA-WITH-AES-128-GCM-SHA256 (Accepted: all, cbc, gcm)
rport 443 yes The target port
timeout 5 yes The delay to wait for TLS responses
Description:
Some TLS implementations handle errors processing RSA key exchanges
and encryption (PKCS #1 v1.5 messages) in a broken way that leads an
adaptive chosen-chiphertext attack. Attackers cannot recover a
server's private key, but they can decrypt and sign messages with
it. A strong oracle occurs when the TLS server does not strictly
check message formatting and needs less than a million requests on
average to decode a given ciphertext. A weak oracle server strictly
checks message formatting and often requires many more requests to
perform the attack. This module requires Python 3 with the gmpy2 and
cryptography packages to be present.
References:
https://nvd.nist.gov/vuln/detail/CVE-2017-6168
https://nvd.nist.gov/vuln/detail/CVE-2017-17382
https://nvd.nist.gov/vuln/detail/CVE-2017-17427
https://nvd.nist.gov/vuln/detail/CVE-2017-17428
https://nvd.nist.gov/vuln/detail/CVE-2017-12373
https://nvd.nist.gov/vuln/detail/CVE-2017-13098
https://nvd.nist.gov/vuln/detail/CVE-2017-1000385
https://nvd.nist.gov/vuln/detail/CVE-2017-13099
https://nvd.nist.gov/vuln/detail/CVE-2016-6883
https://nvd.nist.gov/vuln/detail/CVE-2012-5081
https://robotattack.org
https://eprint.iacr.org/2017/1189
https://github.com/robotattackorg/robot-detect
Also known as:
ROBOT
Adaptive chosen-ciphertext attack
Module Options
This is a complete list of options available in the scanner/ssl/bleichenbacher_oracle auxiliary module:
msf6 auxiliary(scanner/ssl/bleichenbacher_oracle) > show options
Module options (auxiliary/scanner/ssl/bleichenbacher_oracle):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
THREADS 1 yes The number of concurrent threads (max one per host)
cipher_group all yes Use TLS_RSA ciphers with AES and 3DES ciphers, or only TLS_RSA_WITH_AES_128_CBC_SHA or TLS-RSA-WITH-AES-128-GCM-SHA256 (Accepted: all, cbc, gcm)
rport 443 yes The target port
timeout 5 yes The delay to wait for TLS responses
Advanced Options
Here is a complete list of advanced options supported by the scanner/ssl/bleichenbacher_oracle auxiliary module:
msf6 auxiliary(scanner/ssl/bleichenbacher_oracle) > show advanced
Module advanced options (auxiliary/scanner/ssl/bleichenbacher_oracle):
Name Current Setting Required Description
---- --------------- -------- -----------
ShowProgress true yes Display progress messages during a scan
ShowProgressPercent 10 yes The interval in percent that progress should be shown
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the scanner/ssl/bleichenbacher_oracle module can do:
msf6 auxiliary(scanner/ssl/bleichenbacher_oracle) > show actions
Auxiliary actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the scanner/ssl/bleichenbacher_oracle auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(scanner/ssl/bleichenbacher_oracle) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Error Messages
This module may fail with the following error messages:
Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.
ConnectionResetError
Here is a relevant code snippet related to the "ConnectionResetError" error message:
                    return ("TLS alert was truncated (%s)" % (repr(alert)))
                return ("TLS alert %i of length %i" % (alert[6], len(alert)))
            else:
                return "Received something other than an alert (%s)" % (alert[0:10])
        except ConnectionResetError as e:
            return "ConnectionResetError"
        except socket.timeout:
            return ("Timeout waiting for alert")
        s.close()
    except Exception as e:
        return str(e)
Module dependencies (gmpy2 and cryptography python libraries) missing, cannot continue
Here is a relevant code snippet related to the "Module dependencies (gmpy2 and cryptography python libraries) missing, cannot continue" error message:
        return str(e)


def run(args):
    if dependencies_missing:
        module.log("Module dependencies (gmpy2 and cryptography python libraries) missing, cannot continue", level='error')
        return

    target = (args['rhost'], int(args['rport']))
    timeout = float(args['timeout'])
    cipher_handshake = cipher_handshakes[args['cipher_group']]
{}:{} - Cannot establish SSL connection: {}
Here is a relevant code snippet related to the "{}:{} - Cannot establish SSL connection: {}" error message:
    module.log("{}:{} - Scanning host for Bleichenbacher oracle".format(*target), level='debug')

    N, e = get_rsa_from_server(target, timeout)

    if not N:
        module.log("{}:{} - Cannot establish SSL connection: {}".format(*target, e), level='error')
        return

    modulus_bits = int(math.ceil(math.log(N, 2)))
    modulus_bytes = (modulus_bits + 7) // 8
    module.log("{}:{} - RSA N: {}".format(*target, hex(N)), level='debug')
Related Pull Requests
- #10570 Merged Pull Request: AKA Metadata Refactor
- #9733 Merged Pull Request: Change External Module Type Names
- #9604 Merged Pull Request: Fix a couple of logged errors when running without Python 3.6 / gmpy2
- #9489 Merged Pull Request: Add scanner for the Bleichenbacker oracle (AKA: ROBOT)
References
- CVE-2017-6168
- CVE-2017-17382
- CVE-2017-17427
- CVE-2017-17428
- CVE-2017-12373
- CVE-2017-13098
- CVE-2017-1000385
- CVE-2017-13099
- CVE-2016-6883
- CVE-2012-5081
- https://robotattack.org
- https://eprint.iacr.org/2017/1189
- https://github.com/robotattackorg/robot-detect
See Also
Check also the following modules related to this module:
- auxiliary/scanner/ssl/openssl_ccs
- auxiliary/scanner/ssl/openssl_heartbleed
- auxiliary/scanner/ssl/ssl_version
- auxiliary/dos/ssl/dtls_changecipherspec
- auxiliary/dos/ssl/dtls_fragment_overflow
- auxiliary/dos/ssl/openssl_aesni
- exploit/windows/ssl/ms04_011_pct
- auxiliary/scanner/http/oracle_demantra_database_credentials_leak
- auxiliary/scanner/http/oracle_demantra_file_retrieval
- auxiliary/scanner/http/oracle_ilom_login
- auxiliary/scanner/oracle/emc_sid
- auxiliary/scanner/oracle/isqlplus_login
- auxiliary/scanner/oracle/isqlplus_sidbrute
- auxiliary/scanner/oracle/oracle_hashdump
- auxiliary/scanner/oracle/oracle_login
- auxiliary/scanner/oracle/sid_brute
- auxiliary/scanner/oracle/sid_enum
- auxiliary/scanner/oracle/spy_sid
- auxiliary/scanner/oracle/tnslsnr_version
- auxiliary/scanner/oracle/tnspoison_checker
- auxiliary/scanner/oracle/xdb_sid
- auxiliary/scanner/oracle/xdb_sid_brute
Related Nessus plugins:
- Oracle Java SE Multiple Vulnerabilities (October 2012 CPU)
- Mac OS X : Java for Mac OS X 10.6 Update 11
- Mac OS X : Java for OS X 2012-006
- CentOS 6 : java-1.7.0-openjdk (CESA-2012:1386) (ROBOT)
- RHEL 6 : java-1.7.0-openjdk (RHSA-2012:1386) (ROBOT)
- RHEL 6 : java-1.7.0-oracle (RHSA-2012:1391)
- RHEL 5 / 6 : java-1.6.0-sun (RHSA-2012:1392)
- Scientific Linux Security Update : java-1.7.0-openjdk on SL6.x i386/x86_64 (20121017) (ROBOT)
- Ubuntu 10.04 LTS / 11.04 / 11.10 / 12.04 LTS / 12.10 : openjdk-6, openjdk-7 vulnerabilities (USN-1619-1) (ROBOT)
- Scientific Linux Security Update : java-1.6.0-sun on SL5.x i386/x86_64 (20121018) (ROBOT)
Authors
- Hanno Böck
- Juraj Somorovsky
- Craig Young
- Daniel Bleichenbacher
- Adam Cammack <adam_cammack[AT]rapid7.com>
Version
This page has been produced using Metasploit Framework version 6.2.29-dev. For more modules, visit the Metasploit Module Library.