Scanner for Bleichenbacher Oracle in RSA PKCS #1 v1.5 - Metasploit


This page contains detailed information about how to use the auxiliary/scanner/ssl/bleichenbacher_oracle Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.

Module Overview


Name: Scanner for Bleichenbacher Oracle in RSA PKCS #1 v1.5
Module: auxiliary/scanner/ssl/bleichenbacher_oracle
Source code: modules/auxiliary/scanner/ssl/bleichenbacher_oracle.py
Disclosure date: 2009-06-17
Last modification time: 2018-08-27 16:06:07 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): 443
List of CVEs: CVE-2012-5081, CVE-2016-6883, CVE-2017-6168, CVE-2017-12373, CVE-2017-13098, CVE-2017-13099, CVE-2017-17382, CVE-2017-17427, CVE-2017-17428, CVE-2017-1000385

This module is also known as ROBOT or Adaptive chosen-ciphertext attack.

Some TLS implementations handle errors when processing RSA key exchanges and encryption (PKCS #1 v1.5 messages) in a broken way that leads to an adaptive chosen-ciphertext attack. Attackers cannot recover a server's private key, but they can decrypt and sign messages with it. A strong oracle occurs when the TLS server does not strictly check message formatting; it needs fewer than a million requests on average to decrypt a given ciphertext. A weak oracle server strictly checks message formatting and often requires many more requests to perform the attack. This module requires Python 3 with the gmpy2 and cryptography packages to be present.

Module Ranking and Traits


Module Ranking:

  • normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.

Basic Usage


This module is a scanner module, and is capable of testing against multiple hosts.

msf > use auxiliary/scanner/ssl/bleichenbacher_oracle
msf auxiliary(bleichenbacher_oracle) > show options
    ... show and set options ...
msf auxiliary(bleichenbacher_oracle) > set RHOSTS ip-range
msf auxiliary(bleichenbacher_oracle) > exploit

Other examples of setting the RHOSTS option:

Example 1:

msf auxiliary(bleichenbacher_oracle) > set RHOSTS 192.168.1.3-192.168.1.200 

Example 2:

msf auxiliary(bleichenbacher_oracle) > set RHOSTS 192.168.1.1/24

Example 3:

msf auxiliary(bleichenbacher_oracle) > set RHOSTS file:/tmp/ip_list.txt

Required Options


  • RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'

Knowledge Base


Some TLS implementations handle errors when processing RSA key exchanges and encryption (PKCS #1 v1.5 messages) in a broken way that leads to an adaptive chosen-ciphertext attack. Attackers cannot recover a server's private key, but they can decrypt and sign messages with it. A strong oracle occurs when the TLS server does not strictly check message formatting; it needs fewer than a million requests on average to decrypt a given ciphertext. A weak oracle server strictly checks message formatting and often requires many more requests to perform the attack.

Vulnerable Application


  • F5 BIG-IP 11.6.0-11.6.2 (fixed in 11.6.2 HF1), 12.0.0-12.1.2 HF1 (fixed in 12.1.2 HF2), or 13.0.0-13.0.0 HF2 (fixed in 13.0.0 HF3) (CVE 2017-6168)
  • Citrix NetScaler Gateway 10.5 before build 67.13, 11.0 before build 71.22, 11.1 before build 56.19, and 12.0 before build 53.22 (CVE 2017-17382)
  • Radware Alteon firmware 31.0.0.0-31.0.3.0 (CVE 2017-17427)
  • Cisco ACE (CVE 2017-17428)
  • Cisco ASA 5500 series (CVE 2017-12373)
  • Bouncy Castle TLS < 1.0.3 configured to use the Java Cryptography Engine (CVE 2017-13098)
  • Erlang < 20.1.7, < 19.3.6.4, < 18.3.4.7 (CVE 2017-1000385)
  • WolfSSL < 3.12.2 (CVE 2017-13099)
  • MatrixSSL 3.8.3 (CVE 2016-6883)
  • Oracle Java <= 7u7, <= 6u35, <= 5u36, <= 1.4.2_38 (CVE 2012-5081)
  • IBM Domino
  • Palo Alto PAN-OS

(source: https://robotattack.org/#patches)

Extra requirements


This module requires a working Python 3 install with the cryptography and gmpy2 packages installed (e.g. via pip3 install cryptography gmpy2).

Verification Steps


Perhaps the easiest way to reproduce is to install an older version of Erlang on Linux (the stock erlang package on Ubuntu 17.10 and earlier is unpatched) and run the ssl_hello_world example from Cowboy (this additionally requires git and make; be sure to use the 1.1.x branch for Erlang < 19).

msf4 > use auxiliary/scanner/ssl/robot 
msf4 auxiliary(scanner/ssl/robot) > set RHOSTS 192.168.244.128
RHOSTS => 192.168.244.128
msf4 auxiliary(scanner/ssl/robot) > set RPORT 8443
RPORT => 8443
msf4 auxiliary(scanner/ssl/robot) > set VERBOSE true
VERBOSE => true
msf4 auxiliary(scanner/ssl/robot) > run

[*] Running for 192.168.244.128...
[*] 192.168.244.128:8443 - Scanning host for Bleichenbacher oracle
[*] 192.168.244.128:8443 - RSA N: 0xcdb5b51a3102cc751cfd6493a8b8801aa8c235c711e6c6954beca8cf648f461a68c9fd3fa81ad7e41634b739a0a33a138917c4e300a2543f7d09cf83ae9fc5338f6be04a59768708a2fa6b98e9affe0c24a23f79cda03a3ca367d4e7660e9da1c09b17d999b79296c65194f18c392471c9a051be048cbeea347abbb1a42d8af5
[*] 192.168.244.128:8443 - RSA e: 0x10001
[*] 192.168.244.128:8443 - Modulus size: 1024 bits, 128 bytes
[+] 192.168.244.128:8443 - Vulnerable: (strong) oracle found TLSv1.2 with standard message flow
[*] 192.168.244.128:8443 - Result of good request:                        TLS alert 10 of length 7
[*] 192.168.244.128:8443 - Result of bad request 1 (wrong first bytes):   TLS alert 51 of length 7
[*] 192.168.244.128:8443 - Result of bad request 2 (wrong 0x00 position): TLS alert 10 of length 7
[*] 192.168.244.128:8443 - Result of bad request 3 (missing 0x00):        TLS alert 51 of length 7
[*] 192.168.244.128:8443 - Result of bad request 4 (bad TLS version):     TLS alert 10 of length 7
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf4 auxiliary(scanner/ssl/robot) > 
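The scan above separates a good request from four malformed ones and reports an oracle because the server's answers differ. The following added example (not the module's code, and not the TLS stack of any product listed on this page) models that in plain Python: a leaky PKCS #1 v1.5 premaster-secret decoder that reports each malformation separately, next to a hardened one that substitutes a random premaster secret on any failure so all five probes look alike. The key size, padding bytes and result strings are constructed for the demonstration.

```python
import os

PMS_LEN = 48          # TLS premaster secret length
TLS12 = b"\x03\x03"   # client_version carried in the premaster secret
MOD_BYTES = 128       # constructed: the 1024-bit key size from the scan above

def leaky_unpad(block, version=TLS12):
    """Vulnerable: each check fails with its own observable result, which is
    exactly what the scanner's four bad requests are built to tell apart."""
    if block[:2] != b"\x00\x02":
        return "error: wrong first bytes", None
    sep = block.find(b"\x00", 2)
    if sep < 0:
        return "error: missing 0x00", None
    pms = block[sep + 1:]
    if len(pms) != PMS_LEN:
        return "error: wrong 0x00 position", None
    if pms[:2] != version:
        return "error: bad TLS version", None
    return "finished", pms

def hardened_unpad(block, version=TLS12):
    """Hardened (RFC 5246 7.4.7.1 strategy): run every check and substitute a random
    premaster secret on failure, so every malformed block fails later, at Finished."""
    sep = block.find(b"\x00", 2)
    pms = block[sep + 1:] if sep >= 0 else b""
    ok = block[:2] == b"\x00\x02"
    ok &= sep >= 10                 # at least 8 non-zero padding bytes
    ok &= len(pms) == PMS_LEN
    ok &= pms[:2] == version
    if not ok:
        pms = version + os.urandom(PMS_LEN - 2)
    return "finished", pms

def probe_blocks():
    """Plaintexts matching the scanner's good request and bad requests 1-4
    (constructed here; the real scanner sends them RSA-encrypted)."""
    pad = b"\x01" * (MOD_BYTES - 3 - PMS_LEN)
    good = b"\x00\x02" + pad + b"\x00" + TLS12 + b"\x11" * (PMS_LEN - 2)
    at = MOD_BYTES - PMS_LEN        # offset of the premaster secret
    return {
        "good": good,
        "wrong first bytes": b"\x41\x17" + good[2:],
        "wrong 0x00 position": b"\x00\x02" + b"\x01" * 8 + b"\x00" + b"\x01" * (MOD_BYTES - 11),
        "missing 0x00": b"\x00\x02" + b"\x01" * (MOD_BYTES - 2),
        "bad TLS version": good[:at] + b"\x03\x01" + good[at + 2:],
    }

def is_oracle(unpad):
    """True when the probes produce more than one distinguishable result."""
    return len({unpad(b)[0] for b in probe_blocks().values()}) > 1
```

`is_oracle(leaky_unpad)` is True and `is_oracle(hardened_unpad)` is False; a real server also has to keep timing and alert type identical across all four cases, which this model does not measure.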

Options


The scanner takes the normal RHOSTS and RPORT options to specify the hosts to scan and the port on which to scan them. In addition, it takes two options that control the TLS behaviour: cipher_group and timeout.

The cipher_group option:

Select the ciphers to use to negotiate: all TLS_RSA ciphers (all, the default), TLS_RSA_WITH_AES_128_CBC_SHA (cbc), or TLS-RSA-WITH-AES-128-GCM-SHA256 (gcm).

set cipher_group gcm

The timeout option:

Set the interval to wait before considering the TLS connection timed out. The default is 5 seconds.

set timeout 10


Msfconsole Usage


Here is how the scanner/ssl/bleichenbacher_oracle auxiliary module looks in the msfconsole:

msf6 > use auxiliary/scanner/ssl/bleichenbacher_oracle

msf6 auxiliary(scanner/ssl/bleichenbacher_oracle) > show info

       Name: Scanner for Bleichenbacher Oracle in RSA PKCS #1 v1.5
     Module: auxiliary/scanner/ssl/bleichenbacher_oracle
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2009-06-17

Provided by:
  Hanno Böck
  Juraj Somorovsky
  Craig Young
  Daniel Bleichenbacher
  Adam Cammack <adam_cammack[AT]rapid7.com>

Check supported:
  No

Basic options:
  Name          Current Setting  Required  Description
  ----          ---------------  --------  -----------
  RHOSTS                         yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  THREADS       1                yes       The number of concurrent threads (max one per host)
  cipher_group  all              yes       Use TLS_RSA ciphers with AES and 3DES ciphers, or only TLS_RSA_WITH_AES_128_CBC_SHA or TLS-RSA-WITH-AES-128-GCM-SHA256 (Accepted: all, cbc, gcm)
  rport         443              yes       The target port
  timeout       5                yes       The delay to wait for TLS responses

Description:
  Some TLS implementations handle errors processing RSA key exchanges 
  and encryption (PKCS #1 v1.5 messages) in a broken way that leads an 
  adaptive chosen-chiphertext attack. Attackers cannot recover a 
  server's private key, but they can decrypt and sign messages with 
  it. A strong oracle occurs when the TLS server does not strictly 
  check message formatting and needs less than a million requests on 
  average to decode a given ciphertext. A weak oracle server strictly 
  checks message formatting and often requires many more requests to 
  perform the attack. This module requires Python 3 with the gmpy2 and 
  cryptography packages to be present.

References:
  https://nvd.nist.gov/vuln/detail/CVE-2017-6168
  https://nvd.nist.gov/vuln/detail/CVE-2017-17382
  https://nvd.nist.gov/vuln/detail/CVE-2017-17427
  https://nvd.nist.gov/vuln/detail/CVE-2017-17428
  https://nvd.nist.gov/vuln/detail/CVE-2017-12373
  https://nvd.nist.gov/vuln/detail/CVE-2017-13098
  https://nvd.nist.gov/vuln/detail/CVE-2017-1000385
  https://nvd.nist.gov/vuln/detail/CVE-2017-13099
  https://nvd.nist.gov/vuln/detail/CVE-2016-6883
  https://nvd.nist.gov/vuln/detail/CVE-2012-5081
  https://robotattack.org
  https://eprint.iacr.org/2017/1189
  https://github.com/robotattackorg/robot-detect

Also known as:
  ROBOT
  Adaptive chosen-ciphertext attack

Module Options


This is a complete list of options available in the scanner/ssl/bleichenbacher_oracle auxiliary module:

msf6 auxiliary(scanner/ssl/bleichenbacher_oracle) > show options

Module options (auxiliary/scanner/ssl/bleichenbacher_oracle):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   RHOSTS                         yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   THREADS       1                yes       The number of concurrent threads (max one per host)
   cipher_group  all              yes       Use TLS_RSA ciphers with AES and 3DES ciphers, or only TLS_RSA_WITH_AES_128_CBC_SHA or TLS-RSA-WITH-AES-128-GCM-SHA256 (Accepted: all, cbc, gcm)
   rport         443              yes       The target port
   timeout       5                yes       The delay to wait for TLS responses

Advanced Options


Here is a complete list of advanced options supported by the scanner/ssl/bleichenbacher_oracle auxiliary module:

msf6 auxiliary(scanner/ssl/bleichenbacher_oracle) > show advanced

Module advanced options (auxiliary/scanner/ssl/bleichenbacher_oracle):

   Name                 Current Setting  Required  Description
   ----                 ---------------  --------  -----------
   ShowProgress         true             yes       Display progress messages during a scan
   ShowProgressPercent  10               yes       The interval in percent that progress should be shown
   VERBOSE              false            no        Enable detailed status messages
   WORKSPACE                             no        Specify the workspace for this module

Auxiliary Actions


This is a list of all auxiliary actions that the scanner/ssl/bleichenbacher_oracle module can do:

msf6 auxiliary(scanner/ssl/bleichenbacher_oracle) > show actions

Auxiliary actions:

   Name  Description
   ----  -----------

Evasion Options


Here is the full list of possible evasion options supported by the scanner/ssl/bleichenbacher_oracle auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 auxiliary(scanner/ssl/bleichenbacher_oracle) > show evasion

Module evasion options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Error Messages


This module may fail with the following error messages:

Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.

ConnectionResetError


Here is a relevant code snippet related to the "ConnectionResetError" error message:

                    return ("TLS alert was truncated (%s)" % (repr(alert)))
                return ("TLS alert %i of length %i" % (alert[6], len(alert)))
            else:
                return "Received something other than an alert (%s)" % (alert[0:10])
        except ConnectionResetError as e:
            return "ConnectionResetError"
        except socket.timeout:
            return ("Timeout waiting for alert")
        s.close()
    except Exception as e:
        return str(e)

Module dependencies (gmpy2 and cryptography python libraries) missing, cannot continue


Here is a relevant code snippet related to the "Module dependencies (gmpy2 and cryptography python libraries) missing, cannot continue" error message:

        return str(e)


def run(args):
    if dependencies_missing:
        module.log("Module dependencies (gmpy2 and cryptography python libraries) missing, cannot continue", level='error')
        return

    target = (args['rhost'], int(args['rport']))
    timeout = float(args['timeout'])
    cipher_handshake = cipher_handshakes[args['cipher_group']]

{}:{} - Cannot establish SSL connection: {}


Here is a relevant code snippet related to the "{}:{} - Cannot establish SSL connection: {}" error message:

    module.log("{}:{} - Scanning host for Bleichenbacher oracle".format(*target), level='debug')

    N, e = get_rsa_from_server(target, timeout)

    if not N:
        module.log("{}:{} - Cannot establish SSL connection: {}".format(*target, e), level='error')
        return

    modulus_bits = int(math.ceil(math.log(N, 2)))
    modulus_bytes = (modulus_bits + 7) // 8
    module.log("{}:{} - RSA N: {}".format(*target, hex(N)), level='debug')


Authors


  • Hanno Böck
  • Juraj Somorovsky
  • Craig Young
  • Daniel Bleichenbacher
  • Adam Cammack <adam_cammack[AT]rapid7.com>

Version


This page has been produced using Metasploit Framework version 6.2.29-dev. For more modules, visit the Metasploit Module Library.
