Analyzing and Mitigating Cracks ALPACA: Application Layer Protocol Confusion in TLS Authentication
30th USENIX Security Symposium 2021 Marcus Brinkmann,1 Christian Dresen,2 Robert Merget,1 Damian Poddebniak,2 Jens Müller,1 Juraj Somorovsky,3 Jörg Schwenk,1 Sebastian Schinzel2 1 Ruhr University Bochum 2 Münster University of Applied Sciences 3 Paderborn University 1 TLS Authentication
FTP
bank.com www.bank.com
TLS
TLS HTTP
TLS bank.com www.bank.com
IMAP POP3
*.bank.com SMTP
2 TLS-Based Cross-Protocol Attacks
S
Server S
Client T
Server T
3 History and Potential of Cross-Protocol Attacks
Substitute Protocol
HTTP (w/o TLS)
Jochen Topf (2001), The HTML Form Protocol Attack With
TLS
HTTPS (w/ TLS) * HTTP SMTP IMAP POP3 FTP ... Jann Horn (2015), Two cross-protocol MitM attacks on browsers HTTP - This work. * SMTP - Mostly unexplored IMAP - attack surface POP3 -
Intended Protocol FTP Mostly - unexplored ... attack surface -
4 Reflection Attack on HTTPS Exploiting FTP (Jann Horn, 2015)
Origin: Cross-Origin HTTPS Request MitM attacker.com www.bank.com:443 POST / Host: www.bank.com HTTP HELP *.bank.com
Origin: ftp.bank.com:990 www.bank.com Cross-Protocol FTP Response
Unknown command: FTP reflect() *.bank.com
5 Download Attack on HTTPS Exploiting FTP (Jann Horn, 2015)
Origin: Cross-Origin HTTPS Request MitM attacker.com www.bank.com:443 POST / Host: www.bank.com HTTP PASV RETR stored.html *.bank.com
window.location = “https://www.bank.com” ftp.bank.com:990
FTP
Origin: *.bank.com www.bank.com Cross-Protocol FTP Response
HTTP/1.1 200 OK stored.html Data Port stored() HTTP/1.1 200 OK
6 Upload Attack on HTTPS Exploiting FTP
Origin: Cross-Origin HTTPS Request MitM attacker.com www.bank.com:443 POST / Host: www.bank.com Cookie: secret HTTP
USER mrcat PASS 1234 *.bank.com PASV STOR cookie.txt ftp.bank.com:990
window.location = “https://www.bank.com” FTP
*.bank.com
cookie.txt Data Port
GET / Host: www.bank.com Cookie: secret
7 Attack Methods and Protocols
Application Protocol
FTP SMTP IMAP POP3
Upload
Download
Reflection Attack Method
Some attacks are also possible in a pure web attacker model (no MitM). See Sec. 8 for details.
8 Research Questions
Are cross-protocol attacks still How many servers are affected How can cross-protocol possible today? by cross-protocol attacks? attacks be prevented?
9 Evaluation of Browsers and Application Servers
Not tolerant to protocol noise. Tolerant to protocol noise. 9/18
● FTP Upload Attack ● All attack methods. ● FTP Download Attack
13 out of 24 application servers can be exploited for at least one HTTPS cross-protocol attack method with at least one browser.
4/6 4/6 All evaluations, exploits, and proof-of-concept code are in the artifacts to our paper. 10 Internet-Wide Scan for Vulnerable Web Servers
FTP SMTP POP3 IMAP
Total number of application servers with TLS support (IPv4).
11 Internet-Wide Scan for Vulnerable Web Servers
FTP POP3
Total number of application servers with valid certificates.
12 Internet-Wide Scan for Vulnerable Web Servers
FTP POP3 ftp.bank.com email.bank.com *.bank.com pop.bank.com
Unique hostnames in the Common Name (CN) and Subject Alternative Name (SAN) fields of all valid certificates.
13 Internet-Wide Scan for Vulnerable Web Servers
FTP POP3 ftp.bank.com email.bank.com *.bank.com pop.bank.com
HTTP
www.bank.com
Total number of web servers on port 443 among unique names (*=www). 1.4M web servers are vulnerable to a general TLS cross-protocol attack with at least one application server (SMTP, IMAP, POP3, or FTP).
14 Vulnerable Web Servers with Exploitable Application Servers
For the 1.4M web servers, we tried to identify the application servers with a banner scan to FTP see they are exploitable based on our lab eval. ftp.bank.com *.bank.com 114,197 web servers can be attacked with at least one exploitable application server.
HTTP
www.bank.com
15 Application Layer Countermeasures
Detect Protocols Limit Syntax Errors Avoid Reflection
◂ 220 smtp.bank.com ESMTP ◂ 220 smtp.bank.com ESMTP ◂ 220 smtp.bank.com ESMTP Postfix Exim sendmail ▸ GET / ▸ GET / ▸ ◂ ◂ 221 2.7.0 Error: I can ◂ 500 unrecognized command 500 5.5.1 Command unrecognized: break rules, too. Goodbye. ▸ Host: bank.com ◂ “” Connection closed by 500 unrecognized command ▸ foreign host. Connection: keep-alive ◂ 500 unrecognized command ▸ Cache-Control: max-age=0 ◂ 500 Too many unrecognized commands Connection closed by foreign host.
16 Certificate-Based Countermeasures
No Wildcard Certificates No Multi-Domain Certificates No Shared Hostnames
*.bank.com www.bank.com bank.com:443 ftp.bank.com bank.com:21
17 TLS-Based Countermeasures: Application Layer Protocol Negotiation (ALPN)
Server implements strict ALPN: ALPN http/1.1 ● It can not be exploited for cross-protocol h2 attacks on clients with ALPN (e.g. browsers). HTTP ALPN ● It can still accept connections by clients h2 without ALPN (legacy compatibility).
Client and server implement strict ALPN:
FTP ● All known and unknown cross-protocol attacks ALPN on this connection are prevented.
18 TLS-Based Countermeasures: Server Name Indication (SNI)
Server implements strict SNI:
● Cross-hostname attacks are prevented. SNI www.bank.com HTTP Useful, because servers for different protocols are often SNI located on different hostnames: www.bank.com www.bank.com vs. ftp.bank.com
Also mitigates some same-protocol host confusion attacks, see Delignat-Lavaud et al. (2015), Zhang et al. (2020). FTP SNI
ftp.bank.com
19 Conclusions
Implementations of TLS authentication should be extended to prevent cross-protocol attacks.
Deployment of ALPN and SNI countermeasures requires a long-term community effort. Thank you for listening! Any questions? Measurements of the TLS landscape should include ALPN and SNI implementations.
Same-protocol, same-host, cross-port attacks can not be prevented with TLS at the current time.
Future research topics:
● Find more examples for cross-protocol attacks. ● Find similar attacks for other security layers, such alpaca-attack.com as DTLS, IPsec. lambdafu [email protected]
20