
ALPACA: Application Layer Protocol Confusion
Analyzing and Mitigating Cracks in TLS Authentication

30th USENIX Security Symposium, 2021

Marcus Brinkmann (1), Christian Dresen (2), Robert Merget (1), Damian Poddebniak (2), Jens Müller (1), Juraj Somorovsky (3), Jörg Schwenk (1), Sebastian Schinzel (2)
(1) Ruhr University Bochum, (2) Münster University of Applied Sciences, (3) Paderborn University

Slide 1: TLS Authentication
[Figure: TLS-protected services of bank.com. Labels: FTP, HTTP, IMAP, POP3, SMTP, TLS; hostnames bank.com, www.bank.com and the wildcard name *.bank.com.]

Slide 2: TLS-Based Cross-Protocol Attacks
[Figure: a Client, an intended Server S and a substitute Server T.]

Slide 3: History and Potential of Cross-Protocol Attacks
Intended protocol vs. substitute protocol (HTTP, SMTP, IMAP, POP3, FTP, ...):
● Intended HTTP (without TLS): Jochen Topf (2001), The HTML Form Protocol Attack.
● Intended HTTPS (with TLS), substitute FTP: Jann Horn (2015), Two cross-protocol MitM attacks on browsers.
● Intended HTTPS (with TLS), substitutes SMTP, IMAP, POP3, FTP: this work.
● Intended SMTP, IMAP, POP3, FTP, ...: mostly unexplored attack surface.

Slide 4: Reflection Attack on HTTPS Exploiting FTP (Jann Horn, 2015)
● A page on origin attacker.com issues a cross-origin HTTPS request to www.bank.com:443:
  POST /
  Host: www.bank.com

  HELP <script>reflect()</script>
● A MitM forwards the TLS connection to ftp.bank.com:990 instead. The FTP server presents a *.bank.com certificate, which the browser accepts for www.bank.com.
● Cross-protocol FTP response: Unknown command: <script>reflect()</script>
● The browser interprets the response in the origin www.bank.com, so reflect() runs there.

Slide 5: Download Attack on HTTPS Exploiting FTP (Jann Horn, 2015)
● Cross-origin HTTPS request from attacker.com to www.bank.com:443:
  POST /
  Host: www.bank.com

  PASV
  RETR stored.html
● MitM forwards the connection to ftp.bank.com:990 (certificate *.bank.com).
● stored.html, previously placed on the FTP server, contains a fake HTTP response: HTTP/1.1 200 OK followed by <script>stored()</script>.
● The attacker page then sets window.location = "https://www.bank.com"; the MitM answers that navigation with the FTP data-port content, so the browser renders HTTP/1.1 200 OK <script>stored()</script> in the origin www.bank.com.

Slide 6: Upload Attack on HTTPS Exploiting FTP
● Cross-origin HTTPS request from attacker.com to www.bank.com:443, carrying the victim's cookie:
  POST /
  Host: www.bank.com
  Cookie: secret

  USER mrcat
  PASS 1234
  PASV
  STOR cookie.txt
● MitM forwards the connection to ftp.bank.com:990 (certificate *.bank.com).
● The attacker page sets window.location = "https://www.bank.com"; the browser's next request (GET /, Host: www.bank.com, Cookie: secret) is routed to the FTP data port and stored in cookie.txt.

Slide 7: Attack Methods and Protocols
[Table: application protocols FTP, SMTP, IMAP, POP3 against attack methods Upload, Download, Reflection.]
Some attacks are also possible in a pure web attacker model (no MitM). See Sec. 8 for details.

Slide 8: Research Questions
● Are cross-protocol attacks still possible today?
● How many servers are affected by cross-protocol attacks?
● How can cross-protocol attacks be prevented?

Slide 9: Evaluation of Browsers and Application Servers
● Application servers not tolerant to protocol noise: FTP Upload Attack, FTP Download Attack.
● Application servers tolerant to protocol noise: all attack methods.
[Figure: counts 9/18, 4/6 and 4/6 for the evaluated combinations.]
13 out of 24 application servers can be exploited for at least one HTTPS cross-protocol attack method with at least one browser.
All evaluations, exploits, and proof-of-concept code are in the artifacts to our paper.

Slide 10: Internet-Wide Scan for Vulnerable Web Servers
[Chart: FTP, SMTP, POP3, IMAP. Total number of application servers with TLS support (IPv4).]

Slide 11: Internet-Wide Scan for Vulnerable Web Servers
[Chart: FTP, POP3. Total number of application servers with valid certificates.]

Slide 12: Internet-Wide Scan for Vulnerable Web Servers
[Chart: FTP, POP3; example names ftp.bank.com, email.bank.com, *.bank.com, pop.bank.com. Unique hostnames in the Common Name (CN) and Subject Alternative Name (SAN) fields of all valid certificates.]

Slide 13: Internet-Wide Scan for Vulnerable Web Servers
[Chart: FTP, POP3; example names ftp.bank.com, email.bank.com, *.bank.com, pop.bank.com mapped to HTTP on www.bank.com. Total number of web servers on port 443 among unique names (*=www).]
1.4M web servers are vulnerable to a general TLS cross-protocol attack with at least one application server (SMTP, IMAP, POP3, or FTP).

Slide 14: Vulnerable Web Servers with Exploitable Application Servers
For the 1.4M web servers, we tried to identify the application servers with a banner scan to see whether they are exploitable based on our lab evaluation.
[Figure: ftp.bank.com with certificate *.bank.com, HTTP on www.bank.com.]
114,197 web servers can be attacked with at least one exploitable application server.

Slide 15: Application Layer Countermeasures

Detect Protocols (Postfix):
◂ 220 smtp.bank.com ESMTP Postfix
▸ GET /
◂ 221 2.7.0 Error: I can break rules, too. Goodbye.
Connection closed by foreign host.

Limit Syntax Errors (Exim):
◂ 220 smtp.bank.com ESMTP Exim
▸ GET /
◂ 500 unrecognized command
▸ Host: bank.com
◂ 500 unrecognized command
▸ Connection: keep-alive
◂ 500 unrecognized command
▸ Cache-Control: max-age=0
◂ 500 Too many unrecognized commands
Connection closed by foreign host.

Avoid Reflection (sendmail):
◂ 220 smtp.bank.com ESMTP sendmail
▸ <script>alert(1);</script>
◂ 500 5.5.1 Command unrecognized: "<script>alert(1);</script>"

Slide 16: Certificate-Based Countermeasures
● No Wildcard Certificates (*.bank.com)
● No Multi-Domain Certificates (www.bank.com, ftp.bank.com in one certificate)
● No Shared Hostnames (bank.com:443 and bank.com:21 on the same name)

Slide 17: TLS-Based Countermeasures: Application Layer Protocol Negotiation (ALPN)
[Figure: an HTTP server advertising ALPN h2 and http/1.1, an FTP server with its own ALPN identifier.]
Server implements strict ALPN:
● It cannot be exploited for cross-protocol attacks on clients with ALPN (e.g. browsers).
● It can still accept connections by clients without ALPN (legacy compatibility).
Client and server implement strict ALPN:
● All known and unknown cross-protocol attacks on this connection are prevented.

Slide 18: TLS-Based Countermeasures: Server Name Indication (SNI)
[Figure: HTTP server for SNI www.bank.com, FTP server for SNI ftp.bank.com.]
Server implements strict SNI:
● Cross-hostname attacks are prevented.
Useful, because servers for different protocols are often located on different hostnames: www.bank.com vs. ftp.bank.com.
Also mitigates some same-protocol host confusion attacks, see Delignat-Lavaud et al. (2015), Zhang et al. (2020).

Slide 19: Conclusions
● Implementations of TLS authentication should be extended to prevent cross-protocol attacks.
● Deployment of ALPN and SNI countermeasures requires a long-term community effort.
● Measurements of the TLS landscape should include ALPN and SNI implementations.
● Same-protocol, same-host, cross-port attacks cannot be prevented with TLS at the current time.
Future research topics:
● Find more examples for cross-protocol attacks.
● Find similar attacks for other security layers, such as DTLS, IPsec.

Thank you for listening! Any questions?

Slide 20: alpaca-attack.com, lambdafu, [email protected]
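The Postfix, Exim and sendmail transcripts on slide 15 show three application-layer behaviours that blunt a cross-protocol attack: recognising an HTTP request line and hanging up, closing the session after a few syntax errors, and never echoing client input in an error reply. The following Python is an added example that is not code from the ALPACA paper or from any of those MTAs; it is a toy SMTP-style command handler with a constructed error limit (MAX_UNRECOGNIZED) and a constructed greeting, written to show the three policies side by side.

```python
"""Toy SMTP-style command handler applying the three application-layer
countermeasures from slide 15 (added example, not the paper's artifacts):

  1. Detect protocols: an HTTP request line on the SMTP port ends the session.
  2. Limit syntax errors: after MAX_UNRECOGNIZED bad commands the session ends.
  3. Avoid reflection: error replies never echo the offending client input.
"""

HTTP_METHODS = {"GET", "POST", "PUT", "HEAD", "OPTIONS", "DELETE", "PATCH"}
KNOWN_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "NOOP", "RSET", "QUIT"}
MAX_UNRECOGNIZED = 3  # constructed limit, in the spirit of Exim's behaviour


def looks_like_http(line: str) -> bool:
    """True for request lines such as 'POST / HTTP/1.1' or the bare 'GET /'
    seen in the slide transcripts: an HTTP method followed by a path."""
    parts = line.strip().split()
    return len(parts) >= 2 and parts[0] in HTTP_METHODS and parts[1].startswith("/")


def handle_session(client_lines):
    """Feed the client's lines to the handler.

    Returns (replies, closed): the list of server replies (greeting first)
    and whether the server closed the connection on its own initiative.
    """
    replies = ["220 smtp.example.test ESMTP"]  # constructed greeting
    unrecognized = 0
    for line in client_lines:
        if looks_like_http(line):
            # Detect protocols: this is a browser, not a mail client. Refuse
            # to keep talking so nothing it sends later becomes a reply.
            replies.append("221 2.7.0 Error: protocol mismatch. Goodbye.")
            return replies, True
        verb = line.strip().split(" ", 1)[0].upper()
        if verb == "QUIT":
            replies.append("221 2.0.0 Bye")
            return replies, False
        if verb in KNOWN_VERBS:
            replies.append("250 2.0.0 OK")
            continue
        unrecognized += 1
        if unrecognized >= MAX_UNRECOGNIZED:
            # Limit syntax errors: HTTP headers arrive one per line, so a
            # small budget of garbage is exhausted before a body is reached.
            replies.append("500 5.5.1 Too many unrecognized commands")
            return replies, True
        # Avoid reflection: a fixed string, never the client's own bytes.
        replies.append("500 5.5.1 Command unrecognized")
    return replies, False


if __name__ == "__main__":
    # Constructed sessions modelled on the slide transcripts.
    for session in (["GET /", "Host: bank.com"],
                    ["EHLO x", "Host: bank.com", "Connection: keep-alive", "Cache-Control: max-age=0"],
                    ["<script>alert(1);</script>", "QUIT"]):
        print(handle_session(session))
```

The HTTP-detection branch replies and closes before any header line can be processed, which is the Postfix behaviour; the error budget alone, as in Exim, also ends a browser-originated session, since every header line counts as one unrecognized command.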
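Slides 16 to 18 turn on two checks: whether a certificate issued for the application server is also valid for the web hostname (a wildcard or multi-domain certificate makes the substitution possible), and whether the server enforces strict SNI and strict ALPN so that a browser's connection is refused before any application data flows. The Python below is an added example, not the ALPACA artifacts or any TLS library's API: it implements RFC 6125-style hostname matching against the certificate's CN/SAN names, and a policy function for the strict SNI and ALPN rules. The sample deployment (FTP_SERVER, WILDCARD_CERT) is constructed; "ftp" is the registered ALPN identifier for FTP; treating a connection without SNI as a legacy client is an assumption of this example, not a statement from the slides.

```python
"""Certificate- and TLS-layer checks from slides 16-18 (added example).

cert_covers():        does any CN/SAN name in a certificate match a hostname?
accept_connection():  strict SNI + strict ALPN decision for an application server.
"""


def _name_matches(pattern: str, hostname: str) -> bool:
    """One certificate name against one hostname. A wildcard is honoured only
    as the entire leftmost label and matches exactly one label (RFC 6125)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers(cert_names, hostname) -> bool:
    """True if the certificate with these CN/SAN entries is valid for hostname.
    If an FTP server's certificate covers www.bank.com, a MitM can present
    that server to a browser expecting www.bank.com (slide 16)."""
    return any(_name_matches(name, hostname) for name in cert_names)


def accept_connection(server, sni, alpn_offered):
    """Return (True, selected_alpn) or (False, reason).

    server:       {'hostnames': set of names this service is deployed on,
                   'alpn': the ALPN identifier of the service's own protocol}
    sni:          server_name sent by the client, or None if absent
    alpn_offered: list of ALPN identifiers the client sent, or None if absent
    """
    # Strict SNI (slide 18): a client asking for www.bank.com is not answered
    # by the FTP service on ftp.bank.com, even if one wildcard cert covers both.
    if sni is not None and sni.lower() not in server["hostnames"]:
        return False, "sni mismatch"
    # Strict ALPN (slide 17): a client that speaks ALPN must want this protocol.
    if alpn_offered is not None:
        if server["alpn"] not in alpn_offered:
            return False, "alpn mismatch"
        return True, server["alpn"]
    # No ALPN at all: legacy client, still served (the slide's compatibility case).
    return True, None


# Constructed sample deployment mirroring the bank.com figures.
FTP_SERVER = {"hostnames": {"ftp.bank.com"}, "alpn": "ftp"}
WILDCARD_CERT = ["*.bank.com"]
DEDICATED_CERT = ["ftp.bank.com"]

if __name__ == "__main__":
    print(cert_covers(WILDCARD_CERT, "www.bank.com"))   # the wildcard covers the web host
    print(cert_covers(DEDICATED_CERT, "www.bank.com"))  # a per-host cert does not
    print(accept_connection(FTP_SERVER, "www.bank.com", ["h2", "http/1.1"]))
    print(accept_connection(FTP_SERVER, "ftp.bank.com", ["h2", "http/1.1"]))
    print(accept_connection(FTP_SERVER, None, None))
```

A browser connecting to www.bank.com sends both SNI and ALPN, so a strict server rejects it twice over; the order of the checks only changes which reason is reported. The same-host, cross-port case from slide 19 is visible here too: with sni="bank.com" and no ALPN from the client, neither check can tell an HTTPS connection from an FTPS one.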