A group of researchers from several universities in Germany has developed a new HTTPS MITM attack that can extract session ID cookies and other sensitive data, as well as execute arbitrary JavaScript code in the context of another site. The attack is called ALPACA and can be applied to TLS servers that implement different application layer protocols (HTTPS, SFTP, SMTP, IMAP, POP3) but use common TLS certificates.
The essence of the attack is that, if there is control over a network gateway or wireless access point, an attacker can redirect web traffic to another network port and establish a connection with an FTP or mail server that supports TLS encryption and uses a TLS certificate shared with the HTTP server , and the user's browser will assume that a connection has been established to the requested HTTP server. Since the TLS protocol is universal and not tied to application layer protocols, the establishment of an encrypted connection for all services is identical, and the error of sending a request to the wrong service can only be determined after an encrypted session has been established during processing of the sent request commands.
Accordingly, if, for example, you redirect a user connection originally addressed to HTTPS to a mail server that uses a certificate shared with the HTTPS server, the TLS connection will be successfully established, but the mail server will not be able to process the transmitted HTTP commands and will return a response with error code. This response will be treated by the browser as the response of the requested site, transmitted within a correctly established encrypted communication channel.
Three attack options have been proposed:
- "Upload" to retrieve Cookie with authentication options. The method is applicable if the FTP server covered by the TLS certificate allows you to download and extract its data. In this variant of the attack, the attacker can achieve the preservation of parts of the user's original HTTP request, such as the contents of the Cookie header, for example, if the FTP server interprets the request as a file to save or completely logs incoming requests. For a successful attack, the attacker then needs to extract the stored content somehow. The attack is applicable to Proftpd, Microsoft IIS, vsftpd, filezilla and serv-u.
- "Download" for organizing cross-site scripting (XSS). The method implies that an attacker, as a result of some separate manipulations, can place data in a service that uses a common TLS certificate, which can then be issued in response to a user request. The attack is applicable to the above mentioned FTP servers, IMAP servers and POP3 servers (courier, cyrus, kerio-connect and zimbra).
- "Reflection" to run JavaScript in the context of another site. The method is based on returning to the client a part of the request that contains the JavaScript code sent by the attacker. The attack is applicable to the above mentioned FTP servers, cyrus, kerio-connect and zimbra IMAP servers, as well as to the sendmail SMTP server.
For example, when a user opens a page controlled by an attacker, this page may initiate a request for a resource from a site on which the user has an active account (for example, bank.com). In a MITM attack, this request to the bank.com website can be redirected to a mail server that shares a TLS certificate with bank.com. Since the mail server does not terminate the session after the first error, service headers and commands such as "POST / HTTP/1.1" and "Host:" will be treated as unknown commands (the mail server will return "500 unrecognized command" for each header).
The mail server does not parse the peculiarities of the HTTP protocol and for it the service headers and the POST request data block are processed in the same way, therefore, in the body of the POST request, you can specify a line with a command to the mail server. For example, you can pass: MAIL FROM: alert(1); to which the mail server will return a 501 error message alert(1); : malformed address: alert(1); may not follow
This response will be received by the user's browser, which will execute the JavaScript code in the context not of the attacker's originally opened site, but of the bank.com site to which the request was sent, since the response arrived within a valid TLS session, the certificate of which confirmed the authenticity of the bank.com response.
Scanning the global network showed that about 1.4 million web servers are generally affected by the problem, for which an attack with mixing requests using different protocols is possible. The possibility of a real attack was determined for 119 web servers for which there were accompanying TLS servers based on other application protocols.
Exploit examples are prepared for pureftpd, proftpd, microsoft-ftp, vsftpd, filezilla and serv-u ftp servers, dovecot, courier, exchange, cyrus, kerio-connect and zimbra IMAP and POP3 servers, postfix, exim SMTP servers, sendmail, mailenable, mdaemon and opensmtpd. Researchers have studied the possibility of attacking only in combination with FTP, SMTP, IMAP and POP3 servers, while it is possible that the problem may also occur for other application protocols using TLS.
To block the attack, it is proposed to use the ALPN (Application Layer Protocol Negotiation) extension to negotiate a TLS session taking into account the application protocol and the SNI (Server Name Indication) extension to bind to a host name in the case of using TLS certificates spanning several domain names. On the application side, it is recommended to limit the limit on the number of errors when processing commands, after reaching which the connection will be disconnected. The process of developing measures to block the attack began in October last year. Similar security measures have already been taken in Nginx 1.21.0 (mail proxy), Vsftpd 3.0.4, Courier 5.1.0, Sendmail, FileZill, crypto/tls (Go) and Internet Explorer.
Source: opennet.ru