Using the protocol as an attack vector, as demonstrated at Black Hat 2020
Security researchers often attack the Transport Layer Security (TLS) encryption protocol, but one engineer has turned that approach on its head by using TLS as a mechanism to attack web-based systems.
Joshua Maddux of security firm Latacora discovered that features intended to make TLS fast have also made it useful as an attack vector.
“You wouldn’t think that TLS would be particularly useful because its packets are mostly just encrypted data, binary flags, and other stuff an attacker doesn’t have much control over, but it’s not all that limited,” Maddux said.
“As Orange Tsai noticed, the SNI (Server Name Information), which is basically just the domain name, is part of the URL so if you can trick the victim into accepting a weird domain name and parsing it incorrectly you can include stuff like arbitrary bytes in there and smuggle stuff like SMTP (Simple Mail Transfer Protocol) commands.”
The attack technique involves exploiting technologies involved with TLS session caching, Maddux explained:
If you establish a TLS session with jmaddux.com, whether it resolves to something on the internet or your own machine, your HTTPS client will not know the difference. Since I, as an attacker, own jmaddux.com, I can combine all this TLS stuff with a concept called DNS rebinding, so I resolve the first request to 35.x.x.x, some server I control.
Then the target server picks up the payload from 35.x.x in the form of a session ticket. After some time, I send the exact same URL except the DNS entry has expired. Again, since I control the DNS server, this time around I resolved jmaddux.com to something internal that I wouldn’t normally have access to from the outside.
The practical upshot of this, Maddux explained, is that you can “manipulate whatever you’re attacking to send a TLS session ID ticket or psk [pre-shared key] identity like this to itself.”
By “combining TLS with DNS rebinding, you can get arbitrary characters to be sent which includes new lines” that allow an attacker to interact with local services.
DNS rebinding is a technique that allows an attacker to manipulate the resolution of domain names.
The technique works because “SMTP is a newline delimited protocol so, just like memcached [a popular memory-caching system], you can embed working commands within the TLS ticket”.
“The goals are similar to SNI injection [PDF] but this new method uses inherent behaviors of TLS, instead of depending upon bugs in a particular implementation,” Maddux said.
TLS attack vector remediation
Maddux offered various tips to guard against potential attacks that harness TLS.
“The biggest remediation is for web applications that communicate with the outside world - instead of assuming that https URLs are safe to visit, external requests should be delegated to something like squid or smokescreen,” the security researcher told The Daily Swig.
He added: “Another thing some may be interested in exploring, specifically for the CSRF-like phishing scenarios against developers, is to enable DNS rebinding protections in pfsense or similar:”
Maddux was previously well known in the security community for SSRF attacks against Apple Pay, among other targets, unveiled at previous editions of Black Hat.