AL­PA­CA: Ap­p­li­ca­ti­on Layer Pro­to­col Con­fu­si­on-Ana­ly­zing and Miti­ga­ting Cracks in TLS Au­then­ti­ca­ti­on

Mar­cus Brink­mann, Chris­ti­an Dre­sen, Ro­bert Mer­get, Da­mi­an Pod­debni­ak, Jens Mül­ler, Juraj So­mo­rovs­ky, Jörg Schwenk, Se­bas­ti­an Schin­zel

30th USE­NIX Se­cu­ri­ty Sym­po­si­um, Au­gust 11–13, 2021, Van­cou­ver, B.C., Ca­na­da


Ab­stract

TLS is wi­de­ly used to add con­fi­den­tia­li­ty, au­then­ti­ci­ty and in­te­gri­ty to ap­p­li­ca­ti­on layer pro­to­cols such as HTTP, SMTP, IMAP, POP3, and FTP. Howe­ver, TLS does not bind a TCP con­nec­tion to the in­ten­ded ap­p­li­ca­ti­on layer pro­to­col. This al­lows a man-in-the-midd­le at­ta­cker to re­di­rect TLS traf­fic to a dif­fe­rent TLS ser­vice end­point on ano­ther IP ad­dress and/or port. For ex­amp­le, if sub­do­mains share a wild­card cer­ti­fi­ca­te, an at­ta­cker can re­di­rect traf­fic from one sub­do­main to ano­ther, re­sul­ting in a valid TLS ses­si­on. This breaks the au­then­ti­ca­ti­on of TLS and cross-pro­to­col at­tacks may be pos­si­ble where the be­ha­vi­or of one ser­vice may com­pro­mi­se the se­cu­ri­ty of the other at the ap­p­li­ca­ti­on layer.

In this paper, we in­ves­ti­ga­te cross-pro­to­col at­tacks on TLS in ge­ne­ral and con­duct a sys­te­ma­tic case study on web ser­vers, re­di­rec­ting HTTPS re­quests from a victim’s web brow­ser to SMTP, IMAP, POP3, and FTP ser­vers. We show that in rea­lis­tic sce­na­ri­os, the at­ta­cker can extract ses­si­on cook­ies and other pri­va­te user data or exe­cu­te ar­bi­tra­ry Ja­va­Script in the con­text of the vul­nerable web ser­ver, the­re­fo­re by­pas­sing TLS and web ap­p­li­ca­ti­on se­cu­ri­ty.

We eva­lua­te the re­al-world at­tack sur­face of web brow­sers and wi­de­ly-de­ploy­ed email and FTP ser­vers in lab ex­pe­ri­ments and with in­ter­net-wi­de scans. We find that 1.​4M web ser­vers are ge­ne­ral­ly vul­nerable to cross-pro­to­col at­tacks, i.e., TLS ap­p­li­ca­ti­on data con­fu­si­on is pos­si­ble. Of these, 114k web ser­vers can be at­ta­cked using an ex­ploi­ta­ble ap­p­li­ca­ti­on ser­ver. Fi­nal­ly, we di­s­cuss the ef­fec­tiven­ess of TLS ex­ten­si­ons such as Ap­p­li­ca­ti­on Layer Pro­to­col Ne­go­tia­ti­on (ALPN) and Ser­ver Name In­di­cia­ti­on (SNI) in miti­ga­ting these and other cross-pro­to­col at­tacks.

[PDF] [WWW]

Tags: AL­PA­CA, at­tack, cer­ti­fi­ca­tes, cross-pro­to­col, email, ftp, imap, pop3, smtp, TLS, XSS