When TLS Hacks You

Conference:  Defcon 28



The presentation discusses the exploitation of TLS session-based SSRF vulnerabilities and the use of DNS rebinding to deliver payloads to internal servers.
  • TLS provides a session ID field that can be used to deliver payloads to internal servers
  • Session IDs and session tickets can be used to persist data for later use
  • DNS rebinding can be used to resolve the first request to a server controlled by the attacker and the second request to an internal server
  • Arbitrary characters can be sent using TLS and DNS rebinding, allowing interaction with local services like memcached
  • Built-in serialization methods like pickle can be used to execute shell commands
  • Testing infrastructure was set up to perform these exploits
The presenter reported a vulnerability in YouTrack that allowed for local SMTP and payload delivery. They were able to use TLS session-based SSRF vulnerabilities and DNS rebinding to deliver the payload to an internal server. They were also able to execute shell commands using built-in serialization methods like pickle. The presenter set up testing infrastructure to perform these exploits.


Lots of people try to attack the security of TLS. But what if we use TLS to attack other things? It's a huge standard, and it turns out that features intended to make TLS fast have also made it useful as an attack vector. Among other things, these features provide a lot of flexibility for Server-Side Request Forgery (SSRF). While past work using HTTPS URLs in SSRF has relied upon platform-specific bugs such as SNI injection, we can go further. In this talk, I present a novel, cross-platform way of leveraging TLS to target internal services. Uniquely, these attacks are more effective the more comprehensively a platform supports modern TLS, so won't go away with library upgrades. It is also unlikely that the TLS spec will change overnight at the whim of a random security researcher. Instead, we need to walk through scenarios and dispel common assumptions so the audience can know what to look out for. Of course, the best way to do so is with demos!



Post a comment

Related work

Conference:  BlackHat USA 2020

Conference:  Defcon 31
Authors: Aapo Oksman Senior Security Specialist, Nixu Corporation

Conference:  Defcon 29