When TLS Hacks You
Conference: Defcon 28
2020-08-01
Summary
The presentation discusses the exploitation of TLS session-based SSRF vulnerabilities and the use of DNS rebinding to deliver payloads to internal servers.
- TLS provides a session ID field that can be used to deliver payloads to internal servers
- Session IDs and session tickets can be used to persist data for later use
- DNS rebinding can be used to resolve the first request to a server controlled by the attacker and the second request to an internal server
- Arbitrary characters can be sent using TLS and DNS rebinding, allowing interaction with local services like memcached
- Built-in serialization methods like pickle can be used to execute shell commands
- Testing infrastructure was set up to perform these exploits
Abstract
Lots of people try to attack the security of TLS. But what if we use
TLS to attack other things? It's a huge standard, and it turns out
that features intended to make TLS fast have also made it useful as an
attack vector.
Among other things, these features provide a lot of flexibility for
Server-Side Request Forgery (SSRF). While past work using HTTPS URLs
in SSRF has relied upon platform-specific bugs such as SNI injection,
we can go further. In this talk, I present a novel, cross-platform
way of leveraging TLS to target internal services.
Uniquely, these attacks are more effective the more comprehensively a
platform supports modern TLS, so won't go away with library upgrades.
It is also unlikely that the TLS spec will change overnight at the
whim of a random security researcher. Instead, we need to walk
through scenarios and dispel common assumptions so the audience can
know what to look out for. Of course, the best way to do so is with
demos!
Materials:
Tags: