AES
MITKRB5-SA-2009-004
MIT krb5 Security Advisory 2009-004
Original release: 2010-01-12
Topic: integer underflow in AES and RC4 decryption
CVE-2009-4212
integer underflow in AES and RC4 decryption
CVSSv2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C
HSP version: 3.4(3) (PRODUCTION)
Time running: 00:00:10
Compression: Yes
DES: Yes
3 DES: Yes
AES CBC: Yes (128,192,256)
AES CNTR: No
Maximum buffer length: 4096
Maximum DH index: 5120
Maximum SA index: 5120
Maximum Flow index: 10230
An almost 150-megabyte executable program that uses shared libraries; it actually has 17 shared library dependencies. The other shared libraries provided by Oracle, which are linked dynamically by other executables shipped with Oracle 11g, were statically linked into the oracle executable at compile time. We are talking about libraries of 30 megabytes and more being linked in while also sitting next to the binary, just in case.
The first step of the analysis was to narrow down the relevant cryptographic algorithm and its implementation. For this, different techniques were used to find the relevant methods and instructions within the executable. Most cryptographic algorithms, such as ciphers and checksum calculations, expose some kind of "signature" or individual tokens like S-Boxes, transformation tables or constant values. These can therefore be detected automatically within the binary, using tools like the FindCrypt IDA plugin or other scripts we developed for our own purposes.
At least 57 places with crypto were found by FindCrypt: DES, MD4, MD5, SHA1, just to name a few. We found at least two independently implemented sets of AES cipher constants; all algorithms were implemented two or three times over.
Another obstacle is the fact that the Intel Compiler, which was used to compile the Oracle executable, uses an optimization that results in there being no cross references (XREFs) to code or data in several segments. Thus we could not see from where, for example, an S-Box is accessed in the code. So we used the IDA API to implement a tool which automatically finds these PC-relative offset calculations and adds the XREFs to the IDB. One can only assume that Oracle uses the Intel compiler because no other compiler would produce efficient enough code to run this behemoth of a binary at acceptable speed.
We also combined the static analysis of the disassembled Oracle executable with a runtime analysis using ltrace and the precious GNU debugger GDB. Have you ever tried to attach to more than two dozen processes with GDB and set a few hundred breakpoints in batch mode? It's real fun.
errors. In this case, it might be possible to recover as much as 14 bits
of plaintext per hour (assuming a very fast 10 connections per second).
Implementing a limit on the number of connection retries (e.g. 256) is
sufficient to render the attack infeasible for this case.
AES CTR mode and arcfour ciphers are not vulnerable to this attack at
all. These may be preferentially selected by placing the following
directive in sshd_config and ssh_config:
Ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbc
Debian-specific: no
CVE IDs : CVE-2009-4212
Debian Bug : none
It was discovered that krb5, a system for authenticating users and services on a
network, is prone to integer underflow in the AES and RC4 decryption operations of
the crypto library. A remote attacker can cause crashes, heap corruption, or,
under extraordinarily unlikely conditions, arbitrary code execution.
For the old stable distribution (etch), this problem has been fixed in
Background
Rsyncrypto[1] is a file encryption tool. It has a single RSA key that
encrypts per-file symmetric AES keys. The files themselves are subject
to an encryption method that is based on CBC, but makes a
security-performance trade-off. In particular, the files are encrypted
in such a way that re-encrypting, using the same key, a file that was
slightly modified will result in only slightly modified ciphertext. This is
needed so that the file will retain wire efficiency when transferred
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
It was discovered that Kerberos did not correctly handle invalid AES
blocks. An unauthenticated remote attacker could send specially crafted
traffic that would crash the KDC service, leading to a denial of service,
or possibly execute arbitrary code with root privileges.
Problem Description:
A vulnerability has been found and corrected in krb5:
Multiple integer underflows in the (1) AES and (2) RC4 decryption
functionality in the crypto library in MIT Kerberos 5 (aka krb5) 1.3
through 1.6.3, and 1.7 before 1.7.1, allow remote attackers to cause
a denial of service (daemon crash) or possibly execute arbitrary code
by providing ciphertext with a length that is too short to be valid
(CVE-2009-4212).
archives.
* Data redundancy is provided via recovery records and recovery
volumes, allowing reconstruction of damaged archives.
* Support for advanced NTFS file system options and Unicode in file
names.
* Optional archive encryption using AES (Advanced Encryption Standard)
with a 128-bit key.
I. Vulnerability Summary:
=========================
Kerberos is a network authentication protocol. It is designed to
provide strong authentication for client/server applications by
using secret-key cryptography.
Multiple integer underflows in the AES and RC4 functionality in the
crypto library could allow remote attackers to cause a denial of
service (daemon crash) or possibly execute arbitrary code by
providing ciphertext with a length that is too short to be valid.
The Common Vulnerabilities and Exposures Project (cve.mitre.org)
function checkpass($handle,$pass){
// load the database connection settings and the AES key used by AES_DECRYPT()
require_once($home."mysqlinfo.php");
include("i_aeskey.php");
// fetch and decrypt the stored password for this handle inside MySQL
$query="SELECT AES_DECRYPT(password,'$AES_key') FROM users WHERE
(handle='$handle')";
$result = mysql_query($query);
// a matching row exists for the handle
if(mysql_num_rows($result))
Description:
In previous versions of openssh, the default cipher order preferred a
block cipher algorithm in Cipher Block Chaining (CBC) mode, which is
susceptible to a plaintext recovery attack. This update changes the
cipher order to prefer the AES CTR modes, and adds countermeasures
to mitigate attacks against CBC modes.
http://wiki.rpath.com/Advisories:rPSA-2010-0011
Copyright 2010 rPath, Inc.
Severity: High
CVE-2009-1472: Java client arbitrary code execution
The Java client program connects to the KVM switch on port 9002 and
downloads and runs a new Java class. This connection is encrypted
using AES. However, the encryption key is hardcoded in the client
program, so a man-in-the-middle attacker can inject another Java
class file, which can execute arbitrary Java code on the client
computer. This Java code is not protected by a sandbox, as the client
isn't run as a Java applet. It is also possible to use this
vulnerability in a man-in-the-middle attack to gain access to the
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
ECMT B.05.00 running on HP-UX B.11.23 (11i v2) or HP-UX B.11.31 (11i v3).
Note: ECMT B.05.00 is available for Serviceguard A.11.18 and A.11.19 only. The exploit could allow unauthorized
access to a database managed by Oracle 9i, 10gR1, 10gR2, 11gR1 or Sybase AES 15.0.2 or later.
BACKGROUND
CVSS 2.0 Base Metrics