CBC Bit-flipping Attack


Overview

Given an encrypted value, CBC Bit Flipping can be used to alter the decrypted plain text. If the plain text is used by the system to make decisions (such as the user privilege level), the system can be influenced by CBC bit flipping.

Discovery Methodology

Toggle bits and bytes of initialization vectors and observe changes to the plain text.

Exploitation

Alter the initialization vector only in the bits or bytes that affect the target plain text. Small amounts of plain text can be brute forced. For better results, calculate the value of initialization vector needed to produce the plain text desired.

Example

The view user privilege level page is vulnerable to cipher block chaining (CBC) bit flipping. The initialization vector is passed in URL parameter "IV". Three fields are encrypted then XOR'ed with the IV. While the encryption key used cannot be determined easily the IV is under the control of the user.

The goal is to modify the initialization vector (IV) in order to cause the user ID and group ID to both be "000". When this occurs a message will appear indicating the user has root privileges.

First, determine which of the bytes affects the user ID and group ID respectively. Changing the first byte of the IV changes the first character of the Application ID. Changing the first byte from 6B to 00 results in the letter "A" changing to an asterisk ("*"). However the goal is to change the user ID and group ID.

Modify each byte until the user ID and group ID are affected. Note the position of the bytes carefully. One byte in the IV will affect the "1" in the user ID and another byte will affect the "1" in the group ID. After methodically testing each byte of the IV, it will be found that bytes 5-7 affect the 3 bytes of the UID By extension bytes 8-10 affect the 3 bytes of the GID

Note that in security level 0 the user ID and group ID are already "100". Only the first character ("1") needs to be modified. Try to leave the "00" alone.

Recall byte 5 of the IV (0xAB) maps to the first character of the user ID ("1") Bytes 6 and 7 map to characters 2 and 3 of the UID so those should be left alone since those characters are already 0 Byte 8 of the IV (0x25) maps to the first character of the GID ("1")

A byte can only have 255 distinct values. One way to solve this problem is to brute force the answer by trying all 255 bytes until a "0" appears where the "1" is currently shown.

A much better way is to XOR the value you input with the value that appears in the User ID or Group ID. This is the respective byte of the cipher text. Next, XOR this byte of cipher text with the byte you want to appear; "0" which is 0X30.

Although the encryption key is not known, it can be seen that the encrypted value XOR with byte 5 of the IV (0xAB) equals "1" (0X31). Therefore 0xAB XOR 0x31 = encrypted value. We cannot decrypt the encrypted value but we can determine the encrypted value.
? XOR 0XAB = 0x31 therefore 0XAB XOR 0x31 = ? 0xAB: 1010 1011 Current IV 0x31: 0011 0001 Current value --------------- (xor) 0x9A: 1001 1010 Encrypted value
XOR is communicative (A xor B implies B xor A) The IV needed to make the first character "0" (0x30) can be calculated by XOR'ing the encrypted value with the desire character
0x9A XOR 0x31 = ? 0x9A: 1001 1010 Encrypted value 0x30: 0011 0000 Desired value --------------- (xor) 0xAA: 1010 1010 Needed IV
Injecting 0xAA as byte 5 changes the user ID to "0" (0x30).

By extension, Byte 8 of the IV (0x25) causes the first character of the GID to be "1" (0X31). The needed IV value can be calculated using same technique used for UID.
0x25: 0010 0101 Current IV 0x31: 0011 0001 Current value --------------- (xor) 0x14: 0001 0100 Encrypted value 0x30: 0011 0000 Desired value --------------- (xor) 0x24: 0010 0100 Needed IV (byte 8)
Injecting 0x24 as byte 8 changes the group ID to "0" (0x30)

The final answer is "6bc24fc1aa650b24b4114e93a98f1eba" for security level 0 but not for security level 1. Note the initial user ID in security level 1 is more challenging to change correctly.

Videos


Warning: Could not reach YouTube via network connection. Failed to embed video.

Click here to watch Introduction to CBC Bit Flipping Attack