Suning Tesco server supports EXP cipher suite for ssl freak attacks to decrypt communication traffic (including poc)

Suning Tesco server supports EXP cipher suite for ssl freak attacks to decrypt communication traffic (including poc)

Suning Tesco server is vulnerable to ssl freak attacks because of its support for EXP cipher suites. intermediary users can decrypt communication traffic online (obtain sensitive information such as login creden)

The server accepts three export-level cipher suites: EXP-DES-CBC-SHA (SSLv3, TLSv1), EXP-RC2-CBC-MD5 (SSLv3, TLSv1), and EXP-RC4-MD5 (SSLv3, TLSv1.

When a client (such as IE, Chrome, Safari, and Opera on Mac OS) that is affected by this vulnerability is accessed on the login page https://passport.suning.com/ids/login, a man-in-the-middle initiates a FREAK attack, change the cipher suite in the client hello Message to the EXP type. Then the server will use the EXP-level cipher suite for communication and send the 512bitRSA Public Key to the client. The client uses the 512bit public key to encrypt the Pre Master Secret. After receiving the data, the server decrypts the Pre Master Secret with the private key. The two parties simultaneously calculate the subsequent communication key based on the Secret information. For man-in-the-middle, if the man-in-the-middle can break down the 512bit public key sent by the server, the private key can be calculated, and the Pre Master Secret can also be obtained to calculate the communication key, decrypts the communication content between the client and the server.

For suning.com servers, there are currently 18 servers supporting the EXP cipher suite, each with a fixed-bit public key. For attackers, as long as one of the public keys is decomposed, no matter which host is queried by the client DNS, the man-in-the-middle can connect to the host with the decomposed public key to obtain necessary information sent to the client, in this way, the communication with the client and the server is successfully established. The public key corresponding to the server is as follows:

*****ode**********.85.**********3ce7f782a7344e46a3201db8578fac**********133.**********d2faec9d6e974dec41a21bf6ad08b1**********107.**********3e3089fb7af21cbad09d080138af54**********.64.**********b7193899ec88f54233b145bf6f8166**********.139**********d3091c167ff0aee3e98f22ad1f7d12**********.53.**********7ba74a6b27ea10ef70bb96652324ca**********.53.**********a937dab7656e0d4da1e5cbac356ead**********196.**********aa5f4ac2be86d8353717228a0f2294**********.53.**********554aaa40b03287599f6b20192679a6**********151.**********2588038e35d16438e3b01e3515067b**********.22.**********8eafddcff67bf0d5b72853b559349a**********.226**********d67faa7b81355295a48e6ec3554903**********.64.**********32b093eb36d6ca0ccc64c819e5ef7f**********7.102**********f38d6e9e42a1fd350a722e464f89a0**********252.**********d2f73d8cd108fcc992011f64022aaa**********151.**********c2136e2f7c94fcb1faf4a64a6a9e4b**********196.**********0a417bf330856f8ad20e72307805ed**********.230**********f6198b52e90bb2f2cf9442f67083be**********cod*****

We used two days to break down the 512bit public key corresponding to the host whose ip address is 119.188.139.98.

* ***** The corresponding private key is 57c07aa7e7b8fd4f12094b6e7b173c78e3ef4ebc28f87 *****

After obtaining the private key, you can use the self-developed FREAK man-in-the-middle attack tool to successfully establish communications with the client and server and decrypt subsequent communications. We have successfully obtained the login information of a user, the username is gossip and the password is loccs @ sjtu. For details, see
 

 

Solution:

The server stops supporting the EXP-level cipher suite. If so, A-bit public key is generated in real time during communication or a batch of keys are generated in advance and changed after a while. In short, make sure that the key usage cycle does not exceed the time required for 512bit key decomposition.