Global Host Exchange Forum

Views: 3568 | Replies: 11

[Experience] Qihoo 360 researcher discloses a redirect attack on Shadowsocks stream ciphers

Posted on 2020-2-15 19:01:10
A security researcher at Qihoo 360 has disclosed a stream cipher redirect attack vulnerability in the popular SOCKS5 proxy Shadowsocks. A stream cipher is a symmetric encryption algorithm: the encrypting and decrypting sides use the same pseudorandom data stream as the key, and each unit of plaintext is encrypted in turn against the corresponding unit of the key stream to produce the ciphertext stream. Popular stream ciphers include ChaCha, RC4, A5/1, A5/2, Chameleon, FISH, Helix and others. The researcher found that the Shadowsocks protocol has a vulnerability that breaks the confidentiality of the stream cipher. Using the redirect attack, a passive attacker can easily decrypt all encrypted Shadowsocks packets, and a man-in-the-middle attacker can modify traffic in real time, as if the encryption did not exist at all. Affected versions include shadowsocks-py, shadowsocks-go and shadowsocks-nodejs; shadowsocks-libev and go-shadowsocks2 are not affected. The researcher also recommends using AEAD ciphers. The vulnerability was discovered in December 2018, and a proof-of-concept attack was published in March 2019.
Posted on 2020-2-15 20:50:11
360 doesn't care about its image anymore

Comment

Clicked the wrong thing.  Posted on 2020-2-15 20:57
Posted on 2020-2-15 19:11:10
Go write a novel. What are you doing flooding here?
Posted on 2020-2-15 20:42:28 from mobile
叫妇 posted on 2020-2-15 19:11
Go write a novel. What are you doing flooding here?

This is the actual test document; you can try it yourself.
Posted on 2020-2-15 20:45:00 from mobile
A23187 posted on 2020-2-15 20:43
Your image

Redirect attack on Shadowsocks stream ciphers
Zhiniang Peng from Qihoo 360 Core Security
We found a vulnerability in the shadowsocks protocol which breaks the confidentiality of the shadowsocks stream cipher. An attacker can easily decrypt all the encrypted shadowsocks packets using our redirect attack. As the vulnerability is obvious and easy to exploit, I think the ** has already known it. So, using shadowsocks in stream cipher cannot hide yourself from surveillance.
How shadowsocks works:
The Shadowsocks local component (ss-local) acts like a traditional SOCKS5 server and provides proxy service to clients. It encrypts and forwards data streams and packets from the client to the Shadowsocks remote component (ss-remote), which decrypts and forwards to the target. Replies from the target are similarly encrypted and relayed by ss-remote back to ss-local, which decrypts and eventually returns to the original client.
client <---> ss-local <--[encrypted]--> ss-remote <---> target
Official implementations of shadowsocks:
shadowsocks: The original Python implementation.
shadowsocks-libev: Lightweight C implementation for embedded devices and low end boxes. Very small footprint (several megabytes) for thousands of connections.
shadowsocks-go: Go implementation with multi-port, multi-password, user management and traffic statistics support for commercial deployments.
go-shadowsocks2: Another Go implementation focusing on core features and code reusability.
Shadowsocks-nodejs: Another shadowsocks implementation for nodejs. Although it's deprecated, there are still many people using it through npm.
Ciphers of shadowsocks:
Shadowsocks supports two kinds of ciphers:
Stream ciphers (non-AEAD ciphers): Rc4-md5, salsa20, chacha20, chacha-ietf, aes-ctf, bf-cfb, camellia-cfb, aes-cfb
AEAD ciphers: aes-gcm, chacha-ietf-poly1305, xchacha20-ietf-poly1305
Normally, stream ciphers provide only confidentiality; data integrity and authenticity are not guaranteed. Users should use AEAD ciphers whenever possible. We audited all the official implementations of shadowsocks listed above. What surprised us was that only shadowsocks-libev supports AEAD ciphers. All other official implementations only support stream ciphers. This means that the data integrity and authenticity of most SS users is not guaranteed against a MitM attacker.
Shadowsocks is a secure split proxy loosely based on SOCKS5. It's widely used in China.

However, more seriously, we found a vulnerability in the shadowsocks protocol which breaks the confidentiality of the shadowsocks stream cipher. An attacker can decrypt all the encrypted shadowsocks packets using our redirect attack.
Redirect attack on Shadowsocks stream cipher:
Here we first investigate how shadowsocks initiates a connection.
Initiating a TCP connection:
ss-local initiates a TCP connection to ss-remote by sending an encrypted data stream starting with the target address followed by payload data. The exact encryption scheme differs depending on the cipher used.
[target address][payload]
ss-remote receives the encrypted data stream, decrypts and parses the leading target address. It then establishes a new TCP connection to the target and forwards payload data to it. ss-remote receives the reply from the target, encrypts and forwards it back to ss-local, until ss-local disconnects.
By the way, the UDP packet of shadowsocks has the same structure.
Address format:
Addresses used in Shadowsocks follow the SOCKS5 address format:
[1-byte type][variable-length host][2-byte port]
The following address types are defined:
0x01: host is a 4-byte IPv4 address.
0x03: host is a variable length string, starting with a 1-byte length, followed by up to 255-byte domain name.
0x04: host is a 16-byte IPv6 address
The port number is a 2-byte big-endian unsigned integer.
Essentially, ss-remote is performing Network Address Translation for ss-local.
Stream Encryption/Decryption:
Stream_encrypt is a function that takes a secret key, an initialization vector, a message, and produces a ciphertext with the same length as the message.
Stream_encrypt(key, IV, message) => ciphertext
Stream_decrypt is a function that takes a secret key, an initialization vector, a ciphertext, and produces the original message.
Stream_decrypt(key, IV, ciphertext) => message
The key can be input directly from user or generated from a password. The key derivation is following EVP_BytesToKey(3) in OpenSSL. The detailed spec can be found here.
[IV][encrypted payload]

Cleverly, an attacker can brute force your password and then decrypt your packets, which means there is no forward security for shadowsocks. You can easily protect yourself from the brute force attack by using a strong password.
Redirect attack on Shadowsocks
Is there any way we can decrypt shadowsocks without brute forcing the password? Yes, there is. As we mentioned, the stream cipher in shadowsocks does not provide data integrity. So we can create a new ciphertext by modifying the existing one. If we know the plaintext of some particular ciphertext, we can even completely control the content of the plaintext. In particular, if we make a new ciphertext encrypting the following content:
[target address] [payload]
And the target IP address is controlled by you. We can pretend to be a valid ss-local to create a redirect tunnel like this:
ss-local(fake one) <--[encrypted]--> ss-remote <---> target(controlled)
Any encrypted packet we send in the [encrypted] tunnel, ss-remote will decrypt and redirect the plaintext to the target IP address you control. Then we can decrypt every encrypted shadowsocks packet by using this tunnel.
Demo: AES-256-CFB
Here we take AES-256-CFB as an example, to show the power of the redirect attack on shadowsocks stream ciphers. Given any ciphertext [IV][encrypted payload], the AES-CFB decryption works like this:
As we can see, if we modify the first block of ciphertext from c1 to c1', we can change the first block of plaintext from p1 to p1'. The relation is the following:
c1’=Xor(c1,r)
p1’=Xor(p1,r)
To construct a valid [target address]=[0x01,IP(4bytes),Port(2bytes)], we only need to control the first 7 bytes of p1'. If we know the first 7 bytes of p1, we can create a redirect tunnel to decrypt every encrypted packet.
So the problem becomes: how can we get a ciphertext [IV][encrypted payload] with known first 7 bytes? It's easy; we can get it in many ways. In this example, we use the common pattern in
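To make the relation c1' = Xor(c1, r), p1' = Xor(p1, r) from the quoted advisory concrete, and to show why it recommends AEAD ciphers, here is an added Python example that is not part of the advisory or of any Shadowsocks implementation: a toy SHA-256 counter-mode keystream stands in for the stream cipher, an encrypt-then-MAC wrapper stands in for an AEAD cipher, and the addresses are constructed from the 192.0.2.0/24 documentation range. It assumes nothing beyond the Python standard library.

```python
import hashlib, hmac, os, socket, struct
def keystream(key, iv, n):
    # Toy keystream: SHA-256 in counter mode over key||IV (a constructed stand-in, not a real cipher)
    return b"".join(hashlib.sha256(key + iv + struct.pack(">I", i)).digest()
                    for i in range((n + 31) // 32))[:n]

xor = lambda a, b: bytes(x ^ y for x, y in zip(a, b))  # byte-wise XOR of equal-length inputs

def stream_encrypt(key, iv, message):
    # Stream_encrypt(key, IV, message) => ciphertext of the same length; decryption is the same XOR
    return xor(message, keystream(key, iv, len(message)))

def parse_address(data):
    # The leading [1-byte type][host][2-byte port] that ss-remote parses and connects to (0x01, 0x03)
    if data[0] == 0x01:
        host, rest = socket.inet_ntoa(data[1:5]), data[5:]
    elif data[0] == 0x03:
        host, rest = data[2:2 + data[1]].decode(), data[2 + data[1]:]
    else:
        raise ValueError("unsupported address type")
    return host, struct.unpack(">H", rest[:2])[0], rest[2:]

def flip_known_prefix(ciphertext, known, wanted):
    # The advisory's relation: c' = c xor r yields p' = p xor r; here r = p xor p' over the known prefix
    r = xor(known, wanted)
    return xor(ciphertext[:len(r)], r) + ciphertext[len(r):]

def auth_encrypt(key, iv, message):
    # Encrypt-then-MAC stand-in for an AEAD cipher: the tag binds IV and ciphertext together
    ct = stream_encrypt(key, iv, message)
    return ct + hmac.new(key, iv + ct, hashlib.sha256).digest()

def auth_decrypt(key, iv, blob):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, iv + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: ciphertext was modified")
    return stream_encrypt(key, iv, ct)

def demo():
    # Same 7-byte modification against both constructions: what ss-remote would parse, and whether AEAD rejects it
    key, iv = os.urandom(32), os.urandom(16)
    original = b"\x01" + socket.inet_aton("192.0.2.10") + struct.pack(">H", 443) + b"payload"
    wanted = b"\x01" + socket.inet_aton("192.0.2.99") + struct.pack(">H", 8080)
    tampered = flip_known_prefix(stream_encrypt(key, iv, original), original[:7], wanted)
    host, port, _ = parse_address(stream_encrypt(key, iv, tampered))
    try:
        auth_decrypt(key, iv, flip_known_prefix(auth_encrypt(key, iv, original), original[:7], wanted)); rejected = False
    except ValueError:
        rejected = True
    return (host, port), rejected
```

With the stream cipher, the modified stream decrypts to a well-formed address for a different host and port, which is the redirect described above; the authenticated construction detects the change before anything is parsed.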
Posted on 2020-2-15 20:46:08 from mobile
The image host isn't working; does anyone have a copy to share?
Posted on 2020-2-15 20:58:06
Acting as if you only found out what 360 is like today
Posted on 2020-2-15 21:05:50
If the vulnerability isn't disclosed, then it isn't a vulnerability, right?
Posted on 2020-2-15 21:10:43
vagrant posted on 2020-2-15 20:45
Redirect attack on Shadowsocks stream ciphers
Zhiniang Peng from Qihoo 360 Core Security
we found  ...

I can more or less follow it, but I can't be bothered to type it out by hand, so I pasted the Google machine translation of it.
Powered by Discuz! X3.4