Initial content

CREDITS.md

@@ -0,0 +1,19 @@
+Credits and Thanks
+====
+
+This tool goes along with Craig Young's research outlined at [Black Hat Asia 2019](https://www.blackhat.com/asia-19/briefings/schedule/index.html#zombie-poodle-goldendoodle-and-how-tlsv-can-save-us-all-13741)
+
+I would like to thank the following people for their collaboration and feedback throughout this research:
+* Hanno Böck
+* Juraj Somorovsky (Ruhr-University Bochum)
+* Robert Merget (Ruhr-University Bochum)
+* Nimrod Aviram (Department of Electrical Engineering, Tel Aviv University)
+* Tyler Reguly (Tripwire)
+* Bob Thomas (Tripwire)
+
+This tool was based on Adam Langley's original POODLE TLS scan tool.
+His [original source](https://www.imperialviolet.org/binary/scanpadding.go) and [Go patch](https://www.imperialviolet.org/binary/poodle-tls-go.patch) were published on https://www.imperialviolet.org
+
+Docker support was added by Bob Thomas.
+
+The underlying padding oracle attack technique was [published by Serge Vaudenay in 2002.](https://www.iacr.org/archive/eurocrypt2002/23320530/cbc02_e02d.pdf)

Dockerfile

@@ -0,0 +1,106 @@
+# Copied from https://github.com/docker-library/golang/blob/ff7c350f62/1.11/alpine3.9/Dockerfile
+# and modified to apply a patch to the tls library and build padcheck.go
+# LICENSE notice from https://github.com/docker-library/golang/blob/ff7c350f62/LICENSE follows:
+
+# Copyright (c) 2014 Docker, Inc. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+
+#    * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#    * Neither the name of Docker, Inc. nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+FROM alpine:3.9
+
+RUN apk add --no-cache \
+		ca-certificates
+
+# set up nsswitch.conf for Go's "netgo" implementation
+# - https://github.com/golang/go/blob/go1.9.1/src/net/conf.go#L194-L275
+# - docker run --rm debian:stretch grep '^hosts:' /etc/nsswitch.conf
+RUN [ ! -e /etc/nsswitch.conf ] && echo 'hosts: files dns' > /etc/nsswitch.conf
+
+COPY ./paddingmodes-go1.11.diff /tmp/paddingmodes-go1.11.diff
+
+ENV GOLANG_VERSION 1.11.5
+
+RUN set -eux; \
+	apk add --no-cache --virtual .build-deps \
+		bash \
+		gcc \
+		musl-dev \
+		openssl \
+		go \
+	; \
+	export \
+# set GOROOT_BOOTSTRAP such that we can actually build Go
+		GOROOT_BOOTSTRAP="$(go env GOROOT)" \
+# ... and set "cross-building" related vars to the installed system's values so that we create a build targeting the proper arch
+# (for example, if our build host is GOARCH=amd64, but our build env/image is GOARCH=386, our build needs GOARCH=386)
+		GOOS="$(go env GOOS)" \
+		GOARCH="$(go env GOARCH)" \
+		GOHOSTOS="$(go env GOHOSTOS)" \
+		GOHOSTARCH="$(go env GOHOSTARCH)" \
+	; \
+# also explicitly set GO386 and GOARM if appropriate
+# https://github.com/docker-library/golang/issues/184
+	apkArch="$(apk --print-arch)"; \
+	case "$apkArch" in \
+		armhf) export GOARM='6' ;; \
+		x86) export GO386='387' ;; \
+	esac; \
+	\
+	wget -O go.tgz "https://golang.org/dl/go$GOLANG_VERSION.src.tar.gz"; \
+	echo 'bc1ef02bb1668835db1390a2e478dcbccb5dd16911691af9d75184bbe5aa943e *go.tgz' | sha256sum -c -; \
+	tar -C /usr/local -xzf go.tgz; \
+	rm go.tgz; \
+	\
+	cd /usr/local/go/src; \
+	patch -p2 < /tmp/paddingmodes-go1.11.diff; \
+	rm /tmp/paddingmodes-go1.11.diff; \
+	./make.bash; \
+	\
+	rm -rf \
+# https://github.com/golang/go/blob/0b30cf534a03618162d3015c8705dd2231e34703/src/cmd/dist/buildtool.go#L121-L125
+		/usr/local/go/pkg/bootstrap \
+# https://golang.org/cl/82095
+# https://github.com/golang/build/blob/e3fe1605c30f6a3fd136b561569933312ede8782/cmd/release/releaselet.go#L56
+		/usr/local/go/pkg/obj \
+	; \
+	apk del .build-deps; \
+	\
+	export PATH="/usr/local/go/bin:$PATH"; \
+	go version
+
+ENV GOPATH /go
+ENV GOBIN $GOPATH/bin
+ENV PATH $GOPATH/bin:/usr/local/go/bin:$PATH
+
+RUN mkdir -p "$GOPATH/src" "$GOPATH/bin" && chmod -R 777 "$GOPATH"
+WORKDIR $GOPATH
+
+COPY padcheck.go /go/src
+RUN cd /go/src && go install padcheck.go
+
+ENTRYPOINT ["/go/bin/padcheck"]
+CMD ["-h"]

LICENSE

@@ -0,0 +1,21 @@
+Copyright 2019 Tripwire, Inc. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this
+   list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
+ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

README.md

@@ -1,6 +1,76 @@
-# padcheck
-TLS CBC Padding Oracle Checker
+# Padcheck: A TLS CBC Padding Oracle Scanner
 
-This repository is a placeholder for materials associated with the research referenced here: https://www.tripwire.com/state-of-security/vulnerability-management/zombie-poodle-goldendoodle/
+This tool tests how a server responds to various CBC padding errors.
 
-Check back after the Black Hat Asia 2019 presentation: https://www.blackhat.com/asia-19/briefings/schedule/index.html#zombie-poodle-goldendoodle-and-how-tlsv-can-save-us-all-13741
+The tool makes a series of connections where the TLS record containing an HTTP request is malformed. Servers should respond uniformly to all malformed records. If the server responds differently to certain types of errors, an attacker may be able to construct a padding oracle for use in an adaptive chosen ciphertext attack.
+
+There are currently five malformed record test cases: 
+1. Invalid MAC with Valid Padding (0-length pad)
+2. Missing MAC with Incomplete Padding (255-length pad)
+3. Valid MAC with Inconsistent Padding (SSLv3 style padding)
+4. Missing MAC with Valid Padding (Entire record is padding)
+5. Invalid MAC with Valid Padding (0-length record)
+
+## Usage
+
+|              |        |                                                                                        |
+| ------------ | ------ | -------------------------------------------------------------------------------------- |
+| -h           |        | Show help                                                                              |
+| -hosts       | string | Filename containing hosts to query                                                     |
+| -iterations  | int    | Number of iterations required to confirm oracle (default 3)                            |
+| -keylog      | string | Path to a file NSS key log export (needed to decrypt pcap files) (default "/dev/null") |
+| -v           | int    | Specify verboseness level (default: 1, max: 5) (default 1)                             |
+| -workerCount | int    | Desired number of workers for testing lists (default 32)                               |
+
+The basic usage is to run ```padcheck hostname```
+A list of hosts can also be read from a file ```padcheck -hosts hostnames.txt```
+
+Vulnerable hosts are indicated in the tool output with a line similar to:
+
+*Hostname (ip:443)* is VULNERABLE with a *Observable MAC Validity (Zombie POODLE)* oracle when using cipher *0xc027* with TLS *0x0303*. The fingerprint is *6867b5*
+
+The fingerprint produced by this tool is a hash of the server responses. These values are subject to change with changes to the tool or with environmental variation which may influence the error message text. The fingerprint value should therefore be primarily used for correlating similar vulnerabilities within a specific environment.
+
+
+## Building (manual)
+
+This tool requires first building a patched Go toolchain. See [Installing Go from source](https://golang.org/doc/install/source) for compiler requirements.
+
+Run `./build.sh` to pull the appropriate version of the Go source, patch it, build it, then use it to build the `padcheck` binary.
+
+## Docker build (recommended)
+
+Building with Docker is easier and cross-platform.
+
+Run `docker build . -t padcheck` to build the patched Go toolchain and the `padcheck` tool in a container.
+
+Run with: `docker run --rm -it padcheck [args]`
+
+If you want to use a hosts file or keylog file, you will need to mount them in the container:
+
+```sh
+docker run --rm -it \
+    -v /path/to/hosts:/tmp/hosts \
+    -v /path/to/keylog:/tmp/keylog \
+    padcheck -hosts /tmp/hosts -keylog /tmp/keylog
+```
+
+## Credits
+
+The original idea for this padding check tool was a very simple tool for checking for POODLE issues in TLS servers, by Adam Langley (`agl` AT `imperialviolet` DOT `org`). See:
+
+- https://www.imperialviolet.org/2014/12/08/poodleagain.html
+- https://www.imperialviolet.org/binary/poodle-tls-go.patch
+- https://www.imperialviolet.org/binary/scanpadding.go
+
+## Additional Resources
+
+More information about scanning for TLS CBC padding oracles on the Internet can be found in this repo: https://github.com/RUB-NDS/TLS-Padding-Oracles
+
+
+## License
+
+Original tool copyright 2014 Adam Langley, released under a BSD license.
+
+Copyright 2019 Tripwire, Inc. All rights reserved.
+Released under a [BSD 2-Clause License](./LICENSE).

build.sh

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+wget https://github.com/golang/go/archive/go1.11.tar.gz && tar xf go1.11.tar.gz && cd go-go1.11 && patch -p1 < ../paddingmodes-go1.11.diff && cd src/ && ./make.bash && cd ../ && ./bin/go build -o ../padcheck ../padcheck.go