what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

PayPal Padding Oracle Flaw

PayPal Padding Oracle Flaw
Posted Sep 3, 2013
Authored by Timothy D. Morgan | Site vsecurity.com

The main PayPal web site sets a cookie named "aksession" which contains a blob of base64-encoded ciphertext. This ciphertext is encrypted using a 64-bit block cipher in CBC mode and does not have any other integrity protection. Naturally, this means the aksession cookie is vulnerable to a padding oracle attack allowing full decryption and forgery.

tags | advisory, web
SHA-256 | ba96e4f85c1954558a6465548df5a7c14c4b67362f6c526a4c2c191b176d6879

PayPal Padding Oracle Flaw

Change Mirror Download
The main PayPal web site sets a cookie named "aksession" which
contains a blob of base64-encoded ciphertext. This ciphertext is
encrypted using a 64-bit block cipher in CBC mode and does not have
any other integrity protection. Naturally, this means the aksession
cookie is vulnerable to a padding oracle attack allowing full
decryption and forgery.

Here's an example of an aksession cookie:

1371856787~id=cookieMOF13DX8hKxMUVKWTDJ4Mp6lam2TdbUs44BJ7iduOubp9+zII2ZAWPz9C9HM3GQDGNhUPxyHZ9eHF9kkF6BYdLaRYxMIpGlMYgobM+FYnB8//iMqth8sT/wrigUy4jnV1OLnkkE2g4x=

The ciphertext begins immediately after the "cookie" string. The
base64 value's first 8 bytes is the random initialization vector. The
decrypted plaintext contains:

expiretime=1371856787&sessionip=61.183.192.0&strategy=0&scriptid=&challenge=0&seedid=PRI

This flaw currently still exists in the PayPal site. PayPal was
notified through their bug bounty program, but they determined that
this flaw is "invalid" and does not deserve a bounty. They said it
would be fine to publish it.

To be fair, this cookie does indeed contain no sensitive information.
However, I think it may be a bit short-sighted of PayPal to discount
this issue, since there are several potentially interesting parameters
in the plaintext that could be forged by an attacker. I have only
ever observed plaintext values like the one above (that is, with
several parameters blank or "0"), so I can't tell for sure what they
are used for. PayPal never confirmed for me whether or not they
investigated attack scenarios involving modification of the parameters.
(In general, their responses were incredibly terse and unhelpful.)
I've decided it isn't worth more of my time trying to fuzz these
parameters, but perhaps someone else will get lucky.


I figured I could at least use this issue as an educational
opportunity-- I've created a short video which demonstrates how to
identify and exploit this problem using the Bletchley[1] took kit:
http://youtu.be/qqNgcc9v_DQ

If you are interested in learning more, note that I'll be giving a
2-day training course[2] at AppSecUSA 2013 which will cover exploitation of a
wide variety of common cryptography implementation problems, including
padding oracle flaws.


Finally, for those keeping score, here's a disclosure timeline:

2013-06-22
Initial notification with vulnerability details

2013-06-24
Form-letter response from PayPal

2013-06-28
Sent follow up with exploit script.

2013-07-12
Asked for an update from PayPal. PayPal responded that the evaluation
is still "in process".

2013-07-15
PayPal indicated that the bug is not eligible for a bounty because:
"This cookie doesnt contain any sensitive information."

2013-07-15
Responded to PayPal urging them to investigate the possibility of
malicious modification of parameters within the cookie, since doing
this exhaustively in a black box way requires a great deal of effort.

2013-08-06
After being ignored in the prior email, asked PayPal if it would be ok
to publish this flaw.

2013-08-07
PayPal responded with:
"This bug does not contain any sensitive data and we have determined it
is invalid. You may publish your findings regarding this bug."


Enjoy,
tim
@ecbftw


1. https://code.google.com/p/bletchley/

2. http://sched.co/19n00R5
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close