ALPACA gnaws through TLS protection to snarf cookies and steal data

Academics from three German universities have found a vulnerability in the Transport Layer Security (TLS) protocol that under limited circumstances allows the theft of session cookies and enables cross-site scripting attacks.

Dubbed ALPACA, which is short for “Application Layer Protocol Confusion – Analyzing and Mitigating Cracks in TLS Authentication,” the researcher’s findings are described in an academic paper [PDF] that’s scheduled to be presented in August at Black Hat USA 2021 and the USENIX Security Symposium 2021.

The researchers – Marcus Brinkmann, Robert Merget, Jörg Schwenk, Jens Müller of Ruhr University Bochum, Christian Dresen, Damian Poddebniak, and Sebastian Schinzel of Münster University of Applied Sciences, Juraj Somorovsky of Paderborn University – have discovered that TLS, because it’s independent from the application layer in the standard networking model, is vulnerable to certificate confusion where wildcard or multi-domain certificates have been deployed.

Because TLS does not bind TCP connections to the desired application layer protocol (e.g. HTTP, SMTP, IMAP, POP3, and FTP), there’s an opportunity for a miscreant-in-the-middle (MitM) attack to redirect TLS traffic to a different endpoint at another IP address or port.

“We show that in realistic scenarios, the attacker can extract session cookies and other private user data or execute arbitrary JavaScript in the context of the vulnerable web server, therefore bypassing TLS and web application security,” the boffins’ paper explains.

The first such attack, described two decades ago by Jochen Topf [PDF], details how browsers could be duped into sending arbitrary data to any TCP port using HTML forms. The ALPACA attack makes this technique generic across multiple protocols.

In circumstances where an MitM attack is possible (such as a local network or a compromised network system), an attacker-controlled website could initiate a cross-origin HTTPS request with a malicious FTP payload. By redirecting the request to an FTP server with a certificate that’s compatible with the web server, the attacker could set a specific cookie via FTP, download a malicious JavaScript file via FTP, or reflect malicious JavaScript in the request.

Yes, it works

The researchers demonstrated that their technique works by registering an account with email provider Mailfence. To conduct a miscreant-in-the-browser (MitB) attack, they “posted HTML form data to to log into [their] account and retrieve the content of an HTML email (download attack), resulting in JavaScript execution in the context of for browsers that ignore the port number in the SOP [same-origin policy], such as Internet Explorer. The issue was acknowledged by the vendor as stored XSS.”

They say they found similar exploitable issues at a major Bitcoin exchange, the website of a large university, and the Government of India’s webmail service.

The researchers identified 1.4 million web servers that are potentially vulnerable to protocol confusion of this sort and 119,000 of these that are open to attack by an exploitable application server. PoC code has been posted to GitHub.

Since October last year, the researchers have been discussing their findings with various open source projects like OpenSSL, the maintainers of various TLS libraries, projects like nginx and Apache, and various FTP and email server projects.

The boffins argue there’s no reason to panic because the ALPACA attack requires a number of prerequisites to work and depends on the complicated interplay between applications, protocols, and browsers. At the same time, ALPACA should not be ignored.

Among the vulnerable application and browser combinations identified are: Sendmail SMTP (Internet Explorer) over STARTTLS; Cyrus, Kerio Connect and Zimbra IMAP enabled download and reflection attacks (Internet Explorer); Courier, Cyrus, Kerio Connect and Zimbra allowed download attacks (Internet Explorer); Microsoft IIS, vsftpd, FileZilla Server and Serv-U FTP servers made reflection attacks possible (Internet Explorer); and these same FTP servers permitted upload and download attacks in any browser.

The suggested mitigations involve implementing Application Layer Protocol Negotiation (ALPN) and Server Name Indication (SNI) extensions to TLS as a barrier to cross-protocol attacks. The problem is that deploying these protections could shut out legacy clients and servers that haven’t been updated yet.

The fix for this bug is not a simple patch; rather it requires updates to multiple libraries and applications. The researchers say that they expect ALPACA will be keeping us company for many years to come. ®