A group of researchers from several German universities has developed a new MITM attack method on HTTPS that makes it possible to extract cookies with session identifiers and other confidential data, as well as to achieve execution of arbitrary JavaScript code in the context of another site. The attack was named ALPACA and can be applied to TLS servers that implement different application-level protocols (HTTPS, SFTP, SMTP, IMAP, POP3) but use common TLS certificates.
The essence of the attack is that an attacker who controls a network gateway or wireless access point can redirect traffic to another network port, so that the connection is established not with the HTTP server but with an FTP or mail server that supports TLS encryption. Since the TLS protocol is universal and is not tied to application-level protocols, establishing the encrypted connection is identical for all services, and the error of sending a request to the wrong service can be detected only after the encrypted session has been established, while the commands of the sent request are being processed.
Accordingly, if, for example, a user's connection originally addressed to HTTPS is redirected to a mail server whose certificate is shared with the HTTPS server, the TLS connection will be established successfully, but the mail server will not be able to process the transmitted HTTP commands and will return a response with an error code. The browser will process this response as the response of the requested site, transmitted inside a correctly established encrypted communication channel.
Three attack variants are proposed:
- “Upload” to extract cookies with authentication parameters. The method is applicable if the FTP server covered by the TLS certificate allows uploading and retrieving data. In this variant, the attacker can get parts of the original HTTP request saved, such as the contents of the Cookie header, for example if the FTP server interprets the request as a file to save or logs incoming requests in full. For a successful attack, the attacker then needs to somehow extract the saved content. The attack is applicable to ProFTPD, Microsoft IIS, vsftpd, FileZilla and Serv-U.
- “Download” to carry out cross-site scripting (XSS). The method implies that the attacker can place data on a service that uses the common TLS certificate, and that this data can then be returned in response to the client's request. The attack is applicable to the above-mentioned FTP servers, IMAP servers and POP3 servers (Courier, Cyrus, Kerio-Connect and Zimbra).
- “Reflection” to run JavaScript in the context of another site. The method is based on the server returning to the client a part of the request that contains the attacker's JavaScript code. The attack is applicable to the above-mentioned FTP servers, the IMAP servers Cyrus, Kerio-Connect and Zimbra, as well as the SMTP server Sendmail.
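The precondition common to all three variants is a non-HTTP TLS service whose certificate a browser would also accept for an HTTPS hostname. The following audit sketch is an added example, not code from the article or the researchers; it goes slightly beyond the text by also treating wildcard certificates as shared, and the inventory format, hostnames and function names are assumptions constructed for illustration.

```python
"""Flag FTP/mail TLS services whose certificate is also valid for an HTTPS host."""
from itertools import product

# Constructed sample inventory (hypothetical hosts): protocol, endpoint,
# and the subjectAltName entries of the certificate served there.
INVENTORY = [
    {"proto": "https", "endpoint": "www.example.test:443",
     "sans": ["www.example.test", "example.test"]},
    {"proto": "ftp", "endpoint": "files.example.test:21",
     "sans": ["*.example.test"]},
    {"proto": "imap", "endpoint": "mail.example.test:993",
     "sans": ["mail.example.test"]},
    {"proto": "smtp", "endpoint": "mx.example.test:465",
     "sans": ["mx.example.test", "www.example.test"]},
    {"proto": "https", "endpoint": "shop.example.org:443",
     "sans": ["shop.example.org"]},
]


def san_matches(san, host):
    """True if a certificate name (exact or wildcard) covers the hostname."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san.startswith("*."):
        # A wildcard covers exactly one leftmost label, never the bare domain.
        label, _, rest = host.partition(".")
        return bool(label) and rest == san[2:]
    return san == host


def cross_protocol_exposure(inventory):
    """Return sorted (web_host, proto, endpoint, matching_san) findings."""
    web_hosts = sorted({s["endpoint"].rsplit(":", 1)[0]
                        for s in inventory if s["proto"] == "https"})
    others = [s for s in inventory if s["proto"] != "https"]
    findings = []
    for host, svc in product(web_hosts, others):
        # One finding per (web host, service) pair: first covering name wins.
        match = next((n for n in svc["sans"] if san_matches(n, host)), None)
        if match is not None:
            findings.append((host, svc["proto"], svc["endpoint"], match))
    return sorted(findings)


if __name__ == "__main__":
    for host, proto, endpoint, san in cross_protocol_exposure(INVENTORY):
        print(f"{host}: {proto} service at {endpoint} presents '{san}'")
```

Services that appear in the findings are the ones to give a dedicated certificate that is not valid for any web hostname.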