Dec 25 2013

4096-bit RSA Key Extraction Attack via Acoustic Cryptanalysis

A trio of scientists have verified that results they first presented nearly 10 years ago are in fact valid, proving that they can extract a 4096-bit RSA key from a laptop using an acoustic side-channel attack that enables them to record the noise coming from the laptop during decryption, using a smartphone placed nearby. The attack, laid out in a new paper, can be used to reveal a large RSA key in less than an hour.

Acoustic Cryptanalysis
Parabolic microphone extracting an RSA key from a target laptop

The attack relies on a number of factors, including proximity to the machine performing the decryption operation and being able to develop chosen ciphertexts that incite certain observable numerical cancellations in the GnuPG algorithm. Over several thousand repetitions of the algorithm’s operation, the researchers discovered that there was sound leakage they could record over the course of fractions of a second and interpret, resulting in the discovery of the RSA key in use.

Their attack works against a number of laptop models and they said that there are a number of ways that they could implement it, including through a malicious smartphone app running on a device near a target machine. They could also implement it through software on a compromised mobile device of through the kind of eavesdropping bugs used by intelligence agencies and private investigators.

The developers of GnuPG have developed a patch for the vulnerability that the Israeli researchers used, implementing a technique known as blinding. The patch is included in version 1.4.16 of GnuPG. Shamir and his co-authors, Daniel Genkin and Eran Tromer, said that they also could perform their attack from a greater distance using a parabolic microphone and may also work with a laser microphone or vibrometer.

Research Paper: RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis

Dec 15 2013

EBay Remote Code Execution Vulnerability Demonstrated

EBay Exploit
A German Security researcher has demonstrated a critical vulnerability on Ebay website.

He found a controller which was prone to remote-code-execution due to a type-cast issue in combination with complex curly syntax.

In a demo video, he exploited this RCE flaw on EBay website, and managed to display output of phpinfo() PHP function on the web page, just by modifying the URL and injecting code in that.

According to an explanation on his blog, he noticed a legitimate URL on EBay:

https://sea.ebay.com/search/?q=david&catidd=1

and modified the URL to pass any array values including a payload:

https://sea.ebay.com/search/?q[0]=david&q[1]=sec{${phpinfo()}}&catidd=1

Video Demonstration:

David has already reported the flaw responsibly to the Ebay Security Team and they have patched it early this week.

Source: eBay : Remote Code Execution