# CBC-MAC II
CBC-MAC is a message authentication code based on block ciphers (e.g., AES).
Correct usage requirements:
- Fixed-length messages or
- Strict domain separation
- NULL IV (all-zero IV)
CBC-MAC is designed to provide integrity, not confidentiality.
#### Root Cause
- The CBC-MAC implementation incorrectly uses a user-controlled IV
- First-block integrity depends only on `IV ⊕ First_Block`, since that XOR is the only thing the block cipher ever sees
- Changing the IV therefore allows controlled modification of the first plaintext block **without invalidating the MAC**: any change to the first block can be cancelled by the same change to the IV
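As an added example (not code from the original write-up), the two usage rules above are shown side by side: a verifier that trusts a client-supplied IV next to a hardened one that fixes the IV to all zeros and prepends the message length. `block_encrypt` is a hashlib stand-in for a real block cipher such as AES so the block runs without a crypto library, the key and IV are constructed values, and `iv_shift_check` is a regression check a defender can run to confirm that the hardened verifier rejects the first-block/IV shift described in the root cause.

```python
import hashlib
import hmac
import struct

BLOCK = 16  # AES block size; the page's 8-byte IV implies a 64-bit cipher, same logic applies

def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in for a real block cipher such as AES so the example runs without a
    # crypto library: a keyed PRF, not a cipher, and not for real use.
    return hashlib.sha256(key + block).digest()[:BLOCK]

def cbc_mac_raw(key: bytes, iv: bytes, msg: bytes) -> bytes:
    # Plain CBC chain: C_i = E_k(C_{i-1} XOR P_i); the tag is the last block.
    msg = msg + b"\x00" * (-len(msg) % BLOCK)  # zero-pad to a block boundary
    state = iv
    for i in range(0, len(msg), BLOCK):
        state = block_encrypt(key, bytes(a ^ b for a, b in zip(state, msg[i:i + BLOCK])))
    return state

def weak_verify(key: bytes, iv: bytes, msg: bytes, tag: bytes) -> bool:
    # The flaw on this page: the verifier trusts an IV read from the client cookie,
    # so the first cipher input IV XOR P_1 is entirely client-chosen.
    return hmac.compare_digest(cbc_mac_raw(key, iv, msg), tag)

def cbc_mac(key: bytes, msg: bytes) -> bytes:
    # Hardened use: all-zero IV and the message length prepended (prefix-length
    # CBC-MAC), so neither the IV nor the block count is under client control.
    return cbc_mac_raw(key, bytes(BLOCK), struct.pack(">Q", len(msg)) + msg)

def verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    # No IV parameter: there is nothing in the request for a client to shift.
    return hmac.compare_digest(cbc_mac(key, msg), tag)

def iv_shift_check(key: bytes, iv: bytes, msg: bytes, new_first: bytes) -> tuple:
    # Regression check for the root cause above: replace P_1[0] and apply the same
    # XOR delta to IV[0]. Returns (weak verifier accepts, hardened verifier accepts).
    tag_weak, tag_hard = cbc_mac_raw(key, iv, msg), cbc_mac(key, msg)
    delta = msg[0] ^ new_first[0]
    iv2 = bytes([iv[0] ^ delta]) + iv[1:]
    msg2 = new_first + msg[1:]
    return weak_verify(key, iv2, msg2, tag_weak), verify(key, msg2, tag_hard)

if __name__ == "__main__":
    KEY = b"constructed-demo-key-not-secret!"  # constructed sample key
    IV = bytes(range(BLOCK))                   # constructed client-supplied IV
    print(iv_shift_check(KEY, IV, b"bdmin", b"a"))  # (True, False)
```

The weak verifier returns `True` for the shifted pair because the cipher input is unchanged; the hardened verifier returns `False` because the tag no longer depends on anything the client can shift.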
***
#### Exploitation Strategy
1. Register a username **similar in length** to target (e.g. `bdmin`)
2. Obtain:
* CBC-MAC signature
* IV (from cookie)
3. Compute XOR **delta** between:
* Original username block
* Desired username block (`admin`)
4. XOR this delta into the first byte of the IV:

```python
import base64

# IV taken from the cookie (base64-encoded)
old_iv = base64.b64decode("9sw72AFSCCU=")

# XOR delta between the first byte of the registered username ('b')
# and the first byte of the target username ('a')
delta = ord('b') ^ ord('a')
print(old_iv[0])  # <-- THIS is the first byte

# XOR the first byte of the IV: this applies IV′ = IV ⊕ (b ⊕ a)
new_iv = bytearray(old_iv)
new_iv[0] = old_iv[0] ^ delta

new_iv_b64 = base64.b64encode(new_iv).decode()
print(new_iv_b64)

# Byte value of 'a' (0x61) to write as the first byte of the main cookie
print(hex(ord('a')))
```

5. Replace the IV in the cookie and also change the first byte of the main cookie, turning `bdministrator` into `administrator`.
6. Send the modified cookies (both the IV and the main cookie are modified).
7. The server authenticates the attacker as the target user.