A padding oracle attack represents an attack performed using the padding bites of a cryptographic message. Plain text messages that have variable length often have to be expanded (padded) in order to be compatible with the cryptographic primitive. To understand this attack, first we need to look at what block ciphers are, how block ciphers operate, and specifically how CBC (Cipher Block Chaining) works.
The block cipher is an algorithm that operates on fixed-length groups of bits (blocks), with a transformation that is no variable and it is specified by a symmetric key. Block ciphers are widely used to encrypt data.
The mode of operation is an algorithm that uses a block cipher to provide an information service such as authenticity or confidentiality. Block cipher modes operate on whole blocks, and require that the last part of the data be padded to a full block if it’s smaller than the current block size.
The CBC (Cipher Block Chaining) mode of operation
The mode of encryption is about adding XOR each plaintext block to the ciphertext block that was produced previously. The result is then encrypted using the cipher algorithm. Each ciphertext block depends on the previous one. Since the first block does not have a previous block to XOR with, a random initialization vector (IV) with the same size as the plaintext block is used.
How OpenSSL records are encrypted
OpenSSL records can be encrypted via a Message Authentication Code (MAC). This is done by first authenticating the plaintext data and then encrypting it, or MAC-then-encrypt. A record has the following format:
A valid padding looks like a number preceded by that number of copies of itself. This means that if the number is 0x02, it is repeated 2 times:
Decoding the block means decrypting the entire message, have a look at the last byte, remove it and remove also that many bites of padding. This will give you the location of the MAC (which is exactly 20 bytes). To compute the MAC, take the sequence number, the 5 byte header, and the message, then HMAC them using a shared integrity key.
Padding Oracle Attack
A padding oracle is a way for an attacker with the ability to modify ciphertext sent to a server to extract the value of the plaintext. If the attacker is on the same local network as the victim, he can use a technique to trick the victim’s machine to forward data to the attacker’s machine instead of the router. The attacker can then read, modify and measure the time it takes for every encrypted message sent from the browser to the server.
If the server behaves differently when decrypting ciphertext that has correct padding vs. incorrect padding, the attacker can carefully craft ciphertexts that provide enough information to reveal the plaintext data.
You can test if a specific hostname is vulnerable against CVE-2016-2107 here.