Ever wondered what could go wrong with using AES in ECB mode? In fact, any block cipher used in ECB mode is vulnerable.
ECB works by splitting the plaintext into chunks of 16 bytes, padding the last one if necessary so that they all have the same length. Each chunk is then encrypted separately with the same key to produce a ciphertext block, so identical plaintext blocks always produce identical ciphertext blocks.
More explanation here.
- Suppose the attacker controls the beginning of a plaintext that is going to get encrypted: input + secretValue.
- The attacker can leverage this situation to align the bytes of the secretValue so that only one byte is in the first block and the others get encrypted in a different block. This method can then be used to recover all the bytes one by one by trial and error.
- Let's say the secret value is `ABCD`. Then for input `{0}*47`, the message will be `|0..0|0..0|0..0A|BCD+padding`. For input `{0}*47 + 'A'`, the message will be `|0..0|0..0|0..0A|ABCD+padding`. Since this is ECB mode, both ciphertexts will have the same values from index 64 to 96 (the 3rd block).
Used pwntools to automate this for the server.
See file for example.
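
The block comparison described above, shown next to the same message encrypted with a random IV, as an added example that is not the code from this write-up. Assumptions: a toy Feistel permutation stands in for AES so the script runs with the standard library only, the key is generated locally, indices 64 to 96 are read as hex-character offsets, and the names `ecb`, `cbc` and `third_block_matches` are hypothetical.

```python
import hashlib
import hmac
import os

BLOCK = 16                      # AES block size in bytes
KEY = os.urandom(16)            # constructed key for this demo
SECRET = b"ABCD"                # the sample secret used in the text

def toy_encrypt_block(block: bytes) -> bytes:
    """Stand-in for AES: 4-round Feistel permutation keyed via HMAC-SHA256 (not secure)."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(KEY, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right

def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK          # PKCS#7 padding
    return data + bytes([n]) * n

def blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb(user_input: bytes) -> str:
    """Encrypt input + SECRET block by block with the same key, hex-encoded."""
    return b"".join(toy_encrypt_block(b) for b in blocks(pad(user_input + SECRET))).hex()

def cbc(user_input: bytes) -> str:
    """Same message, but chained from a fresh random IV (IV is the first output block)."""
    prev = os.urandom(BLOCK)
    out = [prev]
    for b in blocks(pad(user_input + SECRET)):
        prev = toy_encrypt_block(bytes(x ^ y for x, y in zip(prev, b)))
        out.append(prev)
    return b"".join(out).hex()

def third_block_matches(mode, guess: bytes, iv_blocks: int = 0) -> bool:
    """Compare the ciphertext of the 3rd plaintext block for the two inputs from the text."""
    lo = 64 + 32 * iv_blocks               # hex offset of the 3rd plaintext block
    return mode(b"0" * 47)[lo:lo + 32] == mode(b"0" * 47 + guess)[lo:lo + 32]

if __name__ == "__main__":
    print("ECB, guess A:", third_block_matches(ecb, b"A"))      # block repeats
    print("ECB, guess B:", third_block_matches(ecb, b"B"))      # block differs
    print("CBC, guess A:", third_block_matches(cbc, b"A", 1))   # random IV hides the repeat
```

With a per-message random IV the equality signal disappears, which is why a randomized mode (preferably an authenticated one such as AES-GCM) is the fix rather than any change to the padding or key.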