Bodo Möller, Thai Duong and Krzysztof Kotowicz

The attacker wants to read a secure cookie sent by the user.

When encrypting a connection over SSL using CBC the information that is encrypted is split in blocks of 16 bytes. The way the client specifies to the server the exact length of the packet is by storing in the last byte of the block the number of unused bytes. When the whole block is unused, the last byte is 15, since it's specifying that it had 15 unused bytes. Since the decrypted content is authenticated, the padding must always be correct, otherwise, if the last byte is greater than the block size, or if the value is smaller, then the decrypted data would be different and decryption would fail.

To perform the attack, the attacker replaces the last block with another block in the request. The server will always reject the request except when the last byte is decrypted as 15. When the server decides not to reject the request, the attacker knows that the last byte in the block that was substituted decrypts as 15. Note, however, that this doesn't mean the original content in that position was 15, it just means that when decrypted as the last block the value decrypts to 15. With this information the attacker can calculate the original value of the last byte in the replaced block, which the attacker positioned so that it is the first byte of the cookie value (and then the attack is repeated to steal the other bytes).
About In Security Bugs Gallery you will find drawings of different stories inspired by software security vulnerabilities.
Creative Commons License