Security exploits of Google application specific passwords & Chrome’s OAuth2 tokens

Duo Security's investigation into the security vulnerabilities of Google Application-Specific Passwords.Plus a follow-up investigation on a few loose-ends from our previous work, which uncovered a new method of exploiting Google Chrome's OAuth2 tokens.

Transcript

  • 1. Bypassing Strong Authentication... With Passwords?!
    Adam Goodman, akgood@duosecurity.com
    Passwords13 - 2013-07-31
    duosecurity.com 1
  • 2. 0. Kill The Password?
  • 3. (image-only slide)
  • 4. (image-only slide)
  • 5. (image-only slide)
  • 6. 1. Bypassing Google’s 2-Factor Authentication
  • 7. (image-only slide)
  • 8. (image-only slide)
  • 9. Google’s 2-Step Verification
  • 10. Google’s 2-Step Verification
  • 11. What About Non-Web-Based Logins?
    Thick-Client Protocols
    ‣ IMAP
    ‣ CalDAV
    ‣ XMPP
    ‣ ...
    Google Software (Interim Solution)
    ‣ Android
    ‣ Chrome
  • 12. Application-Specific Passwords
  • 13. Application-Specific Passwords
    ‣ 16 lowercase letters
    ‣ Randomly-generated by Google
    ‣ Individually revokable
    ‣ Not intended to be memorized
    ... sounds a bit like...
  • 14. ASPs vs. OAuth Tokens
    ‣ ASPs have to be generated manually
    ‣ ASPs aren’t actually Application-Specific!
  • 15. Not-So-Application-Specific
    “Another weakness of ASP is the misimpression that it provides application-limited rather than full-scope account access.”
    - Authentication at Scale, appearing in IEEE S&P Magazine vol. 11, no. 1
  • 16. Detour: Android Auto-Login
    Also:
    ‣ Chromebooks
    ‣ Desktop versions of Chrome (if enabled in chrome://flags)
    ‣ ...?
  • 17. Detour: Android Auto-Login
    Worked even for the most sensitive parts of https://accounts.google.com:
    ‣ 2FA settings: https://accounts.google.com/b/0/SmsAuthConfig?hl=en
    ‣ Account-Recovery Settings: https://accounts.google.com/b/0/UpdateAccountRecoveryOptions?hl=en&service=oz
  • 18. So...
    ‣ ASPs can link an Android device, and
    ‣ With auto-login, Android devices could - with no additional authentication - take over your account completely!
  • 19. Let’s Figure Out How This Works... Android HTTPS Interception, v1
    ‣ Real Device (Google Nexus S) with a custom default gateway
    ‣ Linux Desktop, running sslsniff
      ‣ http://www.thoughtcrime.org/software/sslsniff/
    ‣ Custom CA certificate
  • 20. Let’s Figure Out How This Works... Android HTTPS Interception, v2
    ‣ Android Emulator
      ‣ $ emulator -http-proxy localhost:8080 @avd_name
    ‣ Burp Suite Proxy
      ‣ http://portswigger.net/burp/
    ‣ Custom CA certificate
  • 21. (image-only slide)
  • 22. Basic Workflow
    ‣ POST to https://android.clients.google.com/auth
      ‣ Send Email, EncryptedPasswd, service=ac2dm
      ‣ Receive “Token”
    ‣ POST to https://android.clients.google.com/auth
      ‣ Send Email, Token, service=urlquote(“weblogin:continue=https://accounts.google.com/ManageAccount”)
      ‣ Receive “MergeSession” URL
    ‣ Open the MergeSession URL; get instantly logged into your account!
  • 23. Step 1
    POST /auth HTTP/1.1
    Host: android.clients.google.com
    ...
    accountType=HOSTED_OR_GOOGLE&Email=akgood%40arbsec.org&has_permission=1&add_account=1&EncryptedPasswd=AFcb4...&service=ac2dm&source=android&androidId=3281f33679ccc6c6&device_country=us&operatorCountry=us&lang=en&sdk_version=17
  • 24. Step 1
    HTTP/1.1 200 OK
    ...
    SID=DQAAANwAAAVMG4uYt2HaF...
    Auth=DQAAAOAAAACRbLC5-dgM...
    services=goanna_mobile,apps,...
    Email=akgood@arbsec.org
    Token=1/fXrv8D3fLP1mOBj3o1...
    GooglePlusUpgrade=1
    firstName=Adam
    lastName=Goodman
  • 25. Step 1: EncryptedPasswd?
    POST /auth HTTP/1.1
    Host: android.clients.google.com
    ...
    accountType=HOSTED_OR_GOOGLE&Email=akgood%40arbsec.org&has_permission=1&add_account=1&Passwd=xxxxxxxxxxxxxxxx&service=ac2dm&source=android&androidId=3281f33679ccc6c6&device_country=us&operatorCountry=us&lang=en&sdk_version=17
  • 26. Step 2
    POST /auth HTTP/1.1
    Host: android.clients.google.com
    ...
    accountType=HOSTED_OR_GOOGLE&Email=akgood%arbsec.org&has_permission=1&Token=1%2FfXrv8D3fLP1mOBj3o1...&service=weblogin%3Acontinue%3Dhttps%253A%252F%252Faccounts.google.com%252FManageAccount&source=android&androidId=3281f33679ccc6c6&app=com.android.browser&client_sig=61ed377e85d386a8dfee6b864bd85b0bfaa5af81&device_country=us&operatorCountry=us&lang=en&sdk_version=17
  • 27. Step 2
    HTTP/1.1 200 OK
    ...
    Auth=https://accounts.google.com/MergeSession?args=continue%3Dhttps%253A%252F%252Faccounts.google.com%252FManageAccount&uberauth=AP...&source=AndroidWebLogin
    Expiry=0
  • 28. Simplified Workflow
    ‣ POST to https://android.clients.google.com/auth
      ‣ Send Email, Passwd, service=urlquote(“weblogin:continue=https://accounts.google.com/ManageAccount”)
      ‣ Receive “MergeSession” URL
    Go from Application-Specific Password to full account takeover with one API call!
  • 29. Timeline
    ‣ 2012/07/16: Duo researchers confirm presence of ASP weakness.
    ‣ 2012/07/18: Issue reported to security@google.com.
    ‣ 2012/07/20: Communication with Google Security Team clarifying the issue.
    ‣ 2012/07/24: Issue is confirmed and deemed “expected behavior” by Google Security Team.
    ‣ 2013/02/21: Fix is pushed by Google to prevent ASP-initiated sessions from accessing sensitive account interfaces.
    ‣ 2013/02/25: Public disclosure by Duo.
  • 30. Google’s Fix
    ‣ Sensitive account-settings pages are no longer accessible via auto-login (you must enter username/password/OTP)
    ‣ ~Nothing else has changed
  • 31. Multiple Discovery
    ‣ http://grkvlt.blogspot.co.uk/2012/08/google-tfa-security-issue.html
    ‣ http://connect.ncircle.com/ncircle/attachments/ncircle/VERTBlog/173/1/CraigYoung_BSidesSlides-2SV.pdf
  • 32. Evaluation
  • 33. 2-step Verification Still Helps...
    ‣ Phishing
    ‣ Password-sharing between services (with insecure password databases)
  • 34. ... But ASPs Can Be Stolen
    HTTPS Man-In-The-Middle
    ‣ Thick-client applications are notoriously bad at checking SSL certificates: https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html
    Malware can grab stored passwords...
    ‣ Windows: Data Protection API
      ‣ Encrypts data using a key derived from the user’s logon credential
      ‣ Any process running under the same user account can decrypt any DPAPI-protected data
    ‣ OS X: Keychain
      ‣ Stronger: per-application permissions
    Plaintext...
  • 35. Case Study: Pidgin
    ‣ Plain-Text Passwords!
      ‣ https://developer.pidgin.im/wiki/PlainTextPasswords
    ‣ GTalk / “Hangouts” - (probably) low impact if compromised
      ‣ If we were storing a credential that only had access to your GTalk account, then storing it in plaintext might be ~OK
    ‣ GMail - (probably) high impact if compromised
      ‣ ... all of your other accounts on the internet?!
  • 36. Not Just Application-Specific Passwords
    ‣ Chrome on Windows / Mac / Linux has the same “auto-login” functionality
    ‣ ... but it’s using OAuth2 now!
  • 37. Workflow
    ‣ POST to https://accounts.google.com/o/oauth2/token
      ‣ send refresh_token, client_id, client_secret (the latter two are hardcoded into Chrome)
      ‣ receive access_token
    ‣ GET to https://accounts.google.com/OAuthLogin?source=ChromiumBrowser&issueuberauth=1
      ‣ send access_token in Authorization header
      ‣ get “uberauth” token back
    ‣ Use “uberauth” token to construct a MergeSession URL
  • 38. How Is The Refresh Token Stored?
    from (e.g.) ~/Library/Application Support/Google/Chrome/Default/Preferences:
    ...
    "oauth2LoginRefreshToken": {
      "status": "Successful",
      "value": "1/0209_TGZzDyfxwozFV..."
    }
    ...
  • 39. OAuth2 Won’t (automagically) Save You
    Unexpected threat models:
    ‣ Access to your tabs/bookmarks/history/etc. vs access to your entire Google account!
  • 40. 2. Passing The Hash In Windows Networks... Even When Passwords Are “Disabled”
    (borrowing in part from http://www.foofus.net/~hinge/presos/insidious-implicit-windows-trust-relationships.pdf)
  • 41. Local vs Domain Logins
    ‣ Local
      ‣ Password hashes are stored on your workstation
    ‣ Domain
      ‣ Password hashes stored on the Domain Controller
      ‣ Your workstation will cache them, sometimes
    ‣ Both Local and Domain accounts can be administrators on your workstation
    (diagram: Workstations, Other Server, Domain Controller)
  • 42. Authentication In Windows Networks
    ‣ NTLM Authentication
    ‣ Kerberos
    ‣ ...
  • 43. NTLM Authentication
    ‣ Challenge-Handshake Protocol
    ‣ Uses NTLM Hash of user’s password, not the password itself!
      ‣ One-way hash function
      ‣ No salting, no PBKDF2 ...
    ‣ Extremely pervasive in Windows ecosystems
      ‣ RPCs
      ‣ SMB mounts
      ‣ ...
  • 44. Pass-The-Hash
    NTLM Authentication only requires the NTLM Hash!
    ‣ Gain local admin rights on a single workstation (somehow...)
    ‣ Extract NTLM Hashes
    ‣ Use them to compromise other machines in the network!
    (diagram: Workstations, Domain Controller, Other Server)
  • 45. What About Smart-Cards?
    Public/Private Key-pair and Certificate stored on cryptographic hardware
    ‣ Private Key can “never” be extracted
    ‣ Authenticate by asking the smartcard to digitally-sign a value (basically, Challenge-Handshake)
    ‣ Windows can do Certificate-based user authentication
    Sounds much better, right?
  • 46. What About Smart-Cards?
    “In order to support NTLM authentication [MS-NLMP] for applications connecting to network services that do not support Kerberos authentication, when PKCA is used, the KDC returns the user's NTLM one-way function (OWF) in the privilege attribute certificate (PAC) PAC_CREDENTIAL_INFO buffer ([MS-PAC] section 2.6.1).”
    - [MS-PKCA]: Public Key Cryptography for Initial Authentication (PKINIT) in Kerberos Protocol, http://msdn.microsoft.com/en-us/library/cc238455.aspx
  • 47. Evaluation
    Smart-cards still can help...
    ‣ Weak Passwords
    ‣ Shared Passwords between accounts / systems
    But Pass-The-Hash attacks can still be a threat!
  • 48. 3. Some Conclusions
  • 49. Real-world ecosystems tend to have multiple, distinct authentication scenarios...
    ... passwords (or similar stored-secret authentication methods) are likely to continue to exist in some scenarios ...
    ... in each scenario, we must carefully balance privileges with trust
  • 50. Authentication Scenarios and Trust
    Rights
    ‣ What is the maximum set of permissions that should be granted to a user?
    Integrity Level
    ‣ How strongly has a user / client authenticated?
  • 51. 4. Amazon Web Services: Identity and Access Management (IAM)
  • 52. Identity And Access Management (IAM)
    ‣ A single AWS account can have multiple users
    ‣ Flexible Rights-Expression Language, based on:
      ‣ Resources (e.g. EC2 Instances, DNS zones, ...)
      ‣ Actions (e.g. start instance, stop instance, ...)
      ‣ Other session context (e.g. client IP address, SSL usage, whether 2FA was used, ...)
  • 53. IAM Policy Example
    {
      "Version": "2012-10-17",
      "Statement": [{
        "Action": ["ec2:StopInstances", "ec2:TerminateInstances"],
        "Effect": "Deny",
        "Resource": ["*"],
        "Condition": {
          "Null": {"aws:MultiFactorAuthAge": "true"}
        }
      }]
    }
    Deny specific actions if a user didn’t use 2-factor authentication
  • 54. 2-Factor Authentication for API Clients
    Amazon Secure Token Service
    ‣ Provide API credentials and a one-time-passcode to a specific endpoint
    ‣ Get a new set of temporary credentials back
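An added example (my own code, not from the talk or from Duo) showing how the Deny-without-MFA policy on slide 53 is evaluated: a minimal Python evaluator that implements IAM's deny-overrides rule and the Null condition operator, run against a constructed policy pairing the slide's Deny statement with a broad Allow, so the Deny fires when aws:MultiFactorAuthAge is absent from the request context and steps aside when it is present, which is what the MFA-backed STS credentials on slide 54 provide. The resource ARN and request contexts are constructed; NumericLessThan is included to go one step further and bound how old the MFA may be.

```python
import fnmatch
import json

# Constructed policy: the slide's Deny-without-MFA statement paired with a broad
# Allow, so the evaluator has something to override.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*"], "Resource": ["*"]},
    {"Effect": "Deny",
     "Action": ["ec2:StopInstances", "ec2:TerminateInstances"],
     "Resource": ["*"],
     "Condition": {"Null": {"aws:MultiFactorAuthAge": "true"}}}
  ]
}
""")

def _matches(patterns, value):
    """IAM-style wildcard match ('*' any run, '?' one char); accepts str or list."""
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _condition_holds(condition, context):
    """Every operator/key pair must hold. Supports Null and NumericLessThan only."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in context
            if operator == "Null":
                # "true" means the key must be absent from the request context
                if present == (str(expected).lower() == "true"):
                    return False
            elif operator == "NumericLessThan":
                if not present or not float(context[key]) < float(expected):
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True

def evaluate(policy, action, resource, context):
    """IAM's basic rule: an explicit Deny wins, then any Allow, else implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)
                and _condition_holds(stmt.get("Condition", {}), context)):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision

if __name__ == "__main__":
    arn = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"  # constructed
    print(evaluate(POLICY, "ec2:TerminateInstances", arn, {}))  # plain API keys: ExplicitDeny
    print(evaluate(POLICY, "ec2:TerminateInstances", arn, {"aws:MultiFactorAuthAge": "120"}))  # MFA'd STS creds: Allow
```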
  • 55. Evaluation
    AWS gives you all the tools to build strong, flexible authorization policies...
    ... but you have to actually build them!
    AWS is intended for developers (and other savvy types)
  • 56. Questions?
