Bypassing Strong Authentication... With Passwords?!
Adam Goodman
akgood@duosecurity.com
Passwords13 - 2013-07-31

Security exploits of Google application specific passwords & Chrome’s OAuth2 tokens

Duo Security's investigation into the security vulnerabilities of Google Application-Specific Passwords. Plus a follow-up investigation on a few loose ends from our previous work, which uncovered a new method of exploiting Google Chrome's OAuth2 tokens.

0. Kill The Password?

1. Bypassing Google’s 2-Factor Authentication

Google’s 2-Step Verification

What About Non-Web-Based Logins?
Thick-Client Protocols
‣ IMAP
‣ CalDAV
‣ XMPP
‣ ...
Google Software (Interim Solution)
‣ Android
‣ Chrome

Application-Specific Passwords
‣ 16 lowercase letters
‣ Randomly-Generated by Google
‣ Individually Revokable
‣ Not intended to be memorized
Sounds a bit like...

ASPs vs. OAuth Tokens
‣ ASPs have to be generated manually
‣ ASPs aren’t actually Application-Specific!

Not-So-Application-Specific
“Another weakness of ASP is the misimpression that it provides application-limited rather than full-scope account access.”
- Authentication at Scale, appearing in IEEE S&P Magazine vol. 11, no. 1

Detour: Android Auto-Login
Also:
‣ Chromebooks
‣ Desktop versions of Chrome (if enabled in chrome://flags)
‣ ...?

Detour: Android Auto-Login
Worked even for the most sensitive parts of https://accounts.google.com:
‣ 2FA settings: https://accounts.google.com/b/0/SmsAuthConfig?hl=en
‣ Account-Recovery Settings: https://accounts.google.com/b/0/UpdateAccountRecoveryOptions?hl=en&service=oz

So...
‣ ASPs can link an Android device, and
‣ With auto-login, Android devices could - with no additional authentication - take over your account completely!

Let’s Figure Out How This Works...
Android HTTPS Interception, v1
‣ Real Device (Google Nexus S) with a custom default gateway
‣ Linux Desktop, running sslsniff
  ‣ http://www.thoughtcrime.org/software/sslsniff/
‣ Custom CA certificate

Let’s Figure Out How This Works...
Android HTTPS Interception, v2
‣ Android Emulator
  ‣ $ emulator -http-proxy localhost:8080 @avd_name
‣ Burp Suite Proxy
  ‣ http://portswigger.net/burp/
‣ Custom CA certificate
Basic Workflow
‣ POST to https://android.clients.google.com/auth
  ‣ Send Email, EncryptedPasswd, service=ac2dm
  ‣ Receive “Token”
‣ POST to https://android.clients.google.com/auth
  ‣ Send Email, Token, service=urlquote(“weblogin:continue=https://accounts.google.com/ManageAccount”)
  ‣ Receive “MergeSession” URL
‣ Open the MergeSession URL; get instantly logged into your account!

Step 1
POST /auth HTTP/1.1
Host: android.clients.google.com
...
accountType=HOSTED_OR_GOOGLE&Email=akgood%40arbsec.org&has_permission=1&add_account=1&EncryptedPasswd=AFcb4...&service=ac2dm&source=android&androidId=3281f33679ccc6c6&device_country=us&operatorCountry=us&lang=en&sdk_version=17

Step 1
HTTP/1.1 200 OK
...
SID=DQAAANwAAAVMG4uYt2HaF...
Auth=DQAAAOAAAACRbLC5-dgM...
services=goanna_mobile,apps,...
Email=akgood@arbsec.org
Token=1/fXrv8D3fLP1mOBj3o1...
GooglePlusUpgrade=1
firstName=Adam
lastName=Goodman

Step 1: EncryptedPasswd?
POST /auth HTTP/1.1
Host: android.clients.google.com
...
accountType=HOSTED_OR_GOOGLE&Email=akgood%40arbsec.org&has_permission=1&add_account=1&Passwd=xxxxxxxxxxxxxxxx&service=ac2dm&source=android&androidId=3281f33679ccc6c6&device_country=us&operatorCountry=us&lang=en&sdk_version=17

Step 2
POST /auth HTTP/1.1
Host: android.clients.google.com
...
accountType=HOSTED_OR_GOOGLE&Email=akgood%arbsec.org&has_permission=1&Token=1%2FfXrv8D3fLP1mOBj3o1... ...&service=weblogin%3Acontinue%3Dhttps%253A%252F%252Faccounts.google.com%252FManageAccount&source=android&androidId=3281f33679ccc6c6&app=com.android.browser&client_sig=61ed377e85d386a8dfee6b864bd85b0bfaa5af81&device_country=us&operatorCountry=us&lang=en&sdk_version=17

Step 2
HTTP/1.1 200 OK
...
Auth=https://accounts.google.com/MergeSession?args=continue%3Dhttps%253A%252F%252Faccounts.google.com%252FManageAccount&uberauth=AP...&source=AndroidWebLogin
Expiry=0

Simplified Workflow
‣ POST to https://android.clients.google.com/auth
  ‣ Send Email, Passwd, service=urlquote(“weblogin:continue=https://accounts.google.com/ManageAccount”)
  ‣ Receive “MergeSession” URL
Go from Application-Specific Password to full account takeover with one API call!

Timeline
‣ 2012/07/16: Duo researchers confirm presence of ASP weakness.
‣ 2012/07/18: Issue reported to security@google.com.
‣ 2012/07/20: Communication with Google Security Team clarifying the issue.
‣ 2012/07/24: Issue is confirmed and deemed “expected behavior” by Google Security Team.
‣ 2013/02/21: Fix is pushed by Google to prevent ASP-initiated sessions from accessing sensitive account interfaces.
‣ 2013/02/25: Public disclosure by Duo.

Google’s Fix
‣ Sensitive account-settings pages are no longer accessible via auto-login (you must enter username/password/OTP)
‣ ~Nothing else has changed

Multiple Discovery
‣ http://grkvlt.blogspot.co.uk/2012/08/google-tfa-security-issue.html
‣ http://connect.ncircle.com/ncircle/attachments/ncircle/VERTBlog/173/1/CraigYoung_BSidesSlides-2SV.pdf
Evaluation

2-step Verification Still Helps...
‣ Phishing
‣ Password-sharing between services (with insecure password databases)

... But ASPs Can Be Stolen
HTTPS Man-In-The-Middle
‣ Thick-client applications are notoriously bad at checking SSL certificates: https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html
Malware can grab stored passwords...
‣ Windows: Data Protection API
  ‣ Encrypts data using a key derived from the user’s logon credential
  ‣ Any process running under the same user account can decrypt any DPAPI-protected data
‣ OS X: Keychain
  ‣ Stronger: per-application permissions
Plaintext...

Case Study: Pidgin
‣ Plain-Text Passwords!
  ‣ https://developer.pidgin.im/wiki/PlainTextPasswords
‣ GTalk / “Hangouts” - (probably) low impact if compromised
  ‣ If we were storing a credential that only had access to your GTalk account, then storing it in plaintext might be ~OK
‣ GMail - (probably) high impact if compromised
  ‣ ... all of your other accounts on the internet?!

Not Just Application-Specific Passwords
‣ Chrome on Windows / Mac / Linux has the same “auto-login” functionality
‣ ... but it’s using OAuth2 now!

Workflow
‣ POST to https://accounts.google.com/o/oauth2/token
  ‣ send refresh_token, client_id, client_secret (the latter two are hardcoded into Chrome)
  ‣ receive access_token
‣ GET to https://accounts.google.com/OAuthLogin?source=ChromiumBrowser&issueuberauth=1
  ‣ send access_token in Authorization header
  ‣ get “uberauth” token back
‣ Use “uberauth” token to construct a MergeSession URL

How Is The Refresh Token Stored?
from (e.g.) ~/Library/Application Support/Google/Chrome/Default/Preferences:
...
"oauth2LoginRefreshToken": {
  "status": "Successful",
  "value": "1/0209_TGZzDyfxwozFV..."
}
...

OAuth2 Won’t (automagically) Save You
Unexpected threat models:
‣ Access to your tabs/bookmarks/history/etc. vs access to your entire Google account!
2. Passing The Hash In Windows Networks... Even When Passwords Are “Disabled”
(borrowing in part from http://www.foofus.net/~hinge/presos/insidious-implicit-windows-trust-relationships.pdf)

Local vs Domain Logins
‣ Local
  ‣ Password hashes are stored on your workstation
‣ Domain
  ‣ Password hashes stored on the Domain Controller
  ‣ Your workstation will cache them, sometimes
‣ Both Local and Domain accounts can be administrators on your workstation
[Diagram: Workstation, Workstation, Workstation, Other Server, Domain Controller]

Authentication In Windows Networks
‣ NTLM Authentication
‣ Kerberos
‣ ...

NTLM Authentication
‣ Challenge-Handshake Protocol
‣ Uses NTLM Hash of user’s password, not the password itself!
  ‣ One-way hash function
  ‣ No salting, no PBKDF2 ...
‣ Extremely pervasive in Windows ecosystems
  ‣ RPCs
  ‣ SMB mounts
  ‣ ...

Pass-The-Hash
NTLM Authentication only requires the NTLM Hash!
‣ Gain local admin rights on a single workstation (somehow...)
‣ Extract NTLM Hashes
‣ Use them to compromise other machines in the network!
[Diagram: Workstation, Workstation, Domain Controller, Workstation, Other Server]
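To make the two NTLM slides concrete, here is an added Python example (not from the talk) that computes the NT hash exactly as the slides describe it, MD4 over the UTF-16LE password with no salt and no stretching, and then derives an NTLMv2 challenge response from that hash alone; MD4 is implemented inline because some OpenSSL builds no longer expose it through hashlib. The user name, domain, challenge and client blob are constructed values; the point for defenders is that a dumped NT hash must be handled as a leaked password, because every verifier in the domain accepts it.

```python
import hashlib
import hmac
import struct

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, written out here because hashlib may not provide it."""
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    round3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    rounds = [(f, 0, list(range(16)), (3, 7, 11, 19)),
              (g, 0x5A827999, [4 * (i % 4) + i // 4 for i in range(16)], (3, 5, 9, 13)),
              (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, round3, (3, 9, 11, 15))]
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = h
        for fn, k, order, s in rounds:
            for i, idx in enumerate(order):
                a = _rotl((a + fn(b, c, d) + x[idx] + k) & 0xFFFFFFFF, s[i % 4])
                a, b, c, d = d, a, b, c   # rotate the working variables
        h = [(u + v) & 0xFFFFFFFF for u, v in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)): no salt, no per-user input, no work factor,
    so the same password gives the same hash on every account and every host."""
    return md4(password.encode("utf-16-le"))

def ntlmv2_response(nt: bytes, user: str, domain: str, server_challenge: bytes, client_blob: bytes) -> bytes:
    """NTLMv2 proof as in MS-NLMP: HMAC-MD5 keyed only by the NT hash. A client
    holding just the hash can answer any challenge; the password is never needed."""
    v2_key = hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    return hmac.new(v2_key, server_challenge + client_blob, hashlib.md5).digest()

if __name__ == "__main__":
    # Constructed demo values (not from the talk).
    dumped_nt = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")  # NT hash of "password"
    chal, blob = b"\x01" * 8, b"\x01\x01\x00\x00" + b"\x00" * 28
    print(nt_hash("password") == dumped_nt)                                   # True
    print(ntlmv2_response(dumped_nt, "alice", "CORP", chal, blob).hex())      # valid proof, no password used
```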
What About Smart-Cards?
Public/Private Key-pair and Certificate stored on cryptographic hardware
‣ Private Key can “never” be extracted
‣ Authenticate by asking the smartcard to digitally-sign a value (basically, Challenge-Handshake)
‣ Windows can do Certificate-based user authentication
Sounds much better, right?

What About Smart-Cards?
“In order to support NTLM authentication [MS-NLMP] for applications connecting to network services that do not support Kerberos authentication, when PKCA is used, the KDC returns the user's NTLM one-way function (OWF) in the privilege attribute certificate (PAC) PAC_CREDENTIAL_INFO buffer ([MS-PAC] section 2.6.1).”
- [MS-PKCA]: Public Key Cryptography for Initial Authentication (PKINIT) in Kerberos Protocol
http://msdn.microsoft.com/en-us/library/cc238455.aspx

Evaluation
Smart-cards still can help...
‣ Weak Passwords
‣ Shared Passwords between accounts / systems
But Pass-The-Hash attacks can still be a threat!

3. Some Conclusions

Real-world ecosystems tend to have multiple, distinct authentication scenarios...
... passwords (or similar stored-secret authentication methods) are likely to continue to exist in some scenarios ...
...in each scenario, we must carefully balance privileges with trust

Authentication Scenarios and Trust
Rights
‣ What is the maximum set of permissions that should be granted to a user?
Integrity Level
‣ How strongly has a user / client authenticated?

4. Amazon Web Services: Identity and Access Management (IAM)

Identity And Access Management (IAM)
‣ A single AWS account can have multiple users
‣ Flexible Rights-Expression Language, based on:
  ‣ Resources (e.g. EC2 Instances, DNS zones, ...)
  ‣ Actions (e.g. start instance, stop instance, ...)
  ‣ Other session context (e.g. client IP address, SSL usage, whether 2FA was used, ...)
IAM Policy Example
{
  "Version": "2012-10-17",
  "Statement": [{
    "Action": ["ec2:StopInstances", "ec2:TerminateInstances"],
    "Effect": "Deny",
    "Resource": ["*"],
    "Condition": {
      "Null": {"aws:MultiFactorAuthAge": "true"}
    }
  }]
}
Deny specific actions if a user didn’t use 2-factor authentication
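As an added example (not from the talk or from AWS), the following Python evaluates the slide’s policy the way IAM decides a request for this subset of the language: explicit Deny beats Allow, no Allow means implicit Deny, and a “Null” condition on aws:MultiFactorAuthAge is satisfied only when that context key is absent, i.e. the session was opened without MFA. It also handles NumericLessThan so the same mechanism can require a recent MFA; the companion Allow policy, the account id and the instance ARN are constructed.

```python
import fnmatch
import json

# The policy from the slide, with "Statement" quoted so it parses as JSON.
DENY_WITHOUT_MFA = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Action": ["ec2:StopInstances", "ec2:TerminateInstances"],
    "Effect": "Deny", "Resource": ["*"],
    "Condition": {"Null": {"aws:MultiFactorAuthAge": "true"}}}]}""")

# Constructed companion policy: broad EC2 access that the Deny above carves into.
ALLOW_EC2 = {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_ok(cond, ctx):
    """Two IAM operators: Null ("true" means the key is absent from the request
    context) and NumericLessThan (key present and numerically below the bound)."""
    for op, tests in cond.items():
        for key, want in tests.items():
            if op == "Null":
                if (key not in ctx) != (str(want).lower() == "true"):
                    return False
            elif op == "NumericLessThan":
                if key not in ctx or not float(ctx[key]) < float(want):
                    return False
            else:
                raise ValueError("unsupported condition operator: " + op)
    return True

def evaluate(policies, action, resource, ctx):
    """IAM decision logic: a matching explicit Deny wins outright; otherwise a
    matching Allow is required, and with none the result is an implicit Deny."""
    decision = "Deny"
    for policy in policies:
        for st in policy["Statement"]:
            if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
                continue
            if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
                continue
            if not _condition_ok(st.get("Condition", {}), ctx):
                continue
            if st["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

if __name__ == "__main__":
    # Constructed request contexts: aws:MultiFactorAuthAge exists only when the
    # session was opened with MFA (its value is the seconds since that happened).
    inst = "arn:aws:ec2:us-east-1:123456789012:instance/i-0example"
    print(evaluate([ALLOW_EC2, DENY_WITHOUT_MFA], "ec2:StopInstances", inst, {}))                              # Deny
    print(evaluate([ALLOW_EC2, DENY_WITHOUT_MFA], "ec2:StopInstances", inst, {"aws:MultiFactorAuthAge": "120"}))  # Allow
```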
2-Factor Authentication for API Clients
Amazon Secure Token Service
‣ Provide API credentials and a one-time-passcode to a specific endpoint
‣ Get a new set of temporary credentials back

Evaluation
AWS gives you all the tools to build strong, flexible authorization policies...
... but you have to actually build them!
AWS is intended for developers (and other savvy types)

Questions?
