2014 – Year of Broken Name Generator(s)
Miroslav Štampar([email protected])
FER 2015, Zagreb (Croatia) January 16th, 2015 2
Introduction(.jpg)
goto fail (1)
CVE-2014-1266 (6.8)
Discovered by @CrowdStrike by reverse engineering the security update for iOS (7.0.6)
Public disclosure on February 21, 2014
SSL/TLS vulnerability in iOS and OS X
The signature in the ServerKeyExchange message is not correctly verified
Allows MiTM attacks with fully transparent interception of HTTPS traffic
The bug had been in the wild for more than a year
Later, a similar bug was found in GnuTLS
goto fail (2)
The attacker has to be in a position to intercept and change traffic between victim and target (MiTM)
The attacker sends fake (chosen) Diffie-Hellman parameters to the victim, along with the server's valid certificate and a forced Ephemeral Diffie-Hellman (EDH/DHE) cipher suite, triggering the vulnerable code
The signature over the provided parameters is not properly checked against the server's certificate
This allows the attacker to generate the same session key(s) as the client (the purpose of Diffie-Hellman)
Once the secure connection is established between victim and attacker, the attacker plays the MiTM proxy role
goto fail (3)
Vulnerable piece of code:
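The duplicated-goto pattern behind the bug, as an added example in C (not the slide's screenshot of Apple's SecureTransport source); the hash and verify helpers are toy stand-ins with assumed names, and the "signature" is just the expected hash value:

```c
#include <stddef.h>
#include <stdint.h>

/* Toy stand-ins for SecureTransport's hash/verify steps (assumed names, not Apple's API). */
static int hash_init(uint32_t *h) { *h = 0x811c9dc5u; return 0; }
static int hash_update(uint32_t *h, const uint8_t *p, size_t n)
{ for (size_t i = 0; i < n; i++) *h = (*h ^ p[i]) * 16777619u; return 0; }   /* FNV-1a */
static int hash_final(uint32_t *h, uint32_t *out) { *out = *h; return 0; }
/* "sig" stands in for the signature over the DH parameters; a real implementation
 * would verify an RSA/ECDSA signature with the public key from the server's certificate. */
static int verify(uint32_t hash, uint32_t sig) { return hash == sig ? 0 : -1; }

/* Shape of CVE-2014-1266: the second, unindented "goto fail;" is unconditional, so
 * hash_final and verify are skipped and err is still 0, i.e. "signature valid". */
int verify_server_key_exchange_buggy(const uint8_t *params, size_t n, uint32_t sig)
{
    uint32_t ctx, h; int err;
    if ((err = hash_init(&ctx)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, params, n)) != 0)
        goto fail;
        goto fail;                          /* duplicated line: always taken */
    if ((err = hash_final(&ctx, &h)) != 0)
        goto fail;
    err = verify(h, sig);
fail:
    return err;                             /* 0 = accept the ServerKeyExchange */
}

/* Fixed version (stray goto removed): verify() always runs, so forged DH
 * parameters carrying a bad signature are rejected. */
int verify_server_key_exchange_fixed(const uint8_t *params, size_t n, uint32_t sig)
{
    uint32_t ctx, h; int err;
    if ((err = hash_init(&ctx)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, params, n)) != 0)
        goto fail;
    if ((err = hash_final(&ctx, &h)) != 0)
        goto fail;
    err = verify(h, sig);
fail:
    return err;
}

/* Test helper: the value a genuine signature over these parameters would carry. */
uint32_t expected_sig(const uint8_t *params, size_t n)
{
    uint32_t ctx, h;
    hash_init(&ctx); hash_update(&ctx, params, n); hash_final(&ctx, &h);
    return h;
}
```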
goto fail (4)
mitmproxy --ciphers="DHE-RSA-AES256-SHA" --cert-forward
Heartbleed (1)
CVE-2014-0160 (5.0)
Discovered independently by Neel Mehta (@Google) and @Codenomicon at roughly the same time (while the bug had been there for years :)
Public disclosure on April 7, 2014
OpenSSL's (1.0.1 before 1.0.1g) TLS heartbeat extension (RFC 6520) buffer over-read vulnerability
Allows attackers to retrieve private cryptographic keys and private user data
It is estimated that 24-55% of HTTPS servers in the Alexa Top 1 Million were initially vulnerable
Heartbleed (2)
The heartbeat extension provides a means to test and keep alive secure communication connections
A “Heartbeat Request” message is sent consisting of a payload (typically a text value), and the receiver has to send exactly the same payload back to the sender
The returned message is sized according to the length field (max. 64KB in case of attack) in the requesting message, without properly checking the actual payload's length (e.g. “foobar”)
Heartbleed (3)
The response consists of the payload, followed by whatever else happened to be in the allocated memory buffer (in case of a faked payload length)
The attack is performed repeatedly in the hope of reading a chunk previously used by OpenSSL (e.g. server private key, session cookies, credentials, etc.)
OpenSSL uses a custom memory allocator, making exploitation far easier (non-random, reusable memory chunks are allocated)
Lots of criticism followed, especially of OpenSSL's “sloppy coding” style (e.g. LibreSSL developers removed half of the OpenSSL source tree in a week)
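An added example in C (not the heartbleed.py tool from these slides) of the heartbeat handling described on the two slides above: the length-trusting copy beside the fixed handler that checks the claimed length against the real record. The record layout follows RFC 6520; the "reused buffer with a stale secret" scenario is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* RFC 6520 heartbeat: type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
#define HB_REQUEST 1
#define HB_RESPONSE 2
#define HB_PADDING 16

/* Pre-1.0.1g behaviour, simplified: the reply is sized by the *claimed* length, so
 * whatever follows the request in the allocated buffer is echoed back. rec must point
 * into a backing buffer large enough for the copy (keeps this demo memory-safe). */
size_t heartbeat_reply_unchecked(const uint8_t *rec, uint8_t *out)
{
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);          /* over-read when payload > real length */
    memset(out + 3 + payload, 0, HB_PADDING);   /* response padding */
    return 3 + payload + HB_PADDING;
}

/* The fix: payload_length is untrusted and must fit inside the real record length
 * before any copy. Returns 0 = discard silently, as patched OpenSSL does. */
size_t heartbeat_reply_checked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t cap)
{
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST) return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload + HB_PADDING > rec_len) return 0;   /* the check Heartbleed lacked */
    if (3 + payload + HB_PADDING > cap) return 0;
    return heartbeat_reply_unchecked(rec, out);             /* lengths agree, copy is safe */
}

/* Constructed request: claims 64 payload bytes but carries only "foobar" (9-byte record). */
static const uint8_t FORGED[] = {HB_REQUEST, 0, 64, 'f', 'o', 'o', 'b', 'a', 'r'};

/* Put the request in a reused buffer with a stale secret at offset 32;
 * returns 1 if the unchecked reply echoes that secret back. */
int unchecked_leaks_secret(void)
{
    uint8_t buf[256] = {0}, out[256] = {0};
    memcpy(buf, FORGED, sizeof FORGED);
    memcpy(buf + 32, "PRIVATE-KEY-BYTES", 17);
    size_t n = heartbeat_reply_unchecked(buf, out);
    return n == 83 && memcmp(out + 32, "PRIVATE-KEY-BYTES", 17) == 0;
}
```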
Heartbleed (4)
Heartbleed (5)
python heartbleed.py www.target.com
Rosetta Flash (1)
CVE-2014-4671 (6.8) and CVE-2014-5333 (6.8)
Discovered by Michele Spagnuolo (@Google)
Public disclosure on July 8, 2014
JSONP (JSON with padding) is a communication technique used in JavaScript programs to request data from a server in a different domain
Basically, it's a script tag injection method passing the response from the server into a user-specified function, the “callback” (in a different domain context)
A website with a JSONP endpoint accepting only an alphanumeric callback (for security reasons) can be abused (against the client's Adobe Flash Player) with specially crafted SWF files
Rosetta Flash (2)
It can be used to serve (echo back) a provided malicious alphanumeric SWF object that steals the content(s) of a same-domain URL inside the user's browser
The SWF (Flash) file is executed in the context of the target domain, so a CSRF (Cross-Site Request Forgery) attack can be performed
Successful mitigation required “patching” both on the client side (Adobe Flash Player 14.0.0.176) and on the server side
Many high-profile sites were affected (Google, YouTube, Twitter, LinkedIn, Yahoo, eBay, Flickr, Baidu, Instagram, Tumblr, etc.)
Rosetta Flash (3)
Vulnerable JSONP sample application:
Sample malicious alphanumeric SWF:
Rosetta Flash (4)
Sample malicious web page:
Rosetta Flash (5)
msfconsole (flash_rosetta_jsonp_url_disclosure)
Shellshock (1)
CVE-2014-6271 (10.0), CVE-2014-6277 (10.0), CVE-2014-6278 (10.0), CVE-2014-7169 (10.0), CVE-2014-7186 (10.0) and CVE-2014-7187 (10.0)
Discovered by Stéphane Chazelas
Public disclosure on September 24, 2014
Remote code execution through Bash
Many *nix and *BSD Internet-facing systems expose Bash to client requests (e.g. HTTP (CGI), DHCP, SSH, CUPS, etc.)
Bash supports exporting not just shell variables, but also shell functions to other bash instances
Shellshock (2)
Sample function definition in Bash:
Commands are unintentionally executed (on a vulnerable machine) when concatenated to function definitions stored as environment variables:
Shellshock (3)
HTTP requests to CGI scripts have been identified as the major attack vector
The CGI specification maps all parts of requests to environment variables (e.g. Host header to $REMOTE_HOST variable)
CGI programs written in Perl, PHP, Python, Ruby and Bash itself are potentially vulnerable
Sample vulnerable script:
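An added detection example in C, not the slide's sample script or attack: it checks client-supplied header values, which CGI turns into environment variables, for the exported-function marker that a vulnerable Bash would parse as a function definition. The sample request is constructed; the CGI naming rule shown is the standard `HTTP_` prefix convention.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* 1 if a value (for CGI: a client-supplied header value) starts with the marker
 * Bash uses for exported function definitions, "() {", after optional whitespace.
 * No legitimate header value starts this way; vulnerable Bash would parse it as a
 * function definition and then run whatever follows the closing brace. */
int looks_like_exported_function(const char *value)
{
    while (*value && isspace((unsigned char)*value)) value++;
    return strncmp(value, "() {", 4) == 0;
}

/* CGI variable name for a header line, the way web servers build the environment:
 * "User-Agent: ..." -> "HTTP_USER_AGENT" (upper-case, '-' -> '_'). Static buffer. */
const char *cgi_var_name(const char *header_line)
{
    static char name[64];
    const char *colon = strchr(header_line, ':');
    size_t j = 5;
    strcpy(name, "HTTP_");
    for (const char *p = header_line; colon && p < colon && j < sizeof name - 1; p++)
        name[j++] = (*p == '-') ? '_' : (char)toupper((unsigned char)*p);
    name[j] = '\0';
    return name;
}

/* Scan request header lines; returns how many would land in the CGI environment
 * as function-definition-shaped values (i.e. Shellshock probes or attempts). */
int count_shellshock_headers(const char *const *lines, size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++) {
        const char *colon = strchr(lines[i], ':');
        if (colon && looks_like_exported_function(colon + 1)) hits++;
    }
    return hits;
}

/* Constructed sample request, not from any real capture. */
const char *const SAMPLE_HEADERS[] = {
    "Host: cgi.example.test",
    "User-Agent: () { :;}; echo probe",      /* the classic probe shape */
    "Accept: */*",
    "Cookie: () { ignored; }; echo probe",
};
const size_t SAMPLE_HEADER_COUNT = sizeof SAMPLE_HEADERS / sizeof SAMPLE_HEADERS[0];
```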
Shellshock (4)
Sample attack:
POODLE (1)
CVE-2014-3566 (4.3)
Discovered by Bodo Möller, Thai Duong and Krzysztof Kotowicz (@Google)
Public disclosure on October 14, 2014
“Padding Oracle On Downgraded Legacy Encryption”
Padding oracle attack against the CBC mode of operation in SSL 3.0 (exploiting the same flaw as the BEAST attack)
In case of TLS usage, a forced version downgrade from TLS to SSL 3.0 MiTM attack is performed
Major browsers voluntarily downgrade to SSL 3.0 if TLS handshakes fail
POODLE (2)
SSL 3.0 (deprecated 15 years ago) uses non-deterministic CBC padding, which makes padding oracle attacks possible in a MiTM environment
Padding is performed to make the input plaintext length equal to a multiple of the cipher's block size (e.g. 8 bytes in the case of 3DES and 16 bytes in the case of AES)
SSL 3.0 adds padding terminated by a single byte denoting the length of the padding itself
In a padding oracle attack the server leaks whether the padding of an encrypted message is correct or not
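An added example in C (not from the slides) contrasting the SSL 3.0 padding check with the TLS one, which is what turns SSL 3.0 into a usable padding oracle; both functions assume the padding is confined to the final decrypted block, the case POODLE relies on.

```c
#include <stddef.h>
#include <stdint.h>

/* Both checks look at the last block of a CBC-decrypted record after MAC-then-pad
 * (padding confined to that block). They return 1 if the padding is acceptable
 * to that protocol version. */

/* SSL 3.0: the last byte gives the padding length and must be smaller than the block
 * size; the padding bytes themselves are never inspected. The oracle therefore only
 * has to get one byte right, which is what makes POODLE practical. */
int ssl3_padding_ok(const uint8_t *block, size_t block_size)
{
    uint8_t pad_len = block[block_size - 1];
    return pad_len < block_size;            /* pad byte contents are ignored */
}

/* TLS 1.0+: every padding byte must equal the padding length byte, so a block whose
 * last byte happens to be right but whose other bytes are random is rejected. */
int tls_padding_ok(const uint8_t *block, size_t block_size)
{
    uint8_t pad_len = block[block_size - 1];
    if ((size_t)pad_len + 1 > block_size)
        return 0;
    int ok = 1;
    for (size_t i = block_size - 1 - pad_len; i < block_size; i++)
        ok &= (block[i] == pad_len);        /* no early exit: avoids a timing side channel */
    return ok;
}

/* How many of the 256 possible last-byte values a given check accepts when the other
 * 15 bytes of a 16-byte (AES) block are arbitrary: 16 for SSL 3.0, 1 for TLS. This
 * models the padding check alone; the MAC check is the second gate. */
int accepted_last_byte_values(int (*check)(const uint8_t *, size_t))
{
    uint8_t block[16];
    int accepted = 0;
    for (size_t i = 0; i < 15; i++) block[i] = 0xA5;   /* constructed filler */
    for (int last = 0; last < 256; last++) {
        block[15] = (uint8_t)last;
        accepted += check(block, sizeof block);
    }
    return accepted;
}
```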
POODLE (3)
CBC mode decryption:
POODLE (4)
In the POODLE attack the presumption is that the victim runs malicious JavaScript in a browser, which causes the browser to make attacker-controlled requests (with cookies) to the origin of interest (e.g. google.com)
The attacker intercepts one such controlled encrypted request, takes the block which contains the value of interest (e.g. one “shifted” cookie byte followed by spaces), replaces the last (padding) block with its content and forwards it to the server
If the server doesn't drop such a “skewed” request, it can be concluded that the last byte of the decrypted duplicated block, XORed with the ciphertext of the previous block, equals the known padding value
Sandworm (1)
CVE-2014-4114 (9.3)
Identified by @iSIGHT from the same-named “cyber-attack” campaign
Public disclosure on October 15, 2014
Microsoft Windows OLE arbitrary code execution
Windows Vista SP2, Windows 7/8, Windows Server 2008/2012 are known to be vulnerable
The problem lies in how the Object Packager 2 component (packager.dll) handles an INF file that contains malicious registry changes (e.g. RunOnce)
An INF can't be loaded (and executed) directly but can be forced by embedding the file path as a remote share in an OLE object
Sandworm (2)
msfconsole (ms14_060_sandworm)
Sandworm (3)
Questions?