Page 1: 2014 – Year of Broken Name Generator(s)

2014 – Year of Broken Name Generator(s)

Miroslav Štampar ([email protected])

Page 2: 2014 – Year of Broken Name Generator(s)

FER 2015, Zagreb (Croatia) January 16th, 2015 2

Introduction (.jpg)

Page 3: 2014 – Year of Broken Name Generator(s)

goto fail (1)

CVE-2014-1266 (6.8)
Discovered by @CrowdStrike by reverse engineering the security update for iOS (7.0.6)
Public disclosure on February 21, 2014
SSL/TLS vulnerability in iOS and OS X
The signature in the ServerKeyExchange message is not being verified correctly
Allows MiTM attacks with fully transparent interception of HTTPS traffic
The bug had been in the wild for more than a year
Later, a similar bug was found in GnuTLS

Page 4: 2014 – Year of Broken Name Generator(s)

goto fail (2)

The attacker has to be in a position to intercept and change traffic between victim and target (MiTM)
The attacker sends fake (chosen) Diffie-Hellman parameters to the victim, along with the valid server's certificate and a forced Ephemeral Diffie-Hellman (EDH/DHE) cipher suite, triggering the vulnerable code
The provided parameters' signature is not properly checked against the server's certificate
Allows the attacker to derive the same session key(s) as the client (the purpose of Diffie-Hellman)
Once the secure connection is established between victim and attacker, the attacker plays the MiTM proxy role
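The exchange on this slide, as an added toy model that is not part of the original talk and not Apple's code: the client either verifies the signature on the DHE parameters or (modelling the skipped check) does not, and an on-path attacker who swaps in its own parameters ends up sharing the client's key only in the second case. The RSA signature is replaced by a keyed-hash stand-in (HMAC, which is not a signature scheme), the DH group is deliberately tiny, and every name below is this example's own assumption.

```python
"""Added illustration, not from the slides and not Apple's code: a toy model of
why the client must verify the signature on the DHE ServerKeyExchange. The RSA
signature is replaced by a stand-in keyed hash (HMAC, NOT a real signature
scheme) and the DH group is deliberately tiny; both are this example's own
assumptions, as are all names below."""
import hashlib
import hmac
import secrets

# Constructed toy DH group; real TLS uses primes of 2048 bits or more.
P = 2**61 - 1
G = 2

SERVER_SIGNING_SECRET = b"server-private-key-stand-in"  # known to the real server only


def sign_params(params, key):
    """Stand-in for the server's signature over the DH parameters."""
    return hmac.new(key, repr(params).encode(), hashlib.sha256).digest()


def verify_params(params, sig, key=SERVER_SIGNING_SECRET):
    """Client-side check of the parameters against the server's key material."""
    return hmac.compare_digest(sign_params(params, key), sig)


def server_key_exchange(server_priv):
    """The real server's ServerKeyExchange: (p, g, Ys) plus its signature."""
    params = (P, G, pow(G, server_priv, P))
    return params, sign_params(params, SERVER_SIGNING_SECRET)


def derive_key(peer_public, own_priv):
    """Session key from the DH shared secret (shared < P, so 8 bytes suffice)."""
    shared = pow(peer_public, own_priv, P)
    return hashlib.sha256(shared.to_bytes(8, "big")).digest()


def client_handle_ske(params, sig, client_priv, verify_signature):
    """Client side. verify_signature=False models the goto-fail control flow,
    where the verification step is skipped and the error code stays 0."""
    if verify_signature and not verify_params(params, sig):
        raise ValueError("bad ServerKeyExchange signature")
    p, g, ys = params
    return derive_key(ys, client_priv), pow(g, client_priv, p)


def mitm_session(verify_signature):
    """One DHE exchange with an on-path attacker who substitutes its own Ys while
    forwarding the real server's certificate and (now mismatching) signature.
    Returns True if the attacker ends up holding the client's session key."""
    server_priv = secrets.randbelow(P - 2) + 1
    client_priv = secrets.randbelow(P - 2) + 1
    attacker_priv = secrets.randbelow(P - 2) + 1

    _, real_sig = server_key_exchange(server_priv)
    forged_params = (P, G, pow(G, attacker_priv, P))  # attacker's Ys, server's signature attached

    client_key, client_pub = client_handle_ske(forged_params, real_sig, client_priv, verify_signature)
    return client_key == derive_key(client_pub, attacker_priv)


def attack_blocked():
    """True if enforcing the signature check aborts the tampered handshake."""
    try:
        mitm_session(True)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("signature check skipped, attacker shares the key:", mitm_session(False))
    print("signature check enforced, handshake aborted:", attack_blocked())
```

The only difference between the two runs is whether `verify_params` is consulted before the DH computation; with it skipped, the client happily completes a handshake with parameters the server never signed, which is exactly what the duplicated `goto fail;` produced.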

Page 5: 2014 – Year of Broken Name Generator(s)

goto fail (3)

Vulnerable piece of code:

Page 6: 2014 – Year of Broken Name Generator(s)

goto fail (4)

mitmproxy --ciphers="DHE-RSA-AES256-SHA" --cert-forward

Page 7: 2014 – Year of Broken Name Generator(s)

Heartbleed (1)

CVE-2014-0160 (5.0)
Discovered independently by Neel Mehta (@Google) and @Codenomicon at roughly the same time (while the bug had been there for years :)
Public disclosure on April 7, 2014
OpenSSL's (1.0.1 before 1.0.1g) TLS heartbeat extension (RFC6520) buffer over-read vulnerability
Allows attackers to retrieve private cryptographic keys and private user data
It is estimated that 24-55% of HTTPS servers in the Alexa Top 1 Million were initially vulnerable

Page 8: 2014 – Year of Broken Name Generator(s)

Heartbleed (2)

The heartbeat extension provides a means to test and keep alive secure communication connections
A “Heartbeat Request” message is sent consisting of a payload (typically a text value), and the receiver has to send exactly the same payload back to the sender
The returned message is based on the length field (max. 64KB in case of attack) of the requesting message, without properly checking the actual payload's length (e.g. “foobar”)

Page 9: 2014 – Year of Broken Name Generator(s)

Heartbleed (3)

The response consists of the payload, followed by whatever else happened to be in the allocated memory buffer (in case of a faked payload length)
The attack is performed repeatedly in the hope of reading a chunk previously used by OpenSSL (e.g. server private key, session cookies, credentials, etc.)
OpenSSL uses a custom memory allocator, making exploitation far easier (non-random/reusable memory chunks are being allocated)
Lots of criticism followed, especially against OpenSSL's “sloppy coding” style (e.g. LibreSSL developers removed half of the OpenSSL source tree in a week)
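The over-read described on the last two slides, as an added toy model that is not from the talk and not OpenSSL's code: a heartbeat handler that trusts the peer's length field beside one that checks it against the record actually received. The message layout follows RFC 6520; the "process memory" that sits behind the record, and all names, are constructed for this example.

```python
"""Added illustration, not from the slides and not OpenSSL's code: a toy model
of the RFC 6520 heartbeat over-read. Message layout follows RFC 6520
(type 1 byte | payload_length 2 bytes big-endian | payload | padding >= 16);
the 'process memory' that follows the record is constructed for the example."""
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520 minimum padding length

# Constructed stand-in for whatever sat next to the record in the heap.
PROCESS_MEMORY = b"session=cookie-value-9f3a; user=alice; -----BEGIN RSA PRIVATE KEY-----"


def build_heartbeat(payload, claimed_length=None):
    """Build a HeartbeatRequest; claimed_length lets the sender lie about the size."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * MIN_PADDING


def vulnerable_handler(record, memory=PROCESS_MEMORY):
    """Trusts payload_length from the peer (the OpenSSL 1.0.1 behaviour).
    Modelled copy: read payload_length bytes from the payload pointer onward,
    running past the record into whatever follows it in memory."""
    _, payload_length = struct.unpack("!BH", record[:3])
    heap = record + memory                     # the record sits in front of other data
    copied = heap[3:3 + payload_length]        # the unbounded copy
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length) + copied + b"\x00" * MIN_PADDING


def fixed_handler(record, memory=PROCESS_MEMORY):
    """Checks the claimed length against the record actually received, the shape
    of the 1.0.1g fix; returns None to model silently discarding the message."""
    if len(record) < 1 + 2 + MIN_PADDING:
        return None
    _, payload_length = struct.unpack("!BH", record[:3])
    if 1 + 2 + payload_length + MIN_PADDING > len(record):
        return None                            # RFC 6520: discard, do not respond
    payload = record[3:3 + payload_length]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length) + payload + b"\x00" * MIN_PADDING


def response_payload(response):
    """Extract the echoed payload from a HeartbeatResponse."""
    _, payload_length = struct.unpack("!BH", response[:3])
    return response[3:3 + payload_length]


if __name__ == "__main__":
    honest = build_heartbeat(b"foobar")
    lying = build_heartbeat(b"foobar", claimed_length=60)
    print("honest request, either handler:", response_payload(vulnerable_handler(honest)))
    print("lying request, vulnerable handler:", response_payload(vulnerable_handler(lying)))
    print("lying request, fixed handler:", fixed_handler(lying))
```

With the honest request both handlers return the six-byte payload; with a claimed length of 60 the vulnerable handler returns "foobar", the padding, and then the first bytes of the adjacent memory, while the fixed handler drops the message because 3 + 60 + 16 exceeds the 25 bytes that actually arrived.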

Page 10: 2014 – Year of Broken Name Generator(s)

Heartbleed (4)

Page 11: 2014 – Year of Broken Name Generator(s)

Heartbleed (5)

python heartbleed.py www.target.com

Page 12: 2014 – Year of Broken Name Generator(s)

Rosetta Flash (1)

CVE-2014-4671 (6.8) and CVE-2014-5333 (6.8)
Discovered by Michele Spagnuolo (@Google)
Public disclosure on July 8, 2014
JSONP (JSON with padding) is a communication technique used in JavaScript programs to request data from a server in a different domain
Basically, it's a script tag injection method passing the response from the server into a user-specified function “callback” (different domain context)
A website with a JSONP endpoint accepting only alphanumeric callbacks (for security reasons) can be abused (against the client's Adobe Flash Player) with specially crafted SWF files

Page 13: 2014 – Year of Broken Name Generator(s)

Rosetta Flash (2)

It can be used to serve (echo back) a provided malicious alphanumeric SWF object that steals the content(s) of a same-domain URL inside the user's browser
The SWF (Flash) file is executed in the context of the target domain, so a CSRF (Cross-Site Request Forgery) attack can be performed
Required “patching” on both the client side (Adobe Flash Player 14.0.0.176) and the server side for successful mitigation
Many high-profile sites were affected (Google, YouTube, Twitter, LinkedIn, Yahoo, eBay, Flickr, Baidu, Instagram, Tumblr, etc.)

Page 14: 2014 – Year of Broken Name Generator(s)

Rosetta Flash (3)

Vulnerable JSONP sample application:

Sample malicious alphanumeric SWF:
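A JSONP endpoint in the vulnerable shape the slides describe (an alphanumeric-only callback echoed at the very start of the body), beside the server-side hardening, as an added example that is not the talk's sample application. The function names, the sample JSON and the response tuple format are this example's own; the two mitigations shown, a leading comment so the body can never begin with a SWF header and the nosniff header, are the server-side measures that accompanied the Flash Player fix.

```python
"""Added illustration, not from the slides: a minimal JSONP endpoint in the
vulnerable shape described on the previous slides beside a hardened one.
Names, the sample data and the (status, headers, body) format are this
example's own."""
import json
import re

ALNUM = re.compile(r"^[A-Za-z0-9_]+$")
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")   # uncompressed, zlib and LZMA SWF headers

DATA = {"user": "alice", "token": "constructed-sample-token"}   # constructed


def vulnerable_jsonp(callback):
    """Alphanumeric check only: the caller-chosen callback lands at byte 0
    of the response, so a callback that starts like a SWF header produces a
    body that starts like a SWF."""
    if not ALNUM.match(callback):
        return 400, {}, b"bad callback"
    body = f"{callback}({json.dumps(DATA)})".encode()
    return 200, {"Content-Type": "application/javascript"}, body


def hardened_jsonp(callback):
    """Same endpoint with the response prefixed so it can never begin with a
    SWF signature, plus X-Content-Type-Options: nosniff."""
    if not ALNUM.match(callback):
        return 400, {}, b"bad callback"
    body = f"/**/{callback}({json.dumps(DATA)})".encode()
    headers = {"Content-Type": "application/javascript",
               "X-Content-Type-Options": "nosniff"}
    return 200, headers, body


def looks_like_swf(body):
    """Does the body start with a Flash header? A plugin that sniffs content
    would treat such a response as a SWF served from this origin."""
    return body[:3] in SWF_SIGNATURES


def is_safe(status, headers, body):
    """Defender's check for a JSONP response: not SWF-shaped and not sniffable."""
    if status != 200:
        return True
    return not looks_like_swf(body) and headers.get("X-Content-Type-Options") == "nosniff"


if __name__ == "__main__":
    for handler in (vulnerable_jsonp, hardened_jsonp):
        status, headers, body = handler("CWSabc123")
        print(handler.__name__, body[:12], "safe:", is_safe(status, headers, body))
```

The alphanumeric filter is still in place in the hardened version; it simply no longer matters what the callback looks like, because the first four bytes of every response are fixed by the server.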

Page 15: 2014 – Year of Broken Name Generator(s)

Rosetta Flash (4)

Sample malicious web page:

Page 16: 2014 – Year of Broken Name Generator(s)

Rosetta Flash (5)

msfconsole (flash_rosetta_jsonp_url_disclosure)

Page 17: 2014 – Year of Broken Name Generator(s)

Shellshock (1)

CVE-2014-6271 (10.0), CVE-2014-6277 (10.0), CVE-2014-6278 (10.0), CVE-2014-7169 (10.0), CVE-2014-7186 (10.0) and CVE-2014-7187 (10.0)
Discovered by Stéphane Chazelas
Public disclosure on September 24, 2014
Remote code execution through Bash
Many *nix and *BSD Internet-facing systems expose Bash to client requests (e.g. HTTP (CGI), DHCP, SSH, CUPS, etc.)
Bash supports exporting not just shell variables, but also shell functions to other bash instances

Page 18: 2014 – Year of Broken Name Generator(s)

Shellshock (2)

Sample function definition in Bash:

Commands are unintentionally executed (on a vulnerable machine) when concatenated to function definitions stored as environment variables:

Page 19: 2014 – Year of Broken Name Generator(s)

Shellshock (3)

HTTP requests to CGI scripts have been identified as the major attack vector
The CGI specification maps all parts of requests to environment variables (e.g. Host header to $REMOTE_HOST variable)
CGI programs written in Perl, PHP, Python, Ruby and Bash itself are potentially vulnerable

Sample vulnerable script:

Page 20: 2014 – Year of Broken Name Generator(s)

Shellshock (4)

Sample attack:
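The CGI path from the last three slides seen from the defender's side, as an added example that is not the talk's sample script or attack: a gateway maps request headers to environment variables the way CGI does, a detector flags values that carry a Bash function export with a command appended, and a scrubber drops such variables before any Bash child is started. The request headers and probe strings below are constructed for the example.

```python
"""Added illustration, not from the slides: defender-side detection of
Shellshock probes in the CGI path, applied to constructed HTTP requests.
The detection criterion is the one the slides describe, an environment
variable whose value starts with a Bash exported-function definition
'() {' and carries material after the closing brace."""
import re

# A Bash function export starts with "() {"; anything after the closing "}" is
# the part a vulnerable Bash ran as a command when importing the variable.
FUNCTION_EXPORT = re.compile(r"^\s*\(\)\s*\{")
TRAILING_COMMAND = re.compile(r"\}\s*;\s*(\S.*)$")


def cgi_environment(request_headers):
    """How a CGI gateway maps headers to environment variables (RFC 3875):
    HTTP_ + upper-cased name with '-' replaced by '_'."""
    return {"HTTP_" + name.upper().replace("-", "_"): value
            for name, value in request_headers.items()}


def find_shellshock_probes(env):
    """Return [(variable, appended_command)] for values that look like an
    exported function definition with a command appended after it."""
    hits = []
    for var, value in env.items():
        if FUNCTION_EXPORT.match(value):
            tail = TRAILING_COMMAND.search(value)
            hits.append((var, tail.group(1) if tail else ""))
    return hits


def scrub_environment(env):
    """Mitigation for gateways that cannot patch Bash immediately: drop any
    request-derived variable that carries a function definition at all."""
    return {k: v for k, v in env.items() if not FUNCTION_EXPORT.match(v)}


# Constructed requests: one ordinary, one carrying the probe pattern.
NORMAL = {"Host": "www.example.com", "User-Agent": "Mozilla/5.0"}
PROBE = {"Host": "www.example.com",
         "User-Agent": "() { :;}; echo probe-marker",
         "Referer": "() { ignored; }; /bin/echo referer-probe"}


if __name__ == "__main__":
    env = cgi_environment(PROBE)
    for var, cmd in find_shellshock_probes(env):
        print(f"probe in {var}: appended command {cmd!r}")
    print("scrubbed environment keys:", sorted(scrub_environment(env)))
```

Run over the ordinary request the detector stays silent; over the probe it names both affected variables and the text that would have run, and the scrubbed environment still carries `HTTP_HOST` but neither tainted header.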

Page 21: 2014 – Year of Broken Name Generator(s)

POODLE (1)

CVE-2014-3566 (4.3)
Discovered by Bodo Möller, Thai Duong and Krzysztof Kotowicz (@Google)
Public disclosure on October 14, 2014
“Padding Oracle On Downgraded Legacy Encryption”
Padding oracle attack against the CBC mode of operation in SSL 3.0 (exploiting the same flaw as the BEAST attack)
In case of TLS usage, a forced version downgrade from TLS to SSL 3.0 MiTM attack is performed
Major browsers voluntarily downgrade to SSL 3.0 if TLS handshakes fail

Page 22: 2014 – Year of Broken Name Generator(s)

POODLE (2)

SSL 3.0 (deprecated 15 years ago) uses non-deterministic CBC padding, which makes padding oracle attacks possible in a MiTM environment
Padding is performed to make the input plaintext length equal to a multiple of the cipher's block size (e.g. 8 bytes for 3DES and 16 bytes for AES)
SSL 3.0 adds padding whose last byte denotes the length of the padding itself
In a padding oracle attack the server leaks whether the padding of an encrypted message is correct or not

Page 23: 2014 – Year of Broken Name Generator(s)

POODLE (3)

CBC mode decryption:

Page 24: 2014 – Year of Broken Name Generator(s)

POODLE (4)

In the POODLE attack the presumption is that the victim runs malicious JavaScript in a browser which causes the browser to make attacker-controlled requests (with cookies) to the origin of interest (e.g. google.com)
The attacker intercepts one such controlled encrypted request, takes the block which contains the value of interest (e.g. one “shifted” cookie byte followed by spaces), replaces the last (padding) block with its content and forwards it to the server
If the server doesn't drop such a “skewed” request, it can be concluded that the last byte of the decrypted duplicated block, XORed with the ciphertext of the previous block, equals the known padding length byte
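The padding rule from slide 22, the CBC decryption from slide 23 and the block-substitution step from this slide, carried through in one added example that is not from the talk: a receiver that checks only the SSL 3.0 length byte accepts a substituted last block about once in 256 resends and thereby leaks the last plaintext byte of the copied block, while a receiver applying the TLS rule (every padding byte must equal the length byte) does not. The 8-byte Feistel block cipher built from SHA-256 and the truncated HMAC are this example's own stand-ins for 3DES/AES and the record MAC; only the record layout and the two padding rules follow the protocols.

```python
"""Added illustration, not from the slides: the SSL 3.0 padding property POODLE
relies on, with a toy 8-byte Feistel block cipher built from SHA-256 (this
example's own construction, standing in for 3DES/AES) and a truncated HMAC as
the record MAC. Only the record layout (data | MAC | padding | padding_length)
and the SSL 3.0 vs TLS padding rules follow the protocols."""
import hashlib
import hmac
import os

BLOCK = 8
MAC_LEN = 4


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, half, i):  # Feistel round function, 4-byte output
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]


def encrypt_block(key, block):
    l, r = block[:4], block[4:]
    for i in range(4):
        l, r = r, xor(l, _f(key, r, i))
    return l + r


def decrypt_block(key, block):
    l, r = block[:4], block[4:]
    for i in reversed(range(4)):
        l, r = xor(r, _f(key, l, i)), l
    return l + r


def cbc_encrypt(key, plaintext):
    """Fresh IV per record, IV prepended; len(plaintext) must be a multiple of BLOCK."""
    prev = os.urandom(BLOCK)
    out = [prev]
    for i in range(0, len(plaintext), BLOCK):
        prev = encrypt_block(key, xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, data):  # P_i = D(C_i) XOR C_{i-1}, with C_0 the IV
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    return b"".join(xor(decrypt_block(key, c), p) for p, c in zip(blocks, blocks[1:]))


def _mac(mac_key, msg):
    return hmac.new(mac_key, msg, hashlib.sha256).digest()[:MAC_LEN]


def _mac_ok(mac_key, body):
    return hmac.compare_digest(body[-MAC_LEN:], _mac(mac_key, body[:-MAC_LEN]))


def ssl3_record(key, mac_key, message):
    """SSL 3.0: message | MAC | padding | padding_length; padding bytes are arbitrary."""
    body = message + _mac(mac_key, message)
    pad_len = BLOCK - 1 - len(body) % BLOCK
    return cbc_encrypt(key, body + os.urandom(pad_len) + bytes([pad_len]))


def ssl3_accepts(key, mac_key, record):
    """SSL 3.0 receiver: strips padding_length + 1 bytes, never inspects the padding."""
    pt = cbc_decrypt(key, record)
    pad_len = pt[-1]
    if pad_len >= BLOCK or len(pt) < pad_len + 1 + MAC_LEN:
        return False
    return _mac_ok(mac_key, pt[:len(pt) - pad_len - 1])


def tls_accepts(key, mac_key, record):
    """TLS 1.0+ receiver: every padding byte must equal padding_length."""
    pt = cbc_decrypt(key, record)
    pad_len = pt[-1]
    if len(pt) < pad_len + 1 + MAC_LEN:
        return False
    if pt[len(pt) - pad_len - 1:] != bytes([pad_len]) * (pad_len + 1):
        return False
    return _mac_ok(mac_key, pt[:len(pt) - pad_len - 1])


def poodle_last_byte(key, mac_key, message, target, accepts, max_tries=50000):
    """The slide's step: the request is arranged so its last block is pure padding;
    ciphertext block `target` is copied over that last block and the record resent
    (fresh IV each time, as a browser resend would) until the receiver accepts it,
    which happens only when the copied block decrypts to a last byte of BLOCK-1.
    Returns the recovered plaintext byte of block `target`, or None."""
    assert (len(message) + MAC_LEN) % BLOCK == 0, "last block must be all padding"
    for _ in range(max_tries):
        rec = ssl3_record(key, mac_key, message)
        blocks = [rec[i:i + BLOCK] for i in range(0, len(rec), BLOCK)]  # blocks[0] is the IV
        tampered = b"".join(blocks[:-1]) + blocks[target]
        if accepts(key, mac_key, tampered):
            # D(C_target)[-1] XOR C_{n-1}[-1] == BLOCK-1, and P_target[-1] = D(C_target)[-1] XOR C_{target-1}[-1]
            return (BLOCK - 1) ^ blocks[-2][-1] ^ blocks[target - 1][-1]
    return None


KEY, MAC_KEY = b"toy-cipher-key", b"toy-mac-key"          # constructed
MESSAGE = b"cookie=SECRE"  # 12 bytes + 4-byte MAC = two full blocks, padding is the third

if __name__ == "__main__":
    print("SSL 3.0 receiver leaks:", chr(poodle_last_byte(KEY, MAC_KEY, MESSAGE, 1, ssl3_accepts)))
    print("TLS padding check leaks:", poodle_last_byte(KEY, MAC_KEY, MESSAGE, 1, tls_accepts, 3000))
```

With `MESSAGE` laid out so the second block ends in the MAC and the third block is entirely padding, copying ciphertext block 1 into the last position recovers the last byte of "cookie=S", the letter S. The same loop against `tls_accepts` returns None, which is the whole reason TLS 1.0 made the padding bytes deterministic; the toy MAC is truncated to four bytes only to keep the example short.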

Page 25: 2014 – Year of Broken Name Generator(s)

Sandworm (1)

CVE-2014-4114 (9.3)
Identified by @iSIGHT from the same-named “cyber-attack” campaign
Public disclosure on October 15, 2014
Microsoft Windows OLE arbitrary code execution
Windows Vista SP2, Windows 7/8 and Windows Server 2008/2012 are known to be vulnerable
The problem lies in how the Object Packager 2 component (packager.dll) handles an INF file that contains malicious registry changes (e.g. RunOnce)
The INF can't be loaded (and executed) directly but can be forced by embedding the file path as a remote share in an OLE object

Page 26: 2014 – Year of Broken Name Generator(s)

Sandworm (2)

msfconsole (ms14_060_sandworm)

Page 27: 2014 – Year of Broken Name Generator(s)

Sandworm (3)

Page 28: 2014 – Year of Broken Name Generator(s)

Questions?