Post on 12-Jun-2015
THE BEST OF BLACKHAT 2009 & DEFCON 17
Grant Bugher
8/17/2009
Agenda
• About the Conferences
• What’s Not New
  - XSRF (McRee, Bailey, Hamiel, Moyer)
  - Business Logic Flaws (Grossman, Ford)
  - De-Anonymization (RSnake)
• What’s New
  - SSL Exploits (Kaminsky, Marlinspike, Zusman)
  - Cloud Computing Exploits (iSec, SensePost)
  - Firefox Addon Exploits (Freeman, Liverani)

About the Conferences
• BlackHat Briefings 2009
  - Professional security conference
  - Training sessions followed by short presentations and tradeshow
• DefCon 17
  - Informal gathering of hackers
  - No tradeshow; many short presentations
  - Many people don’t even attend presentations
  - Contests and villages

What’s Not New
• The same old threats are still 95% of web application security
  - SQL and Other Injection Attacks
  - Cross-Site Scripting (XSS)
  - Cross-Site Request Forgery (CSRF)
  - Business Logic Flaws

Cross-Site Request Forgery
• “CSRF: Yeah, It Still Works,” Russ McRee & Mike Bailey
• “Weaponizing the Web,” Nathan Hamiel & Shawn Moyer
• Many recent attacks
  - StrongWebmail.com
  - McAfee Secure Web Scanner
  - Linksys routers

Cross-Site Request Forgery
• More recent attacks
  - osCommerce and ZenCart
  - cPanel and WHM (it’s a feature!)
  - Marblecake, Also The Game
• Advanced Dynamic CSRF
  - MonkeyFist (http://hexsec.com/labs)

Cross-Site Request Forgery
• Defenses that Don’t Work
  - Require POST
  - Check Referrer
  - Require Multiple Steps
  - URL Rewriting
• Defenses that Do Work
  - Good CAPTCHAs
  - Re-authentication
  - Dynamic canary

Business Logic Flaws
• “Mo’ money, Mo’ Problems,” Jeremiah Grossman and Trey Ford
• Non-Technical Hacks
  - eBay Holiday Doorbusters
  - Hacker Croll’s Twitter Hack
  - Cookie stuffing & link manufacture
  - Google Earth Recon
  - iPod Advance Replacements
  - Tunecore iTunes/Amazon Fraud

De-Anonymization
• “De-Anonymizing You,” RSnake
• Variety of methods tried for anonymity
  - Anonymous proxies (CGI, SOCKS)
  - Free email
  - Hacked machines
  - Onion routing (TOR), anonymous remailers
• Sites try to track and identify you anyway

De-Anonymization
• SSL
  - Client certificate identifies system name, OS, username, certificate dates
• Browser Detection Tools (MrT, BeEF)
  - Enumerate plugins, history, screen resolution, VMware detection, keylogging…
• IP Detection
  - Java, Flash, Word, Acrobat bugs
  - scp: and itms: protocol handlers

De-Anonymization
• File system enumeration
  - res:// timing attack, SMBenum (in BeEF)
• Google Safe Browsing
  - Sends a unique ID automatically, 30 times an hour, and obeys proxy settings
  - Can get all IP history for that cookie with a subpoena
  - Google Chrome sends machine/user ID every 5 hours

De-Anonymization
• Onion Routing Attacks
  - TOR actually works very well, albeit very slowly
  - Compromised exit nodes get lots of data
    ○ Not very targeted
    ○ Selected for confidentiality, though
• Trojaned TOR clients on user machines
  - HackedTor.exe runs a malicious exit node

SSL Exploits
• Multiple BlackHat & DefCon talks about attacks on SSL
  - Dan Kaminsky, “Black Ops of PKI”
  - Moxie Marlinspike, “More Tricks for Defeating SSL”
  - Mike Zusman, “Criminal Charges Were Not Pursued: Hacking PKI”
• More interesting in combination than individually

SSL Exploits
• SSL based on X.509 certificate PKI
• Server presents a leaf certificate…
  - …which is signed by an intermediate cert…
  - …which is signed by one of the root CAs intrinsically trusted by your browser.
• Any intermediate cert can sign any leaf
• Intermediates can also sign each other

Certificate Authorities
• Anyone can run a CA, but to be trusted by browsers, it must chain to a trusted root
• Certificate signing is not exclusionary
  - Any root can sign any certificate
  - Any signed intermediate certificate can sign any certificate, too
• This means there are 4,500 organizations that can sign a cert for your bank’s web site

Weak Cryptography on CAs
• A VeriSign root certificate was self-signed with MD2
  - Actually no good reason to self-sign at all
  - MD2 subject to preimage attack
    ○ Complexity of attack is 2^73
    ○ Current crypto attacks are up to 2^63
• RapidSSL intermediate certificate was signed with MD5
  - Researchers created an intermediate certificate with a chosen prefix attack

PKCS#10 Certificate Signing
• How do you get a certificate?
  - Go to any CA
  - Submit a request in a binary protocol called PKCS#10
  - Give them money
• Certificate is created automatically based on data in the PKCS#10 package
• Protocol is old and eccentric

PKCS#10 Certificate Signing
• Domain specified as a “Common Name”
• CN identifier (2.5.4.3) followed by Pascal string (length-content, not null-terminated)
  - 02 05 04 03 [length] [bytes]
• Protocol is remarkably fragile
  - Multiple CNs in one packet?
  - 2.5.4.03? 2.5.4.(2^64+3)?
  - Invalid characters in the CN? Null bytes?

Pascal and C Strings
• IA5String (Pascal String)
  - [length] [bytes]
    ○ “Hello World”
    ○ 11 48 65 6C 6C 32 57 6F 72 6C 64
    ○ Length is fixed; bytes can be anything
• C String
  - [bytes] [null terminator]
    ○ “Hello World”
    ○ 48 65 6C 6C 32 57 6F 72 6C 64 00
    ○ Length is unlimited; bytes can’t be null

Certificate Validation
• Domain Validation for SSL certificates
  - Send a certificate signing request (PKCS#10) to a CA
  - CA emails the contact address in WHOIS
  - Answer the email, and the CA signs the cert
• Can only register a certificate for a domain I own in WHOIS

Null Prefix Attack
• I can get a cert for perimetergrid.com (it’s registered to me)
• I can’t get a cert for login.live.com
• What about login.live.com\0.perimetergrid.com?
  - Perfectly valid Pascal string in PKCS#10
    ○ 33 6C 6F 67 69 6E 2E 6C 69 76 65 2E 63 6F 6D 00 2E 70 65 72 69 6D 65 74 65 72 67 72 69 64 2E 63 6F 6D
  - Rather different as a C string
    ○ 6C 6F 67 69 6E 2E 6C 69 76 65 2E 63 6F 6D 00

Browsers Are Written in C
• IE, Firefox, Opera, Safari, and Chrome are
  - A = login.live.com\0.perimetergrid.com
  - B = login.live.com
• In C…
  - strlen(A) == 14, strlen(B) == 14
  - strcmp(A,B) == 0
  - sprintf(A) == “login.live.com”
• Indistinguishable in all standard functions

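Added example (not from the original slides): the C string comparison the slides describe, next to a length-aware check that rejects a CN with an embedded NUL. The names cert_name, name_of and cn_matches_* are hypothetical, the sample bytes are constructed from the slide's own example names, and the check is exact-match only (no wildcard handling).

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A CN as the ASN.1 parser delivers it: explicit length, arbitrary bytes. */
struct cert_name { const unsigned char *data; size_t len; };

/* Constructed sample values, built from the slide's own example names. */
static const unsigned char NULL_PREFIX_CN[] = "login.live.com\0.perimetergrid.com";
static const unsigned char HONEST_CN[] = "login.live.com";

struct cert_name name_of(const unsigned char *bytes, size_t len)
{
    struct cert_name n = { bytes, len };
    return n;
}

/* Flawed: treats the CN as a C string, so the comparison stops at the first NUL. */
bool cn_matches_cstring(struct cert_name cn, const char *host)
{
    return strcmp((const char *)cn.data, host) == 0;
}

/* Hardened: exact, case-insensitive match over the declared length only. */
bool cn_matches_length_aware(struct cert_name cn, const char *host)
{
    size_t host_len = strlen(host);
    if (memchr(cn.data, '\0', cn.len) != NULL)
        return false;           /* no DNS name contains a NUL byte: reject the cert */
    if (cn.len != host_len)
        return false;           /* lengths must agree before any byte compare */
    for (size_t i = 0; i < host_len; i++)
        if (tolower(cn.data[i]) != tolower((unsigned char)host[i]))
            return false;
    return true;
}

int main(void)
{
    struct cert_name evil = name_of(NULL_PREFIX_CN, sizeof NULL_PREFIX_CN - 1);
    struct cert_name good = name_of(HONEST_CN, sizeof HONEST_CN - 1);
    printf("declared length: %zu\n", evil.len);
    printf("strcmp-style match: %d\n", cn_matches_cstring(evil, "login.live.com"));
    printf("length-aware match: %d\n", cn_matches_length_aware(evil, "login.live.com"));
    printf("honest cert match:  %d\n", cn_matches_length_aware(good, "login.live.com"));
    return 0;
}
```
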
Browser Issues
• Null byte issues
  - *\0.perimetergrid.com
• Inconsistent Treatment of multiple CNs
  - First CN? Last? All of them?
• No warnings for DV->EV transition
• BasicConstraints sometimes ignored
• OCSP Protocol Flaws
• Remote exploit the browser in the CN!

CA Issues
• About 4,500 CAs chain to a valid root
• Not all of them have strong security
• Each CA responsible for domain validation
  - Some will sign null-byte certificates
  - Web flaws can let you spoof email addresses
  - For that matter, DV all depends on email
  - Comodo will make you a CA for $200
    ○ An intermediate certificate of your very own
    ○ Want a certificate for “*”?

The Net Result
• Moxie’s sslsniff 0.6
  - Automatic silent MitM attacks on all sessions
    ○ Firefox, IE, Chrome, Thunderbird, Outlook, Evolution, Pidgin, AIM, irssi, all CryptoAPI apps
    ○ Anything built on NSS, GnuTLS, CryptoAPI – VPNs!
  - Signs with null prefix, * cert, basicConstraints
  - Shuts down OCSP with ARP spoofing
  - Hijacks autoupdates
  - Authority & targeted modes
• No safe way to use SSL on open WiFi

EV Will Save Us?
• EV (Extended Validation) certificates are not issued automatically
  - Human validation of certificate request
  - ID checks, documentation, etc.
  - Green bar in the browser
• EV certificates are not exclusionary
• No warning switching from DV to EV
• Zusman’s SSL rebinding (sslstrip)

Cloud Computing Issues
• Multiple presentations, a full track at BlackHat 2009
  - “Raining on the Trendy New Parade,” Alex Stamos, Andrew Becherer, Nathan Wilcox (iSec Partners)
  - “Clobbering the Cloud,” Haroon Meer, Nick Arvanitis, Marco Slaviero (SensePost)
• Mostly issues with the cloud model in general
• Some specific attacks on Amazon Web Services, particularly EC2

Cloud Computing
• Outsource your IT to a technology company!
  - They probably have more security experts than you do.
• But you also get to outsource all your data
• What could possibly go wrong?
  - Perimeter control, endpoint management, multifactor authentication, credential quality controls, password reset process, realtime anomaly detection, logging & auditing
• If someone can read your email, they control your entire datacenter

Legal Concerns
• Liability
  - EULAs promise nothing, disclaim everything
  - Forbids malicious traffic, even yours
• Search and Seizure
  - No Constitutional protection
  - Statutory protection only for “communications”
  - No warrants, probable cause, notice
    ○ Can’t fight seizure before it happens
    ○ Google promises to notify in case of a seizure…
      …if not forbidden to by law…
      …and their EULA says they won’t.

EC2 Issues
• Amazon Web Services
  - Most-used IaaS cloud platform
  - Likely the major alternative to Windows Azure
• Elastic Compute Cluster (EC2)
  - Based on a modified Xen hypervisor
  - 47 Amazon-provided VM images
  - 72,000 user-provided VM images
• DevPay
  - Can make custom images & charge others for their use

EC2 Issues
• Scanning is prohibited
  - But you can scan through an SSH tunnel
  - Or just have the VM scan itself
• Issues with Amazon’s images
  - 646 Nessus Critical vulnerabilities
  - Can steal Amazon’s Windows license keys
• Issues with user-provided images
  - All sorts of cruft in them…like credentials
  - Can alter DevPay information in the manifest

EC2 Issues
• Pre-Owned Virtual Machines!
  - Create a new, free image with a good name
    ○ “Ubuntu 9.04, Official, All Patches”
  - Add your own Trojan horses
  - Register repeatedly until you have a good AMI
  - Profit!
• Using Cloud Services for Evil
  - Flexible, inexpensive, scalable spam servers
  - Botnet-in-a-box with a stolen credit card

Entropic Principles
• Cryptography relies on randomness
  - Computers are deterministic
  - Randomness comes from the physical world
• Entropy Pools
  - Keyboard input & mouse movement
  - Block device events
  - Saved entropy pool on disk
• None of these exist in the cloud
  - Don’t run your poker server in EC2 or Azure
  - Quantum-based RNG service in the cloud?

Firefox Addon Exploits
• “Exploiting Firefox Addons,” Nick Freeman, Roberto Liverani
• Firefox Extensions
  - Extend, modify, and control browser behavior
• Components
  - XUL – XML User Interface Language
  - XBL – XML Binding Language
  - XPCOM – Cross-platform Component Object Model
  - XPConnect – XPCOM JavaScript interface

Firefox Addon Exploits
• Addon Security Model
  - None. Can modify each other or the system at will
  - XPCOM can be extended in C++
• Human Factors
  - Addons are trusted implicitly by users
    ○ Even unsigned ones
  - NoScript and AdBlockPlus do nothing
  - addons.mozilla.org reviews addons…
    ○ But experimental addons are publicly available,
    ○ and they look for maliciousness, not vulnerability.

Addon Vulnerabilities
• XUL and XBL are markup, like HTML
• Addons get data from web pages
• Cross-site scripting into chrome:// URLs?
  - Yes!
  - And it’s arbitrary native code execution!
• Updates are not reviewed
  - Bait and switch attacks, as with Facebook apps
  - DNS or MitM attacks

Are Addons Exploitable?
• Skype
  - XSS: make arbitrary phone calls
• CoolPreviews
  - XSS: execute arbitrary code
• UpdateScanner
  - XSS: execute arbitrary code with JS events
• FireFTP
  - XSS: Evaluates the banner in the chrome
• FeedSidebar
  - XSS: IFRAMES in RSS description
• ScribeFire
  - XSS: Executes events on images

Developer Awareness
• Security a totally new idea for most addon developers
  - No established process
  - No contact information for disclosures
• Need to follow web security practices
• Code signing needs to be enforced
  - Browser should require it
  - Don’t download unknown addons
• Remember this for other gadget architectures!

Conclusions
• Another year, another vulnerability
• X.509 fundamentally flawed
  - Non-exclusionary
  - DNSSEC the only fix for SSL
    ○ It’s only been around for 15 years
  - No way to browse securely on open WiFi
    ○ And most WiFi is open WiFi
• Cloud is still too new to predict

Q&A