DC206 Best of BlackHat and DefCon 2009

THE BEST OF BLACKHAT 2009 & DEFCON 17 Grant Bugher 8/17/2009

description

This is Grant Bugher's "Best of BlackHat 2009 & Defcon 17" deck that he presented to the Defcon 206 group at The Black Lodge hackerspace in Kirkland, Washington.

Transcript of DC206 Best of BlackHat and DefCon 2009

Page 1: DC206 Best of BlackHat and DefCon 2009

THE BEST OF BLACKHAT 2009 & DEFCON 17

Grant Bugher

8/17/2009

Page 2: DC206 Best of BlackHat and DefCon 2009

Agenda

About the Conferences

What’s Not New

CSRF (McRee, Bailey, Hamiel, Moyer)

Business Logic Flaws (Grossman, Ford)

De-Anonymization (RSnake)

What’s New

SSL Exploits (Kaminsky, Marlinspike, Zusman)

Cloud Computing Exploits (iSec, SensePost)

Firefox Addon Exploits (Freeman, Liverani)

Page 3: DC206 Best of BlackHat and DefCon 2009

About the Conferences

BlackHat Briefings 2009

Professional security conference

Training sessions followed by short presentations and tradeshow

DefCon 17

Informal gathering of hackers

No tradeshow; many short presentations

Many people don’t even attend presentations

Contests and villages

Page 4: DC206 Best of BlackHat and DefCon 2009

What’s Not New

The same old threats are still 95% of web application security

SQL and Other Injection Attacks

Cross-Site Scripting (XSS)

Cross-Site Request Forgery (CSRF)

Business Logic Flaws

Page 5: DC206 Best of BlackHat and DefCon 2009

Cross-Site Request Forgery

“CSRF: Yeah, It Still Works,” Russ McRee & Mike Bailey

“Weaponizing the Web,” Nathan Hamiel & Shawn Moyer

Many recent attacks

StrongWebmail.com

McAfee Secure Web Scanner

Linksys routers

Page 6: DC206 Best of BlackHat and DefCon 2009

Cross-Site Request Forgery

More recent attacks

osCommerce and ZenCart

cPanel and WHM (it’s a feature!)

Marblecake, Also The Game

Advanced Dynamic CSRF: MonkeyFist (http://hexsec.com/labs)

Page 7: DC206 Best of BlackHat and DefCon 2009
Page 8: DC206 Best of BlackHat and DefCon 2009
Page 9: DC206 Best of BlackHat and DefCon 2009

Cross-Site Request Forgery

Defenses that Don’t Work

Require POST (a hidden, auto-submitting form posts just as easily as a GET link)

Check Referer (proxies and privacy tools strip it, so a server cannot require it)

Require Multiple Steps (the attacker simply forges every step in order)

URL Rewriting

Defenses that Do Work

Good CAPTCHAs

Re-authentication

Dynamic canary (an unpredictable per-session token in the form body that the attacker’s page cannot read)
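As an added example (not code from the talks or from this deck), here is what a “dynamic canary” looks like in practice: an HMAC-derived token bound to the session and the action, checked in constant time, plus a simulated handler showing why a forged cross-site POST fails even though the victim’s cookies are sent. The secret, session id, action name and handler are constructed for illustration.

```python
import hashlib
import hmac

# Constructed for this example; in production generate it from os.urandom and rotate it.
SERVER_SECRET = b"replace-with-a-random-key-from-os.urandom"


def issue_token(session_id, action, issued_at):
    """Dynamic canary: an HMAC over the session, the action and a timestamp.
    Stateless (nothing stored server-side), unique per session, and
    unguessable without SERVER_SECRET."""
    msg = f"{session_id}|{action}|{issued_at}".encode()
    mac = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{issued_at}.{mac}"


def verify_token(session_id, action, token, now, max_age=3600):
    """Recompute and compare in constant time; reject expired or malformed tokens."""
    try:
        issued_str, _mac = token.split(".", 1)
        issued_at = int(issued_str)
    except ValueError:
        return False
    if issued_at > now or now - issued_at > max_age:
        return False
    expected = issue_token(session_id, action, issued_at)
    return hmac.compare_digest(expected, token)


def handle_transfer(request, now):
    """Simulated POST /transfer handler. The session cookie rides along on a
    forged cross-site request automatically; the canary does not, because the
    attacker's page cannot read the victim's form to copy it. Note that this
    handler never looks at the HTTP method or the Referer, the two checks the
    slide lists as not working."""
    session_id = request["cookies"].get("session")
    token = request["form"].get("csrf_token", "")
    if not session_id or not verify_token(session_id, "transfer", token, now):
        return "403 rejected"
    return "200 transferred"


def forged_request(victim_cookies):
    """What a hidden auto-submitting <form method=POST> on attacker.example
    sends: the victim's cookies, a POST, whatever Referer the browser chooses,
    but no valid canary (the attacker can only guess one)."""
    return {"cookies": dict(victim_cookies), "form": {"csrf_token": "guess"}}


if __name__ == "__main__":
    now = 1_250_000_000
    sid = "sess-abc"
    tok = issue_token(sid, "transfer", now)
    print(handle_transfer({"cookies": {"session": sid}, "form": {"csrf_token": tok}}, now))
    print(handle_transfer(forged_request({"session": sid}), now))
```

Binding the token to the action as well as the session means a canary leaked from one form (say, a harmless search page) cannot be replayed against the transfer endpoint; the timestamp bounds how long a leaked token stays useful.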

Page 10: DC206 Best of BlackHat and DefCon 2009

Business Logic Flaws

“Mo’ money, Mo’ Problems,” Jeremiah Grossman and Trey Ford

Non-Technical Hacks

eBay Holiday Doorbusters

Hacker Croll’s Twitter Hack

Cookie stuffing & link manufacture

Google Earth Recon

iPod Advance Replacements

Tunecore iTunes/Amazon Fraud

Page 11: DC206 Best of BlackHat and DefCon 2009

De-Anonymization

“De-Anonymizing You,” RSnake

Variety of methods tried for anonymity

Anonymous proxies (CGI, SOCKS)

Free email

Hacked machines

Onion routing (Tor), anonymous remailers

Sites try to track and identify you anyway

Page 12: DC206 Best of BlackHat and DefCon 2009

De-Anonymization

SSL client certificates identify system name, OS, username, certificate dates

Browser Detection Tools (MrT, BeEF)

Enumerate plugins, history, screen resolution, VMware detection, keylogging…

IP Detection

Java, Flash, Word, Acrobat bugs

scp: and itms: protocol handlers

Page 13: DC206 Best of BlackHat and DefCon 2009

De-Anonymization

File system enumeration: res:// timing attack, SMBenum (in BeEF)

Google Safe Browsing

Sends a unique ID automatically, 30 times an hour, and obeys proxy settings

Can get all IP history for that cookie with a subpoena

Google Chrome sends a machine/user ID every 5 hours

Page 14: DC206 Best of BlackHat and DefCon 2009

De-Anonymization

Onion Routing Attacks

Tor actually works very well, albeit very slowly

Compromised exit nodes get lots of data

○ Not very targeted

○ Selected for confidentiality, though

Trojaned Tor clients on user machines

HackedTor.exe runs a malicious exit node

Page 15: DC206 Best of BlackHat and DefCon 2009

SSL Exploits

Multiple BlackHat & DefCon talks about attacks on SSL

Dan Kaminsky, “Black Ops of PKI”

Moxie Marlinspike, “More Tricks for Defeating SSL”

Mike Zusman, “Criminal Charges Were Not Pursued: Hacking PKI”

More interesting in combination than individually

Page 16: DC206 Best of BlackHat and DefCon 2009

SSL Exploits

SSL based on X.509 certificate PKI

Server presents a leaf certificate…

…which is signed by an intermediate cert…

…which is signed by one of the root CAs intrinsically trusted by your browser.

Any intermediate cert can sign any leaf

Intermediates can also sign each other

Page 17: DC206 Best of BlackHat and DefCon 2009

Certificate Authorities

Anyone can run a CA, but to be trusted by browsers, it must chain to a trusted root

Certificate signing is not exclusionary

Any root can sign any certificate

Any signed intermediate certificate can sign any certificate, too

This means there are 4,500 organizations that can sign a cert for your bank’s web site

Page 18: DC206 Best of BlackHat and DefCon 2009

Weak Cryptography on CAs

A VeriSign root certificate was self-signed with MD2

Actually no good reason to self-sign at all (a root is trusted because it is in the browser’s store, not because of its own signature)

MD2 subject to preimage attack

○ Complexity of attack is 2^73

○ Current crypto attacks are up to 2^63

RapidSSL intermediate certificate was signed with MD5

Researchers created an intermediate certificate with a chosen-prefix collision attack

Page 19: DC206 Best of BlackHat and DefCon 2009

PKCS#10 Certificate Signing

How do you get a certificate?

Go to any CA

Submit a request in a binary (ASN.1/DER) format called PKCS#10

Give them money

Certificate is created automatically based on data in the PKCS#10 package

The format is old and eccentric

Page 20: DC206 Best of BlackHat and DefCon 2009

PKCS#10 Certificate Signing

Domain specified as a “Common Name”

CN identifier (OID 2.5.4.3, DER-encoded as 06 03 55 04 03) followed by a length-prefixed (“Pascal”) string: [tag] [length] [bytes], not null-terminated

The format is remarkably fragile

Multiple CNs in one request?

2.5.4.03? 2.5.4.(2^64+3)?

Invalid characters in the CN? Null bytes?

Page 21: DC206 Best of BlackHat and DefCon 2009

Pascal and C Strings

IA5String (Pascal-style string): [length] [bytes]

○ “Hello World”

○ 0B 48 65 6C 6C 6F 20 57 6F 72 6C 64 (length 0x0B = 11)

○ Length is explicit; bytes can be anything, including 00

C string: [bytes] [null terminator]

○ “Hello World”

○ 48 65 6C 6C 6F 20 57 6F 72 6C 64 00

○ Length is unlimited (found by scanning for the terminator); bytes can’t be null

Page 22: DC206 Best of BlackHat and DefCon 2009

Certificate Validation

Domain Validation for SSL certificates

Send a certificate signing request (PKCS#10) to a CA

CA emails the contact address in WHOIS

Answer the email, and the CA signs the cert

Can only register a certificate for a domain I own in WHOIS

Page 23: DC206 Best of BlackHat and DefCon 2009

Null Prefix Attack

I can get a cert for perimetergrid.com (it’s registered to me)

I can’t get a cert for login.live.com

What about login.live.com\0.perimetergrid.com?

Perfectly valid Pascal string in PKCS#10 (length 0x21 = 33 bytes; the CA sees a name ending in perimetergrid.com)

○ 21 6C 6F 67 69 6E 2E 6C 69 76 65 2E 63 6F 6D 00 2E 70 65 72 69 6D 65 74 65 72 67 72 69 64 2E 63 6F 6D

Rather different as a C string

○ 6C 6F 67 69 6E 2E 6C 69 76 65 2E 63 6F 6D 00

Page 24: DC206 Best of BlackHat and DefCon 2009

Browsers Are Written in C

IE, Firefox, Opera, Safari, and Chrome are

A = login.live.com\0.perimetergrid.com

B = login.live.com

In C…

strlen(A) == 14, strlen(B) == 14

strcmp(A, B) == 0

printf("%s", A) prints “login.live.com”

Indistinguishable in all standard string functions
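To make the last four slides concrete, here is an added example (my code, not the speakers’ or the deck’s) that encodes the commonName OID and a length-prefixed string the way PKCS#10 does, shows how a fixed-width OID decoder folds 2.5.4.(2^64+3) back into 2.5.4.3, and contrasts the CA’s length-honouring view of `login.live.com\0.perimetergrid.com` with the C-string view a vulnerable browser gets, next to the hostname check that fixes it. The helper names, the IA5String tag (real CN values are usually PrintableString or UTF8String), and the simplified two-label “registrable domain” logic are this example’s own assumptions.

```python
def encode_oid(arcs):
    """DER OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128
    with a continuation bit on every byte but the last."""
    body = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return bytes([0x06, len(body)]) + body


def decode_oid(encoded, bits=None):
    """Decode an OID. bits=64 emulates a decoder that accumulates each arc in a
    fixed-width integer and silently wraps, so 2.5.4.(2**64+3) reads as 2.5.4.3."""
    assert encoded[0] == 0x06
    body = encoded[2:2 + encoded[1]]
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if bits:
            val &= (1 << bits) - 1
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return arcs


def der_string(value, tag=0x16):
    """Length-prefixed ("Pascal") string. 0x16 = IA5String, as on the slide.
    Short-form length only, which covers any legal hostname (< 128 bytes)."""
    if len(value) >= 128:
        raise ValueError("long-form length not handled in this example")
    return bytes([tag, len(value)]) + value


def read_der_string(encoded):
    """Honour the explicit length, as a CA's CSR parser does."""
    length = encoded[1]
    if length >= 128 or len(encoded) < 2 + length:
        raise ValueError("bad length")
    return encoded[2:2 + length]


def c_string_view(value):
    """What strlen/strcmp/printf see once the bytes land in a char*: up to the first NUL."""
    nul = value.find(b"\x00")
    return value if nul < 0 else value[:nul]


def ca_validation_domain(cn):
    """The domain a DV CA looks up in WHOIS: the last two labels of the *whole*
    string. Simplified assumption: ignores multi-label public suffixes (co.uk)."""
    return b".".join(cn.rsplit(b".", 2)[-2:])


def hostname_matches(cn, host, fixed=True):
    """fixed=True: compare the full length and refuse embedded NULs (the patch).
    fixed=False: emulate a C-string comparison (the vulnerable behaviour)."""
    if fixed:
        return b"\x00" not in cn and cn.lower() == host.lower()
    return c_string_view(cn).lower() == c_string_view(host).lower()


# Constructed from the slide's example; the wildcard form is from the next slide.
EVIL_CN = b"login.live.com\x00.perimetergrid.com"
WILDCARD_CN = b"*\x00.perimetergrid.com"

if __name__ == "__main__":
    enc = der_string(EVIL_CN)
    print("CA validates:", ca_validation_domain(read_der_string(enc)))
    print("browser compares:", c_string_view(EVIL_CN))
    print("vulnerable match:", hostname_matches(EVIL_CN, b"login.live.com", fixed=False))
    print("fixed match:", hostname_matches(EVIL_CN, b"login.live.com", fixed=True))
```

The two sides disagree only because one of them trusts the length byte and the other trusts the terminator; the fix in every affected client was the same as `hostname_matches(fixed=True)`: compare against the declared length and treat any embedded NUL as a validation failure rather than a terminator.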

Page 25: DC206 Best of BlackHat and DefCon 2009

Browser Issues

Null byte issues: *\0.perimetergrid.com (in affected browsers, a wildcard that matches any host)

Inconsistent treatment of multiple CNs: first CN? Last? All of them?

No warnings for DV->EV transition

BasicConstraints sometimes ignored (so any leaf certificate can act as a CA)

OCSP protocol flaws

Remote exploit of the browser via the CN!

Page 26: DC206 Best of BlackHat and DefCon 2009

CA Issues

About 4,500 CAs chain to a valid root

Not all of them have strong security

Each CA is responsible for domain validation

Some will sign null-byte certificates

Web flaws can let you spoof email addresses

For that matter, DV all depends on email

Comodo will make you a CA for $200

○ An intermediate certificate of your very own

○ Want a certificate for “*”?

Page 27: DC206 Best of BlackHat and DefCon 2009

The Net Result

Moxie’s sslsniff 0.6

Automatic silent MitM attacks on all sessions

○ Firefox, IE, Chrome, Thunderbird, Outlook, Evolution, Pidgin, AIM, irssi, all CryptoAPI apps

○ Anything built on NSS, GnuTLS, CryptoAPI – VPNs!

Signs with null prefix, * cert, basicConstraints

Shuts down OCSP with ARP spoofing

Hijacks autoupdates

Authority & targeted modes

No safe way to use SSL on open WiFi

Page 28: DC206 Best of BlackHat and DefCon 2009

EV Will Save Us?

EV (Extended Validation) certificates are not issued automatically

Human validation of certificate request

ID checks, documentation, etc.

Green bar in the browser

EV certificates are not exclusionary

No warning switching from DV to EV

Zusman’s SSL rebinding (a different attack from Marlinspike’s sslstrip tool)

Page 29: DC206 Best of BlackHat and DefCon 2009

SSL Rebinding Demo: http://stub.bz/sslrebinding/

Page 30: DC206 Best of BlackHat and DefCon 2009

Cloud Computing Issues

Multiple presentations, a full track at BlackHat 2009

“Raining on the Trendy New Parade,” Alex Stamos, Andrew Becherer, Nathan Wilcox (iSec Partners)

“Clobbering the Cloud,” Haroon Meer, Nick Arvanitis, Marco Slaviero (SensePost)

Mostly issues with the cloud model in general

Some specific attacks on Amazon Web Services, particularly EC2

Page 31: DC206 Best of BlackHat and DefCon 2009

Cloud Computing

Outsource your IT to a technology company!

They probably have more security experts than you do.

But you also get to outsource all your data

What could possibly go wrong?

Perimeter control, endpoint management, multifactor authentication, credential quality controls, password reset process, realtime anomaly detection, logging & auditing

If someone can read your email, they control your entire datacenter (the cloud account’s password reset goes to that mailbox)

Page 32: DC206 Best of BlackHat and DefCon 2009

Legal Concerns

Liability

EULAs promise nothing, disclaim everything

Forbids malicious traffic, even yours

Search and Seizure

No Constitutional protection

Statutory protection only for “communications”

No warrants, probable cause, notice

○ Can’t fight seizure before it happens

○ Google promises to notify in case of a seizure…

…if not forbidden to by law…

…and their EULA says they won’t.

Page 33: DC206 Best of BlackHat and DefCon 2009

EC2 Issues

Amazon Web Services

Most-used IaaS cloud platform

Likely the major alternative to Windows Azure

Elastic Compute Cloud (EC2)

Based on a modified Xen hypervisor

47 Amazon-provided VM images

72,000 user-provided VM images

DevPay

Can make custom images & charge others for their use

Page 34: DC206 Best of BlackHat and DefCon 2009

EC2 Issues

Scanning is prohibited

But you can scan through an SSH tunnel

Or just have the VM scan itself

Issues with Amazon’s images

646 Nessus Critical vulnerabilities

Can steal Amazon’s Windows license keys

Issues with user-provided images

All sorts of cruft in them…like credentials

Can alter DevPay information in the manifest
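The “cruft…like credentials” point is one a practitioner can check for before publishing an image. The following is an added example, not a tool from the talks: it walks a mounted image root, flags well-known secret-bearing files, and greps file contents for a few credential patterns. The directory tree it scans is constructed in a temp directory so the example runs offline; the patterns (AWS access-key-id shape, PEM private-key headers, `password=` style settings) and the helper names are assumptions of this example, not an exhaustive or official list.

```python
import os
import re
import tempfile
from typing import List, Tuple

# Patterns are illustrative assumptions; extend them for your own environment.
PATTERNS = {
    "aws_access_key_id": re.compile(rb"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(rb"-----BEGIN (?:RSA |DSA |EC )?PRIVATE KEY-----"),
    "password_setting": re.compile(rb"(?i)(?:password|passwd|pwd)\s*[=:]\s*\S+"),
}
# File names that should never ship inside a public image.
SENSITIVE_FILES = {".bash_history", "authorized_keys", "id_rsa", "id_dsa", "shadow"}


def scan_tree(root: str, max_bytes: int = 1 << 20) -> List[Tuple[str, str]]:
    """Return sorted (relative path, finding) pairs for everything under root.
    Only the first max_bytes of each file are inspected."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name in SENSITIVE_FILES:
                findings.append((rel, "sensitive_file"))
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)
            except OSError:
                continue  # unreadable device nodes, broken symlinks, etc.
            for label, pattern in PATTERNS.items():
                if pattern.search(data):
                    findings.append((rel, label))
    return sorted(findings)


def build_sample_image() -> str:
    """Constructed stand-in for a mounted AMI root filesystem; not real image contents."""
    root = tempfile.mkdtemp(prefix="ami-")
    files = {
        "root/.bash_history": b"mysql -u root -pS3cret\nexport AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
        "root/.ssh/id_rsa": b"-----BEGIN RSA PRIVATE KEY-----\n(constructed placeholder)\n-----END RSA PRIVATE KEY-----\n",
        "etc/app.conf": b"db_host = localhost\ndb_password = hunter2\n",
        "etc/motd": b"Ubuntu 9.04, Official, All Patches\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, label in scan_tree(build_sample_image()):
        print(f"{label:18} {rel}")
```

Run it against the mount point of the image volume before registering the AMI (and, as a consumer, against any public image before trusting it); the same scan is how the “pre-owned” images on the next slide give themselves away when the planted material is a credential rather than a binary.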

Page 35: DC206 Best of BlackHat and DefCon 2009

EC2 Issues

Pre-Owned Virtual Machines!

Create a new, free image with a good name

○ “Ubuntu 9.04, Official, All Patches”

Add your own Trojan horses

Register repeatedly until you have a good AMI

Profit!

Using Cloud Services for Evil

Flexible, inexpensive, scalable spam servers

Botnet-in-a-box with a stolen credit card

Page 36: DC206 Best of BlackHat and DefCon 2009

Entropic Principles

Cryptography relies on randomness

Computers are deterministic

Randomness comes from the physical world

Entropy Pools

Keyboard input & mouse movement

Block device events

Saved entropy pool on disk

None of these exist in the cloud (no console, virtualized disks, and a saved pool baked into an image is cloned into every instance)

Don’t run your poker server in EC2 or Azure

Quantum-based RNG service in the cloud?

Page 37: DC206 Best of BlackHat and DefCon 2009

Firefox Addon Exploits

“Exploiting Firefox Addons,” Nick Freeman, Roberto Liverani

Firefox Extensions

Extend, modify, and control browser behavior

Components

XUL – XML User Interface Language

XBL – XML Binding Language

XPCOM – Cross-platform Component Object Model

XPConnect – XPCOM JavaScript interface

Page 38: DC206 Best of BlackHat and DefCon 2009

Firefox Addon Exploits

Addon Security Model

None. Can modify each other or the system at will

XPCOM can be extended in C++

Human Factors

Addons are trusted implicitly by users

○ Even unsigned ones

NoScript and AdBlockPlus do nothing

addons.mozilla.org reviews addons…

○ But experimental addons are publicly available,

○ and they look for maliciousness, not vulnerability.

Page 39: DC206 Best of BlackHat and DefCon 2009

Addon Vulnerabilities

XUL and XBL are markup, like HTML

Addons get data from web pages

Cross-site scripting into chrome:// URLs?

Yes! And it’s arbitrary native code execution (chrome-privileged script has full XPCOM access)!

Updates are not reviewed

Bait and switch attacks, as with Facebook apps

DNS or MitM attacks

Page 40: DC206 Best of BlackHat and DefCon 2009

Are Addons Exploitable?

Skype: XSS, make arbitrary phone calls

CoolPreviews: XSS, execute arbitrary code

UpdateScanner: XSS, execute arbitrary code with JS events

FireFTP: XSS, evaluates the server banner in the chrome

FeedSidebar: XSS, IFRAMEs in RSS description

ScribeFire: XSS, executes events on images

Page 41: DC206 Best of BlackHat and DefCon 2009

Developer Awareness

Security a totally new idea for most addon developers

No established process

No contact information for disclosures

Need to follow web security practices

Code signing needs to be enforced

Browser should require it

Don’t download unknown addons

Remember this for other gadget architectures!

Page 42: DC206 Best of BlackHat and DefCon 2009

Conclusions

Another year, another vulnerability

X.509 fundamentally flawed

Non-exclusionary

DNSSEC the only fix for SSL

○ It’s only been around for 15 years

No way to browse securely on open WiFi

○ And most WiFi is open WiFi

Cloud is still too new to predict

Page 43: DC206 Best of BlackHat and DefCon 2009

Q&A