Jeroen van Beek - OS3Many application protect sensitive information In the end protected by an...

Transcript of Jeroen van Beek - OS3 (34 slides)

Page 1:

Jeroen van Beek

Page 2:

◦ Why bother?
◦ Default configurations
◦ Buffer overflows
◦ Authentication mechanisms
◦ Reverse engineering
◦ Questions?

Page 3:

Inadequate OS and application security:
◦ Data abuse
    Stolen information
◦ Bandwidth abuse (botnets)
    Host illegal media
    DDoS
◦ Legal issues
    White House hacked with one of your IPs
◦ You are responsible!

Page 4:

Page 5:

Page 6:

Many applications protect sensitive information
◦ In the end protected by an authentication token
    Today mostly account + password

A chain is as strong as its weakest link
◦ Default passwords
◦ Password reset procedures

Some real-life examples

Page 7:

Just a cheap internet router

Page 8:

Just a global ERP software vendor

Page 9:

Just a global network equipment vendor

Page 10:

Just a nuclear missile

Page 11:

loenix:/tmp# cat pass.c
#include <iostream>
#include <string>
using namespace std;

int main ()
{
    // The secret is a string literal, so it is stored verbatim in the binary
    string secret = "reAlly_c0mpl3x_Passw0rd!", user = "";
    cout << "Please enter the password: ";
    cin >> user;
    if(secret.compare(user) != 0)
        cout << "wrong password\n";
    else
        cout << "welcome!\n";
    return 0;
}
loenix:/tmp# g++ pass.c -o pass
loenix:/tmp# strings pass
/lib/ld-linux.so.2
..
..
[^_]
reAlly_c0mpl3x_Passw0rd!
Please enter the password:
wrong password
welcome!

Page 12:

Detection:
◦ Compile a list of default passwords of all applications
◦ Put the list in your IDS
◦ Lots of false positives (e.g. a web page containing an example /etc/shadow) and false negatives (e.g. encryption)

Prevention:
◦ Perform source code reviews (if possible)
◦ Use application baseline standards: https://benchmarks.cisecurity.org/
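As an added example (not from the lecture), the detection idea on this slide and the strings(1) output on slide 11 in a few lines of C: a minimal printable-string scanner run over a constructed byte buffer that stands in for a compiled binary, with every run matched against a small deny-list of known credentials. The buffer contents, the deny-list and all function names are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed stand-in for a compiled binary: a few non-printable bytes around
   the kind of literals the pass.c check on slide 11 leaves in the executable. */
static const unsigned char sample_binary[] =
    "\x7f" "ELF" "\x02\x01\x01\x00\x00\x00"
    "reAlly_c0mpl3x_Passw0rd!" "\x00\x00"
    "Please enter the password: " "\x00"
    "\x31\xc0\x5d\xc3" "admin" "\x00";

/* Hypothetical deny-list; a real one is compiled from vendor defaults and
   leaked-credential lists, as the slide suggests. */
static const char *const known_defaults[] = {
    "admin", "password", "1234", "reAlly_c0mpl3x_Passw0rd!", NULL
};

typedef void (*string_cb)(const char *s, size_t len, void *ctx);

/* Minimal strings(1): calls cb for every run of at least min_len printable
   ASCII bytes (0x20..0x7e) and returns the number of such runs. */
static size_t find_strings(const unsigned char *buf, size_t n, size_t min_len,
                           string_cb cb, void *ctx)
{
    size_t found = 0, start = 0;
    for (size_t i = 0; i <= n; i++) {
        int printable = i < n && buf[i] >= 0x20 && buf[i] < 0x7f;
        if (printable)
            continue;                      /* still inside a run */
        if (i - start >= min_len) {        /* run [start, i) is long enough */
            found++;
            if (cb)
                cb((const char *)buf + start, i - start, ctx);
        }
        start = i + 1;
    }
    return found;
}

/* Substring search on a run that is not NUL-terminated (memmem is not portable). */
static int run_contains(const char *s, size_t len, const char *needle)
{
    size_t nl = strlen(needle);
    for (size_t i = 0; nl > 0 && i + nl <= len; i++)
        if (memcmp(s + i, needle, nl) == 0)
            return 1;
    return 0;
}

struct deny_ctx { const char *const *list; const char *first_hit; size_t hits; };

static void deny_cb(const char *s, size_t len, void *ctx)
{
    struct deny_ctx *d = ctx;
    for (const char *const *p = d->list; *p; p++) {
        if (run_contains(s, len, *p)) {
            if (!d->first_hit) d->first_hit = *p;
            d->hits++;                     /* count each run once */
            return;
        }
    }
}

/* First deny-list entry found inside buf, or NULL. */
static const char *scan_for_defaults(const unsigned char *buf, size_t n,
                                     const char *const *list)
{
    struct deny_ctx d = { list, NULL, 0 };
    find_strings(buf, n, 4, deny_cb, &d);
    return d.first_hit;
}

/* Number of printable runs in buf that match any deny-list entry. */
static size_t count_default_hits(const unsigned char *buf, size_t n,
                                 const char *const *list)
{
    struct deny_ctx d = { list, NULL, 0 };
    find_strings(buf, n, 4, deny_cb, &d);
    return d.hits;
}

static void print_cb(const char *s, size_t len, void *ctx)
{
    (void)ctx;
    printf("  %.*s\n", (int)len, s);
}

int main(void)
{
    printf("strings found:\n");
    find_strings(sample_binary, sizeof sample_binary, 4, print_cb, NULL);
    const char *hit = scan_for_defaults(sample_binary, sizeof sample_binary, known_defaults);
    printf("deny-list matches: %zu, first: %s\n",
           count_default_hits(sample_binary, sizeof sample_binary, known_defaults),
           hit ? hit : "(none)");
    return 0;
}
```

Substring matching is what makes the slide's false-positive remark concrete: "Please enter the password: " matches the entry "password" just as a real leaked secret would, so in practice the list is tuned per application and combined with where in the binary the string sits.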

Page 13:

One of the most abused software flaws
Caused by improper bounds checking
◦ Writing more bytes into an n-byte buffer than it holds (for a C string, n characters already need n+1 bytes because of the terminating 0x00)

Typically a C / C++ problem
In many cases exploitable
Overwrite memory
◦ Overwrite stack / heap with a jump to malicious code
    Create account
    Open shell
    …

Page 14:

bofh@tunnel:~/ot$ cat overflow.c
#include <iostream>
using namespace std;

int main ()
{
    char c[12]; // 11 characters + 0x00
    cout << "What would you like me to echo? ";
    cin >> c;   // no length limit: reads a whitespace-delimited word of any length (only C++20 bounds the array overload)
    cout << "You said: " << c << "\n";
    return 0;
}
bofh@tunnel:~/ot$ ./overflow
What would you like me to echo? hello
You said: hello
bofh@tunnel:~/ot$ ./overflow
What would you like me to echo? aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
You said: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Segmentation fault
bofh@tunnel:~/ot$

Page 15:

Page 16:

Detection (more or less):
◦ Static source code analysis
◦ Fuzzing

Prevention (more or less):
◦ Programming language: try to avoid C and C++ for security-critical applications, if possible…
◦ Use trusted secure libraries (and keep them up-to-date!): a vulnerable library might also affect your safe code!
◦ ASLR
◦ NX
◦ Use secure coding standards: http://www.securecoding.cert.org/

Page 17:

Address Space Layout Randomization
Buffer overflows are exploited by shell code
◦ Shell code typically uses system calls, reached through library code at addresses the exploit hard-codes
◦ Without ASLR the stack, heap and libraries are located at fixed positions
◦ ASLR places them at random locations
◦ Shell code calls wrong addresses
    Crash (== secure, at least no code execution)

Enabled on recent OSs in some form:
◦ Windows: Vista+: ASLR by default for images linked with /DYNAMICBASE (system binaries; third-party code must opt in)
◦ Linux: 2.6+: weak ASLR by default, distro specific
◦ OS X 10.8+: full ASLR by default

Creating a reliable exploit is more difficult
◦ Not impossible! (an information leak reveals the randomized addresses)

Page 18:

ASLR needs to be used to be effective
◦ Example for Linux: OS + apache2 + mysql + php5 + sshd
    (PIE = Position Independent Executable: without it the program's own code and data stay at a fixed address, and only the stack, heap and shared libraries move)

Similar for other OSs
OT project?

Page 19:

No eXecute
Buffer overflows are exploited by shell code
◦ Shell code often executes code in data memory (the stack or heap where the input landed)
◦ NX prevents execution of code from data memory
    Shell code is not executed

Enabled on recent OSs in some form:
◦ Windows: XP SP2+: DEP by default (OptIn policy: system binaries, other programs must opt in)
◦ Linux 2.6+: depends on distribution and version
◦ OS X 10.5+: W^X on stack and heap by default

Creating a reliable exploit is more difficult
◦ Not impossible! (return-to-libc / ROP reuse code that is already executable)
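The point of slide 18 that ASLR only helps for code built as PIE, and the NX flag on this slide, can both be checked on a binary by reading two things from its ELF headers: e_type (ET_DYN for a PIE, ET_EXEC for a fixed-address executable) and the PF_X bit of the PT_GNU_STACK program header. The following C program is an added example, not part of the lecture; it handles ELF64 only, builds a constructed header image for the stand-alone run, and all function names are chosen here.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <stddef.h>

#define ET_EXEC      2
#define ET_DYN       3
#define PT_GNU_STACK 0x6474e551u
#define PF_X         1u
#define EHDR_SIZE    64            /* sizeof(Elf64_Ehdr) */
#define PHDR_SIZE    56            /* sizeof(Elf64_Phdr) */

enum verdict { V_NOT_ELF64 = -1, V_NO = 0, V_YES = 1, V_UNKNOWN = 2 };

/* Read a little- or big-endian unsigned integer of `width` bytes. */
static uint64_t rd(const unsigned char *p, size_t width, int big_endian)
{
    uint64_t v = 0;
    for (size_t i = 0; i < width; i++)
        v = (v << 8) | p[big_endian ? i : width - 1 - i];
    return v;
}

static int is_elf64(const unsigned char *img, size_t n)
{
    return n >= EHDR_SIZE && memcmp(img, "\x7f" "ELF", 4) == 0
        && img[4] == 2 /* ELFCLASS64 */ && (img[5] == 1 || img[5] == 2);
}

/* PIE check: a position-independent executable has type ET_DYN, like a shared
   library; ET_EXEC means a fixed load address that ASLR cannot move. */
static enum verdict elf_is_pie(const unsigned char *img, size_t n)
{
    if (!is_elf64(img, n)) return V_NOT_ELF64;
    uint64_t e_type = rd(img + 16, 2, img[5] == 2);
    if (e_type == ET_DYN)  return V_YES;
    if (e_type == ET_EXEC) return V_NO;
    return V_UNKNOWN;                      /* relocatable object, core file, ... */
}

/* NX check: PT_GNU_STACK carries the stack permissions the linker asked for;
   PF_X set means an executable stack. */
static enum verdict elf_stack_is_nx(const unsigned char *img, size_t n)
{
    if (!is_elf64(img, n)) return V_NOT_ELF64;
    int be = img[5] == 2;
    uint64_t phoff = rd(img + 32, 8, be);
    uint64_t phentsize = rd(img + 54, 2, be);
    uint64_t phnum = rd(img + 56, 2, be);
    if (phentsize < PHDR_SIZE) return V_NOT_ELF64;
    for (uint64_t i = 0; i < phnum; i++) {
        uint64_t off = phoff + i * phentsize;
        if (off > n || n - off < PHDR_SIZE) return V_NOT_ELF64;   /* truncated image */
        const unsigned char *ph = img + off;
        if (rd(ph, 4, be) == PT_GNU_STACK)
            return (rd(ph + 4, 4, be) & PF_X) ? V_NO : V_YES;
    }
    return V_UNKNOWN;   /* no PT_GNU_STACK: the loader applies its default, historically executable */
}

/* Constructed ELF64 little-endian x86-64 image: an ELF header plus one
   PT_GNU_STACK entry, enough for the checks above, not a loadable binary. */
static size_t build_sample(unsigned char *out, size_t cap, int pie, int exec_stack)
{
    if (cap < EHDR_SIZE + PHDR_SIZE) return 0;
    memset(out, 0, EHDR_SIZE + PHDR_SIZE);
    memcpy(out, "\x7f" "ELF", 4);
    out[4] = 2; out[5] = 1; out[6] = 1;   /* ELFCLASS64, ELFDATA2LSB, EV_CURRENT */
    out[16] = pie ? ET_DYN : ET_EXEC;     /* e_type */
    out[18] = 0x3e;                       /* e_machine = EM_X86_64 */
    out[32] = EHDR_SIZE;                  /* e_phoff: program headers right after the header */
    out[52] = EHDR_SIZE;                  /* e_ehsize */
    out[54] = PHDR_SIZE;                  /* e_phentsize */
    out[56] = 1;                          /* e_phnum */
    unsigned char *ph = out + EHDR_SIZE;
    ph[0] = 0x51; ph[1] = 0xe5; ph[2] = 0x74; ph[3] = 0x64;   /* p_type = PT_GNU_STACK */
    ph[4] = (unsigned char)(6u | (exec_stack ? PF_X : 0u));   /* p_flags = PF_R|PF_W (|PF_X) */
    return EHDR_SIZE + PHDR_SIZE;
}

static enum verdict sample_pie(int pie, int exec_stack)
{
    unsigned char img[EHDR_SIZE + PHDR_SIZE];
    return elf_is_pie(img, build_sample(img, sizeof img, pie, exec_stack));
}

static enum verdict sample_nx(int pie, int exec_stack)
{
    unsigned char img[EHDR_SIZE + PHDR_SIZE];
    return elf_stack_is_nx(img, build_sample(img, sizeof img, pie, exec_stack));
}

/* Usage: ./elfcheck /usr/sbin/sshd   (no argument: the constructed worst case) */
int main(int argc, char **argv)
{
    static unsigned char img[1 << 20];    /* the first MiB holds the program headers */
    size_t n;
    if (argc > 1) {
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 1; }
        n = fread(img, 1, sizeof img, f);
        fclose(f);
    } else {
        n = build_sample(img, sizeof img, 0, 1);
    }
    printf("PIE: %d   NX stack: %d   (1 = yes, 0 = no, 2 = unknown, -1 = not ELF64)\n",
           elf_is_pie(img, n), elf_stack_is_nx(img, n));
    return 0;
}
```

Two caveats when using this on real files: ET_DYN is also the type of every shared library, so on a .so the PIE verdict is meaningless, and a 32-bit binary is reported as not ELF64 rather than analysed. `readelf -h` (Type) and `readelf -l` (GNU_STACK flags) print the same two fields.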

Page 20:

Stack canary / stack protector:
Write a random value before the stack return pointer
Check the value on return
A buffer overflow exploit overwrites the value: alert (abort before the overwritten return address is used)
Creating a reliable exploit is more difficult
◦ Not impossible!
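Added example, not from the lecture: a C model of what the overflow on slide 14 does to the surrounding stack frame and why the check on this slide catches it. The frame layout (12-byte buffer, then a guard value, then the saved return address), the fixed guard value and the function names are all constructed for the demonstration; a real stack protector draws the guard at random per process, and the exact layout is up to the compiler.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of overflow.c's stack frame on a 32-bit target: the
   buffer sits below the guard value and the saved return address, so a copy
   that runs past c[11] walks straight into both. */
struct frame {
    char     c[12];      /* 11 characters + 0x00, as on slide 14 */
    uint32_t canary;     /* guard value written by the function prologue */
    uint32_t saved_ret;  /* return address pushed by the caller */
};

union frame_bytes { struct frame f; unsigned char raw[sizeof(struct frame)]; };

#define CANARY_VALUE 0x5a3c9e71u          /* fixed here; random per process in reality */
#define CALLER_ADDR  0x08048400u          /* constructed return address */

static uint32_t last_saved_ret;           /* what the epilogue would have returned to */

static void frame_init(union frame_bytes *fb)
{
    memset(fb, 0, sizeof *fb);
    fb->f.canary = CANARY_VALUE;
    fb->f.saved_ret = CALLER_ADDR;
}

/* Models `cin >> c`: copies the whole input with no regard for the buffer.
   Only the frame size bounds it, so the demo itself stays memory-safe;
   everything past byte 11 overwrites the guard and then the return address. */
static void unbounded_copy(union frame_bytes *fb, const char *input)
{
    size_t len = strlen(input) + 1;
    if (len > sizeof fb->raw) len = sizeof fb->raw;
    memcpy(fb->raw, input, len);
}

/* The fix: never write more than the buffer holds, and report over-long input
   instead of silently truncating it. Returns 0 on success, -1 if rejected. */
static int bounded_copy(union frame_bytes *fb, const char *input)
{
    size_t len = strlen(input);
    if (len >= sizeof fb->f.c) return -1;
    memcpy(fb->f.c, input, len + 1);
    return 0;
}

/* Epilogue check of the stack protector: the guard must be untouched before
   the saved return address is used. */
static int canary_intact(const union frame_bytes *fb)
{
    return fb->f.canary == CANARY_VALUE;
}

/* Run one input through the vulnerable or the fixed copy.
   Returns 0 = clean return, 1 = input rejected, 2 = guard smashed (abort). */
static int simulate(int use_bounded, const char *input)
{
    union frame_bytes fb;
    int rejected = 0;
    frame_init(&fb);
    if (use_bounded)
        rejected = bounded_copy(&fb, input) != 0;
    else
        unbounded_copy(&fb, input);
    last_saved_ret = fb.f.saved_ret;
    if (rejected) return 1;
    return canary_intact(&fb) ? 0 : 2;
}

int main(void)
{
    const char *inputs[] = { "hello", "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" };
    for (int b = 0; b < 2; b++)
        for (int i = 0; i < 2; i++) {
            int r = simulate(b, inputs[i]);
            printf("%-8s %-36s -> %s, return address 0x%08x\n",
                   b ? "bounded" : "cin>>c", inputs[i],
                   r == 0 ? "ok" : r == 1 ? "rejected" : "guard smashed",
                   last_saved_ret);
        }
    return 0;
}
```

The long input turns the saved return address into 0x61616161 ('aaaa'), which is exactly why slide 14 ends in a segmentation fault: the function returns into an unmapped address. With a guard in place the epilogue aborts before that return happens; GCC and Clang insert this prologue/epilogue with -fstack-protector, and the same overflow.c then reports "stack smashing detected" instead.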

Page 21:

Page 22:

In many cases authentication mechanisms are:
◦ Closed source
◦ Based on proprietary protocols
◦ Backward compatible with older versions
◦ Not using key / hash diversification
◦ Poorly tested

Important risks:
◦ Authentication bypass
◦ Reduced key entropy
    Decode / crack complex passwords

Page 23:

Page 24:

Well-known example: MS LanManager (LM):
◦ Really 0ldskewl: OS/2 & MS-DOS era
◦ Enabled by default until Windows Vista
    For all passwords < 15 positions
    Backward compatibility
What's the problem?

Page 25:

Password complexity:
◦ Character set ^ length
◦ 14 position password using [a-z][A-Z][0-9]
    62 ^ 14 = 12.401.769.434.657.526 giga combinations (about 1.2 × 10^25)
    Brute force cracking takes… forever

LAN Manager
◦ 14 position password using [A-Z][0-9]
◦ Divides the password in two 7 position parts, hashed independently
◦ Uppercase only
    36 ^ 7 = 78 giga combinations per half
    Brute force cracking takes… hours
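The two numbers on this slide follow from what LM does to the password before any cryptography runs. The C below is an added example, not from the lecture, that performs exactly that pre-processing (truncate or pad to 14 bytes, upper-case, split into two 7-byte halves) and computes the resulting keyspaces; the DES step that turns each half into a hash is left out, and the guess rate used for the time estimate is an assumption.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* LM pre-processing: the password is cut or NUL-padded to 14 bytes, forced to
   upper case and split into two 7-byte halves.  Each half then becomes a DES
   key that encrypts a fixed constant; that step is omitted here. */
static void lm_split(const char *password, char half1[8], char half2[8])
{
    char buf[14] = {0};
    for (size_t i = 0; i < sizeof buf && password[i]; i++)
        buf[i] = (char)toupper((unsigned char)password[i]);
    memcpy(half1, buf, 7);     half1[7] = '\0';
    memcpy(half2, buf + 7, 7); half2[7] = '\0';
}

/* 1 if the two passwords produce identical LM halves, and so identical hashes. */
static int lm_equivalent(const char *a, const char *b)
{
    char a1[8], a2[8], b1[8], b2[8];
    lm_split(a, a1, a2);
    lm_split(b, b1, b2);
    return strcmp(a1, b1) == 0 && strcmp(a2, b2) == 0;
}

/* charset ^ length; long double because 62^14 (about 1.2e25) overflows 64 bits. */
static long double keyspace(unsigned charset, unsigned length)
{
    long double k = 1;
    while (length--) k *= charset;
    return k;
}

/* Seconds needed to try every candidate at `rate` guesses per second. */
static long double seconds_to_exhaust(long double space, long double rate)
{
    return space / rate;
}

int main(void)
{
    const char *pw = "reAlly_c0mpl3x_Passw0rd!";
    char h1[8], h2[8];
    lm_split(pw, h1, h2);
    printf("%s -> halves \"%s\" and \"%s\" (case and bytes 15+ are gone)\n", pw, h1, h2);
    printf("same LM hash as \"REALLY_C0MPL3X\": %s\n",
           lm_equivalent(pw, "REALLY_C0MPL3X") ? "yes" : "no");

    const long double rate = 1e9L;   /* assumed 10^9 guesses/s; real GPU rates differ */
    long double full = keyspace(62, 14), half = keyspace(36, 7);
    printf("62^14 = %.3Le candidates: %.1Le years at the assumed rate\n", full,
           seconds_to_exhaust(full, rate) / (365.25L * 86400));
    printf("36^7  = %.0Lf candidates per half: %.0Lf seconds at the assumed rate\n",
           half, seconds_to_exhaust(half, rate));
    return 0;
}
```

Two details the code makes visible: a password of 7 characters or fewer leaves the second half entirely NUL-padded, so its hash is a known constant and immediately tells an attacker the length class; and LM keeps punctuation (upper-cased), so the 36-symbol set on the slide is a simplification of the alphanumeric case rather than the full LM alphabet.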

Page 26:

If a password hash is the same on every system, you can pre-calculate hashes
◦ Large look-up table

The art is perfected: rainbow tables
◦ Time versus storage trade-off
◦ http://lasecwww.epfl.ch/pub/lasec/doc/Oech03.pdf

Crack complex passwords within minutes
◦ Free tables for LM, NTLM, MD5, SHA-1, …

GPU based cracking
◦ https://hashcat.net/

Page 27:

Detection:
◦ Detect known downgrade attacks
◦ Besides that quite difficult…

Prevention:
◦ Review the used algorithms before using them, if possible… Use proven open standards
◦ Use salting
    Do not use: hash(password)
    Instead use: random + hash(password + random), storing the random salt next to the hash
    Attack time grows with the number of distinct salts an attacker has to cover
    Generic rainbow tables won't work anymore
    A salt stops pre-computation, not brute force against a single hash: combine it with a deliberately slow password hash (bcrypt, scrypt, Argon2) rather than one round of a fast hash

Page 28:

Program flow manipulation: skip / manipulate checks:
◦ Games
◦ Password checks
◦ Bank transfer integrity checks
◦ …

Static: change the file on disk
    E.g. IDA Pro http://www.hex-rays.com/idapro/

Dynamic: don't change the file on disk
    Change program flow at run-time
    E.g. OllyDbg http://www.ollydbg.de/

Page 29:

Attacks on SWIFT environments
http://baesystemsai.blogspot.nl/2016/04/two-bytes-to-951m.html

Page 30:

Example bypassing a security check
◦ In the end it's just a 0 or a 1… In this case: a Boolean expression
    Let's swap yes and no!
◦ OllyDbg

Page 31:

Detection:
◦ Static analysis: none?
◦ Dynamic analysis: check for debuggers
    Cat and mouse game
◦ Application 'patches' (cracks, backdoors, …):
    Application whitelisting, verify checksums: Windows AppLocker, SELinux
    Look for changes (good or bad): https://github.com/Tripwire/tripwire-open-source

Prevention:
◦ Application signing
◦ Obfuscate / encrypt the application code
    Only slows an attacker down!
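Added example, not from the lecture: the "swap yes and no" patch of slide 30 and the two-byte patch behind the SWIFT case on slide 29, applied to a constructed x86 fragment of a password check (hand-assembled for this example), run through a tiny interpreter for just those opcodes so the effect is visible without executing machine code, and then caught by the kind of checksum comparison that the whitelisting and Tripwire points on this slide rely on. The byte sequence, the CRC choice and all names are constructed here.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed x86 fragment of a password check, hand-assembled for this example:
     85 C0            test eax, eax   ; eax = compare result, 0 means match
     75 06            jne  wrong      ; mismatch -> skip the welcome path
     B8 01 00 00 00   mov  eax, 1     ; welcome
     C3               ret
   wrong:
     B8 00 00 00 00   mov  eax, 0     ; deny
     C3               ret */
static const unsigned char check_code[] = {
    0x85, 0xC0, 0x75, 0x06, 0xB8, 0x01, 0x00, 0x00, 0x00, 0xC3,
    0xB8, 0x00, 0x00, 0x00, 0x00, 0xC3
};
#define JCC_OFFSET 2                /* where the conditional jump sits */

enum patch_kind { PATCH_NONE, PATCH_FLIP, PATCH_NOP };

/* Slide 30: swap yes and no by flipping JE (74) <-> JNE (75) in place. */
static int flip_short_jcc(unsigned char *code, size_t n, size_t off)
{
    if (off + 1 >= n) return 0;
    if (code[off] == 0x74) { code[off] = 0x75; return 1; }
    if (code[off] == 0x75) { code[off] = 0x74; return 1; }
    return 0;
}

/* Slide 29: the two-byte patch, replace the jump by two NOPs so the check
   always falls through into the success path. */
static int nop_out_short_jcc(unsigned char *code, size_t n, size_t off)
{
    if (off + 1 >= n || (code[off] != 0x74 && code[off] != 0x75)) return 0;
    code[off] = 0x90; code[off + 1] = 0x90;
    return 1;
}

/* Interpreter for only the opcodes used above; returns eax at `ret`, -1 otherwise. */
static int run_fragment(const unsigned char *code, size_t n, uint32_t eax)
{
    size_t ip = 0;
    int zf = 0;
    while (ip < n) {
        unsigned char op = code[ip];
        if (op == 0x85 && ip + 1 < n && code[ip + 1] == 0xC0) {   /* test eax, eax */
            zf = (eax == 0); ip += 2;
        } else if ((op == 0x74 || op == 0x75) && ip + 1 < n) {    /* je / jne rel8 */
            int8_t rel = (int8_t)code[ip + 1];
            ip += 2;
            if ((op == 0x74) == (zf != 0)) ip = (size_t)((ptrdiff_t)ip + rel);
        } else if (op == 0xB8 && ip + 4 < n) {                    /* mov eax, imm32 */
            eax = (uint32_t)code[ip + 1] | (uint32_t)code[ip + 2] << 8
                | (uint32_t)code[ip + 3] << 16 | (uint32_t)code[ip + 4] << 24;
            ip += 5;
        } else if (op == 0x90) {                                  /* nop */
            ip += 1;
        } else if (op == 0xC3) {                                  /* ret */
            return (int)eax;
        } else {
            return -1;
        }
    }
    return -1;
}

/* CRC-32 (IEEE), the kind of per-file checksum an integrity monitor keeps. */
static uint32_t crc32_bytes(const unsigned char *p, size_t n)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

static int apply_patch(unsigned char *code, size_t n, enum patch_kind k)
{
    if (k == PATCH_FLIP) return flip_short_jcc(code, n, JCC_OFFSET);
    if (k == PATCH_NOP)  return nop_out_short_jcc(code, n, JCC_OFFSET);
    return 1;
}

/* Copy the reference fragment, patch it, and run it with the given compare result. */
static int verdict(enum patch_kind k, uint32_t compare_result)
{
    unsigned char code[sizeof check_code];
    memcpy(code, check_code, sizeof code);
    if (!apply_patch(code, sizeof code, k)) return -1;
    return run_fragment(code, sizeof code, compare_result);
}

/* 1 if the patched copy still matches the known-good checksum, 0 if it was altered. */
static int integrity_ok(enum patch_kind k)
{
    unsigned char code[sizeof check_code];
    memcpy(code, check_code, sizeof code);
    apply_patch(code, sizeof code, k);
    return crc32_bytes(code, sizeof code) == crc32_bytes(check_code, sizeof check_code);
}

int main(void)
{
    const char *names[] = { "original", "je<->jne flipped", "jump nopped out" };
    for (int k = PATCH_NONE; k <= PATCH_NOP; k++)
        printf("%-17s match -> %d, mismatch -> %d, checksum %s\n", names[k],
               verdict((enum patch_kind)k, 0), verdict((enum patch_kind)k, 1),
               integrity_ok((enum patch_kind)k) ? "ok" : "CHANGED");
    return 0;
}
```

A CRC only detects accidental or naive changes; an attacker who can patch the file can also recompute a CRC stored beside it, which is why the slide's prevention side is code signing: the reference value has to be something the attacker cannot regenerate.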

Page 32:

Page 33:

Page 34:

J.C.vanBeek uva.nl