Compass Security Schweiz AG, Werkstrasse 20, Postfach 2038, CH-8645 Jona
Tel +41 55 214 41 60, Fax +41 55 214 41 61, www.csnc.ch
With Great Power Comes Great Pwnage
Area41 Security Conference Zürich, June 10th 2016
© Compass Security Schweiz AG Slide 2 www.compass-security.com
Hello
Agenda
Introduction to SAML
Use-Cases
Protocol Details
SAML Attacks
Demo
Remediation
Introduction: SAML
Security Assertion Markup Language
Introduction: Components
Identity Provider (IdP)
• Checks the identity of subjects
• Issues SAML assertions
• Provides the result to SPs
Client / User: entity that wants to assert a particular identity
Service Provider (SP)
• Provides services to subjects
• Trusts the identification from the IdP based on the assertions it receives
USE-CASES
Use-Case: IG B2B BrokerGate
21 Insurers (13 online): broker portal as Service Provider
941 Brokers, 4295 Users (e.g. Mirilex GmbH, Mentor Assekuranz AG, Sfaeras SA, Tectron AG Finanzberatung)
Use-Case: IG B2B BrokerGate (SAML 2.0 IdP)
Use-Case: IG B2B BrokerGate
[Chart: Logins per Month and User Accounts, Jan 2013 to Nov 2015, y-axis 0 to 45000]
Use-Case: SWITCHaai
[Diagram: University (Webmail, eLearning, Student Admin), Hospital, Library (eJournals, Research DB); "Where are you from?"]
Use-Case: SWITCHaai
On average: 52 SAML authentication requests per minute
SAML 2.0 FUNDAMENTALS
SAML: The Overall Picture
With an Assertion, an IdP confirms to an SP the identity of a subject, including the authentication method used.
SAML defines a number of protocol messages, e.g. authentication request, artifact resolution or single logout.
Bindings specify how the various messages can be carried over underlying transport protocols, e.g. HTTP Redirect or HTTP POST.
SAML profiles define how the SAML assertions, protocols, and bindings are combined and constrained to provide greater interoperability in particular usage scenarios, e.g. the Web Browser SSO Profile.
Web Browser SSO Profile: SP-Initiated SSO with Redirect and POST Bindings
Web Browser SSO Profile (Artifact): SP-Initiated SSO with POST/Artifact Bindings
SAML Assertion
Security Assertion: Version, AssertionID, IssueInstant
• Issuer: IdP EntityID
• Subject: NameID (UserId)
• Conditions: AudienceRestriction (SP EntityID), NotBefore, NotAfter
• AuthnStatement: AuthnContext (AuthnInstant, AuthnContextClassRef)
• Attribute, Attribute, Attribute
• Digital Signature: X.509 Signing Certificate; Digest, Signature Algorithm, Transforms, Signature Value
XML Signature
[Diagram: Assertion canonicalized (c14n) and digested (sha1); the digest is signed with rsa and the signature is attached to the assertion]
SAML ATTACKS
SAML Attacks
Technologies:
• SAML
• XML Signatures
• X.509 Certificates
SAML Attacks - SAML
• Log out other users due to guessable IDs
• Replay an eavesdropped SAML message
• Google for messages, Stack Overflow
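As an added example (not code from the talk), the checks an SP can run against a replayed or re-used assertion: validate the Conditions window and audience, and remember accepted assertion IDs until they expire. The Conditions attributes are NotBefore and NotOnOrAfter as in the SAML standard; the SP EntityID and the sample assertion are constructed, the signature is assumed to be verified already, and timestamps are assumed in whole-second UTC "Z" form.

```python
# Added example, not from the talk: SP-side Conditions validation plus a
# replay cache, standard library only. Signature verification is assumed done.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://sp.example.org/metadata"   # assumed EntityID of this SP

def ts(s):
    """SAML UTC timestamp (whole seconds, 'Z' suffix assumed) -> POSIX seconds."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()

class ReplayCache:
    """Remembers accepted assertion IDs until their NotOnOrAfter has passed, so
    an eavesdropped message cannot be presented to the SP a second time."""
    def __init__(self):
        self._seen = {}
    def seen(self, assertion_id, now):
        self._seen = {k: v for k, v in self._seen.items() if v > now}   # purge expired
        return assertion_id in self._seen
    def add(self, assertion_id, expires):
        self._seen[assertion_id] = expires

def validate_assertion(xml_text, cache, now):
    """Return (accepted, reason) for one Assertion evaluated at time `now`."""
    a = ET.fromstring(xml_text)
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        return False, "missing Conditions"
    not_before, not_after = ts(cond.get("NotBefore")), ts(cond.get("NotOnOrAfter"))
    if now < not_before or now >= not_after:
        return False, "outside validity window"
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        return False, "audience mismatch"          # issued for a different SP
    assertion_id = a.get("ID")
    if not assertion_id or cache.seen(assertion_id, now):
        return False, "replayed assertion"
    cache.add(assertion_id, not_after)             # remember until it expires anyway
    return True, "ok"

# Constructed sample assertion (signature omitted; ID and times chosen for the test).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_constructed1" Version="2.0" IssueInstant="2016-06-10T10:00:00Z">
  <saml:Issuer>https://idp.example.org/metadata</saml:Issuer>
  <saml:Conditions NotBefore="2016-06-10T10:00:00Z" NotOnOrAfter="2016-06-10T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.org/metadata</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
</saml:Assertion>"""
```

The cache only needs to hold an ID for the assertion's own validity window, because the time check rejects it afterwards regardless.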
SAML Attacks - XML
• Signature Exclusion (simply delete the Signature)
• XML Signature Wrapping (paper «On Breaking SAML: Be Whoever You Want to Be», 2012)
SAML Attacks - XML
Normal Message
Manipulated Message (XSW)
SAML Attacks - Certificate Tampering
Precondition: certificate is embedded in the message
• «Clone» a certificate, generate new key material
• Use a certificate signed by another official CA
• Use a revoked certificate
Demo Exploit
Found in June 2015 by Compass Security. The affected implementation used the SAML POST binding and did not match all attributes of the X.509 certificate embedded in the assertion against the certificate from the identity provider (IdP).
SAMLRaider
SAMLRaider Extension for Burp
https://github.com/SAMLRaider/SAMLRaider
REMEDIATIONS
SAML Attacks - Mitigation
Configuration:
• Use artifact binding (no content on client)
• If POST binding is necessary: use encrypted messages
Implementation:
• Only process the signed XML tree (delete other content)
• Use key material on the SP or IdP and not embedded keys
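An added example, not code from the talk or from SAML Raider, of the two "Implementation" remediations as SP-side checks run before an XML-Signature library verifies the message: accept only the single Assertion that the enveloped Signature references (which also catches signature exclusion and the XSW layout), and compare the whole embedded certificate against the pinned IdP certificate instead of individual attributes, which is what the demo exploit's attribute-by-attribute comparison missed. The pinned certificate bytes and the sample Responses are constructed placeholders, so no real signature is verified here.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed stand-in for the IdP certificate (DER bytes) loaded from SP configuration.
PINNED_IDP_CERT_DER = b"CONSTRUCTED-IDP-CERTIFICATE-DER"

def signed_assertion(response_xml):
    """Return the one Assertion the enveloped Signature references, else None.
    Catches signature exclusion (no Signature) and the XML Signature Wrapping
    layout, where a second Assertion is smuggled next to the signed one."""
    root = ET.fromstring(response_xml)
    assertions = root.findall(".//saml:Assertion", NS)
    if len(assertions) != 1:
        return None                       # zero or several assertions: refuse
    a = assertions[0]
    ref = a.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + a.get("ID", ""):
        return None                       # unsigned, or signature covers another element
    return a                              # only this subtree is processed further

def embedded_cert_matches(assertion, pinned_der):
    """Compare the whole embedded certificate with the pinned IdP certificate.
    A cloned certificate (same subject/issuer, new key pair) will not match,
    whereas comparing selected attributes would have accepted it."""
    el = assertion.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if el is None:
        return True                       # nothing embedded: the pinned key is used anyway
    embedded = base64.b64decode("".join(el.text.split()))
    return hashlib.sha256(embedded).digest() == hashlib.sha256(pinned_der).digest()

def _response(assertion_id, cert_der, extra=""):
    # Constructed minimal Response; no real SignatureValue, structure only.
    cert_b64 = base64.b64encode(cert_der).decode()
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  {extra}<saml:Assertion ID="{assertion_id}"><saml:Issuer>https://idp.example.org</saml:Issuer>
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#{assertion_id}"/></ds:SignedInfo>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></ds:Signature></saml:Assertion></samlp:Response>"""

GOOD = _response("_ok1", PINNED_IDP_CERT_DER)
CLONED = _response("_ok2", b"CONSTRUCTED-CLONED-CERTIFICATE-DER")
WRAPPED = _response("_ok3", PINNED_IDP_CERT_DER, extra='<saml:Assertion ID="_wrapped"/>')
```

Whatever `signed_assertion` returns is the only subtree handed to the signature library and to the application; everything else in the Response is discarded.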
Questions?
Credits and Links:
Emanuel Duss: Bachelor Thesis and SAMLRaider
Bachelor Thesis: https://eprints.hsr.ch/464/
SAMLRaider on GitHub: https://github.com/SAMLRaider/SAMLRaider