2014 – Year of Broken Name Generator(s)
Miroslav Štampar ([email protected])
FER 2015, Zagreb (Croatia), January 16th, 2015
Introduction
goto fail (1)
CVE-2014-1266 (6.8)
Discovered by @CrowdStrike by reverse engineering the security update for iOS (7.0.6)
Public disclosure on February 21, 2014
SSL/TLS vulnerability in iOS and OS X
The signature in the ServerKeyExchange message is inaccurately verified
Allows MiTM attacks with fully transparent interception of HTTPS traffic
The bug had been in the wild for more than a year
Later, a similar bug was found in GnuTLS
goto fail (2)
The attacker has to be in a position to intercept and change traffic between victim and target (MiTM)
The attacker sends fake (chosen) Diffie-Hellman parameters to the victim, along with the server's valid certificate and a forced Ephemeral Diffie-Hellman (EDH/DHE) cipher suite, triggering the vulnerable code
The signature over the provided parameters is not properly checked against the server's certificate
Allows the attacker to generate the same session key(s) as the client (the purpose of Diffie-Hellman)
Once the secure connection is established between victim and attacker, the attacker plays the MiTM proxy role
goto fail (3)
Vulnerable piece of code:
goto fail (4)
mitmproxy --ciphers="DHE-RSA-AES256-SHA" --cert-forward
Heartbleed (1)
CVE-2014-0160 (5.0)
Discovered independently by Neel Mehta (@Google) and @Codenomicon at roughly the same time (while the bug had been there for years :)
Public disclosure on April 7, 2014
OpenSSL's (1.0.1 before 1.0.1g) TLS heartbeat extension (RFC 6520) buffer over-read vulnerability
Allows attackers to retrieve private cryptographic keys and private user data
It is estimated that 24-55% of HTTPS servers in the Alexa Top 1 Million were initially vulnerable
Heartbleed (2)
The heartbeat extension provides a means to test and keep alive secure communication connections
A “Heartbeat Request” message is sent consisting of a payload (typically a text value), and the receiver has to send exactly the same payload back to the sender
The returned message is built from the length field of the request (max. 64KB in case of attack), without properly checking the actual payload's length (e.g. “foobar”)
Heartbleed (3)
The response consists of the payload, followed by whatever else happened to be in the allocated memory buffer (in case of a faked payload length)
The attack is performed repeatedly in the hope of reading a chunk previously used by OpenSSL (e.g. server private key, session cookies, credentials, etc.)
OpenSSL uses a custom memory allocator, making exploitation far easier (non-random/reusable memory chunks are allocated)
Lots of criticism followed, especially of OpenSSL's “sloppy coding” style (e.g. LibreSSL developers removed half of the OpenSSL source tree in a week)
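Added example, not from the slides or from OpenSSL itself: the heartbeat message layout from RFC 6520, the pre-1.0.1g response logic that trusts the declared length, and the 1.0.1g bounds check, run over a constructed memory image (the "heap" bytes and the stale cookie value in it are made up for the demonstration).

```python
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16  # RFC 6520: at least 16 bytes of padding follow the payload

def build_heartbeat(payload, declared_len=None):
    """HeartbeatMessage: type (1 byte) | payload_length (2 bytes) | payload | padding.
    declared_len lets the length field lie about the real payload, as in the attack."""
    length = len(payload) if declared_len is None else declared_len
    return bytes([HB_REQUEST]) + struct.pack("!H", length) + payload + b"\x00" * MIN_PADDING

def respond_vulnerable(heap, offset):
    """Pre-1.0.1g logic: trust the declared length and copy that many bytes from
    wherever the request sits in memory ('heap' is a constructed stand-in)."""
    length = struct.unpack("!H", heap[offset + 1:offset + 3])[0]
    payload = heap[offset + 3:offset + 3 + length]  # runs past the end of the record
    return bytes([HB_RESPONSE]) + struct.pack("!H", length) + payload

def respond_fixed(heap, offset, record_len):
    """1.0.1g logic: type + length field + declared payload + minimum padding
    must fit inside the record actually received; otherwise discard silently."""
    if record_len < 1 + 2 + MIN_PADDING:
        return None
    hbtype = heap[offset]
    length = struct.unpack("!H", heap[offset + 1:offset + 3])[0]
    if hbtype != HB_REQUEST or 1 + 2 + length + MIN_PADDING > record_len:
        return None
    payload = heap[offset + 3:offset + 3 + length]
    return bytes([HB_RESPONSE]) + struct.pack("!H", length) + payload

# Constructed memory image: a "foobar" request declaring 64 bytes, followed by
# stale data from an earlier allocation (the kind of chunk the attack fished for).
RECORD = build_heartbeat(b"foobar", declared_len=64)
HEAP = RECORD + b"...session=SECRET-COOKIE-VALUE..." + b"\x00" * 64
```

The same 64-byte request is answered with leaked bytes by the old logic and silently dropped by the fixed one; an honest request still gets its payload echoed.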
Heartbleed (4)
Heartbleed (5)
python heartbleed.py www.target.com
Rosetta Flash (1)
CVE-2014-4671 (6.8) and CVE-2014-5333 (6.8)
Discovered by Michele Spagnuolo (@Google)
Public disclosure on July 8, 2014
JSONP (JSON with Padding) is a communication technique used in JavaScript programs to request data from a server in a different domain
Basically, it's a script tag injection method passing the response from the server into a user-specified “callback” function (different domain context)
A website with a JSONP endpoint accepting only alphanumeric callbacks (for security reasons) can be abused (against the client's Adobe Flash Player) with specially crafted SWF files
Rosetta Flash (2)
It can be used to serve (echo back) a provided malicious alphanumeric SWF object that steals the content(s) of a same-domain URL inside the user's browser
The SWF (Flash) file is executed in the context of the target domain, so a CSRF (Cross-Site Request Forgery) attack can be performed
Successful mitigation required “patching” both on the client side (Adobe Flash Player 14.0.0.176) and on the server side
Many high-profile sites were affected (Google, YouTube, Twitter, LinkedIn, Yahoo, eBay, Flickr, Baidu, Instagram, Tumblr, etc.)
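Added example (not from the slides or from any affected site) of the server-side part of the mitigation: a JSONP endpoint that only filters the callback to alphanumerics beside one that also prepends a fixed `/**/` prefix and sends `X-Content-Type-Options: nosniff` and `Content-Disposition: attachment`, the headers widely recommended alongside the prefix. The callback names and JSON body are constructed; `looks_like_swf` mirrors the three-byte SWF signature check.

```python
import re

# Letters, digits, underscore and dot only: the "safe" filter the affected
# endpoints used, which still lets the response start with caller-chosen bytes.
CALLBACK_RE = re.compile(r"^[A-Za-z0-9_.]{1,64}$")

def callback_allowed(callback):
    return bool(CALLBACK_RE.match(callback))

def jsonp_response_weak(callback, json_body):
    """Alphanumeric filtering alone: the callback name becomes the first bytes of
    the response, so a name that is itself a valid SWF is echoed as a SWF."""
    if not callback_allowed(callback):
        raise ValueError("invalid callback")
    return callback + "(" + json_body + ")"

def jsonp_response_hardened(callback, json_body):
    """Prefix the body with bytes the caller cannot control, so it can never start
    with a SWF signature; nosniff stops MIME sniffing and the attachment disposition
    keeps the body from being rendered as anything but a script download."""
    if not callback_allowed(callback):
        raise ValueError("invalid callback")
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": "attachment; filename=f.txt",
    }
    return headers, "/**/" + callback + "(" + json_body + ")"

def looks_like_swf(body):
    """Flash Player identified an SWF by its first three bytes (uncompressed,
    zlib- or LZMA-compressed), regardless of the Content-Type the server sent."""
    return body[:3] in ("FWS", "CWS", "ZWS")
```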
Rosetta Flash (3)
Vulnerable JSONP sample application:
Sample malicious alphanumeric SWF:
Rosetta Flash (4)
Sample malicious web page:
Rosetta Flash (5)
msfconsole (flash_rosetta_jsonp_url_disclosure)
Shellshock (1)
CVE-2014-6271 (10.0), CVE-2014-6277 (10.0), CVE-2014-6278 (10.0), CVE-2014-7169 (10.0), CVE-2014-7186 (10.0) and CVE-2014-7187 (10.0)
Discovered by Stéphane Chazelas
Public disclosure on September 24, 2014
Remote code execution through Bash
Many *nix and *BSD Internet-facing systems expose Bash to client requests (e.g. HTTP (CGI), DHCP, SSH, CUPS, etc.)
Bash supports exporting not just shell variables but also shell functions to other Bash instances
Shellshock (2)
Sample function definition in Bash:
Commands are unintentionally executed (on a vulnerable machine) when concatenated to function definitions stored as environment variables:
Shellshock (3)
HTTP requests to CGI scripts have been identified as the major attack vector
The CGI specification maps all parts of the request to environment variables (e.g. the Host header to the $REMOTE_HOST variable)
CGI programs written in Perl, PHP, Python, Ruby and Bash itself are potentially vulnerable
Sample vulnerable script:
Shellshock (4)
Sample attack:
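The slide's sample script and sample attack are images not reproduced in this transcript. What follows is an added example from the defender's side, not part of the deck: the CGI header-to-environment mapping from Shellshock (3), and a check for the `() {` function-export prefix over a constructed request and constructed access-log lines (the hosts, addresses and the benign `echo` probe string are made up).

```python
import re

# A Bash exported function is a variable whose value begins with "() {"; the
# vulnerable Bash kept parsing, and executing, what followed the function body.
FUNC_EXPORT = re.compile(r"\(\s*\)\s*\{")

def cgi_env_from_request(headers):
    """Mirror the CGI mapping: request header X-Foo becomes HTTP_X_FOO in the
    environment of the script (and of any Bash the script spawns)."""
    return {"HTTP_" + k.upper().replace("-", "_"): v for k, v in headers.items()}

def find_function_exports(env):
    """Names of environment variables whose value starts with a function export."""
    return sorted(k for k, v in env.items() if FUNC_EXPORT.match(v.lstrip()))

def scan_access_log(lines):
    """Log lines (any field) carrying the function-export pattern."""
    return [line for line in lines if FUNC_EXPORT.search(line)]

# Constructed sample request; the User-Agent carries the well-known benign probe.
SAMPLE_HEADERS = {
    "Host": "www.example.com",
    "User-Agent": "() { :; }; /bin/echo probe",
    "Accept": "*/*",
}

# Constructed access-log lines in combined format (User-Agent is the last field).
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:00:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; /bin/echo probe"',
    '198.51.100.7 - - [25/Sep/2014:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]
```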
POODLE (1)
CVE-2014-3566 (4.3)
Discovered by Bodo Möller, Thai Duong and Krzysztof Kotowicz (@Google)
Public disclosure on October 14, 2014
“Padding Oracle On Downgraded Legacy Encryption”
Padding oracle attack against the CBC mode of operation in SSL 3.0 (exploiting the same flaw as the BEAST attack)
In case of TLS usage, a forced version downgrade from TLS to SSL 3.0 MiTM attack is performed
Major browsers voluntarily downgrade to SSL 3.0 if TLS handshakes fail
POODLE (2)
SSL 3.0 (deprecated 15 years ago) uses non-deterministic CBC padding, which makes padding oracle attacks possible in a MiTM environment
Padding is performed to make the input plaintext length a multiple of the cipher's block size (e.g. 8 bytes for 3DES and 16 bytes for AES)
SSL 3.0 adds padding whose final byte denotes the length of the padding itself
In a padding oracle attack the server leaks whether the padding of an encrypted message is correct or not
POODLE (3)
CBC mode decryption:
POODLE (4)
In the POODLE attack the presumption is that the victim runs malicious JavaScript in a browser, which causes the browser to make attacker-controlled requests (with cookies) to the origin of interest (e.g. google.com)
The attacker intercepts one such controlled encrypted request, takes the block which contains the value of interest (e.g. one “shifted” cookie byte followed by spaces), replaces the last (padding) block with its content and forwards it to the server
If the server doesn't drop such a “skewed” request, it can be concluded that the last byte of the decrypted duplicated block, XORed with the ciphertext of the previous block, equals the last byte of the known padding block
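Added example, not from the slides, covering the padding rule from POODLE (2) and the CBC decryption relation from POODLE (3) and (4): the SSL 3.0 check inspects only the final length byte, so a block whose pad bytes were never verified still passes, while the TLS check rejects it. The XOR block "cipher" and the key are constructed stand-ins for AES; only the padding checks and the CBC chaining are the real thing.

```python
import os

BLOCK = 16  # AES block size in bytes, as on the slide
KEY = bytes(range(BLOCK))  # constructed toy key; XOR with it stands in for the block cipher

def sslv3_padding_ok(plain):
    """SSL 3.0 check: only the final byte (the pad length) is inspected.
    The pad bytes before it have no fixed value and are never verified."""
    pad_len = plain[-1]
    return pad_len < BLOCK and len(plain) >= pad_len + 1

def tls_padding_ok(plain):
    """TLS 1.0+ check: every pad byte must equal the pad length byte."""
    pad_len = plain[-1]
    return len(plain) >= pad_len + 1 and all(b == pad_len for b in plain[-pad_len - 1:])

def sslv3_pad(data):
    """SSL 3.0 padding: arbitrary filler bytes, then one byte giving their count."""
    pad_len = BLOCK - 1 - len(data) % BLOCK
    return data + os.urandom(pad_len) + bytes([pad_len])

def tls_pad(data):
    """TLS padding: pad_len + 1 copies of pad_len (deterministic, fully checkable)."""
    pad_len = BLOCK - 1 - len(data) % BLOCK
    return data + bytes([pad_len]) * (pad_len + 1)

def toy_block(block):
    # Self-inverse XOR "cipher" used for both directions; a stand-in only.
    return bytes(b ^ k for b, k in zip(block, KEY))

def cbc_encrypt(iv, padded):
    out, prev = b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = toy_block(bytes(p ^ c for p, c in zip(padded[i:i + BLOCK], prev)))
        out += prev
    return out

def cbc_decrypt(iv, ciphertext):
    """P_i = D(C_i) XOR C_(i-1): the last byte of a decrypted block is tied to
    the last byte of the previous ciphertext block, as the slide describes."""
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out += bytes(d ^ p for d, p in zip(toy_block(cur), prev))
        prev = cur
    return out
```

A 16-byte message padded the SSL 3.0 way ends in a full padding block with length byte 15, the case the attack relies on; the same message padded the TLS way passes both checks.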
Sandworm (1)
CVE-2014-4114 (9.3)
Identified by @iSIGHT from the same-named “cyber-attack” campaign
Public disclosure on October 15, 2014
Microsoft Windows OLE arbitrary code execution
Windows Vista SP2, Windows 7/8 and Windows Server 2008/2012 are known to be vulnerable
The problem lies in how the Object Packager 2 component (packager.dll) handles an INF file that contains malicious registry changes (e.g. RunOnce)
An INF can't be loaded (and executed) directly, but it can be forced by embedding the file path as a remote share in an OLE object
Sandworm (2)
msfconsole (ms14_060_sandworm)
Sandworm (3)
Questions?