ABUSING CERTIFICATE TRANSPARENCY CON 25/DEF CON 25...(HPKP) 10 CERTIFICATE AUTHORITY AUTHORIZATION...
Transcript of ABUSING CERTIFICATE TRANSPARENCY CON 25/DEF CON 25...(HPKP) 10 CERTIFICATE AUTHORITY AUTHORIZATION...
-
ABUSING CERTIFICATETRANSPARENCY
OR HOW TO HACK WEB APPLICATIONS BEFOREINSTALLATION.
Hanno Böck https://hboeck.de/
1
https://hboeck.de/
-
HTTPS
2
-
CERTIFICATE AUTHORITIES (CAS)
3
-
CAN WE TRUST CERTIFICATEAUTHORITIES?
4
-
NOMany cases of illegitimate certificates in the past.
5
-
IMPROVE OR REPLACE?Popular Infosec opinion:
CAs are bad, we need to get rid of them.
6
-
HOW?Reality: Nobody has a feasible plan how to replaceCAs.
7
-
IMPROVING THE CA ECOSYSTEM
8
-
BASELINE REQUIREMENTS
9
-
HTTP PUBLIC KEY PINNING(HPKP)
10
-
CERTIFICATE AUTHORITYAUTHORIZATION (CAA)
11
-
CERTIFICATE TRANSPARENCY(CT)
12
-
PUBLIC LOGSLet's put all certificates into public logs that everyonecan read.
13
-
CT DETAILSMerkle Hash Trees, Signed Certificate Timestamps(SCT), Signed Tree Head (STH), Precertificates,Monitors, Gossip, ...
It's complicated, but not relevant for this talk.
14
-
CERTIFICATE LOGGINGIn the future logging will be required (April 2018).
15
-
CT TODAYMost certificates already get logged.
16
-
WATCHING THE CASCertificate Transparency means everyone can checklogs for suspicious activity.
17
-
https://crt.sh
18
https://crt.sh/
-
19
-
CERTIFICATE TRANSPARENCY ISA DATA SOURCE
For researchers.
For search engines.
For attackers?
20
-
FEED OF NEW HOST NAMESCertificates contain hostnames.
In other words: Certificate Transparency provides afeed of newly created HTTPS host names.
21
-
SELF-HOSTED WEBAPPLICATIONS
Wordpress, Joomla, Drupal etc.
22
-
WEB APPLICATION INSTALLERS
23
-
INSTALLERSUpload files to hoster, open in browser.
Installer asks for some settings (initial user account,database credentials, ...).
24
-
INSTALLER (IN)SECURITYUsually installing needs no authentication!
25
-
GOOGLE DORKING WEBINSTALLERS
Old idea: Use Google to find unprotected installers.
26
-
ATTACK IDEADuring installation there is a time window betweenuploading files and completing the installer withoutany protection.
27
-
Remember: We have a stream of newly created hostnames.
28
-
HTTPS AND CERTIFICATESHTTPS is becoming more popular and many hostersautomatically issue certificates.
29
-
ATTACK (1)Attacker monitors CT logs, extracts host names.
Compares web pages with common installers.
30
-
ATTACK (2)Insaller found: Install the application.
Upload a plugin with code execution backdoor.
Revert installation, leave backdoor.
31
-
DATABASE CREDENTIALSInstallers o�en require Database credentials forMySQL.
But the database server can be external.
https://www.freemysqlhosting.net/
32
https://www.freemysqlhosting.net/
-
DEMO
33
-
CHALLENGESLogged certificates aren't immediately public. Lagaround 30 minutes - 1 hour.
Still: You'll hit plenty of vulnerable installers.
34
-
OPTIMIZATIONSInstead of checking sites once one could check themmultiple times.
35
-
NUMBERSI could've taken over around 4000 Wordpressinstallations within a month.
Much lower numbers for other apps, Joomla (~400)and Owncloud/Nextcloud (each ~100) may still beworth attacking.
36
-
PROTECTION
37
-
INSTALLERS NEEDAUTHENTICATION
38
-
CHALLENGEApplication programmers want easy installations.
39
-
SECURITY TOKENSWebapp creates token, writes it to file.
User has to read token to perform installation.
40
-
VENDORSDrupal
Typo3
Owncloud
... no reaction at all.
41
-
VENDORSWordpress, Nextcloud, Serendipity participated incross-vendor discussion, but no action.
42
-
JOOMLASecurity token if database server is not localhost.
43
-
WHITELISTING LOCALHOSTThis was my idea, but I don't like it.
Attacker could already own database credentials forlocalhost.
44
-
WHAT CAN USERS DO?
45
-
BE FASTHowever there's no way of knowing how fast CT logsare.
Future CT logs could be faster.
46
-
.HTACCESSUser can create .htaccess with password protectionbefore installation.
Some webapps create .htaccess themselve.
47
-
TAKEAWAY (1)Unauthenticated installers need to go away.
Majority of web application developers ignored theissue so far.
48
-
TAKEAWAY (2)Certificate Transparency is a powerful tool tostrengthen the HTTPS/TLS and PKI ecosystem.
As a side effect it provides an interesting data source.
Attackers have that data source, too.
49
-
TAKEAWAY (3)Certificate Transparency means TLS host names are nolonger secret.
People need to be aware of that.
50
-
THANKS FOR LISTENING!Questions?
https://hboeck.de/
51
https://hboeck.de/