ABUSING CERTIFICATETRANSPARENCY

OR HOW TO HACK WEB APPLICATIONS BEFOREINSTALLATION.

Hanno Böck https://hboeck.de/

1

https://hboeck.de/

HTTPS

2

CERTIFICATE AUTHORITIES (CAS)

3

CAN WE TRUST CERTIFICATEAUTHORITIES?

4

NOMany cases of illegitimate certificates in the past.

5

IMPROVE OR REPLACE?Popular Infosec opinion:

CAs are bad, we need to get rid of them.

6

HOW?Reality: Nobody has a feasible plan how to replaceCAs.

7

IMPROVING THE CA ECOSYSTEM

8

BASELINE REQUIREMENTS

9

HTTP PUBLIC KEY PINNING(HPKP)

10

CERTIFICATE AUTHORITYAUTHORIZATION (CAA)

11

CERTIFICATE TRANSPARENCY(CT)

12

PUBLIC LOGSLet's put all certificates into public logs that everyonecan read.

13

CT DETAILSMerkle Hash Trees, Signed Certificate Timestamps(SCT), Signed Tree Head (STH), Precertificates,Monitors, Gossip, ...

It's complicated, but not relevant for this talk.

14

CERTIFICATE LOGGINGIn the future logging will be required (April 2018).

15

CT TODAYMost certificates already get logged.

16

WATCHING THE CASCertificate Transparency means everyone can checklogs for suspicious activity.

17

https://crt.sh

18

https://crt.sh/

19

CERTIFICATE TRANSPARENCY ISA DATA SOURCE

For researchers.

For search engines.

For attackers?

20

FEED OF NEW HOST NAMESCertificates contain hostnames.

In other words: Certificate Transparency provides afeed of newly created HTTPS host names.

21

SELF-HOSTED WEBAPPLICATIONS

Wordpress, Joomla, Drupal etc.

22

WEB APPLICATION INSTALLERS

23

INSTALLERSUpload files to hoster, open in browser.

Installer asks for some settings (initial user account,database credentials, ...).

24

INSTALLER (IN)SECURITYUsually installing needs no authentication!

25

GOOGLE DORKING WEBINSTALLERS

Old idea: Use Google to find unprotected installers.

26

ATTACK IDEADuring installation there is a time window betweenuploading files and completing the installer withoutany protection.

27

Remember: We have a stream of newly created hostnames.

28

HTTPS AND CERTIFICATESHTTPS is becoming more popular and many hostersautomatically issue certificates.

29

ATTACK (1)Attacker monitors CT logs, extracts host names.

Compares web pages with common installers.

30

ATTACK (2)Insaller found: Install the application.

Upload a plugin with code execution backdoor.

Revert installation, leave backdoor.

31

DATABASE CREDENTIALSInstallers o�en require Database credentials forMySQL.

But the database server can be external.

https://www.freemysqlhosting.net/

32

https://www.freemysqlhosting.net/

DEMO

33

CHALLENGESLogged certificates aren't immediately public. Lagaround 30 minutes - 1 hour.

Still: You'll hit plenty of vulnerable installers.

34

OPTIMIZATIONSInstead of checking sites once one could check themmultiple times.

35

NUMBERSI could've taken over around 4000 Wordpressinstallations within a month.

Much lower numbers for other apps, Joomla (~400)and Owncloud/Nextcloud (each ~100) may still beworth attacking.

36

PROTECTION

37

INSTALLERS NEEDAUTHENTICATION

38

CHALLENGEApplication programmers want easy installations.

39

SECURITY TOKENSWebapp creates token, writes it to file.

User has to read token to perform installation.

40

VENDORSDrupal

Typo3

Owncloud

... no reaction at all.

41

VENDORSWordpress, Nextcloud, Serendipity participated incross-vendor discussion, but no action.

42

JOOMLASecurity token if database server is not localhost.

43

WHITELISTING LOCALHOSTThis was my idea, but I don't like it.

Attacker could already own database credentials forlocalhost.

44

WHAT CAN USERS DO?

45

BE FASTHowever there's no way of knowing how fast CT logsare.

Future CT logs could be faster.

46

.HTACCESSUser can create .htaccess with password protectionbefore installation.

Some webapps create .htaccess themselve.

47

TAKEAWAY (1)Unauthenticated installers need to go away.

Majority of web application developers ignored theissue so far.

48

TAKEAWAY (2)Certificate Transparency is a powerful tool tostrengthen the HTTPS/TLS and PKI ecosystem.

As a side effect it provides an interesting data source.

Attackers have that data source, too.

49

TAKEAWAY (3)Certificate Transparency means TLS host names are nolonger secret.

People need to be aware of that.

50

THANKS FOR LISTENING!Questions?

https://hboeck.de/

51

https://hboeck.de/