1 of 38

Security war stories

Vulnerabilities can be fun!

2 of 38

whoami?

Ron Bowes

  • UofM Co-op Graduate (2006)
  • Information Security Engineer @ Google
    • Security reviews
    • Bug bounty
  • Blog: https://www.skullsecurity.org/
  • @iagox86 (Twitter, Github, etc)
  • Founder of SkullSpace

3 of 38

SkullSpace you say!?

  • Winnipeg's first and only and best hackerspace
    • Founded a few years ago by me, Mak Kolybabi, and Andrew Orr
  • Get involved!
    • Weekly meetings on Tuesdays @ 6pm
    • Hacker Jeopardy THIS SATURDAY!

4 of 38

Hacker Jeopardy!!!

  • A fundraiser for SkullSpace
  • Run by me, whenever I visit
    • Being run THIS SATURDAY (Dec 6)!
    • Tickets are $10! And I have a bunch to sell!
    • http://tinyurl.com/hjeopardy

5 of 38

Okay, let's get started…

6 of 38

This talk?

Vulnerabilities I've…

  • Found
  • Seen
  • Or read about

NDA…

  • If I don't explicitly name a product on a slide, try not to share
  • (I'm not under NDA for any of this, but I try to be polite)

7 of 38

Vulnerability?

What is a vulnerability?

  • Unexpected input to a program that makes it behave badly
  • Academically:
    • "Violates confidentiality, integrity, or availability expectations"
  • Colloquially:
    • "Somebody screwed up"

I'll also talk about best practices, but only in Comic Sans :)

8 of 38

Web

9 of 38

Permit web application

Terrible application, but the best parts:

  • Storing sensitive data in cookies
  • SQL injection literally everywhere

Best practice: Remember, cookies can be read and written!

10 of 38

.git folders

Easy mistake to make

  • When you upload your applications…
  • … do you delete your .git folder?

Best practice: Don't serve random files

11 of 38

Stealing voicemail

Shell injection in a password field?

  • I had to find out more…

Best practice: Be very, very careful if you're using system()

12 of 38

singles.org passwords stolen

… by 4chan, of all places. Oops?

Best practice: Don't store passwords in plaintext

13 of 38

Speaking of passwords…

bcrypt() is a very secure password scheme:

14 of 38

Speaking of passwords…

crypt() is NOT:

Best practice: Use bcrypt() or scrypt() or something strong

15 of 38

Red Hat Satellite XSS

Own a network with cross-site scripting?

  • Red Hat Satellite Server manages all your servers
  • Can run code on them, for example
  • Stored cross-site scripting means anybody can run code on every machine on the network
    • Full. Network. Compromise.
  • Spent months arguing with developers
    • Why? They thought it was a moderate risk bug and refused to fix it

Best practice: Don't make assumptions about vulnerabilities

16 of 38

Chrome extension XSS

Cross-site scripting in a privileged context!

  • I found this during my first week at Google. :)
  • Cross-site scripting vulnerability in the Chrome RSS plugin
  • Running JavaScript code in the context of an extension is Bad

Best practice: Be careful when coding in a privileged context

17 of 38

Rosetta Flash

Universal cross-site scripting with Flash!?

  • Adobe Flash is extremely generous when parsing files
  • JSONP lets you sneak a file into any server (in a sense)
  • Cross-site scripting on almost every site that used JSONP:
    • accounts.google.com, www.google.com, maps.google.com, youtube.com, twitter.com, linkedin.com, yahoo.com, ebay.com, flickr.com, instagram.com, tumblr.com, and way, way more!

Best practice: NEVER let an untrusted user choose the first few bytes of a file

Also, parse files/network traffic as strictly as possible

18 of 38

Authentication Bypass Issues

19 of 38

Security camera ActiveX

This goes back a long, long time :)

Best practice: Don't use client-side authentication. Or ActiveX.

20 of 38

VNC security downgrade

VNC authentication could be chosen by the client

  • The client could choose "no authentication". Oops?

Best practice: Never trust a client to be sane

21 of 38

RocketSoftware auth bypass

I honestly forgot what the product was called…

  • Mak reminded me: it was UniData

But anyway, it used three packets to do stuff:

  1. Negotiate
  2. Authenticate
  3. Do stuff

Best practice: Once again, never trust a client to be sane

22 of 38

Auth bypass in HP NNM

Let's talk about owning another network. :)

  • Once again, the user is given the choice of how to authenticate…
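The three preceding slides (VNC, UniData, HP NNM) share one failure: the server lets the client decide which authentication method is used and, in the UniData case, whether the "authenticate" packet happens at all. The following is an added example, not code from the talk or from any of those products, contrasting a client-driven negotiation with a server-driven state machine. The packet shapes, method names and credentials are constructed for the example.

```python
import hmac

# Constructed credentials for the example; a real server would look these up.
SECRETS = {"password": "correct horse", "token": "deadbeef"}
SERVER_OFFERED = frozenset(SECRETS)    # the only methods this server accepts


class NaiveServer:
    """Client-driven negotiation, as on the VNC / UniData slides: the client may
    name any method ("none" included) and may skip straight to the work packet."""

    def __init__(self):
        self.method = None
        self.authenticated = False

    def handle(self, packet):
        kind = packet.get("type")
        if kind == "negotiate":
            self.method = packet.get("method")      # trusted as-is
            return "ok"
        if kind == "authenticate":
            if self.method == "none":               # downgrade accepted
                self.authenticated = True
                return "ok"
            expected = SECRETS.get(self.method)
            if expected is not None and hmac.compare_digest(
                    packet.get("secret", ""), expected):
                self.authenticated = True
                return "ok"
            return "denied"
        if kind == "do_stuff":
            return "result"                         # never consults self.authenticated
        return "error"


class StrictServer:
    """Server-driven negotiation: only offered methods, only in order, fail closed."""

    NEGOTIATE, AUTHENTICATE, READY = range(3)

    def __init__(self):
        self.state = self.NEGOTIATE
        self.method = None

    def handle(self, packet):
        kind = packet.get("type")
        if self.state == self.NEGOTIATE and kind == "negotiate":
            method = packet.get("method")
            if method not in SERVER_OFFERED:        # "none" is not on the menu
                return "denied"
            self.method = method
            self.state = self.AUTHENTICATE
            return "ok"
        if self.state == self.AUTHENTICATE and kind == "authenticate":
            if hmac.compare_digest(packet.get("secret", ""), SECRETS[self.method]):
                self.state = self.READY
                return "ok"
            self.state = self.NEGOTIATE             # failed attempt: start over
            return "denied"
        if self.state == self.READY and kind == "do_stuff":
            return "result"
        return "error"                              # any out-of-order packet is rejected
```

The point is not the particular methods but that the state lives on the server: the set of acceptable methods, the order of the packets and the decision that authentication succeeded are all the server's to make, never the client's to assert.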

23 of 38

Other vulnerabilities

24 of 38

Format string vulnerabilities

Not a specific issue for a change!

  • Just an interesting design gotcha in libc
  • printf-style strings look like "number: %d"
  • The format string contains codes with special significance
  • What happens if we change:
    • printf("%s", attacker_string)
  • To:
    • printf(attacker_string)
  • (Hint: usually, full code execution!)

25 of 38

strings

  • strings is a GNU tool for displaying strings from a file
  • It has been around since 1991
  • And yet…

    $ strings ./strings-bfd-badptr.elf
    Segmentation fault (core dumped)

Best practice: Don't have unexpected behaviour by default

26 of 38

"Shellshock"

On the topic of surprising behavior…

  • There was a problem parsing Bash scripts
  • Code being parsed would mistakenly run
  • Lots and lots of stuff eventually gets passed into bash (via system(), for example)
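The voicemail slide and this one make the same point from two sides: anything that reaches system() is parsed by a shell, so untrusted input must never be spliced into that string. As an added example (not code from the talk), here is the pattern that avoids the shell entirely, plus the fallback when a shell string is unavoidable. The lookup tool is a constructed stand-in (a Python one-liner that echoes its argument) so the example runs anywhere; the username allowlist is an assumption for the example.

```python
import re
import shlex
import subprocess
import sys

# Constructed stand-in for a voicemail lookup tool: a Python one-liner that
# echoes its first argument, so this runs anywhere the interpreter does.
LOOKUP_TOOL = [sys.executable, "-c", "import sys; print(sys.argv[1])"]

# Allowlist for the field the tool receives; reject rather than "sanitize".
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def run_lookup(username: str) -> str:
    """Safe pattern: argv list, shell=False. The username reaches the tool as
    one argument and is never parsed by /bin/sh, whatever characters it holds."""
    proc = subprocess.run(LOOKUP_TOOL + [username], capture_output=True,
                          text=True, check=True)
    return proc.stdout.rstrip("\r\n")


def quoted_command(username: str) -> str:
    """If a shell string really is required (a pipeline, for instance), quote
    every untrusted argument with shlex.quote so metacharacters stay literal."""
    return "lookup_voicemail " + shlex.quote(username)


def validated_lookup(username: str) -> str:
    """Belt and braces: check the field against an allowlist first, so values
    that make no sense as usernames are rejected before anything executes."""
    if not USERNAME_RE.match(username):
        raise ValueError("invalid username")
    return run_lookup(username)
```

With the argv form, a value such as "alice; ls" comes back unchanged from the child process: it was one argument, not two commands. The allowlist is independent of the execution method and is the cheaper check to reason about.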

27 of 38

"Heartbleed"

On the topic of vulnerabilities with names, logos, theme songs, and breakfast cereals…

Best practice: Be very, very careful with length values

28 of 38

Speaking of trusting size…

When the WoW beta came out, they didn't want pirate servers (e.g. 'bnetd')

  • After connecting, the server encrypts its own IP address and sends it to the client
  • The client verifies the signature, and only connects if it's valid

    private boolean compareSignatureToIp(byte[] sig, byte[] ip) {
        byte[] result = modPow(key, mod);
        for(int i = 0; i < 4; i++)
            if(result[i] != ip[i])
                return false;
        return true;
    }

29 of 38

WoW signatures

Here's what it should look like:

    private boolean compareSignatureToIp(byte[] sig, byte[] ip) {
        byte[] result = modPow(key, mod);
        for(int i = 0; i < 4; i++)
            if(result[i] != ip[i])
                return false;
+       for(int i = 4; i < 256; i++)
+           if(result[i] != 0xBB)
+               return false;
+
        return true;
    }

Best practice: Be careful with lengths
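To make the two slides above concrete, here is an added example (not the client's code) of the check in Python, operating on the already-decrypted 256-byte block: the shipped version compares four bytes and stops, the corrected version compares the IP and every padding byte in one constant-time comparison. The block size, the 0xBB padding value and the sample inputs follow the slide; the IP address is constructed.

```python
import hmac

BLOCK_LEN = 256       # size of the decrypted block on the slide
PAD_BYTE = 0xBB       # the fixed padding value the slide's patch checks for


def weak_compare(result: bytes, ip: bytes) -> bool:
    """The shipped check: only the first four bytes of the block matter."""
    return len(result) >= 4 and len(ip) == 4 and result[:4] == ip


def strict_compare(result: bytes, ip: bytes) -> bool:
    """Check the whole block: exact length, the IP, then every padding byte.
    Building the expected block and comparing once in constant time also
    avoids leaking which byte was the first mismatch."""
    if len(result) != BLOCK_LEN or len(ip) != 4:
        return False
    expected = ip + bytes([PAD_BYTE]) * (BLOCK_LEN - 4)
    return hmac.compare_digest(result, expected)


# Constructed inputs: what a legitimate server's block decrypts to, and a block
# whose padding is wrong, as any value that is not a real signature would be.
SERVER_IP = bytes([10, 0, 0, 1])
GENUINE_BLOCK = SERVER_IP + bytes([PAD_BYTE]) * (BLOCK_LEN - 4)
BAD_PADDING_BLOCK = SERVER_IP + bytes(range(BLOCK_LEN - 4))
```

The weak check accepts BAD_PADDING_BLOCK because nothing after byte 3 is ever examined; the strict check rejects it, and also rejects a block of the wrong length, which the slide's loop over a fixed 256 bytes assumes rather than verifies.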

30 of 38

Speaking of padding…

MS10-070: Padding Oracle vulnerability in IIS

  • With some clever crypto stuff in hidden fields, you can download and change IIS's web.config file!

Best practices: a) Don't store sensitive data client-side.
b) When you require integrity, sign (+encrypt)
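The "sign your data" advice applies to the cookies on the permit-application slide as much as to the hidden fields here. The following is an added example (not code from the talk or from IIS) of the sign half: state handed to the client carries an HMAC-SHA256 tag that is verified before the payload is parsed. The token format and key handling are assumptions for the example; anything secret would additionally need encryption, which this block does not do.

```python
import hashlib
import hmac
import json
import secrets

# Constructed server-side key; in deployment this comes from a secret store
# and is rotated, never derived from anything the client can see.
SERVER_KEY = secrets.token_bytes(32)


def make_token(data: dict, key: bytes = SERVER_KEY) -> str:
    """Serialize state and append an HMAC-SHA256 tag. The client can read it
    (nothing here is secret) but cannot change it without the key."""
    body = json.dumps(data, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + tag


def read_token(token: str, key: bytes = SERVER_KEY):
    """Return the state dict if the tag verifies, else None. The tag is checked
    before json.loads runs, so unauthenticated bytes never reach the parser."""
    try:
        body_hex, tag = token.split(".", 1)
        body = bytes.fromhex(body_hex)
    except ValueError:
        return None
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body)


def client_side_edit(token: str, old: str, new: str) -> str:
    """Rewrite a field inside the encoded body the way a client could, leaving
    the tag untouched. Used here only to show the verifier rejects the result."""
    body_hex, tag = token.split(".", 1)
    body = bytes.fromhex(body_hex).replace(old.encode(), new.encode())
    return body.hex() + "." + tag
```

Two details carry the weight: the comparison is constant-time, and the order is verify-then-parse. A padding oracle works because decryption (and the error it produces) happens before any integrity check; with the tag checked first, a modified token is rejected with one uniform answer and the decryption step is never reached.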

31 of 38

Speaking of Microsoft bulletins

ms08-068 - SMBRelay

Basically? We make the victim authenticate to itself

Diagram: Victim -> Attacker: Authenticate; Attacker -> Victim: Authenticate (Replay)

32 of 38

Speaking of old stuff

Payphones used to use in-band signalling

  • That means you could re-configure phones by playing the right tones!
  • Steve Wozniak once called up The Pope with fake Caller ID

33 of 38

Speaking of in-band signalling...

Chat messages in Starcraft (and Warcraft 2)

  • Colours, alignment, and newline were all in-line
  • A clever player could send:
    • "Player has left the game"
    • "Nuclear launch detected"
    • etc.

34 of 38

Novell path traversal

Novell had code that looked something vaguely like:

    $file = $request['file'];
    $file = "c:\\program files\\novell\\images\\" + $file;
    send_to_user(read_file($file));

35 of 38

Novell path traversal

After patching, it looked like:

    $file = $request['file'];
    $file = "c:\\program files\\novell\\images\\" + $file;
+   if($file.startsWith("c:\\program files\\novell\\images\\"))
        send_to_user(read_file($file));
+   else
+       throw(error)

The else branch is completely unreachable: the prefix was prepended on the line above, so startsWith() is always true, and a "..\\" inside $file still walks out of the images directory.

Best practice: Canonicalize paths and test patches!
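As an added example (not Novell's code), here is the same check done in the right order: canonicalize the joined path first, then compare it against the canonicalized base. ntpath is used so the Windows-style paths from the slide behave the same on any platform; the base directory is the one on the slide and the test inputs are constructed.

```python
import ntpath

# Base directory from the slide. ntpath (rather than os.path) keeps Windows
# semantics for "..", "/" vs "\\" and case wherever this example is run.
BASE = "c:\\program files\\novell\\images\\"


def patched_but_broken(user_file: str) -> str:
    """Mirrors the slide's patch: the prefix is prepended first, so startswith
    is always true and the else branch never runs. Traversal still works."""
    path = BASE + user_file
    if path.startswith(BASE):
        return path
    raise ValueError("unreachable")


def safe_resolve(user_file: str):
    """Canonicalize first, compare second. Returns the resolved path, or None
    when it escapes BASE via "..", an absolute path, forward slashes or case."""
    base = ntpath.normcase(ntpath.normpath(BASE))
    candidate = ntpath.normcase(ntpath.normpath(ntpath.join(BASE, user_file)))
    # Require the base as a whole path component, not just a string prefix,
    # so "c:\\program files\\novell\\images2\\x" does not slip through.
    if candidate == base or candidate.startswith(base + "\\"):
        return candidate
    return None
```

Canonicalization is what turns the string comparison into a directory comparison; without it, every one of the inputs in the test below passes the slide's startsWith() unchanged. The component-boundary check (base followed by a separator) is the second detail that a plain prefix test misses.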

36 of 38

And finally…

  • Let's talk about one other questionable security decision :)

Best practice: Once again, sign your data!

37 of 38

That's it!

None of these vulnerabilities could have been found with a scanner (tools are nearly useless!)

Many of these can lead to full code execution

A little bit of foresight could have saved them!

Learn about security!

38 of 38

Questions?

Mail: ron@skullsecurity.net

Twitter/Github: @iagox86

IRC: #skullspace on freenode

In person:

SkullSpace 9-5 all next week! Drop by for a tour and say hi :)

This talk:

http://tinyurl.com/rbowes-uofm

http://tinyurl.com/hjeopardy