This is a short summary of some selected talks from the first day of this year’s Hack in the Box conference in Amsterdam.
Abusing Twitter’s API and OAuth Implementation by Nicolas Seriot
Nicolas Seriot (https://twitter.com/nst021) is an iOS Cocoa developer with an interest in privacy and security. He is currently a mobile applications developer and project manager in Switzerland. Nicolas focused his talk on the extraction of consumer tokens that are needed for OAuth to authenticate a consumer to a service provider. These tokens can then be used by rogue applications to gain access to a victims twitter account.
During his talk he extracted the consumer tokens from popular twitter clients under OSX by using classic binary analysis methods. He started off by dumping hardcoded tokens contained in the binary by using “strings”. After that he demonstrated dynamic approaches by using a debugger and finding the consumer tokens in different places of the binary. His approach included dumping the return values of functions, dumping deallocated pointers, dumping the whole process memory and even searching for valid consumer keys on google. Nicolas then presented a tool that can use valid consumer tokens to impersonate any official twitter application using OAuth.
He concluded his talk by pointing out the implications of bringing OAuth from the web to the desktop. Among the biggest problems seems to be the possibility to attack users by impersonating legit consumer applications during the authentication process. It is possible to trick a user into thinking he is authorizing a legit twitter app. Because of the possibility to supply an arbitrary callback URL, the access tokens to authenticate the consumer are redirected to a server under the attacker’s control. These access tokens can then be used to make requests on behalf of the user.
The talk did not include any attacks on the OAuth protocol used by twitter. It rather pointed out the importance to keep consumer tokens private and that usage outside of the web will raise the attack surface when using OAuth.
Orchestrating a Fire Sale: Bringing Dutch Alarm Systems to Their Knees by Wilco Baan Hofman
Wilco Baan Hofman, reverse engineer who is working for Nikhef (http://www.nikhef.nl/), talked about the signaling message security of dutch alarming systems. He mainly focused on SIA-HS (or SIA “highly secure”), a proprietary protocol by Alphatronics which is, according to the product catalog, impossible to decipher. After a short summary of ridiculous assumptions made by Alphatronics and some basic alarm dialer information, Wilco moved directly to the encryption of SIA-HS. It turns out that the “impossible to decipher”-cipher is just a XOR with a 1-Byte key. This key also can’t vary in a wide range because it’s stored in a lookup table within the firmware. Not as much magic as one might expect, as the protocol itself contains a lot of zero-bytes according to some screen shots presented at the talk.
Wilco implemented full SIA-HS and Vebon SecIP functionality of an Alarm Receiving Center (ARC) which can be downloaded from github (https://github.com/bitlair/siahsd). SIA-HS provides nearly no security feature that would be mandatory for a secure protocol. There is no identity- or session-authentication which makes it easy for an attacker to disturb the whole system by e.g. spamming the ARC with false alarms. Because the source IP of the UDP packets is easy to spoof, one could send alarms for every of the ARC’s customers. Wilco also talked about the Vebon SecIP protocol, which uses 1024 bit RSA crypto to exchange a 128 bit AES session key. Even though this sounds pretty nice, this protocol also doesn’t any kind of identity verifications.
Responsible disclosure attempts failed in the first, but then Vebon and Chrion (two providers of dutch alarming systems) started to act and support Wilco. Chrion even offered a properly configured ARC to aid testing, which is really awesome. Alphatronics only reaction was to ask Wilco to take down the publication. Countermeasures to mitigate the risks are very limited, so customers have to just wait for firmware updates and providers should isolate customers on insecure protocols.
Exploiting Hardcore Pool Corruptions in Microsoft Windows Kernel – Nikita Tarakanow
Nikita aka “The Crazy Wild Russian” (https://twitter.com/NTarakanov) started his talk with a recap of the rising importance of local kernel vulnerabilities in the Windows kernel. Due to sandbox implementations in many popular client applications and their low attack surface, kernel exploits are the next logical step to fully compromise a system.
Most vulnerabilities in the Windows kernel are memory corruptions and almost all of them affect the kernel pool, which is analogous to the user-mode heap. Nikita highlighted important research in exploiting pool corruption vulnerabilities, as well as counter measures implemented in recent Windows versions. Most importantly, many of the techniques presented by Tarjei Mandt ((https://twitter.com/kernelpool) in the last years were fixed by Microsoft in Windows 8 and the remaining approaches require a high amount of control about the pool layout, as well as the corruption itself.
In order to allow exploitation of limited pool corruptions (for example overflows with a constant value) Nikita started looking at attack vectors not directly involving pool allocator metadata. His approach, called “Direct Kernel Object Header Manipulation” overwrites the single byte TypeIndex field inside a kernel object header.
The TypeIndex field is used as an array index to find the address of a type initializer procedure which can be triggered using the NtQuerySecurityObject syscall. Interestingly, the used array includes several indexes with a value of 0, as well as an entry with the hardcoded constant 0xbad0b0b0. As Nikita discovered, the referenced index is called during several syscalls including tQuerySecurityObject. This means that by corrupting the TypeEntry field of a kernel object and calling the NtQuerySecurityObject syscall using this object as an argument, the kernel can be manipulated to execute code mapped at 0x00000000 or 0xbad0b0b0.
By default, Windows 7 allows user mode to map code at the NULL address which makes exploitation trivial, but Windows 8 fixed this and MS13-31 (link) backported this feature back to Windows 7 systems. However, if we can write the right “magic” offset into TypeEntry 0xbad0b0b0 is dereferenced, which can be exploited in multiple ways depending whether we are on a x64 or x86 system.
Nikita finished his talk with the recommendation that Microsoft includes cookie values in the object header to make overwrite exploits harder and the prediction that SMAP (http://lwn.net/Articles/517475/) could be used to make the presented technique obsolete on x64 systems.
Overall, the talk was really impressive and the presented technique can allow successful exploitation of limited pool corruption bugs. Unfortunately, no demo exploit was presented which was a bit of a bummer.
Defeating the Intercepting Web Proxy – A Glimpse into the Next Generation of Web Security Tools by Petko D. Petkov
Traditional Web Proxies operate on a standalone basis – they use sockets to intercept messages and are based on additional software that you have to install. Web Securify is integrated straight into the browser without using any intercepting proxies or any other standard tools.
Petkov addressed how many lines of code are needed to develop a browser, are increasing (4 Million LoC) compared to an operating system´s (Linux-Kernel 14 Million LoC). Because of this fact he said, it really makes sense not to put an additional layer of tools between the browser and the operating system.
WebSecurify is all about putting an Attack Proxy like Burp into the browser by extending Browsers functionality (Firefox, Chrome) using the browsers API, so that messages are directly inspected without the need to be buffered by the proxy. Buffering slows down the testing and thus adds the need for pipelining to speed things up.
In his live demo Petkov demonstrated the passive scan of the PayPal website showing some flaws in applications on PayPal’s subdomains. Web Securify is capable of detecting common vulnerabilities by passively testing websites.
It was a good talk showing where WebTesting is heading. Although WebSecurify is still under development, it is already showing his full potential in regard of performance. The always annoying and time wasting loading of burp files is also history. Web Securify can load Burp State Files in no time. Petkov´s goal was to exploit various web technologies using nothing but web browsers and he is definitely heading in the right way. During the Live Demo there was only a Text field to enter the target URL but it was not possible to define a certain scope, which we think could be a problem for scoped tests. But the Suite is still under development and our expectations are that such features will come.
Virtually Secure – a journey from analysis to remote root 0day on an industry leading SSL-VPN Appliance (Firepass F5) by Tal Zeltzer
The goal was to have command execution from remote on a Firepass F5 SSL-VPN Appliance. Therefore an analysis of both virtual and physical appliances was done. From a blackbox point of view the attack surface was not very suggestively: Three opened ports (http, https, ssh) and a mostly http based communication. Mounting the system on another OS revealed some more information: an unencrypted boot partition, the rest of the hdd is encrypted, things like losetup and gpg run on the appliance but with these information we are still unable to mount the encrypted drivers. To be able to decrypt the hdd the losetup command in the bootloader was replaced with a busybox shell so the machine booted with a shell. With the command “/lib/losetup -e …” it was possible to decrypt the rest of the hdd. As the next step a backdoor was compiled and added to the init.d.
Then, from a whitebox point of view the attack surface changed a lot: A lot of outdated software was identified: A very old linux distribution (slackware release from 2000), apache and openssl versions from 2004 and many more… As there are known vulnerabilities in that old software it is still hard to write memory corruption exploits without a testbox so some more information had to be found out: There are some unknown apache modules running, the ssh on the system was modified and it was possible to download some of the php scripts, which looked like binary because they are encrypted with “Ioncube php”. Ioncube pre-compiles and encrypts the php code. In old versions this can be circumvented by xDebug/VLD but as it is very hard to compile this approach was dropped.
Next approach: have a look at the mysql log and the unknown apache modules. By watching the modules “virtual directory” was found and by playing with the parameters an sql injection was identified. By using “aaa%20aaa” as an injection payload it turned out that there is a format string vulnerability because url parameters don’t get url-decoded on serverside and a proof of concept could be done by injecting %08x–%08x–%08x to get some memory offsets. Because there was already one logical flaw found (SQLi) no further information gathering on this format string vuln was done. Instead the SQLi was used to paste some php shell code in a file to be able to execute commands. This was done by circumventing the “no-white-spaces-can-be-used” problem with the old comment trick (example payload: hello’/**/union/**/select…). As there was an old mysql version (3.23) no unions were supported, so the writing into a file had to be done by the “FIELDS SEPERATED BY” query that allows to write arbitrary data into a file. The final query looked like this:
“hello‘/**/or/**/(‘1’=‘1’)/**/into/**/outfile/**/’/tmp/test’/**/fields/**/seperated/**/by/**/0x603c3f706870…3f3e/**/–%20d”. With this the shell was created and was used in combination with “sudo” to execute commands as root.