security bugs in protocols are really bad
play

Security Bugs in Protocols are Really Bad! Marsh Ray PhoneFactor - PowerPoint PPT Presentation

Feb 13, 2024 •123 likes •631 views

Security Bugs in Protocols are Really Bad! Marsh Ray PhoneFactor Protocol Bugs Objectives Discuss the complexities in mitigating security bugs occurring in network protocols. Describe some current issues. Leave time for Q&A.

  1. Security Bugs in Protocols are Really Bad! Marsh Ray PhoneFactor

  2. Protocol Bugs Objectives  Discuss the complexities in mitigating security bugs occurring in network protocols.  Describe some current issues.  Leave time for Q&A.

  3. Protocol Bugs Outline:  Case Study: NTLM Credentials Forwarding  Case Study: TLS Authentication Gap  Conclusions

  4. Case Study: NTLM Credentials Forwarding

  5. NTLM Credentials Forwarding Problem: Protocols using the NTLM and MS-CHAP (both v1 and v2) authentication schemes are subject to trivial credentials forwarding attacks.  This is a separate issue from the various password-recovery attacks.

  6. NTLM Credentials Forwarding  This scheme is a natural expression of how Windows stores (non-Kerberos) credentials. It's used by a lot of stuff ...

  7. NTLM Credentials Forwarding  VPNs L2TP PPTP-MPPE

  8. NTLM Credentials Forwarding  email POP3 SMTP IMAP

  9. NTLM Credentials Forwarding  Remote desktop and telephony RDP SIP

  10. NTLM Credentials Forwarding  Web HTTP HTTPS

  11. NTLM Credentials Forwarding  Directory and single sign-on LDAP RADIUS

  12. NTLM Credentials Forwarding  Windows file sharing and RPC SMB CIFS MS-RPC MS-RPC/HTTP

  13. NTLM Credentials Forwarding  Other MS SQL MS Media Player and last but not least...

  14. NTLM Credentials Forwarding  Classics FTP Telnet

  15. NTLM Credentials Forwarding Normal Usage client server Type 1 negotiate Type 2 challenge target info T y p e 3 NTLMv2 response client challenge* authenticator response* * CHAP-only

  16. NTLM Credentials Forwarding The Attack! client Mallory server Type 1 negotiate Type 2 challenge target info T y p e 3 NTLMv2 response TCP RST application data application data

  17. NTLM Credentials Forwarding  How bad is it?  Alice connects to insecure WiFi with Windows  Mallory gets into corporate VPN IT'S THAT BAD* * Plausibly

  18. NTLM Credentials Forwarding  It's a cross-protocol attack:

  19. NTLM Credentials Forwarding  So who knew? It's been a mainstay of penteseters for a long time... ...it always surpises people who take my Tactical Exploitation class and do the NTLM relay labs. - HD Moore

  20. NTLM Credentials Forwarding  So who knew? Microsoft, other vendors, and hackers have known about it forever .

  21. NTLM Credentials Forwarding 1996  Dominique Brezinski "A Weakness in CIFS Authentication"

  22. NTLM Credentials Forwarding 1997  Dominique Brezinski BlackHat "Security posture assessment of Windows NT networks"

  23. NTLM Credentials Forwarding 1999  Schneier, Mudge, Wagner Cryptanalysis of Microsoft's PPTP Authentication Extensions (MSCHAPv2) But discussion of credentials forwarding or MitM is conspicuously absent  CVE-1999-1087 MS98-016 IE interprets a 32-bit number as an Intranet zone IP address

  24. NTLM Credentials Forwarding 2000  DilDog - @stake Telnet NTLM Replay  CVE-2000-0834 MS00-067 Patch for "Windows 2000 Telnet Client NTLM Authentication" Vulnerability

  25. NTLM Credentials Forwarding 2001  Sir Dystic - Cult of the Dead Cow @lantacon SMBRelay  CVE-2001-0003 MS01-001 Patch for MS Office "Web Extender Client" to follow IE settings for NTLM

  26. NTLM Credentials Forwarding 2004  Jesse Burns - iSEC NTLM Authentication Unsafe HTTP to SMB attack demo

  27. NTLM Credentials Forwarding 2007  Grutzmacher Squirtle

  28. NTLM Credentials Forwarding  Squirtle  Water-type Pokémon  Ability: Torrent  If < 33% HP remaining, power increased by 1.5x  Domesticated  well-behaved  loyal  Evolves into Wartortle

  29. NTLM Credentials Forwarding

  30. NTLM Credentials Forwarding 2007  HTTP to SMB added to Metasploit  HD Moore, valsmith BlackHat Tactical Exploitation

  31. NTLM Credentials Forwarding 2008  Eric Rachner Exploits HTTP-HTTP

  32. NTLM Credentials Forwarding 2008  CVE-2008-3009 MS08-076 Windows Media do not use the SPN for validating replies  CVE-2008-3010 MS08-076 Windows Media associates ISATAP addresses with Intranet zone  CVE-2008-4037 MS08-068 SMB credential reflection protection

  33. NTLM Credentials Forwarding 2009  CVE-2009-0550 MS09-013 WinHTTP doesn't correctly opt-in to the NTLM reflection protection  CVE-2009-0550 MS09-014 WinINet doesn't correctly opt-in to the NTLM reflection protection  CVE-2009-1930 MS09-042 Telnet protocol doesn't correctly opt-in to the NTLM reflection protection

  34. NTLM Credentials Forwarding 2010  Hernan Ocha, Augustin Azubel BlackHat Windows' SMB PRNG is defective  CVE-2010-0231

  35. NTLM Credentials Forwarding  CVE-2005-0147 Firefox responds to proxy auth requests from arbitrary servers  CVE-2009-3983 Firefox allows remote attackers to replay NTLM credentials of the user  CVE-2010-1413 Webkit sends NTLM in unspecified circumstances.

  36. NTLM Credentials Forwarding  Presentations, Publications, and CVEs

  37. NTLM Credentials Forwarding  Most attack space remains to be explored:

  38. NTLM Credentials Forwarding  Some mitigations have been released:

  39. NTLM Credentials Forwarding  MS Extended Protection for Authentication

  40. NTLM Credentials Forwarding  MS Extended Protection for Authentication  [These updates] allow web clients using the Windows HTTP Services, IIS web servers and applications based on http.sys to use this feature.  Deployment of EAP must happen on both the client and server for any given application. If only one side supports the feature, the connection will not benefit from the additional protection offered. - blogs.technet.com

  41. NTLM Credentials Forwarding  Mitigations  No fix can be completely effective without breaking backwards compatibility  Patching one protocol at a time to retrofit opt-in security is not a winning strategy  If back-compat must be broken, do it once and end up with a comprehensive fix!  E.g., NTLMv1 -> NTLMv2 !

  42. NTLM Credentials Forwarding Conclusion  The best choice would have been to begin transitioning to NTLMv3 back in 1997.

  43. Case Study: TLS Authentication Gap

  44. Conclusions

  45. Protocol Bugs Common features  Take a long time to be identified often only after a large installed base exists

  46. Protocol Bugs Common features  Difficult to assess  Minor weaknesses at different layers combine to form serious vulnerabilities  Initially unclear how to assess severity  Not always a simple test to determine a system's susceptibility  Attention-getting attacks (e.g. password cracking) may distract from the core vulnerability

  47. Protocol Bugs Common features  Seem to be subtle  Overlooked by multiple reviewers  Research not always accepted immediately  Successful exploit may seem to require "Mission Impossible"-type planning But this silently changes over time!

  48. Protocol Bugs Common features Difficult to mitigate  The need to maintain backwards compatibility usually prevents an effective fix. People wouldn't apply such a patch A complete fix can mean patching every client and every server in the world. Sometimes requires a complex multistage roll-out: Phase 1 - a year or more Phase 2 - a decade

  49. Protocol Bugs Common features  Built into embedded devices Firmware, even hardware  Difficult to detect  Flaw may be hidden by encryption  A successful exploit may be indistinguishable from a valid transaction or simple packet loss.

  50. Protocol Bugs  Contact: marsh@extendedsubset.com marsh@phonefactor.com @marshray Twitter marsh on silc.hick.org

Recommend

Security Protocols Q: Why security protocols? Bob Alice A: To allow reliable communication over

Security Protocols Q: Why security protocols? Bob Alice A: To allow reliable communication over

Security Protocols Q: Why security protocols? Bob Alice A: To allow reliable communication over an untrusted channel (eg. Internet) 2 Security Protocols are out there Authentication Confidentiality Example: HTTPS (HTTP + TLS)

669 views • 42 slides
Security Protocols Security protocols are the intellectual core of security engineering

Security Protocols Security protocols are the intellectual core of security engineering

Security Protocols Security protocols are the intellectual core of security engineering They are where cryptography and system mechanisms meet They allow trust to be taken from where it exists to where it s needed But they are

941 views • 67 slides
Analysis of Security Protocols Gavin Lowe Analysis of Security Protocols 02 Overview Brief

Analysis of Security Protocols Gavin Lowe Analysis of Security Protocols 02 Overview Brief

Analysis of Security Protocols 01 Analysis of Security Protocols Gavin Lowe Analysis of Security Protocols 02 Overview Brief introduction to security protocols; Model checking of security protocols, particularly using the process

1.28k views • 110 slides
Defect Detection Thomas Zimmermann The First Bug September 9, 1947 More Bugs More Bugs More

Defect Detection Thomas Zimmermann The First Bug September 9, 1947 More Bugs More Bugs More

Defect Detection Thomas Zimmermann The First Bug September 9, 1947 More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs Facts on Debugging Software bugs are

840 views • 63 slides
Exploiting symmetries when proving equivalence properties for security protocols Vincent Cheval,

Exploiting symmetries when proving equivalence properties for security protocols Vincent Cheval,

Exploiting symmetries when proving equivalence properties for security protocols Vincent Cheval, Steve Kremer, Itsaka Rakotonirina Inria Nancy Grand-Est Security protocols TLS Wifi @ PASS E-voting E-passport 2 24 Security protocols

830 views • 69 slides
Verifying Security Protocols and their Implementations Information Security and Cryptography

Verifying Security Protocols and their Implementations Information Security and Cryptography

Verifying Security Protocols and their Implementations Information Security and Cryptography Reading Group Presenter: C t lin Hri cu References Verified Interoperable Implementations of Security Protocols. Karthikeyan Bhargavan,

922 views • 70 slides
Security protocols, crypto etc Computer Science Tripos part 2 Steven J. Murdoch Slides

Security protocols, crypto etc Computer Science Tripos part 2 Steven J. Murdoch Slides

Security protocols, crypto etc Computer Science Tripos part 2 Steven J. Murdoch Slides originally by Ross Anderson Security Protocols Security protocols are the intellectual core of security engineering They are where cryptography

1.47k views • 118 slides
Outline Bugs! 1 Avoiding and Finding bugs 2 Bugs still happen 3 Why do bugs still happen ?!

Outline Bugs! 1 Avoiding and Finding bugs 2 Bugs still happen 3 Why do bugs still happen ?!

Failure is not an option * A journey through software bugs Philippe Biondi Nov 20 th 2015 / GreHack Failure is not an option * Outline Bugs! 1 Avoiding and Finding bugs 2 Bugs still happen 3 Why do bugs still happen ?! 4 Living with bugs

966 views • 63 slides
Outline Security Protocols Societal issues and cryptography CS 239 Key recovery

Outline Security Protocols Societal issues and cryptography CS 239 Key recovery

Outline Security Protocols Societal issues and cryptography CS 239 Key recovery cryptosystems Computer Security Designing secure protocols February 10, 2003 Basic protocols Key exchange Lecture 8 Lecture 8 Page 1 Page

148 views • 10 slides
Outline Preliminaries: Internet protocols, PKI, X.509, Encoding Internet Security

Outline Preliminaries: Internet protocols, PKI, X.509, Encoding Internet Security

Outline Preliminaries: Internet protocols, PKI, X.509, Encoding Internet Security Protocols Application layer security (email) PGP, S/MIME Transport layer security Bart Preneel SSL / TLS June 2003 Network layer

571 views • 19 slides
Finding Bugs Last time Run-time reordering transformations Today Program Analysis for

Finding Bugs Last time Run-time reordering transformations Today Program Analysis for

Finding Bugs Last time Run-time reordering transformations Today Program Analysis for finding bugs, especially security bugs problem specification motivation approaches remaining issues CS553 Lecture Finding Bugs 2

461 views • 8 slides
Whitebox Fuzzing David Molnar Microsoft Research Problem: Security Bugs in File Parsers Hundreds

Whitebox Fuzzing David Molnar Microsoft Research Problem: Security Bugs in File Parsers Hundreds

Whitebox Fuzzing David Molnar Microsoft Research Problem: Security Bugs in File Parsers Hundreds of file formats are supported in Windows, Office, et al. Many written in C/C++ Programming errors security bugs! Random choice of x: one

493 views • 35 slides
Human Errors in Security Protocols David Basin joint work with Sa a Radomirovi and Lara

Human Errors in Security Protocols David Basin joint work with Sa a Radomirovi and Lara

Human Errors in Security Protocols David Basin joint work with Sa a Radomirovi and Lara Schmid Institute of Information Security Recap Security Protocols We have defined the Dolev-Yao adversary communicating agents that follow a

618 views • 51 slides
Security in in Security 802.11 Data Link Link Protocols Protocols 802.11 Data Gianluca Dini

Security in in Security 802.11 Data Link Link Protocols Protocols 802.11 Data Gianluca Dini

Security in in Security 802.11 Data Link Link Protocols Protocols 802.11 Data Gianluca Dini Gianluca Dini Dept. of Ingegneria dellInformazione University of Pisa, Italy Via Diotisalvi 2, 56100 Pisa gianluca.dini@ing.unipi.it If you

467 views • 35 slides
Preventing Security Bugs Through Software Design Christoph Kern, Google xtof@google.com The

Preventing Security Bugs Through Software Design Christoph Kern, Google xtof@google.com The

Preventing Security Bugs Through Software Design Christoph Kern, Google xtof@google.com The Same Bugs, Over and Over Again... SQL-injection, XSS, XSRF, etc -- OWASP Top 10 Root cause Inherently bug-prone APIs Developers are

313 views • 28 slides
Security Analysis of Network Protocols John Mitchell Stanford University Usenix Security

Security Analysis of Network Protocols John Mitchell Stanford University Usenix Security

Security Analysis of Network Protocols John Mitchell Stanford University Usenix Security Symposium, 2008 Many Protocols Authentication and key exchange SSL/TLS, Kerberos, IKE, JFK, IKEv2, Wireless and mobile computing Mobile IP, WEP,

959 views • 71 slides
Design, Privilege Separation CS 161: Computer Security Prof. David Wagner January 27, 2016

Design, Privilege Separation CS 161: Computer Security Prof. David Wagner January 27, 2016

Software Security: Design, Privilege Separation CS 161: Computer Security Prof. David Wagner January 27, 2016 Robustness Security bugs are a fact of life How can we use access control to improve the security of software, so security bugs

695 views • 32 slides
Proving Properties of Security Protocols by Induction Lawrence C. Paulson Computer Laboratory

Proving Properties of Security Protocols by Induction Lawrence C. Paulson Computer Laboratory

Proving Security Protocols 1 L. C. Paulson Proving Properties of Security Protocols by Induction Lawrence C. Paulson Computer Laboratory University of Cambridge Proving Security Protocols 2 L. C. Paulson Cryptographic Protocol Analysis

389 views • 24 slides
Protocols II Computer Security Lecture 12 David Aspinall School of Informatics University of

Protocols II Computer Security Lecture 12 David Aspinall School of Informatics University of

Protocols II Computer Security Lecture 12 David Aspinall School of Informatics University of Edinburgh 17th February 2011 Outline Introduction Shared-key Authentication Asymmetric authentication protocols Key exchange protocols Combined

989 views • 73 slides
Real-World Protocols Prof. Tom Austin San Jos State University Real-World Protocols Next,

Real-World Protocols Prof. Tom Austin San Jos State University Real-World Protocols Next,

CS 166: Information Security Real-World Protocols Prof. Tom Austin San Jos State University Real-World Protocols Next, we look at real protocols SSH a simple &amp; useful security protocol SSL practical security on the Web

1.27k views • 112 slides
Race Conditions A common cause of security bugs Usually involve multiprogramming or

Race Conditions A common cause of security bugs Usually involve multiprogramming or

Race Conditions A common cause of security bugs Usually involve multiprogramming or multithreaded programs Caused by different threads of control operating in unpredictable fashion When programmer thought theyd work in a

649 views • 21 slides
Mathy Vanhoef Public PhD Defense A Security Analysis of the WPA- TKIP and TLS Security Protocols

Mathy Vanhoef Public PhD Defense A Security Analysis of the WPA- TKIP and TLS Security Protocols

Mathy Vanhoef Public PhD Defense A Security Analysis of the WPA- TKIP and TLS Security Protocols Data handled by computers: Banking details Emails Messaging Adult websites Private files Mobile devices 2 Goal of dissertation Is the

758 views • 51 slides
Modeling and verification of security protocols Part I: Basics of cryptography and introduction to

Modeling and verification of security protocols Part I: Basics of cryptography and introduction to

Modeling and verification of security protocols Part I: Basics of cryptography and introduction to security protocols Dresden University of Technology Martin Pitt martin@piware.de Paper and slides available at http://www.piware.de/docs.shtml

549 views • 33 slides
Verification of Security Protocols eronique Cortier 1 V July 2nd, 2010 Movep 2010 1 LORIA,

Verification of Security Protocols eronique Cortier 1 V July 2nd, 2010 Movep 2010 1 LORIA,

Introduction on security protocols Formal models Going further Towards more guarantees Verification of Security Protocols eronique Cortier 1 V July 2nd, 2010 Movep 2010 1 LORIA, CNRS - INRIA Cassis project, Nancy Universities 1/102 V

2.12k views • 160 slides

More recommend