
Time-efficient assessment of open-source projects for Red Teamers - PowerPoint PPT Presentation



  1. Time-efficient assessment of open-source projects for Red Teamers
     Pass the Salt 2019
     Thomas Chauchefoin (@swapgs), Julien Szlamowicz (@SzLam_)

  2. Agenda
     - Introduction
     - Methodology
     - Findings
     - Disclosure
     - Conclusion
     2 / 57

  3. Introduction

  4. $(id)
     - Synacktiv is a French company focusing on offensive security: manual assessment, source code review, reverse engineering...
     - Three teams
       - Pentest
       - Reverse engineering
       - Development
     [map: offices in Paris, Rennes, Lyon and Toulouse]
     - We are remote-friendly
     - Reach us at apply@synacktiv.com or at the social event

  5. WE NEED A SYSADMIN

  6. Context
     - Red team assessment: only a fashionable term for "real-world" pentest?
     - Big scopes!
       - Limited effort per exposed asset
       - We need to reach the internal network as fast as we can
       - Facing the Blue Team
     - OSS is not less secure than proprietary software, but:
       - Easier to get and deploy in a lab
       - Quicker to assess than an obfuscated / closed product

  7. Case study
     - This talk aims at presenting our (sort of) methodology and findings in GLPI
       - Hopefully didactic enough to be interesting to people not working in infosec
     - Discovered issues were patched several months ago
       - Make sure you're at least on 9.4.1.1
       - Don't expose it publicly
     - Identified the first day of a 2-week Red Team engagement
       - Gave us a good insight into the target's internal network

  8. GLPI?
     "GLPI ITSM is a software for business powered by open-source technologies. Take control over your IT infrastructure: assets inventory, tickets, MDM" (glpi-project.org)
     - Mostly supported by Teclib', editor of Armadito and Uhuru, under GPLv2
     - Plugins help adding various features
       - Inventory
       - MDM
       - Software deployment
       - Configuration

  9. GLPI
     - Telemetry shows it's commonly used in France and Brazil
       - 28K pingbacks last year
       - 9K from French IP addresses
     - You can add yourself on the website to show you like the project
       - C.N.A.M.T.S, 130K computers and 90K users (2007)
       - Police Nationale, 100K computers (2012)
       - Various government departments
     - Seems like an interesting target in our context: let's break it :-)

  10. Considerations
     - During regular pentests, you can be loud and intrusive
       - Exhaustive rather than opportunistic
     - During Red Team engagements, the goals change
       - Get a foot in the door ASAP
       - Remain undetected
       - Deep compromise
       - A single entry point is enough
       - Time constraint

  11. Methodology

  12. Considerations
     - What is a good Red Team vulnerability?
       - Forget everything about client-side attacks in the first place (except for phishing campaigns)
       - No destructive actions
       - Low forensic/detection footprint
       - No feature breaking or raised exceptions (Sentry is quite popular nowadays)
       - Reproducible in our lab first

  13. Replicating the environment
     - When assessing OSS, you are never really in blackbox
     - Try to replicate an accurate environment
       - HTTP server
       - CGI's version
       - Product version
     - It will be very helpful to
       - Avoid early detection
       - Abuse specific configurations, vulnerabilities or behaviour
     - Any information leak is valuable

  14. Assessing the attack surface
     - We are only interested in unauthenticated code paths
     - PHP applications not using frameworks will often have several scripts directly reachable
       - Prevented by
         - Ensuring a given constant is defined
         - User has a session with a given value, etc.
       - In real life, these checks are always forgotten at least once

  15. Assessing the attack surface

  16. Assessing the attack surface
     - In practice, we tend to use a hybrid approach when reading source code
       - Find vulnerabilities quickly
       - No need to be exhaustive
     - The lab allows performing dynamic analysis and using our blackbox skillset

  17. Assessing the attack surface
     - Our colleague @Tiyeuse developed a tool to find reachable files "doing things"
       - Not only declaring classes and functions
       - Not exiting after checking for a constant declared in another file
       - Possibility to add custom patterns to exclude authentication checks
     - GLPI had several pre-authenticated vulnerabilities in such files
     - Less code to read
       - Fewer things to understand
       - Happier auditor :-)

  18. Other tools and tricks
     - We don't have semantic tooling
       - PHP-Parser can still help create a "smart grep"
       - RIPS scanner is awesome
         - But a bit expensive for everyday use
     - Dumping every DB query to a log file
       - Harder to miss SQL errors (injections)
       - Easier to debug PoCs
     - Instrument low-level PHP functions to search for specific behaviours
       - Unbalanced quotes?
     - Profilers: fracker, xhprof
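An added example, not code from the talk or from GLPI, of the query-logging trick above: a wrapper that records every statement with its call site and logs SQL errors instead of letting them disappear, so a stray quote in fuzzed input shows up in the log as an error rather than as a silently failed page. The LoggedDb class name, the in-memory SQLite database and the queries are constructed for the demo; in a lab the same wrapper would front the application's MySQL handle (PHP 7.4 or later assumed).

```php
<?php
declare(strict_types=1);
// Added example (not the talk's or GLPI's code): log every DB query and every SQL
// error to a file while poking at a lab instance.

final class LoggedDb
{
    private PDO $pdo;
    private string $logFile;

    public function __construct(PDO $pdo, string $logFile)
    {
        $this->pdo = $pdo;
        $this->logFile = $logFile;
        // Make syntax errors (e.g. from unbalanced quotes) throw instead of failing silently.
        $this->pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    }

    // Run a raw SQL statement the way legacy code does, logging it and its call site first.
    public function query(string $sql): ?PDOStatement
    {
        $frame = debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS, 1)[0] ?? [];
        $where = ($frame['file'] ?? '?') . ':' . ($frame['line'] ?? '?');
        $this->log("QUERY  {$where}  " . preg_replace('/\s+/', ' ', $sql));
        try {
            $stmt = $this->pdo->query($sql);
            return $stmt === false ? null : $stmt;
        } catch (PDOException $e) {
            // An error here during a fuzzing pass is exactly the signal the auditor wants.
            $this->log("ERROR  {$where}  " . $e->getMessage());
            return null;
        }
    }

    private function log(string $line): void
    {
        file_put_contents($this->logFile, date('c') . ' ' . $line . "\n", FILE_APPEND);
    }

    // Count logged lines of one kind ("QUERY" or "ERROR"); the timestamp comes first.
    public static function countLines(string $logFile, string $kind): int
    {
        $n = 0;
        foreach (file($logFile, FILE_IGNORE_NEW_LINES) ?: [] as $line) {
            if (preg_match('/^\S+ ' . $kind . ' /', $line) === 1) {
                $n++;
            }
        }
        return $n;
    }
}

// Demo on an in-memory SQLite database with constructed data.
$logFile = sys_get_temp_dir() . '/glpi-lab-queries.log';
@unlink($logFile);
$db = new LoggedDb(new PDO('sqlite::memory:'), $logFile);
$db->query("CREATE TABLE glpi_crontasks (id INTEGER PRIMARY KEY, name TEXT)");
$db->query("INSERT INTO glpi_crontasks (name) VALUES ('constructed-task')");

// A stray quote in untrusted input reaching a string-built query, as a fuzzing
// pass would produce it: the resulting syntax error is logged rather than lost.
$input = "tas'k";
$db->query("SELECT id FROM glpi_crontasks WHERE name = '{$input}'");

echo file_get_contents($logFile);
printf("queries=%d errors=%d\n",
    LoggedDb::countLines($logFile, 'QUERY'),   // 3
    LoggedDb::countLines($logFile, 'ERROR'));  // 1
```

Composition rather than subclassing PDO keeps the wrapper independent of PDO's method signatures, and routing the application's database class through it is a one-line change in a lab; the call-site column is what turns an error line into a file to open in the source tree.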

  19. Assessing the attack surface
     - Create a wrapper around $_GET and $_POST:
       - No need to browse all the includes to find accepted parameters

  20. Approach
     - After isolating access control functions, a quick run of debroussailleuse gave us the list of reachable files
     - Still ~400 files left (excluding vendors/)
     - In theory, files in /scripts/ are protected by a .htaccess
       - Our target uses nginx
       - It's in the official documentation
       - AllowOverride is set to None since Apache 2.3.9
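As an added illustration of the "reachable files doing things" idea from slides 14, 17 and 20 (this is not Synacktiv's debroussailleuse tool; the guard regexes, the three sample files and the function names are assumptions made for the demo), the following PHP script uses the built-in tokenizer to keep only scripts that execute statements at top level and match none of the configured access-control idioms:

```php
<?php
declare(strict_types=1);
// Added example, not the talk's tool: list PHP files that (a) run code at the top
// level when requested directly and (b) carry none of the known access checks.
// Replace GUARD_PATTERNS with the project's own idioms once they are isolated.

// Access-control idioms (assumed, GLPI-like) that make a file safe to skip.
const GUARD_PATTERNS = [
    '/Session::checkLoginUser\s*\(/',               // needs an authenticated session
    '/Session::checkRight\s*\(/',                   // needs a specific right
    '/\bdefined\s*\(\s*[\'"]GLPI_ROOT[\'"]\s*\)/',   // "only include me" constant check
];

function hasAccessCheck(string $code): bool
{
    foreach (GUARD_PATTERNS as $re) {
        if (preg_match($re, $code) === 1) {
            return true;
        }
    }
    return false;
}

// True when the file executes something at brace depth 0 other than
// namespace/use/declare/include lines and class/function/interface/trait
// declarations. Braced "namespace X { }" blocks are not handled.
function doesThings(string $code): bool
{
    $benign    = [T_OPEN_TAG, T_CLOSE_TAG, T_WHITESPACE, T_COMMENT, T_DOC_COMMENT];
    $declStart = [T_CLASS, T_INTERFACE, T_TRAIT, T_FUNCTION, T_ABSTRACT, T_FINAL];
    $lineStmt  = [T_NAMESPACE, T_USE, T_DECLARE, T_REQUIRE, T_REQUIRE_ONCE, T_INCLUDE, T_INCLUDE_ONCE];

    $depth  = 0;      // brace nesting
    $inDecl = false;  // inside a declaration header or body
    $inLine = false;  // inside a benign statement, until its ';'

    foreach (token_get_all($code) as $tok) {
        [$id, $text] = is_array($tok) ? [$tok[0], $tok[1]] : [null, $tok];

        if ($text === '{' || $id === T_CURLY_OPEN || $id === T_DOLLAR_OPEN_CURLY_BRACES) {
            $depth++;
            continue;
        }
        if ($text === '}') {
            $depth--;
            if ($depth === 0) {
                $inDecl = false;        // declaration body closed
            }
            continue;
        }
        if ($depth > 0 || $inDecl) {
            continue;                   // bodies and declaration headers are not top-level work
        }
        if ($inLine) {
            $inLine = ($text !== ';');
            continue;
        }
        if ($id !== null && in_array($id, $benign, true)) {
            continue;
        }
        if ($id === T_INLINE_HTML && trim($text) === '') {
            continue;
        }
        if ($id !== null && in_array($id, $declStart, true)) {
            $inDecl = true;
            continue;
        }
        if ($id !== null && in_array($id, $lineStmt, true)) {
            $inLine = true;
            continue;
        }
        return true;                    // anything else at depth 0 runs when the URL is hit
    }
    return false;
}

// Walk a checkout (vendor/ excluded) and return the reachable, unguarded files.
function findReachable(string $root): array
{
    $hits = [];
    $it = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $file) {
        $path = $file->getPathname();
        if (substr($path, -4) !== '.php'
            || strpos($path, DIRECTORY_SEPARATOR . 'vendor' . DIRECTORY_SEPARATOR) !== false) {
            continue;
        }
        $code = (string) file_get_contents($path);
        if (doesThings($code) && !hasAccessCheck($code)) {
            $hits[] = $path;
        }
    }
    sort($hits);
    return $hits;
}

// Constructed sample files standing in for a checkout, so the script runs offline.
$samples = [
    'inc/user.class.php'    => "<?php\nclass User {\n    public function name() { return 'x'; }\n}\n",
    'front/user.form.php'   => "<?php\ninclude('../inc/includes.php');\nSession::checkLoginUser();\n\$user = new User();\n",
    'scripts/cron_task.php' => "<?php\ninclude('../inc/includes.php');\n\$task = \$_GET['id'];\n",
];
foreach ($samples as $name => $code) {
    $reachable = doesThings($code) && !hasAccessCheck($code);
    printf("%-24s %s\n", $name, $reachable ? 'REACHABLE, no access check' : 'skip');
}
// Usage on a real tree: php finder.php /path/to/checkout
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    foreach (findReachable($argv[1]) as $path) {
        echo $path, "\n";
    }
}
```

Only the third sample is reported: the class file declares and does nothing, the form script does things but carries a session check, and the cron-style script does things with no check at all. Include statements are treated as benign on purpose, since most files pull in a common includes file whether or not they are guarded; whether that file itself enforces anything is what the guard patterns have to capture.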

  21. Findings

  22. Information leak
     - Accessing ajax/telemetry.php discloses
       - GLPI version
       - GLPI modules
       - PHP version
       - PHP modules
       - Operating system
       - HTTP server
     - Enough to start creating a lab

  23. DEMO

  24. SQL injection in compute_dictionnary.php?
     - Digging in scripts/ yields interesting results
     - scripts/compute_dictionnary.php

  25. SQL injection in compute_dictionnary.php?

  26. SQL injection in compute_dictionnary.php?
     - But it doesn't work! :-S

  27. SQL injection in compute_dictionnary.php?
     - The reason lies in inc/includes.php

  28. SQL injection in compute_dictionnary.php?
     - Toolbox::sanitize() is implemented this way
       - addslashes_deep()
         - Recursive mysql_real_escape_string()
       - clean_cross_side_scripting_deep()
         - Replaces < > by their HTML entities
     - sanitize() will fail in several cases (it's regex time)

  29. SQL injection in unlock_tasks.php
     - A hit was found in scripts/unlock_tasks.php
     - CVE-2019-10232

  30. DEMO

  31. SQL injection in unlock_tasks.php
     - However...
       - The injection doesn't allow creating users
       - Passwords are hashed with bcrypt
         - PHP_PASSWORD_BRCRYPT_COST = 10
         - Our 8 1080 Ti GPUs will hardly be enough
     - Need to find another way to get in: let's inspect the table glpi_users
       - name
       - password
       - last_login
       - password_forget_token
       - personal_token
       - api_token

  32. SQL injection in unlock_tasks.php
     - The Remember me feature is enabled by default and uses the personal_token value
       ["2","$2y$10f10tNcc[...]wmVSUIi"]  i.e. [user_id, hash(personal_token)]
     - Several hash algorithms supported
     - Leaking a token is enough to log in
     - We could also use the API key or reset users' passwords
     - Any data allowing to authenticate is a secret; it should be stored in the database the same way

  33. DEMO

  34. Abusing the Remember me feature
     - While looking at the Remember Me feature, its implementation seemed weird
     - Thanks to json_decode(), we can play with the types of
       - $cookie_id
       - $cookie_token

  35. Abusing the Remember me feature

  36. Abusing the Remember me feature
     - Then, our values are used this way
     - $user->getAuthToken() creates a new personal_token if it doesn't exist

  37. Abusing the Remember me feature
     - The personal_token is then compared with the hash provided in the cookie

  38. Abusing the Remember me feature
     - The personal_token is then compared with the hash provided in the cookie

  39. Abusing the Remember me feature
     - The hashed value to compare is controlled by the attacker (CVE-2019-10233)

  40. Abusing the Remember me feature
     - If the provided hash doesn't match any well-known algorithm, we need to talk about PHP comparisons

  41. Abusing the Remember me feature
     - Quick reminder about PHP loose comparisons...

  42. Abusing the Remember me feature
     - Thus we can make the code compare
     - We are likely able to find an int producing a suitable SHA-1 output within a few tries

  43. Abusing the Remember me feature
     - @bitcoinctf brought to our attention that it is also possible to do this...
     - No more need to iterate over a few integers, a single request is enough
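An added example, not GLPI's code, showing the pattern slides 34 to 43 describe: the weak form compares values taken straight out of json_decode() with ==, so a juggled type or a numeric-looking "0e" string satisfies the check; the hardened form type-checks the cookie, keeps only a password_hash() of the token in the database (as slide 32 recommends) and verifies in constant time. The function names, the SHA-1 fallback and the sample token are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);
// Added example (not GLPI's code): a weak Remember-me check beside a hardened one.

// Weak form: the cookie carries hash(personal_token) and the server recomputes a
// hash to compare against it. No type enforcement on the decoded JSON.
function weakRememberMe(string $cookie, string $personalToken): bool
{
    [$cookieId, $cookieHash] = json_decode($cookie, true);
    // The real code picked the algorithm from the cookie's format; anything it did
    // not recognise ended in a plain == comparison, modelled here with SHA-1 (assumed).
    return sha1($personalToken) == $cookieHash;
}

// Hardened form: the cookie carries the raw token, the database keeps only a
// password_hash() of it, and every value is type-checked before a constant-time
// verification. Returns the user id on success, null otherwise.
function safeRememberMe(string $cookie, string $storedTokenHash): ?int
{
    $data = json_decode($cookie, true);
    if (!is_array($data) || count($data) !== 2) {
        return null;
    }
    [$id, $token] = $data;
    if (!is_int($id) || $id <= 0 || !is_string($token) || $token === '') {
        return null;                     // rejects juggled types: true, 0, null, arrays
    }
    return password_verify($token, $storedTokenHash) ? $id : null;
}

// The loose-comparison facts behind the weak form, and the strict alternatives.
function looseComparisonReminder(): array
{
    $a = '0e462097431906509019562988736854';  // numeric-looking strings (constructed)
    $b = '0e830400451993494058024219903391';
    return [
        'hex_string_vs_true' => ('da39a3ee5e6b4b0d3255bfef95601890afd80709' == true), // true: non-empty string
        'zero_e_strings'     => ($a == $b),            // true: both parse as the number 0
        'strict'             => ($a === $b),           // false
        'hash_equals'        => hash_equals($a, $b),   // false, and constant-time
    ];
}

// Constructed demo values.
$personalToken   = 'constructed-personal-token-0123';
$storedTokenHash = password_hash($personalToken, PASSWORD_BCRYPT);

$legit   = json_encode([2, sha1($personalToken)]);   // what a real client sends to the weak form
$juggled = json_encode([2, true]);                   // same cookie with the token replaced by JSON true

var_dump(weakRememberMe($legit, $personalToken));                               // bool(true)
var_dump(weakRememberMe($juggled, $personalToken));                             // bool(true): the flaw
var_dump(safeRememberMe(json_encode([2, $personalToken]), $storedTokenHash));   // int(2)
var_dump(safeRememberMe($juggled, $storedTokenHash));                           // NULL
var_dump(looseComparisonReminder());
```

The two properties worth keeping from the hardened form are independent: strict type checks on everything that comes out of json_decode(), and never letting the client choose the value (or the algorithm) that the server-side secret is compared against. With the token hashed at rest, a database read such as the one from slide 31 no longer yields anything directly usable for login.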

  44. DEMO

  45. Going deeper
     - We are admin on the solution (or any other user)
     - But the goal is still to compromise the infrastructure
       - We need to find something else on the authenticated part
     - Time to compromise the underlying server
       - Old vulnerabilities are patched

  46. Fusion Inventory
     - While gathering technical details about the target's infrastructure using regular features...
     - Back to the good old blackbox reflexes, a wild LFI appears
