Post on 13-May-2020
©2014 High-Tech Bridge SA – www.htbridge.com / www.immuniweb.com
When complexity leads to fragility…
Geneva Information Security Day - 10th October 2014
# whoami
Frédéric BOURLA
Chief Security Specialist
Head of Ethical Hacking & Computer Forensics Departments
High-Tech Bridge SA
~14 years experience in Information Technologies
GXPN, LPT, CISSP, CCSE, CCSA, ECSA, CEH, eCPPT
GREM, CHFI
RHCE, RHCT, MCP
[frederic.bourla@htbridge.com]
# readelf prez
Slides & talk in English.
One round of 30' [including Q&A] focused on attack vectors arising from information systems complexity and unclear responsibilities.
No need to take notes: the slides will be published on the High-Tech Bridge website.
Given the very short time and the heterogeneous audience, the slides will not dive too far into technical detail. Nevertheless, I will soon publish a white paper for people willing to go deeper into the technical side.
# Table of contents
0x00 - About me
0x01 - About this conference
0x02 - Information systems became complex
0x03 - Lack of boundaries and liability
0x04 - More opportunities for hackers
# Information systems became complex
Moore's Law is a computing term which originated around 1970; the simplified version of this law states that processor speeds, or overall processing power for computers, will double every two years.
For a few years now it has become even faster: CPU speeds double every year!
Business models have evolved... And nowadays PCs have become more complex than the mainframe computers they were intended to replace.
This is a direct effect of the sophistication of the environment and of the structural complexity of Operating Systems.
A Google datacentre in Iowa, where your three billion
daily searches and YouTube requests are processed:
Even on a smaller scale, personal computers are nowadays quite complex...
From hardware to software, everything is now far more sophisticated than it seems to be.
A complexity which often generates a new kind of unintended consequence... A hidden fragility!
Let's take an example from everyday life, by analysing how a process can execute another binary on your Windows computer.
EXE search order with the ShellExecute function:
1. The current working directory.
2. The system directory [%WINDIR%\System32].
3. The 16-bit system directory [%WINDIR%\System].
4. The Windows directory.
5. The directories that are listed in %PATH%.
This creates opportunities for malicious users who can influence the CWD: each time developers rely on a relative path to call another binary, there is a binary planting opportunity.
EXE search order with the CreateProcess function:
1. The directory from which the application is loaded.
2. The current working directory.
3. The system directory [%WINDIR%\System32].
4. The 16-bit system directory [%WINDIR%\System].
5. The Windows directory.
6. The directories that are listed in %PATH%.
It is even worse with CreateProcess, as the first directory queried is the one where the caller program sits: a permissive ACL on that initial folder also creates a binary planting opportunity.
Demo 1: Abusing Insecure Access Permissions of
loading directory
# Lack of boundaries and liability
Hackers can be very difficult to trace... And thereafter even harder to prosecute:
Countries do not agree on what elements constitute a given crime.
Laws most often do not properly define the terms "data" and "computer", in an attempt to prevent the legislation from becoming obsolete through the increasingly rapid advancement of technology.
Law enforcement officials have to petition countries to extradite suspects in order to hold a trial, and this process can take years. It for example took roughly 6 years to extradite Gary McKinnon from the UK, despite the US having charged him with hacking into Department of Defense and NASA computer systems.
Being granted a warrant in another country can be very difficult.
In some countries, the laws against hacking are strict but their enforcement is weak.
In other countries, there is simply a lack of laws.
A few examples of law discrepancies:
German law forbids possession of "hacker tools". [which probably does not help security professionals fight hackers]
Breaking into an encrypted Wi-Fi network is not considered a criminal offence in the Netherlands. [as routers are not considered to be computers]
Wi-Fi hacking was also legal in Belgium until a few years ago.
A few years ago, a group of people broke into the Supreme Court's website in Argentina, and the judge finally ruled that hacking was legal by default in the country, arguing that the law covers crimes against people, things and animals, but not cyberspace.
There are no special laws in Gaza that protect against electronic crime.
As of the end of May 2014, 27 people had been convicted of cyber-crimes in Portugal in the past six years, but not one of them was made to serve time in prison.
In China, it is illegal to hack against the Chinese government and punishable by death. On the other hand, hacking for the Chinese government has become a very profitable job.
Meanwhile, there are no cyber-borders between countries: hackers often bounce through China, Turkey, Russia, Taiwan, Brazil, Romania or India to go unpunished.
In 2010, bank robbers:
Pulled off 5'628 heists.
Ran off with $43 million.
The average robbery netted $7'643.
The loot was recovered in 22% of cases.
According to the FBI Internet Crime Report for that same year:
303'809 complaints for Internet fraud.
A total loss of $1.1 billion.
1'420 prepared criminal cases.
Just 6 convictions.
This means only one jailed cyber-criminal for every 50'635 victims!
And these are just the cases significant enough to be reported to the FBI. Identity theft is even less risky for hackers, as the odds of being caught are almost infinitesimal.
Security threats are exacerbated by the lack of boundaries, whether geographical or logical.
Do you remember our previous demo, where we used Insecure Access Permissions on the loading directory to abuse the CreateProcess function? Such binary planting could also be carried out remotely...
The easiest way would be to use a remote share... For example if you click a link [in an email or on a website] to a file that is hosted on a WebDAV share in China.
Another scenario would be to wait for your Current Working Directory to change to that external share, and to plant the malicious file there.
Demo 2: Abusing Current Working Directory
From a logical point of view, most problems also occur when developers do not keep a clear border between code and data.
When Code + Data = Code, compromise occurs [sooner or later].
All injection attacks [e.g. XSS, SQLi and XXE] exploit this lack of boundaries.
Let's see a common mistake in PHP:
If a malicious user types john woo' or SELECT
database();-- for the producer and 5 for the rating, the
resulting query becomes:
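The PHP snippet and the resulting query are not reproduced in this transcript. As an added example (written for this page, not the deck's own code), the same mistake and its fix replayed in Python with sqlite3 standing in for PHP/MySQL: the `movies` table, its rows and the `' OR 1=1 --` probe are constructed test data; the producer input `john woo' or SELECT database();--` is the one from the slide.

```python
"""Code + Data = Code: string-built SQL versus a parameterised query.

Added example written for this page; sqlite3 replaces the slide's PHP/MySQL
setup. The `movies` table and its rows are constructed test data.
"""
import sqlite3

SLIDE_INPUT = "john woo' or SELECT database();--"   # producer value from the slide


def make_db():
    """In-memory table with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE movies (title TEXT, producer TEXT, rating INTEGER)")
    conn.executemany("INSERT INTO movies VALUES (?, ?, ?)", [
        ("Hard Boiled", "John Woo", 5),
        ("Face/Off", "John Woo", 4),
        ("Heat", "Michael Mann", 5),
    ])
    return conn


def build_query_unsafe(producer, rating):
    """The slide's mistake: user input is pasted into the SQL text, so the
    quote inside `producer` ends the string literal and whatever follows is
    parsed as SQL. (`rating` is pasted unquoted, so it is injectable too.)"""
    return ("SELECT title FROM movies WHERE producer = '" + producer
            + "' AND rating = " + str(rating))


def search_unsafe(conn, producer, rating):
    """Run the string-built query. Raises on the slide's input because the
    statement no longer parses; returns every row for a `' OR 1=1 --` probe."""
    return [row[0] for row in conn.execute(build_query_unsafe(producer, rating))]


def search_safe(conn, producer, rating):
    """Placeholders keep the border: the input travels as data, never as SQL,
    so the slide's payload is simply compared against the producer column."""
    return [row[0] for row in conn.execute(
        "SELECT title FROM movies WHERE producer = ? AND rating = ?",
        (producer, rating))]


if __name__ == "__main__":
    db = make_db()
    print(build_query_unsafe(SLIDE_INPUT, 5))
    print("safe, slide input :", search_safe(db, SLIDE_INPUT, 5))      # []
    print("safe, real name   :", search_safe(db, "John Woo", 5))        # ['Hard Boiled']
    print("unsafe, probe     :", search_unsafe(db, "' OR 1=1 --", 0))   # all three titles
```

The slide's input makes the concatenated statement fail to parse, which is exactly what a tester looks for: the quote was interpreted as SQL, so the boundary is gone. The parameterised version never lets the quote reach the parser.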
It is the same problem with the recent ShellShock vulnerability, which resides in the way Bash allows importing functions from the environment.
By not properly separating code from data, this feature allows arbitrary code execution in Bash by setting specific environment variables.
The biggest exposure is Bash scripts executed via "cgi-bin" on web servers. The CGI specification requires the web server to convert HTTP request headers supplied by the client into environment variables. If a Bash script is called via cgi-bin, an attacker may use this to remotely execute code in the context of the web server.
Already 6 CVEs for this whack-a-mole patching game...
Some automated scanners send a crafted User-Agent to remotely exploit ShellShock, such as:
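The sample User-Agents from the slide are not reproduced in this transcript. As an added example from the defender's side (written for this page, not from the deck), a small detector that walks web-server access logs for the function-definition prefix every ShellShock probe has to carry in a header: `SAMPLE_LOG` is constructed in Apache combined-log format with documentation-range addresses and a harmless `echo` payload.

```python
"""Spot ShellShock probes in web-server access logs.

Added example written for this page, not High-Tech Bridge tooling. SAMPLE_LOG
is constructed (Apache combined-log format, documentation IP ranges, an
`echo` as payload) purely to exercise the parser.
"""
import re

# Pre-patch Bash imported any environment variable whose value began with
# "() {" as a function and kept parsing past the closing brace. A probe
# therefore has to place that prefix in a header the CGI gateway copies into
# the environment (User-Agent, Referer, Cookie, ...), which is what we look for.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$')

SAMPLE_LOG = """\
203.0.113.7 - - [25/Sep/2014:10:12:01 +0200] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 "-" "() { :;}; echo probe"
198.51.100.4 - - [25/Sep/2014:10:12:05 +0200] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [25/Sep/2014:10:12:09 +0200] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 "() { :;}; echo probe" "curl/7.38.0"
"""


def parse_combined(line):
    """Split one combined-format line into its fields, or None if it does not match."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock(lines):
    """Return (client ip, request line, header field) for every logged header
    field that carries the ShellShock function prefix."""
    hits = []
    for line in lines:
        entry = parse_combined(line)
        if entry is None:
            continue
        for field in ("user_agent", "referer"):
            if SHELLSHOCK_RE.search(entry[field]):
                hits.append((entry["ip"], entry["request"], field))
    return hits


if __name__ == "__main__":
    for ip, request, field in find_shellshock(SAMPLE_LOG.splitlines()):
        print(f"{ip} probed via {field}: {request}")
```

Only the headers the server actually logs are visible this way (a Cookie header, for instance, is not in the combined format), so a clean access log does not prove the host was never probed; it is a triage aid, and patching Bash is the fix.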
Let's go back to our binary planting attacks.
The scenario in the first demo dealt with binary planting through Insecure Access Permissions, a common problem when installers fail to limit write access to the installation directory for non-privileged users.
The second scenario dealt with remote binary planting through Current Working Directory abuse, for example via a WebDAV share on an external server.
Those attacks have been well known by hackers for years now... But there are more tricky abuses with DLL files, which facilitate loading optional features [same binary, different functionality depending on the available DLLs].
DLL search order with the LoadLibrary function [if SafeDllSearchMode is enabled, which is the case since Windows XP SP2, and if it is not overridden by LOAD_WITH_ALTERED_SEARCH_PATH when calling LoadLibraryEx]:
1. The directory from which the application is loaded.
2. The system directory [%WINDIR%\System32].
3. The 16-bit system directory [%WINDIR%\System].
4. The Windows directory.
5. The current working directory.
6. The directories that are listed in %PATH%.
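The three search orders above (ShellExecute, CreateProcess and LoadLibrary with SafeDllSearchMode) differ only in where the current working directory sits, and that placement decides which writable directories get a chance to answer first. As an added example (a simulation written for this page, not Windows loader code and not the deck's demo code), the following Python models the three orders and reports, for a given name, which user-writable directory is consulted before the legitimate file is reached. The host layout, file names and `user_writable` flags are constructed test data.

```python
"""Simulation of the Windows EXE/DLL search orders from the slides.

Added example written for this page: not Windows loader code and not the
demo code shown on stage. Directory names, files and the user_writable flags
are constructed test data; the search orders follow the ShellExecute,
CreateProcess and LoadLibrary (SafeDllSearchMode on) lists on the slides.
"""
from dataclasses import dataclass, field


@dataclass
class Directory:
    name: str                        # constructed label: a local folder or a UNC share
    files: set = field(default_factory=set)
    user_writable: bool = False      # can a non-privileged user create files here?


# Slot names: "app" = directory the caller was loaded from, "cwd" = current
# working directory, "path" = every %PATH% entry, in order.
SEARCH_ORDERS = {
    "ShellExecute":  ["cwd", "system32", "system", "windows", "path"],
    "CreateProcess": ["app", "cwd", "system32", "system", "windows", "path"],
    # SafeDllSearchMode (default since XP SP2) demotes the CWD to fifth place.
    "LoadLibrary":   ["app", "system32", "system", "windows", "cwd", "path"],
}


def resolve(api, name, layout, path_dirs):
    """Walk the search order of `api` looking for `name`.

    Returns {"found_in": <dir name or None>, "planting_dirs": [...]} where
    planting_dirs lists every user-writable directory consulted up to and
    including the hit: a same-named file planted there would be the one used.
    A name that is never found (an optional DLL) exposes every writable
    directory in the whole order.
    """
    consulted = []
    for slot in SEARCH_ORDERS[api]:
        for d in (path_dirs if slot == "path" else [layout[slot]]):
            consulted.append(d)
            if name in d.files:
                return {"found_in": d.name,
                        "planting_dirs": [c.name for c in consulted if c.user_writable]}
    return {"found_in": None,
            "planting_dirs": [c.name for c in consulted if c.user_writable]}


def sample_host():
    """Constructed host: the CWD sits on a remote share and one vendor folder
    on %PATH% was left writable by its installer."""
    layout = {
        "app":      Directory(r"C:\Program Files\Service", {"service.exe"}),
        "cwd":      Directory(r"\\share\docs", {"report.doc"}, user_writable=True),
        "system32": Directory(r"C:\Windows\System32", {"helper.exe", "helper.dll"}),
        "system":   Directory(r"C:\Windows\System"),
        "windows":  Directory(r"C:\Windows"),
    }
    path_dirs = [
        Directory(r"C:\Windows\System32", {"helper.exe", "helper.dll"}),
        Directory(r"C:\Vendor\bin", user_writable=True),
    ]
    return layout, path_dirs


if __name__ == "__main__":
    layout, path_dirs = sample_host()
    for api, name in [("ShellExecute", "helper.exe"), ("CreateProcess", "helper.exe"),
                      ("LoadLibrary", "helper.dll"), ("LoadLibrary", "optional.dll")]:
        print(f"{api:14} {name:13} -> {resolve(api, name, layout, path_dirs)}")
```

Running it shows the two halves of the talk side by side: for an EXE resolved through ShellExecute or CreateProcess the writable share holding the CWD is consulted before System32, whereas LoadLibrary reaches System32 first and the share is harmless for a DLL that exists there; an optional DLL that exists nowhere walks the whole order, so a writable folder on %PATH% is enough.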
There are very common problems with Dynamic Link Libraries on Microsoft Windows based operating systems [especially after numerous applications have been installed and uninstalled], such as:
Conflicts between DLL versions
Problems loading required DLLs
Accumulation of many unnecessary DLL copies
To overcome this "DLL Hell" problem, the "Side-by-Side Assembly" feature was added to Windows XP.
It permits several versions of a given DLL to exist on the same host at the same time, any of which an application can use.
# More opportunities for hackers
Complexity often generates a hidden fragility.
This kind of unintended consequence is a direct effect of the sophistication of the environment and of the structural complexity of applications and underlying Operating Systems.
Vulnerabilities can remain hidden for a very long time.
Heartbleed was for example disclosed in April 2014, but the flaw was introduced in December 2011! Although OpenSSL is Open Source, the vulnerability remained undetected for nearly 3 years.
It is even worse with the recent ShellShock. The Unix Bash vulnerability was publicly reported on 24 September 2014, but the vulnerability had been there for more than 20 years, hidden in the complexity of the code since the early days of the web. Millions of servers are vulnerable, and thousands of them have already been compromised.
Even on a smaller scale, your system is most probably affected by many vulnerabilities deeply hidden in the complexity of applications and configurations.
Some of them may never be patched, as vendors blame each other. Our HTB23108 advisory from 7 August 2012 is, for example, still used during penetration tests.
Such a severe problem can occur if:
A System Service searches for a non-existent DLL file to decide whether it can add specific features.
And if:
A program grants too permissive an ACL [e.g. the Create Files / Write Data privilege to anybody] on a local subfolder that is ultimately added to the PATH environment variable. [e.g. C:\Program Files (x86)\IBM\Rational AppScan]
Similar Insecure Access Permissions are even more frequent with the root folder. When a directory is created in the C:\ root folder, access permissions for files and subfolders are inherited from the parent directory. By default, members of the Authenticated Users group have the Create Folders / Append Data right on all directories created within the C:\ root folder.
As this behaviour also applies to folders created by an application's installer, it is the developer's responsibility to ensure that the default permissions on the installation directory are changed, or at least to avoid adding the installation directory to the PATH system environment variable. Otherwise, any member of the Authenticated Users group has a beautiful binary planting opportunity.
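The check a defender wants here is simple to state: for every directory on %PATH%, does any principal an ordinary user belongs to hold a right that allows creating or changing files? As an added example (written for this page, not High-Tech Bridge tooling), the following Python parses the text that `icacls <directory>` prints and flags such directories. On a real host you would run icacls for each %PATH% entry and feed the output in; `SAMPLE_OUTPUT` is constructed for the demo, modelled on the inherited root-folder ACEs the slide describes (Authenticated Users holding AD, i.e. Create Folders / Append Data, and M on child objects).

```python
"""Audit directories on %PATH% for ACLs that let low-privileged users write.

Added example written for this page, not High-Tech Bridge tooling. It parses
`icacls <directory>` output; SAMPLE_OUTPUT is constructed, modelled on the
ACEs a folder inherits when created directly under C:\.
"""
import re

# icacls rights that allow adding or changing files in a directory: simple
# rights F (full), M (modify), W (write); specific rights WD (write data /
# create files), AD (append data / create subfolders), GW/GA (generic write/all).
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "GW", "GA"}
# Inheritance flags carried in the same parentheses; they are not rights.
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}
# Principals every interactive user on the box belongs to.
LOW_PRIV_PRINCIPALS = {r"NT AUTHORITY\Authenticated Users", r"BUILTIN\Users", "Everyone"}

SAMPLE_OUTPUT = {
    # Installer created this folder under C:\ and left the inherited ACEs in place.
    r"C:\Vendor\bin": "\n".join([
        r"C:\Vendor\bin NT AUTHORITY\Authenticated Users:(I)(AD)",
        r"              NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)",
        r"              NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)",
        r"              BUILTIN\Administrators:(I)(OI)(CI)(F)",
        r"              BUILTIN\Users:(I)(OI)(CI)(RX)",
        "",
        "Successfully processed 1 files; Failed processing 0 files",
    ]),
    # Installed under Program Files: users may only read and execute.
    r"C:\Program Files\Good": "\n".join([
        r"C:\Program Files\Good NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)",
        r"                      BUILTIN\Administrators:(I)(OI)(CI)(F)",
        r"                      BUILTIN\Users:(I)(OI)(CI)(RX)",
        "",
        "Successfully processed 1 files; Failed processing 0 files",
    ]),
}


def parse_icacls(path, output):
    """Return [(principal, {rights})] from the output of `icacls <path>`.
    The first line starts with the path itself, so the caller's path is used
    to strip it (paths and principals both contain spaces)."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.startswith(path):
            line = line[len(path):].strip()
        principal, sep, flags = line.rpartition(":")
        if not sep:
            continue
        tokens = {t.strip().upper() for group in re.findall(r"\(([^)]*)\)", flags)
                  for t in group.split(",")}
        aces.append((principal, tokens - INHERIT_FLAGS))
    return aces


def low_priv_writers(path, output):
    """Principals an ordinary user belongs to that could plant a file in `path`."""
    return sorted({p for p, rights in parse_icacls(path, output)
                   if p in LOW_PRIV_PRINCIPALS and rights & WRITE_RIGHTS})


def audit_path(icacls_by_dir):
    """{dir: icacls output} -> {dir: [risky principals]} for the failing directories."""
    findings = {}
    for directory, output in icacls_by_dir.items():
        hits = low_priv_writers(directory, output)
        if hits:
            findings[directory] = hits
    return findings


if __name__ == "__main__":
    for directory, principals in audit_path(SAMPLE_OUTPUT).items():
        print(f"{directory}: writable by {', '.join(principals)}")
```

A finding on a directory that is also on the system %PATH% is the condition the slide describes; the remedy is on the installer side (strip the inherited ACEs, or keep the folder off %PATH%), and the audit is worth re-running after administrators touch ACLs or PATH.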
In our example, the Python, Perl and Eclipse installers forgot to remove the privileges inherited from the root folder.
Finally, sometimes developers code their installer properly, but ACLs or PATH values are modified by system administrators to facilitate their daily duties or migration phases. [for example C:\Novel\Groupwise and C:\Program Files\OmniBack\bin have been exploited several times during our penetration tests]
This attack is a perfect example of exploiting a vulnerability which leverages both code complexity and lack of liability. For Microsoft "it is not a product vulnerability" as "the system has been weakened by a third-party application". For other vendors, Windows services should not rely on non-existent DLL files.
Demo 3: Leveraging long-term vulnerabilities
exit (0);
Your questions are always welcome!
[frederic.bourla@htbridge.com]