Head of Ethical Hacking & Computer Forensics Departments, High-Tech Bridge SA, ~14 years experience · 2014-10-14

Page 1

©2014 High-Tech Bridge SA – www.htbridge.com / www.immuniweb.com

When complexity leads to fragility…

Geneva Information Security Day - 10th October 2014

Page 2

# whoami

Frédéric BOURLA

Chief Security Specialist

Head of Ethical Hacking & Computer Forensics Departments

High-Tech Bridge SA

~14 years experience in Information Technologies

GXPN, LPT, CISSP, CCSE, CCSA, ECSA, CEH, eCPPT

GREM, CHFI

RHCE, RHCT, MCP

[[email protected]]

Page 3

# readelf prez

Slides & talk in English.

1 round of 30’ [including Q&A] focused on attack vectors arising from information systems complexity and unclear responsibilities.

No need to take notes, slides will be published on the High-Tech Bridge website.

Given the very short time and the heterogeneous attendees, slides will not dive too far into the technique. Nevertheless, I will soon publish a white paper for people willing to go deeper into the technical side.

Page 4

Table of contents

0x00 - About me

0x01 - About this conference

0x02 - Information systems became complex

0x03 - Lack of boundaries and liability

0x04 - More opportunities for hackers

Page 5

Information systems became complex

Moore’s Law is a computing term which originated around 1970; the simplified version of this law states that processor speeds, or the overall processing power of computers, will double every two years.

For a few years now, it has even become faster: CPU speeds double each year!

Business models have evolved... And nowadays PCs have become more complex than the mainframe computers they were intended to replace.

This is a direct effect of the environment's sophistication and the structural complexity of Operating Systems.

Page 6

Information systems became complex

A Google datacentre in Iowa, where your three billion daily searches and YouTube requests are processed:

Page 7

Information systems became complex

Even on a smaller scale, personal computers are nowadays quite complex...

From hardware to software, everything is now far more sophisticated than it seems to be.

A complexity which often generates a new kind of unintended consequence... A hidden fragility!

Let’s take an example from everyday life, by analysing how a process can execute another binary on your Windows computer.

Page 8

Information systems became complex

EXE search order with ShellExecute function:

The current working directory.

The system directory [%WINDIR%\System32].

The 16-bit system directory [%WINDIR%\System].

The Windows directory.

The directories that are listed in %PATH%.

This creates opportunities for malicious users who abuse the CWD. Each time developers rely on a relative path to call other binaries, there is a binary planting opportunity.

Page 9

Information systems became complex

EXE search order with CreateProcess function:

The directory from which the application is loaded.

The current working directory.

The system directory [%WINDIR%\System32].

The 16-bit system directory [%WINDIR%\System].

The Windows directory.

The directories that are listed in %PATH%.

It is even worse with CreateProcess, as the first directory queried is the one where the caller program sits. A permissive ACL on that initial folder also creates a binary planting opportunity.

Page 10

Information systems became complex

Demo 1: Abusing Insecure Access Permissions of the loading directory

Page 11

Table of contents

0x00 - About me

0x01 - About this conference

0x02 - Information systems became complex

0x03 - Lack of boundaries and liability

0x04 - More opportunities for hackers

Page 12

Lack of boundaries and liability

Hackers can be very difficult to trace... And thereafter even harder to prosecute:

Countries do not agree on what elements constitute a given crime.

Laws most often do not properly define the terms "data" and "computer", in an attempt to prevent the legislation from becoming obsolete through the increasingly rapid advancement of technology.

Law enforcement officials have to petition countries to extradite suspects in order to hold a trial, and this process can take years. For example, it took roughly 6 years to extradite Gary McKinnon from the UK, despite the US having charged him with hacking into Department of Defense and NASA computer systems.

Page 13

Lack of boundaries and liability

Hackers can be very difficult to trace... And thereafter even harder to prosecute:

Being granted a warrant in another country can be very difficult.

In some countries, the laws against hacking are strict but their implementation is weak.

In other countries, there is simply a lack of laws.

A few examples of law discrepancies:

German law forbids possession of “hacker tools”. [which probably does not help security professionals to fight hackers]

Page 14

Lack of boundaries and liability

A few examples of law discrepancies:

Breaking into an encrypted Wi-Fi network is not considered a criminal offence in the Netherlands. [as routers are not considered computers]

Wi-Fi hacking was also legal in Belgium until a few years ago.

A few years ago, a group of people broke into the Supreme Court's website in Argentina, and the judge finally ruled that hacking was legal by default in the country, arguing that the law covers crimes against people, things and animals, but not cyberspace.

There are no special laws in Gaza that protect against electronic crime.

Page 15

Lack of boundaries and liability

A few examples of law discrepancies:

As of the end of May 2014, 27 people had been convicted of cyber-crimes in Portugal in the past six years, but not one of them was made to serve time in prison.

In China, it is illegal to hack against the Chinese government and punishable by death. On the other hand, hacking for the Chinese government has become a very profitable job.

At the same time, there are no cyber-borders between countries. Hackers often bounce through China, Turkey, Russia, Taiwan, Brazil, Romania or India to remain unpunished.

Page 16

Lack of boundaries and liability

In 2010, bank robbers:

Pulled off 5'628 heists.

Ran off with $43 million.

The average robbery netted $7'643.

The loot was recovered in 22% of cases.

According to the FBI Internet Crime Report for this same year:

303'809 complaints for Internet fraud.

A total loss of $1.1 billion.

1'420 prepared criminal cases.

Just 6 convictions.

Page 17

Lack of boundaries and liability

This means only one jailed cyber-criminal for every 50'635 victims!

And these are just the cases significant enough to be reported to the FBI. Identity theft is even less risky for hackers, as the odds of being caught are almost infinitesimal.

Security threats are exacerbated by the lack of boundaries, whether geographical or logical.

Do you remember our previous demo, where we used Insecure Access Permissions on the loading directory to abuse the CreateProcess function? Such binary planting could also be carried out remotely...

Page 18

Lack of boundaries and liability

The easiest way would be to use a remote share… For example if you click a link [in an email or on a website] to a file that is hosted on a WebDAV share in China.

Another scenario would be to wait for your Current Working Directory to change, and to plant the malicious file in that external share.

Page 19

Lack of boundaries and liability

Demo 2: Abusing Current Working Directory

Page 20

Lack of boundaries and liability

From a logical point of view, most problems also occur when developers do not keep a clear border between code and data.

When Code + Data = Code, compromise occurs [sooner or later].

All injection attacks [e.g. XSS, SQLi and XXE attacks] exploit this lack of boundaries.

Page 21

Lack of boundaries and liability

Let's see a common mistake in PHP:

If a malicious user types john woo' or SELECT database();-- for the producer and 5 for the rating, the resulting query becomes:
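The PHP snippet and the resulting query shown on the slides are not reproduced in this transcript, so here is an added example (not from the talk) that replays the same input against a constructed Python/SQLite table: the string-concatenation variant lets the quote and `--` escape into the SQL text, while the parameterised variant stores them as plain data. The table and column names are assumptions.

```python
import sqlite3

# Constructed table standing in for the slide's producer / rating form.
SCHEMA = "CREATE TABLE ratings (producer TEXT NOT NULL, rating INTEGER NOT NULL)"

# The input from the slide: the quote closes the string early and "--" comments
# out whatever the developer wrote after it.
PAYLOAD = "john woo' or SELECT database();--"

def build_query_unsafe(producer, rating):
    """The slide's mistake: user input is pasted into the SQL text, so the
    quote and the '--' inside it are parsed as SQL code, not stored as data."""
    return f"INSERT INTO ratings (producer, rating) VALUES ('{producer}', {rating})"

def insert_unsafe(conn, producer, rating):
    conn.execute(build_query_unsafe(producer, rating))

def insert_safe(conn, producer, rating):
    """Placeholders keep the code/data border: the driver passes the input as a
    bound value, so whatever it contains is stored literally, never parsed."""
    conn.execute("INSERT INTO ratings (producer, rating) VALUES (?, ?)",
                 (producer, int(rating)))

def producers(conn):
    return [row[0] for row in conn.execute("SELECT producer FROM ratings")]

def demo(payload=PAYLOAD, rating=5):
    """Run both variants against an in-memory SQLite database and return the
    concatenated query text, what happened when it was executed (SQLite rejects
    this particular fragment with a syntax error, which already proves the input
    was parsed as code) and the rows the safe variant stored."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    try:
        insert_unsafe(conn, payload, rating)
        unsafe_outcome = "executed"
    except (sqlite3.Error, sqlite3.Warning) as exc:
        unsafe_outcome = f"rejected: {exc}"
    insert_safe(conn, payload, rating)
    return build_query_unsafe(payload, rating), unsafe_outcome, producers(conn)
```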

Page 22

Lack of boundaries and liability

It is the same problem with the recent ShellShock vulnerability, which resides in the way Bash allows importing functions from the environment.

By not successfully separating code from data, this feature allows arbitrary code execution in Bash by setting specific environment variables.

The biggest exposure is Bash scripts executed via “cgi-bin” on web servers. The CGI specification requires the web server to convert HTTP request headers supplied by the client into environment variables. If a Bash script is called via cgi-bin, an attacker may use this to remotely execute code in the context of the web server.

Already 6 CVEs for this whack-a-mole patching game…

Page 23

Lack of boundaries and liability

Some automated scanners send a crafted User-Agent to remotely exploit ShellShock, such as:
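The scanner User-Agent pictured on the slide is not in this transcript. As an added example (not from the talk), the Python below takes the defender's side of the same mechanism: it models the CGI header-to-environment mapping the previous slide describes and scans constructed Apache log lines for the Bash function-definition marker in the fields a CGI server would export. The log lines, addresses and script name are constructed.

```python
import re

# Apache "combined" log layout; the last two quoted fields are Referer and User-Agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# ShellShock trigger: a variable value that opens with a Bash function
# definition. Bash accepts "(){" as well as "() {", so the whitespace is optional.
FUNC_DEF_RE = re.compile(r'\(\)\s*\{')

def cgi_env_name(header_name):
    """CGI exports each request header as HTTP_<NAME>: upper-case, '-' becomes '_'."""
    return "HTTP_" + header_name.upper().replace("-", "_")

def parse_combined(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_shellshock(lines):
    """One finding per log line whose Referer or User-Agent carries a function
    definition, i.e. a value a CGI server would hand to Bash as an env var."""
    findings = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue
        parts = rec["request"].split()
        target = parts[1] if len(parts) > 1 else rec["request"]
        for field, header in (("ua", "User-Agent"), ("referer", "Referer")):
            if FUNC_DEF_RE.search(rec[field]):
                findings.append({"ip": rec["ip"], "cgi_target": target,
                                 "env_var": cgi_env_name(header), "payload": rec[field]})
    return findings

# Constructed sample, not real traffic: two ordinary requests and one probe whose
# User-Agent is a harmless function definition of the kind scanners send.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:01:12 +0200] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [25/Sep/2014:10:01:30 +0200] "GET /cgi-bin/status.sh HTTP/1.1" 200 88 "-" "() { :; }; echo probe"',
    '198.51.100.2 - - [25/Sep/2014:10:02:01 +0200] "GET /cgi-bin/status.sh HTTP/1.1" 200 88 "http://example.net/" "curl/7.30.0"',
]

if __name__ == "__main__":
    for f in find_shellshock(SAMPLE_LOG):
        print(f"{f['ip']} hit {f['cgi_target']} via {f['env_var']}: {f['payload']!r}")
```

A hit on a `/cgi-bin/` target is the case the slide calls out; the same marker in other headers (Cookie, Host) only shows up in logs that record those fields.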

Page 24

Lack of boundaries and liability

Let's go back to our binary planting attacks.

The scenario in the first demo dealt with binary planting through Insecure Access Permissions, a common problem when installers fail to limit write access to the installation directory for non-privileged users.

The second scenario dealt with remote binary planting through Current Working Directory abuse, for example via a WebDAV share on an external server.

Those attacks have been well known by hackers for years now... But there are trickier abuses with DLL files, which facilitate loading optional features [same binary, different functionalities depending on the available DLLs].

Page 25

Lack of boundaries and liability

DLL search order with the LoadLibrary function [if SafeDllSearchMode is enabled, which is the case since Windows XP SP2, and if it is not overridden by LOAD_WITH_ALTERED_SEARCH_PATH while calling LoadLibraryEx]:

The directory from which the application is loaded.

The system directory [%WINDIR%\System32].

The 16-bit system directory [%WINDIR%\System].

The Windows directory.

The current working directory.

The directories that are listed in %PATH%.
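As an added example that is not part of the slides, this Python model encodes the three search orders listed on pages 8, 9 and 25 and, against a constructed directory layout, reports which directories writable by a low-privileged user are consulted before the legitimate file is reached. It also covers the non-existent DLL case from page 32, where the whole order is exposed. The application directory, the remote WebDAV share used as CWD (page 18's scenario), the vendor tools folder on %PATH% and the writable set are all assumptions.

```python
from pathlib import PureWindowsPath

# Search orders as listed on the slides. APP = directory the application was
# loaded from, CWD = current working directory, PATH = each %PATH% entry in turn.
SHELLEXECUTE_ORDER = ("CWD", "SYSTEM32", "SYSTEM", "WINDIR", "PATH")
CREATEPROCESS_ORDER = ("APP", "CWD", "SYSTEM32", "SYSTEM", "WINDIR", "PATH")
LOADLIBRARY_SAFE_ORDER = ("APP", "SYSTEM32", "SYSTEM", "WINDIR", "CWD", "PATH")

def expand(order, env):
    """Turn a symbolic order into concrete directories, splicing %PATH% in place."""
    dirs = []
    for slot in order:
        dirs.extend(env["PATH"] if slot == "PATH" else [env[slot]])
    return dirs

def resolve(order, name, env, files):
    """First candidate that exists in `files` (a stand-in for the filesystem),
    or None when the name is found nowhere, as with an optional DLL."""
    present = {f.lower() for f in files}
    for d in expand(order, env):
        candidate = str(PureWindowsPath(d) / name)
        if candidate.lower() in present:
            return candidate
    return None

def planting_exposure(order, name, env, files, writable):
    """Directories a low-privileged user can write to that are searched before
    the legitimate copy of `name` is found. Each one is a binary planting
    opportunity; an empty list means the lookup cannot be hijacked this way.
    When the file exists nowhere, every writable directory in the order counts."""
    legit = resolve(order, name, env, files)
    stop = PureWindowsPath(legit).parent if legit else None
    low = {w.lower() for w in writable}
    exposed = []
    for d in expand(order, env):
        if stop is not None and PureWindowsPath(d) == stop:
            break
        if d.lower() in low:
            exposed.append(d)
    return exposed

# Constructed environment: the CWD is a remote WebDAV share and a vendor tools
# folder on %PATH% is writable by any authenticated user.
ENV = {
    "APP": r"C:\Program Files\Vendor\App",
    "CWD": r"\\203.0.113.7\webdav\docs",
    "SYSTEM32": r"C:\Windows\System32",
    "SYSTEM": r"C:\Windows\System",
    "WINDIR": r"C:\Windows",
    "PATH": [r"C:\Windows\System32", r"C:\Program Files (x86)\Vendor\Tools"],
}
FILES = {r"C:\Windows\System32\helper.exe", r"C:\Windows\System32\version.dll"}
WRITABLE = {r"\\203.0.113.7\webdav\docs", r"C:\Program Files (x86)\Vendor\Tools"}

if __name__ == "__main__":
    for label, order, name in (("ShellExecute", SHELLEXECUTE_ORDER, "helper.exe"),
                               ("CreateProcess", CREATEPROCESS_ORDER, "helper.exe"),
                               ("LoadLibrary", LOADLIBRARY_SAFE_ORDER, "version.dll"),
                               ("LoadLibrary", LOADLIBRARY_SAFE_ORDER, "optional.dll")):
        print(label, name, "->", planting_exposure(order, name, ENV, FILES, WRITABLE))
```

With SafeDllSearchMode the system DLL is found before the CWD is ever consulted, whereas the EXE orders and the missing-DLL case both walk through writable locations first.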

Page 26

Lack of boundaries and liability

There are very common problems with Dynamic Link Libraries on Microsoft Windows based operating systems [especially after numerous applications have been installed and uninstalled], such as:

Conflicts between DLL versions

Problems loading required DLLs

Collecting many unnecessary DLL copies

To overcome this “DLL Hell” problem, the “Side-by-Side Assembly” feature was added to Windows XP.

It permits several versions of a given DLL to exist on the same host at the same time, for any application to use.

Page 27

Lack of boundaries and liability

Page 28

Table of contents

0x00 - About me

0x01 - About this conference

0x02 - Information systems became complex

0x03 - Lack of boundaries and liability

0x04 - More opportunities for hackers

Page 29

More opportunities for hackers

Complexity often generates a hidden fragility.

This kind of unintended consequence is a direct effect of the environment's sophistication and the structural complexity of applications and underlying Operating Systems.

Vulnerabilities can remain hidden for a very long time. Heartbleed was for example disclosed in April 2014, but the flaw was introduced in December 2011! Despite OpenSSL being Open Source, the vulnerability remained undetected for nearly 3 years.

Page 30

More opportunities for hackers

It is even worse with the recent ShellShock. The Unix Bash vulnerability was publicly reported on 24 September 2014, but the vulnerability had been there for more than 20 years, hidden in the complexity of the code since the early days of the web. Millions of servers are vulnerable, and thousands of them have already been compromised.

Even on a smaller scale, your system is most probably impacted by many vulnerabilities deeply hidden in the complexity of applications and configurations.

Some of them may never be patched, as vendors blame each other. Our HTB23108 advisory from 7 August 2012 is for example still used during penetration tests.

Page 31

More opportunities for hackers

Page 32

More opportunities for hackers

Such a severe problem can occur if:

A System Service searches for a non-existent DLL file to know if it can add specific features.

And if:

A program gives a too permissive ACL [e.g. the Create Files / Write Data privilege to anybody] on a local subfolder that is ultimately added to the PATH environment variable. [e.g. C:\Program Files (x86)\IBM\Rational AppScan]

Page 33

More opportunities for hackers

Similar Insecure Access Permissions are even more frequent with the root folder. When a directory is created in the C:\ root folder, access permissions for files and subfolders are inherited from the parent directory. By default, members of the Authenticated Users group have the Create Folders / Append Data right on all directories created within the C:\ root folder.

As this behaviour also applies to folders created by an application's installer, it is the developer's responsibility to ensure that the default permissions on its installation directory are changed, or at least to avoid adding its installation directory to the PATH system environment variable. Otherwise, any member of the Authenticated Users group has a beautiful binary planting opportunity.
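One way to audit for the condition described on this and the previous slide (a %PATH% directory that Authenticated Users can write to) is to parse the output of `icacls` for each PATH entry. The following Python is an added example, not the talk's tooling; it runs on constructed icacls text rather than a live host, and the directory names are assumptions.

```python
import re

# Principals every interactive user belongs to; a write grant to any of them on
# a directory that is searched for binaries is a binary planting opportunity.
LOW_PRIV = {"everyone", r"nt authority\authenticated users", r"builtin\users"}

# icacls codes that let the grantee drop or replace a file: simple rights F/M/W
# plus the specific rights the slide names (Create Files / Write Data = WD,
# Create Folders / Append Data = AD).
WRITE_CODES = {"F", "M", "W", "WD", "AD"}

def parse_icacls(directory, output):
    """Parse the text `icacls <directory>` prints into [(principal, codes)].
    The first ACE shares its line with the path, later ACEs are indented under
    it; the directory is passed in because path and principal may both contain
    spaces, which makes the first line ambiguous on its own."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.lower().startswith(directory.lower()):
            line = line[len(directory):].strip()
        who, _, flags = line.partition(":")
        codes = {c for grp in re.findall(r"\(([^)]+)\)", flags) for c in grp.split(",")}
        aces.append((who.strip(), codes))
    return aces

def writable_by_low_priv(aces):
    """LOW_PRIV principals that can write into the directory itself. An ACE
    flagged IO (inherit-only) applies to children, not to the folder, so it
    does not let a user create a file there and is skipped."""
    hits = []
    for who, codes in aces:
        if who.lower() in LOW_PRIV and "IO" not in codes and codes & WRITE_CODES:
            hits.append((who, sorted(codes & WRITE_CODES)))
    return hits

def audit_path(path_value, icacls_outputs):
    """Flag every %PATH% entry writable by a low-privileged principal.
    `icacls_outputs` maps a directory to the text icacls printed for it."""
    findings = {}
    for d in filter(None, path_value.split(";")):
        out = icacls_outputs.get(d)
        if out is not None:
            hits = writable_by_low_priv(parse_icacls(d, out))
            if hits:
                findings[d] = hits
    return findings

# Constructed icacls output (not captured from a real host): a system directory
# that only lets Users read, and a vendor folder on %PATH% that kept the Modify
# right inherited from C:\ for Authenticated Users.
SAMPLE_OUTPUTS = {
    r"C:\Windows\System32": (
        r"C:\Windows\System32 NT AUTHORITY\SYSTEM:(OI)(CI)(F)" "\n"
        r"                    BUILTIN\Administrators:(OI)(CI)(F)" "\n"
        r"                    BUILTIN\Users:(OI)(CI)(RX)" "\n"
        "Successfully processed 1 files; Failed processing 0 files"
    ),
    r"C:\Program Files (x86)\Vendor\Tools": (
        r"C:\Program Files (x86)\Vendor\Tools NT AUTHORITY\Authenticated Users:(I)(M)" "\n"
        r"                                     NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)" "\n"
        r"                                     BUILTIN\Users:(I)(OI)(CI)(RX)" "\n"
        "Successfully processed 1 files; Failed processing 0 files"
    ),
}
SAMPLE_PATH = r"C:\Windows\System32;C:\Program Files (x86)\Vendor\Tools"
```

On a real host, feed `audit_path` the machine's PATH value and the captured `icacls` output for each entry; any directory it returns should have its ACL tightened or be removed from PATH, as the slide recommends.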

Page 34

More opportunities for hackers

In our example, the Python, Perl and Eclipse installers forgot to remove the privileges inherited from the root folder.

Finally, sometimes developers code their installer properly, but ACLs or PATH values are modified by system administrators to facilitate their daily duties or migration phases. [for example C:\Novel\Groupwise and C:\Program Files\OmniBack\bin have been exploited several times during our penetration tests]

This attack is a perfect exploitation example of a vulnerability which leverages both code complexity and lack of liability. For Microsoft “it is not a product vulnerability” as “the system has been weakened by a third-party application”. For other vendors, Windows services should not rely on non-existent DLL files.

Page 35

More opportunities for hackers

Demo 3: Leveraging long-term vulnerabilities

Page 36

exit (0);

Your questions are always welcome!

[[email protected]]