iSEC Research Labs

CA Alternative Whitepapers

11 Feb 2015 - Braden Hollembaek

Academic co-authors Adam Bates, Joe Pletcher, Tyler Nichols, Dave Tian and iSEC engineer Braden Hollembaek had a pair of interesting papers published at the 2014 Conference on Computer and Communications Security and the 2014 Internet Measurement Conference, respectively.

In "Securing SSL Certificate Verification through Dynamic Linking", the paper introduces CertShim, a lightweight retrofit to existing SSL/TLS implementations that provides new mechanisms to address: vulnerabilities in legacy software, improper usage of existing libraries, and the swift bootstrapping of new enhancements. This is accomplished by dynamically hooking calls to the certificate validation entry points in the OpenSSL, PolarSSL, and GnuTLS libraries via an LD_PRELOAD shim. The paper also demonstrates CertShim's extensibility by adapting it to work with Convergence, DANE, and Client-Based Key Pinning. CertShim imposes only a modest 20ms overhead for an SSL verification call and, by coarse estimate, hooks the SSL dependencies of 94% of Ubuntu's most popular packages with no changes necessary to existing applications. This work creates a framework to help increase the system-wide security of SSL communications in non-browser software, while simultaneously reducing the barriers to evaluating and adopting alternative proposals to the certificate authority system.

For context leading into the second paper, it should be pointed out that in 2011 Moxie Marlinspike proposed a CA alternative, Convergence, that extends the Network Perspectives system of multi-path probing to perform certificate verification. Unfortunately, adoption of Convergence and other SSL/TLS trust enhancements has been slow.

Some adoption concerns are addressed in "Forced Perspectives: Evaluating an SSL Trust Enhancement at Scale", where the question is asked "What if all certificates were validated with Convergence?" In this paper, a case study of deploying Convergence under realistic workloads with a university-wide trace of real-world HTTPS activity is performed. By synthesizing Convergence requests, it is possible to effectively simulate perspectives-based verification on an entire university. The paper demonstrates that, through local and server caching, a single Convergence deployment can meet the requirements of millions of SSL flows while imposing under 0.1% network overhead and requiring as little as 108ms to validate a certificate, making Convergence a worthwhile candidate for further deployment and adoption.

Links to the papers and source code can be found here:

CertShim Paper: certshim_ccs14.pdf

Source code for CertShim: https://bitbucket.org/uf_sensei/cert-shim

Please keep in mind that CertShim is part of an ongoing research project that relies on unstable function hooks into version-dependent libraries, and as such, should not be used as a production security resource.

Forced Perspectives Paper: forced_perspectives_imc14.pdf

Calculating SQL Permissions

09 Feb 2015 - Peter Oehlert

iSEC Partners is happy to announce the availability of a tool to help those wishing to better secure their database applications and users. It is a simple command line tool that can monitor Microsoft SQL Server for a period of query activity and then return the smallest set of permissions necessary to execute all of the monitored queries.

Unnecessary permissions granted to users and applications can be a significant threat if or when those credentials can be used by an attacker. Maybe a database user who normally only queries a couple of static views leaves their password on a text file on a laptop that gets compromised. Or perhaps an application has a SQL Injection flaw allowing nefarious ne'er do wells to issue arbitrary SQL statements against the database. Both of these cases can lead to painful breaches where large data sets are exfiltrated, modified or even just wantonly deleted. The SQL Permissions tool will help determine the most restrictive set of permissions that are actually needed.

This can be useful for developers of applications, as well as applications that already exist. The key in any case is to execute all of the logic or activities that permissions are desired for, as the tool will only calculate a permission for queries it observes. In some cases, an application developer could do even better by isolating high risk privileges to a different components using different database credentials, thereby segregating the risk that highly privileged operations have. Though the tool cannot help rearchitect an application, it can provide the list of permissions required and reviewing the list can provide a useful look at the necessary permissions.

The tool is now open sourced and available on iSEC's GitHub page. It does not support every kind of potential SQL Statement that can be executed, but covers the most common queries used in runtime application scenarios. The tool uses assemblies only available from SQL Server Profiler, so this will require a SQL Server version that includes Profiler installed locally, even if using trace files. Notably, that does not include the SQL Express editions. These assemblies are not included in the tool, and are not available for redistribution. It has been tested on SQL Server 2012 and 2014, though it likely works on other editions as the underlying profiling and tracing technology has not significantly changed.

Good luck, and have fun locking down everything!

Vulnerability Overview: Ghost (CVE-2015-0235)

27 Jan 2015 - Valentin Leon, Jeremiah Blatz

Executive Summary

An alert about a severe vulnerability discovered by the Qualys security team was issued on Tuesday, January 27 2015. This vulnerability allows a local or remote attacker to execute code within the context of an application linked with certain versions of the glibc library. The vulnerability is triggered by a buffer overflow in the gethostbyname() function, called when resolving a hostname to an IP.

Immediate patches are required to fix a vulnerability in glibc that allows arbitrary code execution from unauthenticated users. It is necessary to restart computers or processes following patching.

Ghost enables code execution, arbitrary data disclosure, and system compromise from unauthenticated remote attackers. The ways that a system could be vulnerable to this bug are numerous, and no exhaustive list could be compiled. Patching is required immediately, as a proof-of-concept is soon to be publicly released.

What is vulnerable?

This vulnerability has been in production glibc versions since November 2000, and was patched in source code since May 2013:

  • glibc 2.2 through 2.17 (inclusive) are vulnerable
  • glibc 2.18 through 2.20 (inclusive) are NOT vulnerable
  • prior versions of glibc (<= 2.1.3) are NOT vulnerable

Even if you are not directly using the gethostbyname() function, a large number of software packages incorporate the call and are vulnerable.

Service and software that can be exploited include, but is not limited to:

  • clockdiff
  • procmail
  • pppd (SUID root)
  • Exim Internet Mailer

An exploit has been written against Exim, and a working PoC is soon to be publicly disclosed.

Who is vulnerable?

  • Organizations that ship applications statically linked against vulnerable versions of glibc, or ship appliances built on Linux distributions that have a vulnerable version of glibc. This includes virtual appliances/virtual machines.
  • Organizations or end users that have a Linux desktop or server running with a vulnerable version of glibc, or use applications statically linked against a vulnerable version of glibc. This also extends to appliances and virtual machines. Since this vulnerability has been present in glibc for over a decade, out of date or EOL'd devices are likely to be vulnerable as well.

The following Linux distributions contains a vulnerable version of the glibc:


Ubuntu

10.04 LTS fix available fixed in libc6 2.11.1-0ubuntu7.20
12.04 LTS fix available fixed in libc6 2.15-0ubuntu10.10
14 and newer not vulnerable


Debian

6.x - squeeze vulnerable
6.x - squeeze (LTS) vulnerable
7.x - wheezy vulnerable
7.x - wheezy (security) fix available fixed in glib 2.13-38+deb7u7
8.0 - jesse not vulnerable
dev - sid not vulnerable


Red Hat Enterprise

fix information
Desktop (v. 5) fix available fixed in glibc-2.5-123.el5_11.1
Desktop (v. 6) fix available fixed in glibc-2.12-1.149.el6_6.5
Desktop (v. 7) fix available fixed in glibc-2.17-55.el7_0.5
HPC Node (v. 6) fix available fixed in glibc-2.12-1.149.el6_6.5
HPC Node (v. 7) fix available fixed in glibc-2.17-55.el7_0.5
Server (v. 5) fix available fixed in glibc-2.5-123.el5_11.1
Server (v. 6) fix available fixed in glibc-2.12-1.149.el6_6.5
Server (v. 7) fix available fixed in glibc-2.17-55.el7_0.5
Server EUS (v. 6.6.z) fix available fixed in glibc-2.12-1.149.el6_6.5
Workstation (v. 6) fix available fixed in glibc-2.12-1.149.el6_6.5
Workstation (v. 7) fix available fixed in glibc-2.17-55.el7_0.5
RHEL 4 ELS fix available fixed in glibc-2.3.4-2.57.el4.2


Mint

13 "Maya" fix available Tracks Ubuntu 12.04, should get update from Ubuntu servers
17 "Qiana" not vulnerable
17.1 "Rebecca" not vulnerable


Gentoo

libc information
stable not vulnerable  uses glibc 2.19-r1


Arch

fixed in all releases since August 2013, discussion here and package info here
anything recent not vulnerable


Fedora

discussion
19 and earlier vulnerable uses glibc 2.17 and earlier
20 not vulnerable uses glibc 2.18
21 not vulnerable uses glibc 2.20


Mandriva Linux

all vulnerable appears to use glibc 2.16


openSUSE

vulnerability information
Enterprise 11 & older vulnerable
Enterprise 12 not vulnerable
openSUSE 13.1 & newer  not vulnerable


Slackware

current not vulnerable uses glibc 2.20
14.1 and earlier vulnerable uses glibc 2.17 and earlier


Knoppix

information about glibc versions
7.2 and earlier vulnerable uses glibc 2.17 and earlier
7.4 and later not vulnerable uses glibc 2.19 and later


Slax

all vulnerable appears to use glibc 2.15


CentOS

CentOS-5 fix available fixed in glibc-2.5-123.el5_11
CentOS-6 fix available fixed in glibc-2.12-1.149.el6_6.5
CentOS-7 fix available fixed in glibc-2.17-55.el7_0.5

Patching

iSEC and Matasano recommend performing the following discovery and remediation steps.

Discovery

First, determine if your Linux is vulnerable. Either consult the table above, contact your vendor, or get the version from the version from the library itself. To do the latter, run locate libc.so.6 to find the location of your libc, then run that file, and it will print out version information.

Fix

If your distribution has patches available, install those patches. Otherwise:

  • Update to glibc 2.18 or newer
  • Restart all processes that load the glibc library
  • Issue new binaries for software statically linked against a vulnerable version of the glibc library.

Technical Overview

The _nsshostnamedigitsdots() function of the GNU C Library (glibc) is vulnerable to a buffer overflow. This function incorrectly calculates the size of a buffer to allocate, and under certain circumstances, arbitrary data can overwrite adjacent memory resulting in a heap based buffer overflow. While only a maximum of four (4) bytes of memory can be overwritten, it has been demonstrated that this was enough to bypass exploitation mitigations (such as ASLR and PIE) and grant code execution. The __nss_hostname_digits_dots() function is usually not called directly but is called from the gethostbyname() and gethostbyname2() glibc functions.

In practice, this can be exploited whenever the hostname passed is long enough (at least 1KB) and passes other sanity checks:

  • The hostname is composed entirely of digits and dots
  • The hostname starts and ends with a digit
  • The hostname must be of the form of a, a.b, a.b.c or a.b.c.d

References

Jailbreak, updated and open-sourced

19 Jan 2015 - Jason Copenhaver

Jailbreak allows a user to export certificates from Microsoft certificate stores even if the certificate has been marked as non-exportable; this can be useful if you need to make backups of the certificates or perform some other form of testing. The utility was first released in 2007, but at that time was closed source and OS version dependent, as it patched DLLs in memory. The new 4.0 release maintains all of the previous functionality but is now open source (under a BSD license) and uses a function hooking approach to remove OS version dependencies. There are pre-compiled binaries that should work on all versions of Windows from Windows XP up to Windows 8.1 on 32-bit and 64-bit systems.

A Simple DLL Injection Utility

29 Oct 2014 - Nicolas Guigo

NCLoader is a simple command-line DLL injection tool for windows. It takes a PID or process name as parameter and accounts for systems with a high number of running processes. Being single-featured, the utility aims for simplicity with its single C code file implementing the well known VirtualAllocEx+WriteProcessMemory+CreateRemoteThread method. The code aims for cleanliness (no warnings compilation on MSVC), readability and includes verbose error checking. Statically compiled binaries for x86 and x64 architectures are provided.

Check out the ncloader repository.