Ouch, TLS MITM bugs are never fun; someone is having a very bad couple of weeks. I'm not sure why they put code signing first, that matters far less.

# Jan 14, 2020 19:58
|
BangersInMyKnickers posted: Windows Update, SCCM agent, WSUS, Java Updater, Adobe Updater, AV updaters are all going to be using code signature validation to make sure the packages they are running are legit and either already have system privs or will be implicitly trusted by the user if they throw a UAC dialog for update. The TLS intercept is less of a problem if you can still rely on code signing, but you can't and that gives you a pre-built foothold
TLS MITMs are enough for full device control even without code signing compromises. I've found bugs like this in other things and they are not fun times. E: https://twitter.com/taviso/status/1217157205939519489
apseudonym fucked around with this message at 21:21 on Jan 14, 2020
# Jan 14, 2020 21:17
|
Malloc Voidstar posted: https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF
If the NSA is going to be doing more disclosures like this I hope it'll improve the quality of vuln disclosure. No clever name or lovely marketing, it's refreshing.

# Jan 15, 2020 01:13
|
redleader posted: oooh, nosebleed

# Jan 15, 2020 01:38
|
ewiley posted: well gently caress that was fast
tqbf spoiled the math on twitter/HN yesterday, so it's only a handful of openssl EC math calls to generate your own bad cert (I recommend a CA).

# Jan 16, 2020 04:15
|
Cocoa Crispies posted: tqbf and idlewords are the only good people on the orange website
I respect that he continues to smack down bad opinions on the orange site; I gave up years ago.

# Jan 16, 2020 04:31
|
Jabor posted: let me check my understanding for a moment:
Not quite on the bug part. The issue is that they allow explicitly specified curves; that's bad and an RFC violation (this is yet another example of flexibility in security code being a fuckup). You can provide a new curve with otherwise similar properties but with a new G. Stealing from tqbf's post: if you generate a new key x and choose a new G' = 1/xQ, then your public key is the same as Q through basic algebra. But you're on a different curve, and in correct usage that shouldn't matter since that curve isn't what the client is using. ASN.1 encoding for ECParams lets you do named curves but also explicitly set all the values, though only the named version is 'allowed'. Microsoft in their implementation mistakenly honored explicit curves in the certificate, and here we are. Let me post some explicit values here real quick from my other machine.

# Jan 16, 2020 05:48
|
For example, we're going to use the USERTrust ECC Certification Authority cert, because it has the honor of being the alphabetically first EC cert in my cadir. Here's the SPKI code:
For all the values for secp384r1 see `openssl ecparam -name secp384r1 -param_enc explicit -text`; it's a bit long to paste but you can see the standard G there. I don't know x (obviously) on secp384r1, but let's make a new fancy curve with all the parameters of secp384r1 _except_ we set G = Q above. Here's the EC params for that. code:
If you do ECDSA on this curve I can obviously show I have the private key corresponding to the public key Q _on this curve_, even though I don't know it on secp384r1 and can't do anything there. In a correct TLS client, when I send my signature on my new curve you will reject it as invalid, because it's an explicitly specified curve and you're a strong TLS stack who doesn't let servers tell you what to do. Microsoft however honored the explicit curve, and here's the shenanigans. Now, you can sign your evil.com certificate using your 'ca' on the new curve with the key (1, Q), and if it's accepted you haven't patched.* * Haven't tested with this cert, because , but I'll add it to my mitm testing suite and run it once I eat some food.

# Jan 16, 2020 06:11
|
Alright, got the MITM working and published. I had to touch openssl's C APIs again and that made me sad. Since this is the fuckup thread: some more on the bug. The CA I use has a Subject/Issuer that I made up, no AKI or any v3 extensions, but an SPKI from what I posted; that Windows considered this trusted says a lot about their path building/checking. It was mistaken for the legit root that I only share the Q, p, a, b values with. When path building you eventually have to end up at your locally trusted roots (or die), but they seem to be doing a match based just on the SPKI of my root cert. That's not inherently insane, since TrustAnchors are just an SPKI and a name in a cert, but for my cert to have been mistaken for the CA it means that code is doing a limited comparison check of the SPKI. If they checked the encoded bytes mine would fail, and if they did any curve name based checks it would also fail. It may be that they either only checked the pub field (and not the curve parameters) for equality, or maybe only did a, b, P and not G. Either way, had they not supported explicit curves in that field they might have lucked out, or if they used the SPKI from the trust anchor and not from the server provided cert. Since I doubt they always do the SPKI check: I'd bet that in the event path building gets stuck, instead of rejecting it does a last ditch attempt looking through the trust anchors for an anchor with a 'matching' SPKI. This could maybe help you in a scenario where a CA has multiple names for the same key and the server presents without cross signing certs one you don't have. TLS changes are measured based on how many servers you break connections to, so compat hacks are totally a thing, but I'm just guessing at this point. TL;DR: lol at the person on twitter saying it would take months to actually use; the disclosure gives enough away that most of the work is dealing with openssl to craft the certificate. Difficulty 3/10.

# Jan 16, 2020 11:22
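The algebra from the three posts above (a G' chosen so the real root's Q is your public key on the new curve, and an SPKI match that skips G letting the spoof through), as an added example that is not code from the thread or from the tools it mentions: pure-Python P-384 arithmetic using the standard secp384r1 constants, with constructed scalars, shown beside the verifier-side comparisons that do and do not catch it.

```python
# Added example, not from the thread. Curve constants are the standard secp384r1 values.
P = 2**384 - 2**128 - 2**96 + 2**32 - 1
A = P - 3
B = 0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef
N = 0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973
G = (0xaa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7,
     0x3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f)

def add(p1, p2):
    """Affine point addition on y^2 = x^3 + A*x + B over GF(P); None is the identity."""
    if p1 is None: return p2
    if p2 is None: return p1
    x1, y1 = p1; x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0: return None          # P + (-P) = identity
    if p1 == p2: lam = (3*x1*x1 + A) * pow(2*y1, -1, P) % P   # tangent slope
    else: lam = (y2 - y1) * pow(x2 - x1, -1, P) % P           # chord slope
    x3 = (lam*lam - x1 - x2) % P
    return (x3, (lam*(x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = None
    while k:
        if k & 1: acc = add(acc, pt)
        pt = add(pt, pt); k >>= 1
    return acc

def explicit_params(gen, pub, named=None):
    """Model of an SPKI as a verifier sees it: curve parameters plus the public point Q."""
    return {"named": named, "p": P, "a": A, "b": B, "G": gen, "n": N, "Q": pub}

def spoofed_spki(real_pub, x2):
    """Same p, a, b and the same Q as the real root, but G' = x2^-1 * Q, so x2 * G' = Q."""
    g2 = mul(pow(x2, -1, N), real_pub)
    return explicit_params(g2, real_pub), x2

def named_curve_only(spki):
    """The RFC rule the post cites: accept namedCurve parameters, never explicit ones."""
    return spki["named"] is not None

def same_key_partial(s1, s2):
    """Comparison that ignores the generator: the mistake that lets the spoof 'match'."""
    return all(s1[k] == s2[k] for k in ("p", "a", "b", "Q"))

def same_key_full(s1, s2):
    """Compare every parameter; G differs, so the spoof no longer matches the anchor."""
    return s1 == s2
```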
|
Rufus Ping posted: Yeah specifically it's when retrieving certs from an internal cache (everyone seems to be missing this - it's why you need to warm the verifier up with a legit cert first), which is keyed on too little information and was not subsequently checked properly
Huh, it does? I was attacking 100% of TLS connections after boot and it worked. One must have slid through.

# Jan 16, 2020 16:42
|
Rufus Ping posted: Depending on which root you spoofed something else may have cached it during startup (I imagine all sorts of telemetry and update checks go over TLS)
Huh. I was avoiding reading most of the writeups to avoid spoiling my fun; looks like I might have gotten a bit lucky. Cert caches and caching state are pretty dangerous; I got a less bad than this MITM CVE in Android's old stack for doing that. I'm surprised they are doing what looks like a contains on the cache and not getting the cert from the cache and using that for the chain check.

# Jan 16, 2020 17:29
|
Rufus Ping posted: Maybe something on disk was verified using the same code path. Cab files?
Could be, no clue. I don't really do much with my desktop besides lovely video games. Openssl was definitely the biggest pain for this; I tried for an hour to see if I could do it without going down to the APIs, but it looked like too much of a pain so I wrote a stupid C program instead. It wasn't so bad, except it's been like 8 years so I had to reread all the docs, and I hate those APIs. If anyone wants it I can upload the source for generating the PEM private key given a group and a pubkey; it's not complicated, but in case you too hate

# Jan 16, 2020 17:41
|
Happy to help. I added it to nogotofail so you can test for this (and maybe have fun).

# Jan 16, 2020 18:16
|
Subjunctive posted: There's a little ruby snippet that does all the work:
Mother fucker. The python bindings for openssl don't let you touch the values in the key/group.

# Jan 16, 2020 21:10
|
Vapor Moon posted: All my discords are going mad about this Windows CVE and I'm a big dumby so is it as bad for random shmoes as they are making it out to be or just good ol media frenzy?
Arbitrary MITMs are rather bad.

# Jan 16, 2020 21:12
|
Djeser posted: it's bad, but your gaming pc and porn stash are probably not high value targets
My games and somethingawful.com credentials are serious business OK

# Jan 16, 2020 21:21
|
BangersInMyKnickers posted: http://mailman.icsi.berkeley.edu/pipermail/zeek/2020-January/014922.html
By scanning the certificates, yes (the bad cert isn't the one you are talking to, it's the issuer), but in TLS 1.3 the certificates are encrypted so you cannot do passive network detection of it. Welcome to the future where jury-rigged passive network detection flat obviously doesn't work instead of giving you warm feelings while not working. Patch your devices.

# Jan 16, 2020 22:54
|
James Baud posted: Just MITM all the TLS1.3 with your enterprise CA instead of "most" TLS1.2.
Your MITM appliance probably has its own dumb set of MITM bugs.

# Jan 17, 2020 02:10
|
Subjunctive posted: I used netscalers before the Citrix acquisition and they were awful then too. many pained exchanges with their support and engineering to discover that the documentation was omitting yet another way in which they violated the HTTP spec
What's a few MUSTs and MUST NOTs between friends.

# Jan 21, 2020 22:36
|
haveblue posted: you can back up iphones locally with encryption through itunes sync, is that an option on android?
No, but e2e cloud encrypted backups are the default.
apseudonym fucked around with this message at 01:09 on Jan 24, 2020
# Jan 24, 2020 01:07
|
Subjunctive posted: OK, so what should I tell people to do then? It seems like "don't grant accessibility permissions" is the closest thing that would actually prevent this class of attack (which then uses those permissions to disable the Play Protect stuff, natch), but that's not very easy to explain to people. Certainly not as easy as "only install from the Play Store", so you got my hopes up!
Granting accessibility requires a lot of clicks through UI that's clearly marked accessibility. "Don't grant accessibility regardless of the pitch" is a good thing to say. Only install from the Play Store is in practice the simplest; the numbers of bad there are still less than any other machine they own. e: this thread still doesn't know much about mobile anything

# Mar 2, 2020 20:08
|
Google Authenticator doesn't support cloud backups but does support device to device setup flows
Subjunctive posted: can apps opt out of accessibility access?
apseudonym fucked around with this message at 17:55 on Apr 6, 2020
# Apr 6, 2020 17:53
|
D. Ebdrup posted: any os with sufficient debug tracing can let root snoop on passwords, for example windows, macos, probably ios, and freebsd all have dtrace
Any OS that lets you dtrace other things isn't a secure OS tho

# Apr 7, 2020 02:21
|
haveblue posted: apple will review your entitlements and there's a subset of keys that will require you to explain to a human a really really good reason you need to use it before they approve your app. dtrace is almost certainly on that list if it's even available on the publish to App Store target (haven't checked)
Apple enables some pretty scary entitlements, but dtrace on a production phone would be pretty insane.

# Apr 7, 2020 07:30
|
haveblue posted: https://siguza.github.io/psychicpaper/
And their fix was to have more parsers, which means there are likely more of these bugs out there. Don't assume multiple parsers for anything complicated behave identically, kids.

# May 4, 2020 17:23
|
ewiley posted: I mean the fact that there's still a market for iOS exploits means Apple is doing something right wrt security. I've never even heard of a saleable Android exploit since it's just easier to get someone to install mrHands.apk or whatever directly.
Android exploits cost more than iOS ones before this.

# May 13, 2020 17:17
|
Hamled posted: Presumably Zerodium's pricing table is more marketing bullshit than an actual quote... but given that they include a wide variety of Android-based exploit items on it they must be in the market for them, right?
They are in the market for both, and while the numbers are only one example the relative comparisons match other folks I've talked to. Apple doesn't have nearly enough defense in depth and has way too much memory unsafe code; that combo hurts. Their hardware mitigations are cool and I envy the speed they can do em, but mitigations are your last ditch effort, not your first line, and people are starting to realize those things aren't magical.

# May 13, 2020 19:27
|
mystes posted: It amazes me how much of this weird legacy stuff there is in windows like this printer port functionality that nobody understands but which turns out to be insecure as soon as someone bothers to look at it.
Before I started working in OSes I liked to laugh at Windows for all the backwards compat things that were arguably not used by anyone but still around. Now, having gone through the hellish exercise to remove old bad things a bunch of times, I sympathize; it's agony to rip old poo poo out like that, probably no one is around who understands the whole thing anymore, and it's the least fun way to spend your time.

# May 13, 2020 23:36
|
Lain Iwakura posted: hi. i am still alive
Glad you're still alive, nadim is loving scum.

# May 15, 2020 00:53
|
Optimus_Rhyme posted: Glad you're ok.
poo poo my friend does(?) security there

# May 15, 2020 04:18
|
Optimus_Rhyme posted: Bunch of infosec ppl I follow that worked there got laid off today

# May 15, 2020 04:54
|
The Fool posted: I feel out of the loop, who's the shitbag?
A bad person who doesn't deserve the space in your brain needed to fit his awfulness.

# May 16, 2020 02:33
|
Varkk posted: I always thought the main problem with Java was that any one with half a pulse could vomit some code towards an IDE, it would then compile and run. Unlike other languages where if you didn't get most stuff 99% correct it would fail to compile with an unhelpful message. This lead to a bunch of poorly coded Java apps becoming mission critical.
Is your baseline here C++ or something?

# May 29, 2020 23:27
|
A Man With A Plan posted: Haha yeah I was thinking as a professional C developer, you don't get the code that handles itself but when it does compile, you get something suited for this thread
If you write it in C you get something suited for this thread.

# May 29, 2020 23:44
|
ratbert90 posted: Modern C++ is good op.
Which definition of modern C++ are we going for? Show me a large C++ code base that doesn't have basic security vulnerabilities. Memory unsafety is a secfuck in 2020.

# May 29, 2020 23:51
|
The Iron Rose posted: https://bhavukjain1.github.io/blog/2020/05/30/zeroday-signin-with-apple/
And Apple forced developers to use Apple signin, oof.

# May 30, 2020 18:34
|
Subjunctive posted: because of some complicated rotation thing they were trying to do, which apparently didn't actually rotate anything anyway
It sounds like once it rotated it was OK, but before then it was using 0. Session resumption is such a footgun, though gnutls really went out of their way to make it especially footguny with the custom TOTP thing.

# Jun 9, 2020 00:55
|
Subjunctive posted: maybe I misinterpreted this tweet?
Oh, I didn't see that last one, you're right.

# Jun 9, 2020 01:59
|
Jabor posted: My interpretation was that the master key was okay, but before the first rotation it was using all-0s as the ticket key.
TOTP is supposed to protect against leaks of other keys, not the master key (TOTP still makes no sense for this).

# Jun 9, 2020 02:35
|
|
Jabor posted: Half the reason you rotate your ticket keys is so that someone who compromises your server can't use the information they discover to read every single message ever sent to it that they've got squirreled away in a datacenter somewhere - they only get the stuff proximate to when they compromised the server.
Yeah, TOTP doesn't make sense here.

# Jun 9, 2020 02:57