SlideShare a Scribd company logo

Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014

Download as PPTX, PDF
Jakub Kałużny, profile picture
Jakub Kałużny

The document presents a detailed analysis of vulnerabilities associated with proprietary protocols in various applications such as home automation, pull printing, and remote desktop systems. It outlines penetration testing methodologies, case studies, and security recommendations for architects and developers to mitigate risks. Key points include the necessity for secure development practices, the use of proper encryption, and awareness of potential attack vectors.

1 of 49
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
Shameful secrets of proprietary protocols Sławomir Jasek Jakub Kałużny
Who are we • Pentesters @ SecuRing • Security assessments of applications, networks, systems... Sławomir Jasek Jakub Kałużny
Agenda • Case studies – proprietary protocols – Home automation – Pull printing #1 – Remote desktop – Pull printing #2 – Trading • Cheatsheet for architects & developers • How to hack it
Proprietary network protocols • A pentester will encounter one • Don’t have the protocol specs nor tools to attack it • How to hack it? • decompile the client? • search for some tools? • watch the raw packets? • Let’s try! https://www.flickr.com/photos/canonsnapper/2566562866
Home automation remote control ● „Plug the device, configure your router for port forwarding (and dynamic dns if necessary), set password.” ● Proprietary TCP protocol, direct connection from Internet to device, password protected access http://www.flickr.com/photos/99832244@N07/9436065073/
Protocol – a few packets ab 55 41 00 15 39 64 64 34 65 34 36 31 32 36 .UA..9dd 4e46126 02 01 00 00 a9 39 64 64 34 65 34 36 31 32 36 .....9dd 4e46126 aa 55 41 00 14 39 64 64 34 65 34 36 31 32 36 .UA..9dd 4e46126 ab 55 41 00 15 39 64 64 34 65 34 36 31 32 36 .UA..9dd 4e46126 0c 02 00 00 a4 39 64 64 34 65 34 36 31 32 36 .....9dd 4e46126 aa 55 41 00 14 39 64 64 34 65 34 36 31 32 36 .UA..9dd 4e46126 aa 53 41 02 01 01 f0 f1 f1 f1 f1 00 be f1 f1 00 .SA..... ........ c4 00 e1 f1 f1 f1 f1 f1 f1 f1 f1 f1 f1 f1 f1 f1 ........ ........ f1 f1 f1 00 64 00 00 00 01 00 f0 f0 0a f1 00 02 ....d... ........ 0f 0f e7 S E R V E R C L I E N T
And what if we change the password? Password 1: Password 2 Password 3
Home automation protocol Internal command (5 bytes) MD5(password) – first 10 bytes Status returned by the appliance (sensors, settings, etc).
Home automation - failures ● Sniffing ● MITM ● Connect directly to the appliance - sniffed hash is enough ● Recommendation: SSL!
Home automation - SSL • Vendor: OK, we have added SSL support! sslcontext = SSLContext.getInstance("TLS"); atrustmanager = new TrustManager[1]; atrustmanager[0] = new EasyX509TrustManager(null); sslcontext.init(null, atrustmanager, null); • Empty TrustManager – accepts all certificates
Side effect How to build your own appliance: socat tcp4-listen:1234,fork,readbytes=5 /dev/ttyUSB0,vmin=51 And for the new version with SSL support: socat openssl-listen:1234,key=s.key, cert=s.crt,verify=0,fork,readbytes=5 /dev/ttyUSB0,vmin=51
Pull Printing Solutions
Why hack pull printing? • Widely used • Confidential data • Getting popular
Threat modelling – key risks sniffing print queues accountability users’ data
Attack vectors Other users’ data Access to other print queues Sniffing, MITM Authorization bypass User/admin interface vulnerabilities
Pull Printing #1 – access control “With its roots in education and the full understanding that college kids “like to hack”, our development processes continually focus on security.” “Secure print release (…) can integrate card-swipe user authentication at devices (…) ensuring jobs are only printed when the collecting user is present.”
Pull Printing #1 – binary protocol S E R V E R P R I N T E R HELLO USER: user1 token HASH(password + token) Password ok Release my print queue OK Just copied 100 pages
Charge user “guest-xyz” for copying 100 pages Pull Printing #1 – closer look Release my print queue Just copied 100 pages User permissions beginDeviceTransaction (…) guest-xyz Release print queue for user “guest-xyz” S E R V E R P R I N T E R
Pull printing #1 - consequences sniffing print queues accountability users’ data
Pull printing #1 - vendor gets notified • Gave access to KB and support service • And all versions of software • Responded in few hours and patched in few days • Was happy to be pentested
Remote desktop protocol • X-win „on steroids” (encryption, compression, access control...) • Mainframe access for critical business operations • „More than 100,000 users around the world” • „Prevents unauthorized eavesdropping FIPS 140-2 Validated End-to-end data encryption” http://en.wikipedia.org/wiki/X_Window_System_protocols_and_architecture
Remote desktop protocol 00000000 0b 00 00 00 .... C L I E N T S E R V E R 00000000 01 01 00 00 .... 00000004 16 03 00 00 6d 01 00 00 69 03 00 52 8d e8 02 cf ....m... i..R.... 00000014 88 d3 96 14 f4 a3 7c 47 f3 0d 85 57 58 d6 c9 f7 ......|G ...WX... 00000024 18 24 95 15 2e 05 82 27 b7 1e ff 00 00 42 00 3a .$.....' .....B.: 00000034 00 39 00 38 00 35 00 34 00 33 00 32 00 2f 00 1b .9.8.5.4 .3.2./.. 00000044 00 1a 00 19 00 18 00 17 00 16 00 15 00 14 00 13 ........ ........ 00000054 00 12 00 11 00 0a 00 09 00 08 00 07 00 06 00 05 ........ ........ SSL 00000000 01 00 00 00 .... 00000004 11 01 30 0d 08 03 f1 00 00 00 00 00 00 00 00 00 ..0..... ........ 00000014 00 ff ff 7f 00 00 01 ac 3d 08 08 68 69 6a 61 63 ........ =..hijac 00000024 6b 65 64 0a 30 35 31 45 31 45 31 41 32 36 00 01 ked.051E 1E1A26.. 00000000 01 00 00 00 .... LOGIN ENCODED PASSWORD
Password [redacted] Communications Limited 54657374696e6750617373776f72643132333454657374696e6750617373776f7264TestingPassword1234TestingPassword XOR 1c101e1900000032080117572c1d095c475d5d3704071d060014702d1a1e1e1b1700 = 48756d6d696e676269726420436f6d6d756e69636174696f6e73204c696d69746564
C L I E N T CLIENTHELLO! cipher suites: SSL_DHE_RSA_WITH_AES_256_CBC_SHA SSL_DHE_DSS_WITH_AES_256_CBC_SHA SSL_RSA_WITH_AES_256_CBC_SHA (...) default configuration SERVERHELLO! I don’t have any certificate! cipherSuite: SSL_DH_anon_WITH_AES_256_CBC_SHA OK, no problem! You have to be the right server if you say so, don’t you? Remote Desktop - SSL S E R V E R
C L I E N T CLIENTHELLO! certificates configured SERVERHELLO! Certificate Non-anonymous cipher suites: (...) 1st connection: OK, certificate stored! Following connections: OK, certificate valid / ALERT: MITM ATTACK! SERVERHELLO! I don’t have any certificate! cipherSuite: SSL_DH_anon_WITH_AES_256_CBC_SHA I have your certificate, but since you don’t offer it any more, I won’t check it. OK, let’s connect! S E R V E R Remote Desktop - SSL
Remote desktop protocol - vendor • „We don’t know PGP, use zip with our CEO’s name as password” • Do not plan to solve the issues (?) • > /dev/null 2>&1 • Full disclosure! • ... and a few weeks later the mysterious shut down of our beloved ;)
Pull Printing #2 - encryption “is a modern printing solution that safeguards document confidentiality and unauthorized access to print, scan, copy and e-mail functions. Its user-authentication provides air-tight security on your shared MFPs that function as personal printers.”
Vendor ensures „Documents are delivered only into the right hands” „Information is kept confidential. No risk of being left unattended at the printer” „Document collection is safe anytime and anywhere — no “print and sprint”.” „Integration with other enterprise applications and workflows is kept secure through single sign-on”
Pull Printing #2 – binary protocol First look on communication: • TCP, 2 ports • No cleartext, no SSL • Seems to follow some scheme…
Ex1: Deeper sight on traffic S E R V E R P R I N T E R constant 263B 96B, “X” B, 128B always different 64 B many identical 16B blocks HELLO HELLO, CERTIFICATE SESSION KEY PostScript, ECB mode https://en.wikipedia.org/wiki/ECB_mode
Pull Printing #2 - Reverse- engineered • Hardcoded RSA certificate in printer embedded software • No trust store • AES-128 ECB used for traffic encryption • Same protocol in admin interface
Pull Printing #2 - Consequences sniffing print queues accountability users’ data
“Many of the devices do not have the CPU power that allows a fast login response and at the same time establish a high security level” For example changing ECB to CBC mode encryption will be more CPU intensive and introducing that may cause slower performance of the devices, which the customers are very reluctant to see implemented.” Pull Printing #1 - vendor gets notified “(…) system has been deployed at many high security customers and has passed internal audits.”
● An online application for instant financial operations ● A proprietary, binary protocol, designed in order to minimise delays ● TCP in SSL tunnel https://www.flickr.com/photos/tradingrichmom/5571144428/ Trading protocol
Trading protocol – a few packets
That’s interesting!
That’s interesting!
And what if we...
And how about...
<soapenv:Body> <registerUserResponse soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> <registerUserReturn xsi:type="xsd:string"> &lt;error code=&quot;266&quot; &gt;Incorrect login&lt;/error&gt; </registerUserReturn> </registerUserResponse> </soapenv:Body> • Incorrect password • Incorrect first name • Group with name null doesn't exist • Group with name admin doesn't exist • Group with name Administrator doesn't exist • And how about „root”? RegisterUser
Game Over <soapenv:Body> <registerUserResponse soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> <registerUserReturn xsi:type="xsd:string"> User was registered sucessfully with id=5392745 </registerUserReturn> </registerUserResponse> </soapenv:Body> So now we can manage all the other accounts and spend their money!
Architecture
Cheat sheet – owners While deploying a proprietary solution: • Get it pentested • Verify vendor claims • Ask the vendor for secure development lifecycle, procedures of addressing vulnerabilities, previous bugs
Cheat sheet - developers • Protocol is NOT secure by its secrecy • Proper encryption. Use known standards, implement them with care. • Input validation, access control, many layers of security, least privilege principle... • Beware backwards compatibility
How to hack protocols? Decompile client? Inject code? Search for the specs? Use some tools? Watch the packets? https://www.flickr.com/photos/nkphillips/2865781749
Look for the fine manual • There may be unofficial client, or e.g. wireshark plugin • Ask for the docs  • Search for them – Yes, we have found internal protocol specification by google hacking!
Decompile client • Sometimes easy – e.g. not obfuscated Android application: byte abyte3[] = pass.getBytes(); byte abyte4[] = MessageDigest.getInstance("MD5").digest(abyte3); String s1 = ""; for(int j = 0; j < 10; j++) s1 = (new StringBuilder()).append(s1).append(toHexString(abyte4).charAt(j)).toString(); System.arraycopy(s1.getBytes(), 0, abyte1, 5, 10); • Sometimes really hard & time consuming. • May be fun, but often leads astray
Watch the packets • Various tools to analyze proprietary protocols – time consuming, usually do not work • Raw, just try to spot some scheme – of course with a little help of your friends: wireshark, tcpdump, ssldump etc. • Your favourite scripting language
Q&A? slawomir.jasek@securing.pl jakub.kaluzny@securing.pl www.securing.pl

More Related Content

PPTX
BSides London 2015 - Proprietary network protocols - risky business on the wire.
Jakub Kałużny
 
PDF
Zeronights 2015 - Big problems with big data - Hadoop interfaces security
Jakub Kałużny
 
PDF
Big problems with big data – Hadoop interfaces security
SecuRing
 
PDF
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Priyanka Aash
 
PDF
Defcon 22-david-wyde-client-side-http-cookie-security
Priyanka Aash
 
PPTX
BlueHat v17 || Raising the Bar: New Hardware Primitives for Exploit Mitigations
BlueHat Security Conference
 
PDF
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Priyanka Aash
 
PDF
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Shakacon
 
BSides London 2015 - Proprietary network protocols - risky business on the wire.
Jakub Kałużny
 
Zeronights 2015 - Big problems with big data - Hadoop interfaces security
Jakub Kałużny
 
Big problems with big data – Hadoop interfaces security
SecuRing
 
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Priyanka Aash
 
Defcon 22-david-wyde-client-side-http-cookie-security
Priyanka Aash
 
BlueHat v17 || Raising the Bar: New Hardware Primitives for Exploit Mitigations
BlueHat Security Conference
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Priyanka Aash
 
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Shakacon
 

What's hot (20)

PDF
Defcon 22-gregory-pickett-abusing-software-defined-networks
Priyanka Aash
 
PPTX
Lateral Movement - Phreaknik 2016
Xavier Ashe
 
PDF
Internal Pentest: from z3r0 to h3r0
marcioalma
 
PDF
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Sergey Gordeychik
 
PDF
Defcon 22-tim-mcguffin-one-man-shop
Priyanka Aash
 
PPT
Attacking Embedded Devices (No Axe Required)
Security Weekly
 
PPTX
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
PROIDEA
 
PDF
[CONFidence 2016] Jakub Kałużny, Mateusz Olejarka - Big problems with big dat...
PROIDEA
 
PPTX
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016
SecuRing
 
PPTX
External to DA, the OS X Way
Stephan Borosh
 
PDF
Corporations - the new victims of targeted ransomware
Cyber Security Alliance
 
PDF
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
Zoltan Balazs
 
PDF
Lateral Movement: How attackers quietly traverse your Network
EC-Council
 
PDF
Web security for developers
Sunny Neo
 
PDF
Socially Acceptable Methods to Walk in the Front Door
Mike Felch
 
PDF
Defcon 22-jesus-molina-learn-how-to-control-every-room
Priyanka Aash
 
PDF
Security events in 2014
Chong-Kuan Chen
 
PDF
Threat Con 2021: What's Hitting my Honeypots
APNIC
 
PPTX
Root via sms. 4G security assessment
Sergey Gordeychik
 
PPTX
ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...
Robert Conti Jr.
 
Defcon 22-gregory-pickett-abusing-software-defined-networks
Priyanka Aash
 
Lateral Movement - Phreaknik 2016
Xavier Ashe
 
Internal Pentest: from z3r0 to h3r0
marcioalma
 
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Sergey Gordeychik
 
Defcon 22-tim-mcguffin-one-man-shop
Priyanka Aash
 
Attacking Embedded Devices (No Axe Required)
Security Weekly
 
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
PROIDEA
 
[CONFidence 2016] Jakub Kałużny, Mateusz Olejarka - Big problems with big dat...
PROIDEA
 
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016
SecuRing
 
External to DA, the OS X Way
Stephan Borosh
 
Corporations - the new victims of targeted ransomware
Cyber Security Alliance
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
Zoltan Balazs
 
Lateral Movement: How attackers quietly traverse your Network
EC-Council
 
Web security for developers
Sunny Neo
 
Socially Acceptable Methods to Walk in the Front Door
Mike Felch
 
Defcon 22-jesus-molina-learn-how-to-control-every-room
Priyanka Aash
 
Security events in 2014
Chong-Kuan Chen
 
Threat Con 2021: What's Hitting my Honeypots
APNIC
 
Root via sms. 4G security assessment
Sergey Gordeychik
 
ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...
Robert Conti Jr.
 
Ad

Similar to Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014 (20)

PDF
Shameful secrets of proprietary network protocols
Slawomir Jasek
 
PDF
DEF CON 23 - CASSIDY LEVERETT LEE - switches get stitches
Felipe Prado
 
PDF
The 5 elements of IoT security
Julien Vermillard
 
PDF
SCADA deep inside: protocols and security mechanisms
Aleksandr Timorin
 
PDF
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
PROIDEA
 
PDF
Top 10 secure boot mistakes
Justin Black
 
PDF
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Shakacon
 
PDF
Scada deep inside: protocols and security mechanisms
Aleksandr Timorin
 
PDF
Revisiting atm vulnerabilities for our fun and vendor’s
Olga Kochetova
 
PPTX
Attacking SCADA systems: Story Of SCADASTRANGELOVE
Aleksandr Timorin
 
PPTX
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
EC-Council
 
PDF
OSMC 2024 | Building a better check_http by Mattias Schlenker.pdf
NETWAYS
 
PDF
Fundamentals of network hacking
Pranshu Pareek
 
PDF
Breaking Smart Speakers: We are Listening to You.
Priyanka Aash
 
PPTX
Information security & ethical hacking
eiti panchkula
 
PPTX
Automatski - The Internet of Things - Security in IoT
automatskicorporation
 
PPTX
Malware Analysis For The Enterprise
Jason Ross
 
PDF
Cloud adoption fails - 5 ways deployments go wrong and 5 solutions
Yevgeniy Brikman
 
PPTX
SSL Checklist for Pentesters (BSides MCR 2014)
Jerome Smith
 
PPTX
Shytikov on NTLM Authentication
shytikov
 
Shameful secrets of proprietary network protocols
Slawomir Jasek
 
DEF CON 23 - CASSIDY LEVERETT LEE - switches get stitches
Felipe Prado
 
The 5 elements of IoT security
Julien Vermillard
 
SCADA deep inside: protocols and security mechanisms
Aleksandr Timorin
 
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...
PROIDEA
 
Top 10 secure boot mistakes
Justin Black
 
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Shakacon
 
Scada deep inside: protocols and security mechanisms
Aleksandr Timorin
 
Revisiting atm vulnerabilities for our fun and vendor’s
Olga Kochetova
 
Attacking SCADA systems: Story Of SCADASTRANGELOVE
Aleksandr Timorin
 
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
EC-Council
 
OSMC 2024 | Building a better check_http by Mattias Schlenker.pdf
NETWAYS
 
Fundamentals of network hacking
Pranshu Pareek
 
Breaking Smart Speakers: We are Listening to You.
Priyanka Aash
 
Information security & ethical hacking
eiti panchkula
 
Automatski - The Internet of Things - Security in IoT
automatskicorporation
 
Malware Analysis For The Enterprise
Jason Ross
 
Cloud adoption fails - 5 ways deployments go wrong and 5 solutions
Yevgeniy Brikman
 
SSL Checklist for Pentesters (BSides MCR 2014)
Jerome Smith
 
Shytikov on NTLM Authentication
shytikov
 
Ad

More from Jakub Kałużny (6)

PDF
The Hacker's Guide to NOT Getting Hacked
Jakub Kałużny
 
PDF
Pentesting voice biometrics solutions - AusCERT 2017
Jakub Kałużny
 
PDF
Script based malware detection in online banking
Jakub Kałużny
 
PDF
ESA - Hacking the aerospace industry - should we worry ?
Jakub Kałużny
 
PPTX
Bypassing malware detection mechanisms in online banking
Jakub Kałużny
 
PPTX
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
Jakub Kałużny
 
The Hacker's Guide to NOT Getting Hacked
Jakub Kałużny
 
Pentesting voice biometrics solutions - AusCERT 2017
Jakub Kałużny
 
Script based malware detection in online banking
Jakub Kałużny
 
ESA - Hacking the aerospace industry - should we worry ?
Jakub Kałużny
 
Bypassing malware detection mechanisms in online banking
Jakub Kałużny
 
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
Jakub Kałużny
 

Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014

  • 1. Shameful secrets of proprietary protocols Sławomir Jasek Jakub Kałużny
  • 2. Who are we • Pentesters @ SecuRing • Security assessments of applications, networks, systems... Sławomir Jasek Jakub Kałużny
  • 3. Agenda • Case studies – proprietary protocols – Home automation – Pull printing #1 – Remote desktop – Pull printing #2 – Trading • Cheatsheet for architects & developers • How to hack it
  • 4. Proprietary network protocols • A pentester will encounter one • Don’t have the protocol specs nor tools to attack it • How to hack it? • decompile the client? • search for some tools? • watch the raw packets? • Let’s try! https://www.flickr.com/photos/canonsnapper/2566562866
  • 5. Home automation remote control ● „Plug the device, configure your router for port forwarding (and dynamic dns if necessary), set password.” ● Proprietary TCP protocol, direct connection from Internet to device, password protected access http://www.flickr.com/photos/99832244@N07/9436065073/
  • 6. Protocol – a few packets ab 55 41 00 15 39 64 64 34 65 34 36 31 32 36 .UA..9dd 4e46126 02 01 00 00 a9 39 64 64 34 65 34 36 31 32 36 .....9dd 4e46126 aa 55 41 00 14 39 64 64 34 65 34 36 31 32 36 .UA..9dd 4e46126 ab 55 41 00 15 39 64 64 34 65 34 36 31 32 36 .UA..9dd 4e46126 0c 02 00 00 a4 39 64 64 34 65 34 36 31 32 36 .....9dd 4e46126 aa 55 41 00 14 39 64 64 34 65 34 36 31 32 36 .UA..9dd 4e46126 aa 53 41 02 01 01 f0 f1 f1 f1 f1 00 be f1 f1 00 .SA..... ........ c4 00 e1 f1 f1 f1 f1 f1 f1 f1 f1 f1 f1 f1 f1 f1 ........ ........ f1 f1 f1 00 64 00 00 00 01 00 f0 f0 0a f1 00 02 ....d... ........ 0f 0f e7 S E R V E R C L I E N T
  • 7. And what if we change the password? Password 1: Password 2 Password 3
  • 8. Home automation protocol Internal command (5 bytes) MD5(password) – first 10 bytes Status returned by the appliance (sensors, settings, etc).
  • 9. Home automation - failures ● Sniffing ● MITM ● Connect directly to the appliance - sniffed hash is enough ● Recommendation: SSL!
  • 10. Home automation - SSL • Vendor: OK, we have added SSL support! sslcontext = SSLContext.getInstance("TLS"); atrustmanager = new TrustManager[1]; atrustmanager[0] = new EasyX509TrustManager(null); sslcontext.init(null, atrustmanager, null); • Empty TrustManager – accepts all certificates
  • 11. Side effect How to build your own appliance: socat tcp4-listen:1234,fork,readbytes=5 /dev/ttyUSB0,vmin=51 And for the new version with SSL support: socat openssl-listen:1234,key=s.key, cert=s.crt,verify=0,fork,readbytes=5 /dev/ttyUSB0,vmin=51
  • 13. Why hack pull printing? • Widely used • Confidential data • Getting popular
  • 14. Threat modelling – key risks sniffing print queues accountability users’ data
  • 15. Attack vectors Other users’ data Access to other print queues Sniffing, MITM Authorization bypass User/admin interface vulnerabilities
  • 16. Pull Printing #1 – access control “With its roots in education and the full understanding that college kids “like to hack”, our development processes continually focus on security.” “Secure print release (…) can integrate card-swipe user authentication at devices (…) ensuring jobs are only printed when the collecting user is present.”
  • 17. Pull Printing #1 – binary protocol S E R V E R P R I N T E R HELLO USER: user1 token HASH(password + token) Password ok Release my print queue OK Just copied 100 pages
  • 18. Charge user “guest-xyz” for copying 100 pages Pull Printing #1 – closer look Release my print queue Just copied 100 pages User permissions beginDeviceTransaction (…) guest-xyz Release print queue for user “guest-xyz” S E R V E R P R I N T E R
  • 19. Pull printing #1 - consequences sniffing print queues accountability users’ data
  • 20. Pull printing #1 - vendor gets notified • Gave access to KB and support service • And all versions of software • Responded in few hours and patched in few days • Was happy to be pentested
  • 21. Remote desktop protocol • X-win „on steroids” (encryption, compression, access control...) • Mainframe access for critical business operations • „More than 100,000 users around the world” • „Prevents unauthorized eavesdropping FIPS 140-2 Validated End-to-end data encryption” http://en.wikipedia.org/wiki/X_Window_System_protocols_and_architecture
  • 22. Remote desktop protocol 00000000 0b 00 00 00 .... C L I E N T S E R V E R 00000000 01 01 00 00 .... 00000004 16 03 00 00 6d 01 00 00 69 03 00 52 8d e8 02 cf ....m... i..R.... 00000014 88 d3 96 14 f4 a3 7c 47 f3 0d 85 57 58 d6 c9 f7 ......|G ...WX... 00000024 18 24 95 15 2e 05 82 27 b7 1e ff 00 00 42 00 3a .$.....' .....B.: 00000034 00 39 00 38 00 35 00 34 00 33 00 32 00 2f 00 1b .9.8.5.4 .3.2./.. 00000044 00 1a 00 19 00 18 00 17 00 16 00 15 00 14 00 13 ........ ........ 00000054 00 12 00 11 00 0a 00 09 00 08 00 07 00 06 00 05 ........ ........ SSL 00000000 01 00 00 00 .... 00000004 11 01 30 0d 08 03 f1 00 00 00 00 00 00 00 00 00 ..0..... ........ 00000014 00 ff ff 7f 00 00 01 ac 3d 08 08 68 69 6a 61 63 ........ =..hijac 00000024 6b 65 64 0a 30 35 31 45 31 45 31 41 32 36 00 01 ked.051E 1E1A26.. 00000000 01 00 00 00 .... LOGIN ENCODED PASSWORD
  • 24. C L I E N T CLIENTHELLO! cipher suites: SSL_DHE_RSA_WITH_AES_256_CBC_SHA SSL_DHE_DSS_WITH_AES_256_CBC_SHA SSL_RSA_WITH_AES_256_CBC_SHA (...) default configuration SERVERHELLO! I don’t have any certificate! cipherSuite: SSL_DH_anon_WITH_AES_256_CBC_SHA OK, no problem! You have to be the right server if you say so, don’t you? Remote Desktop - SSL S E R V E R
  • 25. C L I E N T CLIENTHELLO! certificates configured SERVERHELLO! Certificate Non-anonymous cipher suites: (...) 1st connection: OK, certificate stored! Following connections: OK, certificate valid / ALERT: MITM ATTACK! SERVERHELLO! I don’t have any certificate! cipherSuite: SSL_DH_anon_WITH_AES_256_CBC_SHA I have your certificate, but since you don’t offer it any more, I won’t check it. OK, let’s connect! S E R V E R Remote Desktop - SSL
  • 26. Remote desktop protocol - vendor • „We don’t know PGP, use zip with our CEO’s name as password” • Do not plan to solve the issues (?) • > /dev/null 2>&1 • Full disclosure! • ... and a few weeks later the mysterious shut down of our beloved ;)
  • 27. Pull Printing #2 - encryption “is a modern printing solution that safeguards document confidentiality and unauthorized access to print, scan, copy and e-mail functions. Its user-authentication provides air-tight security on your shared MFPs that function as personal printers.”
  • 28. Vendor ensures „Documents are delivered only into the right hands” „Information is kept confidential. No risk of being left unattended at the printer” „Document collection is safe anytime and anywhere — no “print and sprint”.” „Integration with other enterprise applications and workflows is kept secure through single sign-on”
  • 29. Pull Printing #2 – binary protocol First look on communication: • TCP, 2 ports • No cleartext, no SSL • Seems to follow some scheme…
  • 30. Ex1: Deeper sight on traffic S E R V E R P R I N T E R constant 263B 96B, “X” B, 128B always different 64 B many identical 16B blocks HELLO HELLO, CERTIFICATE SESSION KEY PostScript, ECB mode https://en.wikipedia.org/wiki/ECB_mode
  • 31. Pull Printing #2 - Reverse- engineered • Hardcoded RSA certificate in printer embedded software • No trust store • AES-128 ECB used for traffic encryption • Same protocol in admin interface
  • 32. Pull Printing #2 - Consequences sniffing print queues accountability users’ data
  • 33. “Many of the devices do not have the CPU power that allows a fast login response and at the same time establish a high security level” For example changing ECB to CBC mode encryption will be more CPU intensive and introducing that may cause slower performance of the devices, which the customers are very reluctant to see implemented.” Pull Printing #1 - vendor gets notified “(…) system has been deployed at many high security customers and has passed internal audits.”
  • 34. ● An online application for instant financial operations ● A proprietary, binary protocol, designed in order to minimise delays ● TCP in SSL tunnel https://www.flickr.com/photos/tradingrichmom/5571144428/ Trading protocol
  • 35. Trading protocol – a few packets
  • 38. And what if we...
  • 40. <soapenv:Body> <registerUserResponse soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> <registerUserReturn xsi:type="xsd:string"> &lt;error code=&quot;266&quot; &gt;Incorrect login&lt;/error&gt; </registerUserReturn> </registerUserResponse> </soapenv:Body> • Incorrect password • Incorrect first name • Group with name null doesn't exist • Group with name admin doesn't exist • Group with name Administrator doesn't exist • And how about „root”? RegisterUser
  • 41. Game Over <soapenv:Body> <registerUserResponse soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> <registerUserReturn xsi:type="xsd:string"> User was registered sucessfully with id=5392745 </registerUserReturn> </registerUserResponse> </soapenv:Body> So now we can manage all the other accounts and spend their money!
  • 43. Cheat sheet – owners While deploying a proprietary solution: • Get it pentested • Verify vendor claims • Ask the vendor for secure development lifecycle, procedures of addressing vulnerabilities, previous bugs
  • 44. Cheat sheet - developers • Protocol is NOT secure by its secrecy • Proper encryption. Use known standards, implement them with care. • Input validation, access control, many layers of security, least privilege principle... • Beware backwards compatibility
  • 45. How to hack protocols? Decompile client? Inject code? Search for the specs? Use some tools? Watch the packets? https://www.flickr.com/photos/nkphillips/2865781749
  • 46. Look for the fine manual • There may be unofficial client, or e.g. wireshark plugin • Ask for the docs  • Search for them – Yes, we have found internal protocol specification by google hacking!
  • 47. Decompile client • Sometimes easy – e.g. not obfuscated Android application: byte abyte3[] = pass.getBytes(); byte abyte4[] = MessageDigest.getInstance("MD5").digest(abyte3); String s1 = ""; for(int j = 0; j < 10; j++) s1 = (new StringBuilder()).append(s1).append(toHexString(abyte4).charAt(j)).toString(); System.arraycopy(s1.getBytes(), 0, abyte1, 5, 10); • Sometimes really hard & time consuming. • May be fun, but often leads astray
  • 48. Watch the packets • Various tools to analyze proprietary protocols – time consuming, usually do not work • Raw, just try to spot some scheme – of course with a little help of your friends: wireshark, tcpdump, ssldump etc. • Your favourite scripting language