Continuing the previous post, now that we know what MACs are and how they work in the context of TLS protocol we can move further ahead and analyze OpenSSL 1.1.0a and 1.1.0b Heap Overflow vulnerability. To exploit this vulnerability (cve-2016-7054) we need to negotiate a ChaCha20-Poly1305 cipher suite with the server and send a message with a bad mac. Let us first setup the server that’s running OpenSSL 1.1.0a. Setting Up OpenSSL 1.1.0a We can download the desired version from https://www.openssl.org/source/old/1.1.0/, after decompressing the archive, we configure the package but since we don’t want it to overwrite our current installed...
Continue reading...Overview of MAC Algorithms, Fuzzing TLS and Finally Exploiting CVE-2016-7054 Part 1/3
Overview of MAC Algorithms, TLS Protocol and CHACHA20-POLY1305 Algorithms In the upcoming posts I’m going to give an introduction on Openssl CVE-2016-7054 vulnerability and the terminology about this topic. In part 2 we will discuss available tools and techniques and how to actually produce an exploit for this vulnerability, in the 3rd part we will try to enumerate installed Openssl version on our systems and see how we can update software packages that use Openssl like Apache, Nginx and Python. Intro Couple of days ago Fortinet published a blog post titled “Analysis of OpenSSL ChaCha20-Poly1305 Heap Buffer Overflow (CVE-2016-7054)“. A...
Continue reading...TLS Extended Master Secret, Breaking SSL Proxies
SSL Proxy Failing To Decrypt The Handshake, Fixing Connection Reset Issue in New Browsers There was a new update couple of months ago affecting web servers and web browsers introducing a new TLS extension (Extended master secret) that changes the way master_secret is generated. This update broke the devices that were doing SSL inspection or proxy because they wouldn’t be able to decrypt the handshake and ultimately would reset the connection. In this post we’re going discuss the issue and look for workarounds and fixes. These fixes would be either an update in the device which is decrypting the SSL...
Continue reading...Client Certificate Authentication in SSL/TLS and its interaction with Web Application Firewalls
In a previous blog post I discussed about Client Certificate Authentication and possible implementation methods. In this post I’m going to delve deep into TLS protocol implementation, specifically the Client Certificate part. During the setup of Client Certificate Authentication on a web application I faced various issues and when a piece of technology is just a black box in your view, there’s not much tuning or debugging that can take place when things stop working. So I spent a handful of time studying the underlying technology and I’m sharing the gist of it here. I’m also going to briefly go...
Continue reading...Tools for testing HTTPoxy Vulnerability
I’ve developed a script that you can run on your server and test for CGI HTTPoxy vulnerability. It’s available on my github in a repository named HTTPoxy-Test-Tools. I’ve currently developed the script for apache web servers but I’ll be adding support for other webservers gradually. Edit: Added IIS HTTPoxy Testing Tool: https://github.com/silverfoxy/HTTPoxy-Test-Tools/tree/master/iis_httpoxy HTTPoxy Test Tools This tool finds your webserver’s CGI directory, adds a temporary file that returns the HTTP_PROXY environment variable. It then sends a GET request to this CGI file and sets the “proxy” header for the underlying request. If the environment variable is affected, then you’re vulnerable....
Continue reading...HTTPoxy vulnerability affecting CGI Applications
There’s this new vulnerability with a website [HTTPoxy.org] and a logo. Apart from the complete description that’s available at their official website I’m going to walk you through it and give you some practical examples of abuse cases. I’ve also developed a tool that you can run on your servers which tells you if you’re vulnerable or not. What is HTTPoxy and how does it work? HTTPoxy is the name of a vulnerability affecting CGI based applications. This can affect PHP, Go, Python, Perl, etc. Web servers running in a CGI or CGI-like context may assign client request Proxy header...
Continue reading...Client Certificate Authentication, Configuring IIS To Authenticate Users Via Hardware Tokens
Preface What is PKI? Wikipedia says: A Public Key Infrastructure (PKI) is a set of roles, policies and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption. Is PKI all about public key cryptography? Not exactly, the emphasis is more on policies and procedures rather than the technology and math. Ok, What does this PKI thing look like? This system consists of different parties, namely the Certificate Authority (CA), the Registration Authority (RA) and the Validation Authority (VA). These roles aren’t mutually exclusive, one party can be the CA and the VA at...
Continue reading...Website Deface Detection Script
You’re going to get hacked on the weekend? Panic mode activated. Today I’m going to show you how easy it is to get a “bot” up and running that watches your website and alerts you if you get hacked (defaced). This bot is going to kindly notify you over telegram. [Skip to the technical part] The Story (What was the problem I was trying to solve?) I suppose all admins and techies have had this nightmare at least once in their career where there’s an exploit raging in the wild and services and websites of companies in the same business...
Continue reading...Mac OS X ElCapitan 10.11.5 Update Login Issue
Facing issues after 10.11.5 update? The login screen stuck at loading? Backups not available or are old? Don’t panic hopefully this post will guide you through fixing it with no data loss. It took me 2 days to figure this out. The fun coincidence here is that the guy who posted this tip on apple forums said that it was his last resort before giving up. And when I found this post I was preparing my ElCapitan bootable disk to do a fresh installation. “Never Give Up, Never Give In.”
Continue reading...