authentication - Dave's Blog

Search

DSL modem hack used to infect millions with banking fraud malware | Ars Technica

2012 Oct 1, 6:33

According to the links within this article, although the root URI of the router requires authentication, the /password.cgi URI doesn’t and the resulting returned HTML contains (but does not display) the plaintext of the password, as well as an HTML FORM to modify the password that is exploitable by CSRF.

The attack… infected more than 4.5 million DSL modems… The CSRF (cross-site request forgery) vulnerability allowed attackers to use a simple script to steal passwords required to remotely log in to and control the devices. The attackers then configured the modems to use malicious domain name system servers that caused users trying to visit popular websites to instead connect to booby-trapped imposter sites.

PermalinkCommentstechnical security html router web dns csrf

Stripe CTF - Level 7

2012 Sep 13, 5:00

Level 7 of the Stripe CTF involved running a length extension attack on the level 7 server's custom crypto code.

Code

@app.route('/logs/')
@require_authentication
def logs(id):
rows = get_logs(id)
return render_template('logs.html', logs=rows)

...

def verify_signature(user_id, sig, raw_params):
# get secret token for user_id
try:
row = g.db.select_one('users', {'id': user_id})
except db.NotFound:
raise BadSignature('no such user_id')
secret = str(row['secret'])

h = hashlib.sha1()
h.update(secret + raw_params)
print 'computed signature', h.hexdigest(), 'for body', repr(raw_params)
if h.hexdigest() != sig:
raise BadSignature('signature does not match')
return True

Issue

The level 7 web app is a web API in which clients submit signed RESTful requests and some actions are restricted to particular clients. The goal is to view the response to one of the restricted actions. The first issue is that there is a logs path to display the previous requests for a user and although the logs path requires the client to be authenticatd, it doesn't restrict the logs you view to be for the user for which you are authenticated. So you can manually change the number in the '/logs/[#]' to '/logs/1' to view the logs for the user ID 1 who can make restricted requests. The level 7 web app can be exploited with replay attacks but you won't find in the logs any of the restricted requests we need to run for our goal. And we can't just modify the requests because they are signed.

However they are signed using their own custom signing code which can be exploited by a length extension attack. All Merkle–Damgård hash algorithms (which includes MD5, and SHA) have the property that if you hash data of the form (secret + data) where data is known and the length but not content of secret is known you can construct the hash for a new message (secret + data + padding + newdata) where newdata is whatever you like and padding is determined using newdata, data, and the length of secret. You can find a sha-padding.py script on VNSecurity blog that will tell you the new hash and padding per the above. With that I produced my new restricted request based on another user's previous request. The original request was the following.

count=10&lat=37.351&user_id=1&long=%2D119.827&waffle=eggo|sig:8dbd9dfa60ef3964b1ee0785a68760af8658048c
The new request with padding and my new content was the following.
count=10&lat=37.351&user_id=1&long=%2D119.827&waffle=eggo%80%02%28&waffle=liege|sig:8dbd9dfa60ef3964b1ee0785a68760af8658048c
My new data in the new request is able to overwrite the waffle parameter because their parser fills in a map without checking if the parameter existed previously.

Notes

Code review red flags included custom crypto looking code. However I am not a crypto expert and it was difficult for me to find the solution to this level.

PermalinkCommentshash internet length-extension security sha1 stripe-ctf technical web

"Additional HTTP Status Codes" - Mark Nottingham, Roy Fielding

2011 Nov 14, 7:51

Includes ‘511 Network Authentication Required’ for airport/hotel/coffee shop scenarios!  Am I too excited about this?

PermalinkCommentstechnical ietf http http-status-codes

Yahoo! Accepts OpenID Authentication with Google

2010 Oct 28, 6:32PermalinkCommentsOpenID Second Level Features YDN Theme Categories technical

draft-nottingham-http-portal - The Network Authentication Required HTTP Status Code

2010 Oct 4, 2:05Proposed 428 HTTP error code for hijacking proxies to indicate to the client the user needs to login to the network etc. Glad to see this one's finally happening.PermalinkCommentshttp http-status captive-portal hijack proxy authentication technical rfc reference

Aza’s Thoughts » Identity in the Browser (Firefox)

2009 Nov 30, 6:31"At Mozilla Labs, we’ve been working on some potential integrations of identity directly into the browser. Note, this is an extremely rough draft." Looks pretty!PermalinkCommentsfirefox browser identity web mozilla security authentication openid

Official Google Blog: Cutting back on your long list of passwords

2009 Nov 23, 11:28"Thanks to the utilization of new technology, we're now seeing large-scale success in eliminating the need for passwords while increasing the successful registration rate at websites to over 90%...In addition, after a thorough evaluation of the security and privacy of these technologies, the same techniques are being piloted by President Obama's open identity initiative to enable citizens to sign in more easily to government-operated websites."PermalinkCommentsidentity openid google security authentication facebook password via:connolly technical

InfoQ: HTTP Status Report

2009 Apr 29, 12:34"In this presentation, recorded at QCon San Francisco 2008, HTTPbis WG chair Mark Nottingham gives an update on the current status of the HTTP protocol in the wild, and the ongoing work to clarify the HTTP specification."PermalinkCommentshttp httpbis protocol ietf reference video authentication cookie uri url tcp sctp mark-nottingham via:ericlaw

Gravatar - Globally Recognized Avatars

2009 Apr 20, 3:37Web service that hosts avatar images for things like blog comments. The image is ID'ed by a hash of the user's email address. Auto generated or if the user signs up, the image can be whatever they upload. Lots of plugins for different blogging platforms.PermalinkCommentsblog web photo avatar image authentication identity icon hash

It's Me, and Here's My Proof: Why Identity and Authentication Must Remain Distinct

2009 Jan 22, 9:48"Revocation presents another challenge. If a system relies only on a biometric for both identity and authentication, how do you revoke that factor? Forgotten passwords can be changed; lost smartcards can be revoked and replaced. How do you revoke a finger?"PermalinkCommentsarticle microsoft security identity authentication biometrics

IMAGINATION -- image-based authentication: Step 1

2008 Apr 24, 9:41This is a CAPTCHA in which you must id the center of subimages in a collage and then choose the correct caption for a second a photo. It took me seven tries to click close enough to the center of a subimage. I'm human I swear! Lame implementation.PermalinkCommentscaptcha image security

Welcome to OpenID Enabled!

2008 Apr 7, 2:55"The PHP OpenID library lets you enable OpenID authentication on sites built using PHP."PermalinkCommentsphp openid development opensource identity authentication api software server library

FOAF and OpenID: two great tastes that taste great together | Decentralized Information Group (DIG) Breadcrumbs

2007 Nov 28, 4:43How to use FOAF and OpenID together and how DIG used that as a basis for commenting on their blog.PermalinkCommentsfoaf openid authentication identity rdf semanticweb trust web spam

Enough With The Rainbow Tables: What You Need To Know About Secure Password Schemes

2007 Sep 11, 12:01Blog post about password security. A bit of a shot at:PermalinkCommentshack hackers crypto cryptography security blog article hash password authentication via:swannman

Using public keys for SSH authentication

2007 Mar 19, 3:13Documentation on setting up SSH to use keys.PermalinkCommentssecurity ssh howto key publickey putty

The Undevelopment Blog - Collective Identities Anybody?

2007 Mar 13, 3:54A blog article on creating group OpenIDs.PermalinkCommentsopenid authentication group privacy blog article

Free, anonymous, temporary, disposable OpenID by Jayant Gandhi

2007 Mar 13, 3:53A service that provides anonymous OpenIDs with no authentication.PermalinkCommentsanonymous authentication openid identity privacy

Implementor's Draft: OpenID Authentication 2.0 - Draft 11

2007 Mar 13, 3:53The OpenID SpecificationPermalinkCommentsopenid authentication specification security

OpenID: an actually distributed identity system

2007 Mar 13, 2:08OpenID is an open identification system for the Internet in which anyone can participate.PermalinkCommentsauthentication identity openid security specification privacy

OpenID Stolen Thoughts

2007 Mar 13, 7:57I had a few thoughts after reading about OpenID. However, after doing only a very small amount of digging I can see these aren't new thoughts.
Anonymous OpenID
Have an OpenID that anyone can use because it performs no authorization. You'd specify a URI like http://deletethis.net/anonymousopenid/yournamehere and you'd immediately get an anonymous OpenID associated with that URI. This has already been implemented by Jayant Gandhi.
Group OpenID
Have an OpenID that consists of a group of member OpenIDs. To login as the Group OpenID you need to login with any of the member OpenIDs. This is discussed more by Dmitry Shechtman on his blog.
OpenID Normalization
I find that I already have a couple of OpenIDs without even trying due to AOL giving out OpenIDs. I'd like for all of my OpenIDs to point to one canonical OpenID. It looks like this may already be possible by the OpenID specification.
I guess I'm a little late to the scene.PermalinkCommentstechnical stolen-thoughts openid
Older Entries Creative Commons License Some rights reserved.