2012 Oct 1, 6:33
According to the links within this article, although the root URI of the router requires authentication, the /password.cgi URI doesn’t and the resulting returned HTML contains (but does not
display) the plaintext of the password, as well as an HTML FORM to modify the password that is exploitable by CSRF.
The attack… infected more than 4.5 million DSL modems… The CSRF (cross-site request forgery) vulnerability allowed attackers to use a simple script to steal passwords required to remotely log
in to and control the devices. The attackers then configured the modems to use malicious domain name system servers that caused users trying to visit popular websites to instead connect to
booby-trapped imposter sites.
technical security html router web dns csrf
2012 Sep 13, 5:00
Level 7 of the Stripe CTF involved running a length extension attack on the level 7 server's custom crypto code.
Code
import hashlib

@app.route('/logs/<id>')
@require_authentication
def logs(id):
    # the id taken from the URL is never compared with the authenticated user
    rows = get_logs(id)
    return render_template('logs.html', logs=rows)
...
def verify_signature(user_id, sig, raw_params):
    # get secret token for user_id
    try:
        row = g.db.select_one('users', {'id': user_id})
    except db.NotFound:
        raise BadSignature('no such user_id')
    secret = str(row['secret'])
    h = hashlib.sha1()
    # sha1(secret + params) is a bare secret-prefix hash, not an HMAC
    h.update(secret + raw_params)
    print 'computed signature', h.hexdigest(), 'for body', repr(raw_params)
    if h.hexdigest() != sig:
        raise BadSignature('signature does not match')
    return True
Issue
The level 7 web app is a web API in which clients submit signed RESTful requests and some actions are restricted to particular clients. The goal is to view the response to one of the restricted
actions. The first issue is that there is a logs path to display the previous requests for a user and, although the logs path requires the client to be authenticated, it doesn't restrict the logs
you view to those of the user as which you are authenticated. So you can manually change the number in '/logs/[#]' to '/logs/1' to view the logs for user ID 1, who can make restricted
requests. The level 7 web app can be exploited with replay attacks, but you won't find in the logs any of the restricted requests we need to run for our goal. And we can't just modify the requests
because they are signed.
However they are signed using their own custom signing code, which is vulnerable to a length extension attack. All
Merkle–Damgård hash algorithms (which includes MD5, SHA-1 and the SHA-2 family) have the property that if you know the hash of (secret + data), you know data, and you know the length but not the
content of secret, you can compute the hash of a new message (secret + data + padding + newdata) where newdata is whatever you like and padding is the hash function's own padding for a message of
length len(secret) + len(data): a 0x80 byte, a run of zero bytes, and the original length in bits. The known hash is simply the hash's internal state after absorbing the padded original message, so
you load that state and keep hashing with newdata; the secret itself is never needed.
You can find a sha-padding.py script on VNSecurity blog that will tell you the new hash and padding per the above. With that I
produced my new restricted request based on another user's previous request. The original request was the following.
count=10&lat=37.351&user_id=1&long=%2D119.827&waffle=eggo|sig:8dbd9dfa60ef3964b1ee0785a68760af8658048c
The new request with padding and my new content was the following. The padding is shown abbreviated: between the %80 byte and the %02%28 length bytes, SHA-1's padding contains a run of %00 bytes
that is not shown here, and the sig field of the new request has to be the extended hash the script produced for the new message rather than the original signature.
count=10&lat=37.351&user_id=1&long=%2D119.827&waffle=eggo%80%02%28&waffle=liege|sig:8dbd9dfa60ef3964b1ee0785a68760af8658048c
My new data in the new request is able to overwrite the waffle parameter because their parser fills in a map without checking whether the parameter already existed, so the last waffle= wins.
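To make the mechanics concrete, here is an added example written for this page (it is not the level's own code and not the VNSecurity sha-padding.py script) that carries the attack through end to end against a copy of the level's sha1(secret + params) check. It implements SHA-1 so that hashing can be resumed from a leaked digest, forges a signature for the original body plus padding plus `&waffle=liege` knowing only the length of the secret, shows the last-wins parser yielding waffle=liege, and shows the same extension failing against an HMAC check. The secret value, its length, the `&waffle=liege` suffix and the helper names are constructed for the example; the original params string is the one from the log above.

```python
import hashlib
import hmac
import struct

# Constructed values: the attacker never sees SECRET, only its length.
SECRET = b"s3cret-token!!"
ORIGINAL_PARAMS = b"count=10&lat=37.351&user_id=1&long=%2D119.827&waffle=eggo"
NEW_PARAMS = b"&waffle=liege"


def sha1_padding(message_len):
    """Padding SHA-1 appends to a message of message_len bytes: one 0x80 byte,
    zero bytes up to 56 mod 64, then the bit length as a 64-bit big-endian int."""
    return (b"\x80" + b"\x00" * ((55 - message_len) % 64)
            + struct.pack(">Q", message_len * 8))


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def sha1_compress(state, block):
    """One SHA-1 compression of a 64-byte block onto the 5-word chaining state."""
    a, b, c, d, e = state
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        temp = (_rotl(a, 5) + f + e + k + w[i]) & 0xFFFFFFFF
        a, b, c, d, e = temp, a, _rotl(b, 30), c, d
    return tuple((x + y) & 0xFFFFFFFF for x, y in zip(state, (a, b, c, d, e)))


def sha1_extend(known_digest_hex, original_len, suffix):
    """Resume SHA-1 from a finished digest. The digest is the chaining state after
    original_len bytes plus their padding were absorbed, so absorbing suffix (and
    the final padding for the total length) yields sha1(original + padding + suffix)."""
    state = struct.unpack(">5I", bytes.fromhex(known_digest_hex))
    consumed = original_len + len(sha1_padding(original_len))  # a multiple of 64
    tail = suffix + sha1_padding(consumed + len(suffix))
    for i in range(0, len(tail), 64):
        state = sha1_compress(state, tail[i:i + 64])
    return b"".join(struct.pack(">I", x) for x in state).hex()


def forge_request(raw_params, sig, secret_len, new_params):
    """Attacker side: from a logged (raw_params, sig) pair and the secret's length,
    build a new body and a signature the server will accept for it."""
    original_len = secret_len + len(raw_params)
    forged_params = raw_params + sha1_padding(original_len) + new_params
    return forged_params, sha1_extend(sig, original_len, new_params)


def verify_signature(secret, raw_params, sig):
    """Server check as in the level: a bare sha1(secret + body) prefix construction."""
    return hashlib.sha1(secret + raw_params).hexdigest() == sig


def verify_signature_hmac(secret, raw_params, sig):
    """Hardened check: HMAC-SHA1 is not length-extendable; compare in constant time."""
    expected = hmac.new(secret, raw_params, hashlib.sha1).hexdigest()
    return hmac.compare_digest(expected, sig)


def parse_params(raw_params):
    """Last-occurrence-wins parser like the level's: a repeated key overwrites."""
    params = {}
    for pair in raw_params.split(b"&"):
        key, _, value = pair.partition(b"=")
        params[key] = value
    return params


def extension_matches_hashlib(message, suffix):
    """Self-check: the resumed hash equals hashlib's hash of the padded message."""
    direct = hashlib.sha1(message + sha1_padding(len(message)) + suffix).hexdigest()
    resumed = sha1_extend(hashlib.sha1(message).hexdigest(), len(message), suffix)
    return direct == resumed


def demo():
    # What the attacker sees in /logs/1: a body and its signature.
    logged_sig = hashlib.sha1(SECRET + ORIGINAL_PARAMS).hexdigest()
    forged_params, forged_sig = forge_request(
        ORIGINAL_PARAMS, logged_sig, len(SECRET), NEW_PARAMS)
    accepted = verify_signature(SECRET, forged_params, forged_sig)
    waffle = parse_params(forged_params)[b"waffle"]
    # The same trick against the HMAC variant: the extended tag does not verify.
    hmac_logged = hmac.new(SECRET, ORIGINAL_PARAMS, hashlib.sha1).hexdigest()
    hmac_forged = sha1_extend(hmac_logged, len(SECRET) + len(ORIGINAL_PARAMS), NEW_PARAMS)
    hmac_accepted = verify_signature_hmac(SECRET, forged_params, hmac_forged)
    return accepted, waffle, hmac_accepted


if __name__ == "__main__":
    print(demo())  # (True, b'liege', False)
```

Python 3 is assumed (the level itself ran on Python 2). When the secret's length is not known, the usual approach is to loop over plausible lengths and submit one forged request per candidate; only the one built with the right length verifies. The fix is to sign with HMAC rather than a secret-prefix hash, and to compare tags with hmac.compare_digest, since the level's plain `!=` also leaks timing.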
Notes
Code review red flags included custom-crypto-looking code. However, I am not a crypto expert and it was difficult for me to find the solution to this level.
hash internet length-extension security sha1 stripe-ctf technical web
2011 Nov 14, 7:51
Includes ‘511 Network Authentication Required’ for airport/hotel/coffee shop scenarios! Am I too excited about this?
technical ietf http http-status-codes
2010 Oct 4, 2:05
Proposed 428 HTTP error code for hijacking proxies to indicate to the client the user needs to login to the network etc. Glad to see this one's finally happening.
http http-status captive-portal hijack proxy authentication technical rfc reference
2009 Nov 30, 6:31
"At Mozilla Labs, we’ve been working on some potential integrations of identity directly into the browser. Note, this is an extremely rough draft." Looks pretty!
firefox browser identity web mozilla security authentication openid
2009 Nov 23, 11:28
"Thanks to the utilization of new technology, we're now seeing large-scale success in eliminating the need for passwords while increasing the successful registration rate at websites to over 90%...In
addition, after a thorough evaluation of the security and privacy of these technologies, the same techniques are being piloted by President Obama's open identity initiative to enable citizens to sign
in more easily to government-operated websites."
identity openid google security authentication facebook password via:connolly technical
2009 Apr 29, 12:34
"In this presentation, recorded at QCon San Francisco 2008, HTTPbis WG chair Mark Nottingham gives an update on the current status of the HTTP protocol in the wild, and the ongoing work to clarify
the HTTP specification."
http httpbis protocol ietf reference video authentication cookie uri url tcp sctp mark-nottingham via:ericlaw
2009 Apr 20, 3:37
Web service that hosts avatar images for things like blog comments. The image is ID'ed by a hash of the user's email address. Auto generated or if the user signs up, the image can be whatever they
upload. Lots of plugins for different blogging platforms.
blog web photo avatar image authentication identity icon hash
2009 Jan 22, 9:48
"Revocation presents another challenge. If a system relies only on a biometric for both identity and authentication, how do you revoke that factor? Forgotten passwords can be changed; lost smartcards
can be revoked and replaced. How do you revoke a finger?"
article microsoft security identity authentication biometrics
2008 Apr 24, 9:41
This is a CAPTCHA in which you must identify the center of subimages in a collage and then choose the correct caption for a second photo. It took me seven tries to click close enough to the center of a
subimage. I'm human I swear! Lame implementation.
captcha image security
2008 Apr 7, 2:55
"The PHP OpenID library lets you enable OpenID authentication on sites built using PHP."
php openid development opensource identity authentication api software server library
2007 Nov 28, 4:43
How to use FOAF and OpenID together and how DIG used that as a basis for commenting on their blog.
foaf openid authentication identity rdf semanticweb trust web spam
2007 Mar 19, 3:13
Documentation on setting up SSH to use keys.
security ssh howto key publickey putty
2007 Mar 13, 3:54
A blog article on creating group OpenIDs.
openid authentication group privacy blog article
2007 Mar 13, 3:53
A service that provides anonymous OpenIDs with no authentication.
anonymous authentication openid identity privacy
2007 Mar 13, 3:53
The OpenID Specification
openid authentication specification security
2007 Mar 13, 2:08
OpenID is an open identification system for the Internet in which anyone can participate.
authentication identity openid security specification privacy
2007 Mar 13, 7:57
I had a few thoughts after reading about OpenID. However, after doing only a very small amount of digging I can see these aren't new thoughts.
- Anonymous OpenID: Have an OpenID that anyone can use because it performs no authorization. You'd specify a URI like http://deletethis.net/anonymousopenid/yournamehere and you'd immediately get an anonymous OpenID associated with that URI. This has already been implemented by Jayant Gandhi.
- Group OpenID: Have an OpenID that consists of a group of member OpenIDs. To login as the Group OpenID you need to login with any of the member OpenIDs. This is discussed more by Dmitry Shechtman on his blog.
- OpenID Normalization: I find that I already have a couple of OpenIDs without even trying due to AOL giving out OpenIDs. I'd like for all of my OpenIDs to point to one canonical OpenID. It looks like this may already be possible by the OpenID specification.
I guess I'm a little late to the scene.
technical stolen-thoughts openid