Cryptography in web applications: vulnerabilities and attacks
21/08/2012, DCG #7812 Saint-Petersburg, by @d0znpp


TRANSCRIPT

Page 1: Cryptography in web applications: vulnerabilities and attacks

Cryptography in web applications: vulnerabilities and attacks
21/08/2012
DCG #7812 Saint-Petersburg
by @d0znpp

Page 2

[d0znpp@localhost ~]# whoami

ONsec company: founder and expert
Fun: security researcher, international speaker, bug hunter, Neuron-hackspace member (neuronspace.ru)
Science: statistical algorithms and machine learning areas

Defcon Russia (DCG #7812)

Page 3

Introduction

Where can you see crypto in webapps?
• password storage mechanism
• one-time passwords
• unique codes
• remember tokens
• CSRF tokens
• CAPTCHA
• etc.

Page 4

Introduction

• Everything unique is based on randoms
• In general, randoms are pseudo-random
• Every random value is initiated from a seed value
• The seed is your target. If you know the seed, you know all "random" values.
• Each process has its own seed
• A keep-alive connection shares the seed across many scripts

Why can you know a seed value?

Page 5

Task #1

How do you hack it?

    // seeding the generator from a short value
    mt_srand(microtime()*10000);
    mt_srand(getmypid());

    $secret = md5(mt_rand().mt_rand().mt_rand());

Page 6

Problem #1. Weak seed

• Initiating rand from a short-length seed:

    mt_srand(microtime()*10000);
    mt_srand(getmypid());

• A brute-force attack restores the seed

Page 7

Task #2

How do you hack it?

    // seeding the generator from the current time or a time-based id
    mt_srand((double)microtime()*1000000);
    mt_srand(uniqid("",true));

    $secret = md5(mt_rand().mt_rand().mt_rand());

Page 8

Problem #2. Predictable seed

• Initiating rand from a predictable seed:

    mt_srand((double)microtime()*1000000);

• Official PHP doc example (http://www.php.net/manual/en/function.mt-srand.php):

    function make_seed()
    {
        list($usec, $sec) = explode(' ', microtime());
        return (float) $sec + ((float) $usec * 100000);
    }
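An added example, not from the slides, that puts numbers on Problems #1 and #2: how many distinct seeds each seeding expression on those slides can actually produce, against the full range mt_srand() accepts, and what to generate secrets with instead. The function names are this example's own; the pid_max figure assumes a default Linux kernel.

```php
<?php
// Added example (not from the slides): the size of the seed space each seeding
// scheme from Problems #1 and #2 actually gives an attacker, compared with what
// mt_srand() can hold, followed by a secret generator that has no seed at all.

// Distinct seed values each scheme can produce. mt_srand() truncates its
// argument to an integer, so only the integer part of each product counts.
function seedSpaceSizes(): array {
    return [
        // microtime() returns "0.uuuuuu00 ssssssssss"; arithmetic uses the
        // leading "0.uuuuuu" part, so the seed is 0..9999
        'microtime()*10000'           => 10 ** 4,
        // PIDs are bounded by kernel.pid_max, 32768 by default on Linux (assumed)
        'getmypid()'                  => 32768,
        // the microsecond part of the current second: 0..999999
        '(double)microtime()*1000000' => 10 ** 6,
        // make_seed() from the PHP manual: $sec + $usec*100000. The seconds are
        // readable from the Date header, leaving the usec term as the unknown.
        'make_seed() (usec term)'     => 10 ** 5,
        // the full 32-bit seed mt_srand() accepts, for comparison
        'mt_srand(<32-bit int>)'      => 2 ** 32,
    ];
}

// The same table in bits of entropy (log2 of the seed count).
function seedEntropyBits(): array {
    $bits = [];
    foreach (seedSpaceSizes() as $scheme => $count) {
        $bits[$scheme] = round(log($count, 2), 1);
    }
    return $bits;
}

// Hardened replacement for $secret = md5(mt_rand().mt_rand().mt_rand()).
// random_bytes() (PHP >= 7.0) reads the OS CSPRNG: there is no seed to recover,
// and earlier outputs do not determine later ones.
function makeSecret(int $bytes = 32): string {
    return bin2hex(random_bytes($bytes));   // 64 hex characters, 256 bits
}

foreach (seedEntropyBits() as $scheme => $bits) {
    printf("%-30s %6.1f bits\n", $scheme, $bits);
}
echo makeSecret(), "\n";
```

The comparison is the point: even the full 32-bit seed is only about 4*10^9 candidates, which the later slides put at just over an hour on a laptop, so a "better" seed is not the fix. Secrets, tokens and reset passwords should not come out of a seeded generator at all; random_bytes() (or random_int() for a bounded value) removes the seed from the picture.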

Page 9

Task #3

How do you hack it?

    function resetUserPassword($userid) {
        $newpass = sha1(mt_rand() . mt_rand() . mt_rand());
    }

    function generateCaptcha() {
        mt_srand((double)microtime()*10000);
        return $captcha[mt_rand(0,30)] . $captcha[mt_rand(0,30)] …
    }

Page 10

Problem #3. Keep-Alive glue

Stefan Esser, 2008
http://www.suspekt.org/2008/08/17/mt_srand-and-not-so-random-numbers/

Keep-Alive is your friend

When some information is known about the internal state of the random number generator, Keep-Alive HTTP requests can make exploits very easy. Because follow-up requests during a Keep-Alive HTTP connection are handled by the same process (same random number generator), the state of the random number generator stays the same and random numbers can be precalculated from the outside. While this is always true for mod_php, it is not true for CGI and only sometimes true for FastCGI setups.

Page 11

Problem #3. Keep-Alive glue

• Initiate random with a predictable value:

    GET /newcaptcha HTTP/1.1
    Connection: Keep-Alive

• Generate the predictable next random value:

    GET /recoverpass HTTP/1.1
    Connection: Keep-Alive

Page 12

Task #4

How do you hack it?

    function resetPassword($email) {
        if (userExists($email)) {
            mt_srand((double)microtime()*1000000);
            $new_pass = md5(mt_rand());
            if (sendPassByEmail($email, $new_pass)) {
                updateUserPass($email, $new_pass);
            } else return false;
        } else return false;
    }

Page 13

Problem #4. Race condition

    mt_srand((double)microtime()*1000000)

Q1: change my password   Date: Tue, 21 Aug 2012 09:34:37
Q2: change admin         Date: Tue, 21 Aug 2012 09:34:37
Q3: change my password   Date: Tue, 21 Aug 2012 09:34:37

• Locally brute the microseconds of Q1, Q3
• Determine the interval where Q2 exists
• Remotely brute the Q1 value

Page 14

Problem #4. Race condition

• Request to reset own password
• Request to reset admin password
• Request to reset own password again
• Parse the "Date" header in each HTTP response
• Compare "Date" seconds in the 3 responses (D1, D2, D3): D1>D2>D3 or D1>D2 (D3 in the next second)
• If the D1, D2, D3 seconds are all different, try again

Page 15

Problem #4. Race condition

• Locally brute the rand values R1, R3 from the D1 and D3 responses (10^6 values for D1 and 10^6-R3 for D3)
• Now you know a short interval (R1;R3) where R2 exists
• Remotely brute R2 via ~10^3 HTTP requests (not 10^6 anymore)
• Sucks where a balancer/frontend is present
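An added example, not from the slides, of what resetPassword() from Task #4 looks like without a seed to race: instead of mailing a new password built from mt_rand() after a per-request mt_srand(), it mails a single-use token from random_bytes(), stores only the token's hash with an expiry, and lets the user set a password after presenting the token. userExists(), sendResetMail(), the $resetStore array, the 15-minute TTL and the sample addresses are this example's assumptions, standing in for the application's own storage, mailer and policy.

```php
<?php
// Added example (not from the slides): a password-reset flow with no seed to race.
// Nothing here calls mt_srand() or mt_rand(), so the HTTP Date header carries no
// information about the token and concurrent requests get unrelated tokens.

const RESET_TOKEN_TTL = 900;   // assumed policy: a token is valid for 15 minutes

function userExists(string $email): bool {
    // constructed sample users
    return in_array($email, ['alice@example.org', 'admin@example.org'], true);
}

function sendResetMail(string $email, string $token): bool {
    // Placeholder for the real mailer; for this demo it just records the token
    // so the script can complete the reset below.
    $GLOBALS['lastMailedToken'] = $token;
    return true;
}

// Step 1: the user asks for a reset. The token comes from the OS CSPRNG.
function requestReset(string $email, array &$store): bool {
    if (!userExists($email)) {
        return true;   // same answer as for a real user: no account enumeration
    }
    $token = bin2hex(random_bytes(32));   // 256 bits of entropy, 64 hex chars
    $store[$email] = [
        'hash'    => hash('sha256', $token),   // a database leak does not expose live tokens
        'expires' => time() + RESET_TOKEN_TTL,
    ];
    return sendResetMail($email, $token);
}

// Step 2: the user presents the token and a new password.
function completeReset(string $email, string $token, string $newPassword, array &$store): bool {
    if (!isset($store[$email])) {
        return false;
    }
    $entry = $store[$email];
    if (time() > $entry['expires']) {
        unset($store[$email]);   // expired tokens are discarded
        return false;
    }
    // Constant-time comparison. A wrong guess does not invalidate the real token:
    // with 256 bits online guessing is hopeless, and invalidating on failure would
    // let anyone block a legitimate reset.
    if (!hash_equals($entry['hash'], hash('sha256', $token))) {
        return false;
    }
    unset($store[$email]);   // single use: consumed on success
    $stored = password_hash($newPassword, PASSWORD_DEFAULT);
    return is_string($stored);   // the application would now call updateUserPass($email, $stored)
}

$resetStore = [];
requestReset('alice@example.org', $resetStore);
var_dump(completeReset('alice@example.org', 'not-the-token', 'new-pass', $resetStore));
var_dump(completeReset('alice@example.org', $GLOBALS['lastMailedToken'], 'new-pass', $resetStore));
var_dump(completeReset('alice@example.org', $GLOBALS['lastMailedToken'], 'new-pass', $resetStore));
```

The three var_dump() calls show a wrong token rejected, the mailed token accepted once, and the same token rejected on reuse. Because the token is never derived from a seeded generator, the Keep-Alive process sharing from Problem #3 and the Date-header correlation from Problem #4 have nothing to work with; the remaining controls a practitioner would add are rate limiting on the request endpoint and logging of failed completions.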

Page 16

Task #5

    function generateMySafetyToken() {
        mt_srand($really_random_value);
        $salt = generateRandomString(8);
        $newpass = generateRandomString(32);
        updateUser($salt . md5($newpass . $reallyLongAndSecretSalt));
    }

    function generateRandomString($l) {
        $chars = "abcdeghijklmnopqrtuvwxz…";
        for ($i = 0; $i < $l; $i++)
            @$r .= $chars[mt_rand(0, strlen($chars) - 1)];
        return $r;
    }

Page 17

Problem #5. Shared randoms

• Generating randoms and sharing their values in HTTP responses (various unique IDs)
• The seed value may be recovered from the randoms
• With the seed value you get all the random values generated after the shared ones

Page 18

Problem #5. Shared randoms

• How many random values do you need to recover the seed?
• mt_getrandmax() = 2^32/2
• For a 62-symbol preset (a-z A-Z 0-9):

Rands sequence length (bytes)   Seeds count
1                               ~ 3.5*10^7 (~= mt_getrandmax()/62)
2                               ~ 5.5*10^5
3                               ~ 9*10^3
4                               ~ 150
5                               ~ 4

Page 19

Problem #5. Shared randoms

• Recovering the seed by bruting 2^32 values takes 1.2 hours on my laptop CPUs (i7 1.8GHz)
• One PHP process for bruting per each /proc/cpuinfo item
• Let me know if you want to get the demo scripts ;)
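An added example, not from the slides: the estimate behind the seeds-count table for Problem #5, and the generateRandomString() from Task #5 rewritten so that tokens it has already handed out say nothing about the next ones. The full 62-character alphabet, the function signatures and the uniform-output assumption are this example's own.

```php
<?php
// Added example (not from the slides): why a few leaked characters pin down the
// seed, and a token generator that does not leak state in the first place.

// Expected number of 31-bit seeds (mt_getrandmax() = 2^31 - 1) that still agree
// with $n observed characters drawn from a $alphabet-symbol set. Each observed
// character rules out roughly all but 1/$alphabet of the remaining candidates,
// assuming uniform, independent outputs.
function consistentSeeds(int $n, int $alphabet = 62, int $seeds = 2 ** 31): float {
    return $seeds / ($alphabet ** $n);
}

// Hardened generateRandomString(): random_int() (PHP >= 7.0) is CSPRNG-backed
// and uniform over the range, so an ID shown in one response gives no foothold
// on the salt or password generated next.
function generateRandomString(int $length): string {
    // assumed alphabet: the slide's string with its elision filled by the
    // usual a-z A-Z 0-9 set, 62 symbols
    $chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $max = strlen($chars) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $chars[random_int(0, $max)];
    }
    return $out;
}

foreach ([1, 2, 3, 4, 5] as $n) {
    printf("%d chars observed -> ~%.1e candidate seeds\n", $n, consistentSeeds($n));
}
echo generateRandomString(8), ' ', generateRandomString(32), "\n";
```

consistentSeeds() reproduces the table's first four rows to within rounding (2^31/62 is about 3.5*10^7, 2^31/62^4 about 145); for five characters the uniform-output estimate gives about 2 where the table reports about 4, the difference being the assumption of perfectly uniform, independent outputs. The practical reading is the same either way: once five or so characters of a mt_rand()-derived ID are public, the seed is effectively known, and everything generated from that state afterwards, including the salt and password in Task #5, is known with it. The rewritten generator removes that dependency rather than hiding the IDs.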

Page 20

What about hashes?

• MD5 brute speed is about 11*10^9 hashes/sec on an AMD Radeon HD6990 (~$800)

Tools:
• oclHashcat (pro/lite)
• ighashgpu
• johntheripper
• egbruteforcer (insidepro)

Page 21

Typical problems

• md5($salt.$pass) is really hard to brute at the present moment
• Why? Read http://hashcat.net/forum/thread-1437.html for details
• Wait for the new oclHashcat version (late 2012)
• Other tools have no md5($salt.$pass) template
• Dictionary attacks are really slow (~ 10^3 h/s)

Page 22

How much time to brute?

Raw MD5 brute speed (modern hardware)
• CPU: ~10^7 hash/sec, 150W
• GPU: ~10^10 hash/sec, 500W
• FPGA: ~10^11 hash/sec, 250W
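An added example, not from the slides, for the hashing slides: password storage that makes the MD5 rates above irrelevant, with a local measurement to set the work factor. The cost value, the sample password and the helper names are this example's assumptions.

```php
<?php
// Added example (not from the slides): storing passwords so that the raw MD5
// rates quoted for CPU, GPU and FPGA do not apply. password_hash() (PHP >= 5.5)
// uses bcrypt with a per-password random salt and a tunable work factor;
// password_needs_rehash() lets the work factor be raised later as hardware
// speeds up.

const BCRYPT_COST = 12;   // assumed policy: tune so one hash takes roughly 100 ms on the login servers

// The scheme from the "Typical problems" slide, kept only for contrast: one fast
// MD5 per guess, and one salt for the whole table if $salt is a site-wide constant.
function weakHash(string $salt, string $password): string {
    return md5($salt . $password);
}

function storePassword(string $password): string {
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// Verify a login. If the stored hash uses a lower cost than current policy, hand
// back a fresh hash in $upgraded so the caller can write it to the database.
function checkPassword(string $password, string $stored, ?string &$upgraded = null): bool {
    if (!password_verify($password, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $upgraded = storePassword($password);
    }
    return true;
}

// Measure how many bcrypt hashes per second this machine manages at the chosen
// cost; compare with the ~10^10 MD5/s quoted for a single GPU.
function localBcryptRate(int $samples = 3): float {
    $start = microtime(true);
    for ($i = 0; $i < $samples; $i++) {
        password_hash('benchmark-only', PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    }
    return $samples / (microtime(true) - $start);
}

$password = 'correct horse battery staple';   // constructed sample password

echo weakHash('site-wide-salt', $password), "\n";   // what a GPU cracks at 10^10/s

$stored = storePassword($password);
var_dump(checkPassword($password, $stored));
var_dump(checkPassword('wrong password', $stored));

// A hash made at a lower cost is still accepted, and comes back flagged for upgrade.
$old = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
$upgraded = null;
var_dump(checkPassword($password, $old, $upgraded));
var_dump($upgraded !== null);

printf("bcrypt cost %d on this machine: %.1f hashes/sec\n", BCRYPT_COST, localBcryptRate());
```

The rate printed at the end is the number that matters against the slide's hardware figures: a salted bcrypt at cost 12 runs in the tens of hashes per second per core, so the 10^10 per second available for raw MD5 shrinks by eight or nine orders of magnitude, and the per-password salt means the work cannot be shared across the user table. The rehash path is what keeps that margin as GPUs improve: raise BCRYPT_COST, and each user's hash is upgraded at their next successful login.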

Page 23

Thx & questions ???

• Stefan Esser for the great 2008 research
• Mykola Ilin (Defcon UA, Kiev) for answers and practice, theoretical base and others
• Neuronspace (hackspace Moscow) for all ;)

Follow me: @d0znpp
d0znpp[special char]ONsec.ru