
Page 1: With Great Power Comes Great Pwnage

Tel +41 55 214 41 60 Fax +41 55 214 41 61 [email protected] www.csnc.ch

Compass Security Schweiz AG Werkstrasse 20 Postfach 2038 CH-8645 Jona

With Great Power Comes Great Pwnage

Area41 Security Conference Zürich, June 10th 2016

[email protected] [email protected]

Page 2

© Compass Security Schweiz AG Slide 2 www.compass-security.com

Hello

Page 3

Agenda

Introduction to SAML

Use-Cases

Protocol Details

SAML Attacks

Demo

Remediation

Page 4

Introduction: SAML

Security Assertion Markup Language

Page 5

Introduction: Components

Identity Provider (IdP)
• Checks the identity of subjects
• Issues SAML assertions
• Provides the result to SPs

Client / User
• Entity that wants to assert a particular identity

Service Provider (SP)
• Provides services to subjects
• Trusts the identification from the IdP based on the assertions it receives

Page 6

USE-CASES

Page 7

Use-Case: IG B2B BrokerGate

[Diagram: 941 brokers with 4,295 users (e.g. Mirilex GmbH, Mentor Assekuranz AG, Sfaeras SA, Tectron AG Finanzberatung) reach the broker portals of 21 insurers (13 online), which act as service providers]

Page 8

Use-Case: IG B2B BrokerGate

[Same diagram, with BrokerGate labelled as the SAML 2.0 IdP between the 941 brokers (4,295 users) and the 21 insurers' broker portals acting as service providers]

Page 9

Use-Case: IG B2B BrokerGate

[Chart: logins per month and user accounts, January 2013 to November 2015; y-axis 0 to 45,000]

Page 10

Use-Case: SWITCHaai

[Diagram: SWITCHaai federation with a University (Webmail, eLearning, Student Admin), a Hospital and a Library (eJournals, Research DB); the "Where are you from?" service sends each user to their home organisation's IdP]

Page 11

Use-Case: SWITCHaai

Page 12

Use-Case: SWITCHaai

On Average: 52 SAML authentication requests per minute

Page 13

SAML 2.0 FUNDAMENTALS

Page 14

SAML: The Overall Picture

With an Assertion, an IdP confirms to an SP the identity of a subject, including the authentication method used.

SAML defines a number of protocol messages, e.g. authentication request, artifact resolution or single logout.

Bindings specify how the various messages can be carried over underlying transport protocols, e.g. HTTP Redirect or HTTP POST.

SAML profiles define how SAML assertions, protocols and bindings are combined and constrained to provide greater interoperability in particular usage scenarios, e.g. the Web Browser SSO Profile.

Page 15

SP-Initiated SSO with Redirect and POST Bindings

Web Browser SSO Profile

Page 16

Web Browser SSO Profile (Artifact)

SP-Initiated SSO with POST/Artifact Bindings
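As an added example that is not part of the slides, here are the two bindings from the Web Browser SSO diagrams above in Go. The SP builds the AuthnRequest and redirects the browser to the IdP with the request DEFLATE-compressed and base64-encoded in the SAMLRequest query parameter (HTTP-Redirect binding); the IdP decodes it. The POST binding at the end is the plain-base64 form-field variant that the demo later in the deck targets. Entity IDs, URLs and the request ID are made up; only the SAML namespaces are real.

```go
package main

import (
	"bytes"
	"compress/flate"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"io"
	"net/url"
)

// AuthnRequest holds the attributes of a <samlp:AuthnRequest> this example uses;
// the namespaces are the real SAML 2.0 ones, the entity IDs and URLs are made up.
type AuthnRequest struct {
	XMLName                     xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:protocol AuthnRequest"`
	ID                          string   `xml:"ID,attr"`
	Version                     string   `xml:"Version,attr"`
	IssueInstant                string   `xml:"IssueInstant,attr"`
	AssertionConsumerServiceURL string   `xml:"AssertionConsumerServiceURL,attr"`
	Issuer                      string   `xml:"urn:oasis:names:tc:SAML:2.0:assertion Issuer"`
}

// EncodeRedirect is the HTTP-Redirect binding encoding: raw DEFLATE (RFC 1951,
// no zlib header), then base64. The caller URL-escapes the result as a query value.
func EncodeRedirect(msg []byte) (string, error) {
	var buf bytes.Buffer
	w, err := flate.NewWriter(&buf, flate.BestCompression)
	if err != nil {
		return "", err
	}
	if _, err := w.Write(msg); err != nil {
		return "", err
	}
	if err := w.Close(); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(buf.Bytes()), nil
}

// DecodeRedirect reverses EncodeRedirect; inflation is capped (decompression bomb).
func DecodeRedirect(b64 string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, err
	}
	r := flate.NewReader(bytes.NewReader(raw))
	defer r.Close()
	const maxSize = 1 << 20
	out, err := io.ReadAll(io.LimitReader(r, maxSize+1))
	if err != nil {
		return nil, err
	}
	if len(out) > maxSize {
		return nil, fmt.Errorf("inflated message exceeds %d bytes", maxSize)
	}
	return out, nil
}

// EncodePost and DecodePost are the HTTP-POST binding: plain base64 in the
// SAMLRequest or SAMLResponse form field, no compression, whole message in the browser.
func EncodePost(msg []byte) string { return base64.StdEncoding.EncodeToString(msg) }
func DecodePost(field string) ([]byte, error) { return base64.StdEncoding.DecodeString(field) }

// BuildRedirectURL is the SP side: serialize the request and send the browser to
// the IdP's SSO endpoint with SAMLRequest and RelayState in the query string.
func BuildRedirectURL(idpSSO string, req AuthnRequest, relayState string) (string, error) {
	msg, err := xml.Marshal(req)
	if err != nil {
		return "", err
	}
	param, err := EncodeRedirect(msg)
	if err != nil {
		return "", err
	}
	q := url.Values{"SAMLRequest": {param}, "RelayState": {relayState}}
	return idpSSO + "?" + q.Encode(), nil
}

// ParseRedirectURL is the IdP side: take SAMLRequest out of the query string
// (url.Values has already un-escaped it) and decode it into an AuthnRequest.
func ParseRedirectURL(rawURL string) (req AuthnRequest, relayState string, err error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return req, "", err
	}
	q := u.Query()
	msg, err := DecodeRedirect(q.Get("SAMLRequest"))
	if err != nil {
		return req, "", err
	}
	err = xml.Unmarshal(msg, &req)
	return req, q.Get("RelayState"), err
}

func main() {
	req := AuthnRequest{ID: "_8f3c2a", Version: "2.0", IssueInstant: "2016-06-10T09:00:00Z",
		AssertionConsumerServiceURL: "https://sp.example.org/acs", Issuer: "https://sp.example.org"}
	loc, _ := BuildRedirectURL("https://idp.example.org/sso", req, "/dashboard")
	back, relay, err := ParseRedirectURL(loc)
	fmt.Printf("302 Location: %s\nIdP decoded %s from %s, RelayState %s (err=%v)\n", loc, back.ID, back.Issuer, relay, err)
}
```

The Redirect binding carries no signature inside the XML (the query string would be signed separately via SigAlg/Signature parameters, not shown here), and the fixed request ID is for readability only; a real SP draws IDs from crypto/rand, which also matters for the guessable-ID logout attack mentioned later in the deck.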

Page 17

SAML Assertion

Security Assertion (Version, AssertionID, IssueInstant)
  Issuer: IdP EntityID
  Subject: NameID (UserId)
  Conditions: AudienceRestriction (SP EntityID), NotBefore, NotOnOrAfter
  AuthnStatement (AuthnInstant): AuthnContext with AuthnContextClassRef
  Attribute, Attribute, Attribute
  Digital Signature: X.509 signing certificate; digest; signature algorithm and transforms; signature value

Page 18

XML Signature

[Diagram: the Assertion is canonicalised (c14n) and hashed (sha1) to give the Reference digest; the SignedInfo holding that digest is then signed with the IdP's RSA private key (rsa), giving the signature value]

Page 19

SAML ATTACKS

Page 20

SAML Attacks

Technologies involved: SAML, XML Signatures, X.509 Certificates

Page 21

Page 22

SAML Attacks - SAML

Log out other users thanks to guessable IDs

Replay an eavesdropped SAML message

Find SAML messages people have posted in public, e.g. via Google or on Stack Overflow
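The replay attack on this slide and the Conditions block of the assertion layout on slide 17 are what the following added example (Go, not code from the slides or from SAMLRaider) checks on the SP side, after the XML signature has already been verified: issuer, NotBefore/NotOnOrAfter with clock skew, AudienceRestriction, Recipient, the InResponseTo binding to a request this SP actually sent, and a cache of consumed assertion IDs so that a captured assertion cannot be delivered twice. Entity IDs, URLs, and the sample assertion are constructed.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"time"
)

// Assertion maps the parts of a SAML 2.0 assertion an SP has to check (slide 17).
type Assertion struct {
	ID      string `xml:"ID,attr"`
	Issuer  string `xml:"Issuer"`
	NameID  string `xml:"Subject>NameID"`
	Confirm struct {
		InResponseTo string `xml:"InResponseTo,attr"`
		Recipient    string `xml:"Recipient,attr"`
	} `xml:"Subject>SubjectConfirmation>SubjectConfirmationData"`
	Conditions struct {
		NotBefore    string   `xml:"NotBefore,attr"`
		NotOnOrAfter string   `xml:"NotOnOrAfter,attr"`
		Audiences    []string `xml:"AudienceRestriction>Audience"`
	} `xml:"Conditions"`
}

// Validator holds the SP's configuration plus the state replay protection needs.
type Validator struct {
	SPEntityID, IdPEntityID, ACSURL string
	Skew                            time.Duration
	Now                             func() time.Time
	outstanding                     map[string]bool      // AuthnRequest IDs we sent, consumed once
	seen                            map[string]time.Time // accepted assertion IDs with their NotOnOrAfter
}

func NewValidator(sp, idp, acs string) *Validator {
	return &Validator{SPEntityID: sp, IdPEntityID: idp, ACSURL: acs, Skew: time.Minute,
		Now: time.Now, outstanding: map[string]bool{}, seen: map[string]time.Time{}}
}

// IssueRequest records the ID of an AuthnRequest this SP just sent to the IdP.
func (v *Validator) IssueRequest(id string) { v.outstanding[id] = true }

// Validate assumes the XML signature was already verified and applies the semantic
// checks: issuer, validity window, audience, recipient, request binding, replay.
func (v *Validator) Validate(doc []byte) (string, error) {
	var a Assertion
	if err := xml.Unmarshal(doc, &a); err != nil {
		return "", err
	}
	if a.Issuer != v.IdPEntityID {
		return "", fmt.Errorf("issuer %q is not the configured IdP", a.Issuer)
	}
	nb, err1 := time.Parse(time.RFC3339, a.Conditions.NotBefore)
	noa, err2 := time.Parse(time.RFC3339, a.Conditions.NotOnOrAfter)
	if err1 != nil || err2 != nil {
		return "", fmt.Errorf("missing or malformed validity window")
	}
	now := v.Now()
	if now.Add(v.Skew).Before(nb) {
		return "", fmt.Errorf("assertion not yet valid (NotBefore %s)", a.Conditions.NotBefore)
	}
	if !now.Add(-v.Skew).Before(noa) {
		return "", fmt.Errorf("assertion expired (NotOnOrAfter %s)", a.Conditions.NotOnOrAfter)
	}
	audienceOK := false
	for _, aud := range a.Conditions.Audiences {
		audienceOK = audienceOK || aud == v.SPEntityID
	}
	if !audienceOK {
		return "", fmt.Errorf("audience %v does not include this SP", a.Conditions.Audiences)
	}
	if a.Confirm.Recipient != v.ACSURL {
		return "", fmt.Errorf("recipient %q is not our ACS URL", a.Confirm.Recipient)
	}
	if !v.outstanding[a.Confirm.InResponseTo] {
		return "", fmt.Errorf("InResponseTo %q matches no request we sent", a.Confirm.InResponseTo)
	}
	delete(v.outstanding, a.Confirm.InResponseTo) // one response per request
	if _, dup := v.seen[a.ID]; dup {
		return "", fmt.Errorf("assertion %s already consumed (replay)", a.ID)
	}
	for id, exp := range v.seen { // past NotOnOrAfter an ID can no longer replay anyway
		if !now.Add(-v.Skew).Before(exp) {
			delete(v.seen, id)
		}
	}
	v.seen[a.ID] = noa
	return a.NameID, nil
}

// SampleAssertion is a constructed IdP assertion (made-up entity IDs) for the demo.
func SampleAssertion(id, inResponseTo, audience string, nb, noa time.Time) []byte {
	return []byte(fmt.Sprintf(`<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="%s" Version="2.0">
<saml:Issuer>https://idp.example.org</saml:Issuer>
<saml:Subject><saml:NameID>alice</saml:NameID><saml:SubjectConfirmation><saml:SubjectConfirmationData InResponseTo="%s" Recipient="https://sp.example.org/acs"/></saml:SubjectConfirmation></saml:Subject>
<saml:Conditions NotBefore="%s" NotOnOrAfter="%s"><saml:AudienceRestriction><saml:Audience>%s</saml:Audience></saml:AudienceRestriction></saml:Conditions>
</saml:Assertion>`, id, inResponseTo, nb.Format(time.RFC3339), noa.Format(time.RFC3339), audience))
}
```

Usage: `v := NewValidator(sp, idp, acs); v.IssueRequest(reqID)` when the AuthnRequest goes out, then `v.Validate(assertionBytes)` at the ACS; a second delivery of the same bytes fails on InResponseTo, and if the request ID were somehow re-armed it still fails on the assertion ID cache. The maps here are per process and unlocked; a real SP keeps them behind a mutex or in a shared store so that the check also holds across instances.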

Page 23

SAML Attacks - XML

Signature Exclusion (simply delete the Signature)

XML Signature Wrapping (XSW), see the paper «On Breaking SAML: Be Whoever You Want to Be», 2012

Page 24

SAML Attacks - XML

Normal Message

Page 25

SAML Attacks - XML

Manipulated Message (XSW)
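The two messages on these slides (normal, and manipulated by XML Signature Wrapping) are reproduced in the following added example in Go, which is not code from the slides or from SAMLRaider. The point of XSW is that the XML-DSig library is right: the Reference still points at the untouched, signed assertion, so digest and signature verify. The application is wrong: it then reads "the assertion" from wherever it happens to be in the document. `NaiveSubject` takes the first Assertion it finds; `SignedSubject` resolves the Reference URI, insists on exactly one assertion with that ID, and reads only that subtree. Assumptions: fixtures are constructed with made-up entity IDs, the Signature carries only its Reference (DigestValue and SignatureValue checks are left to the library), the IdP signs the Assertion rather than the whole Response, and an Assertion nested inside another is treated as part of the outer one, so a Reference into it fails closed.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// element is one <Assertion>: its ID and its exact byte range in the document.
type element struct {
	ID         string
	Start, End int64
}

// scan streams the document once. Every <Assertion> is recorded with the range
// Decoder.InputOffset reports before its start tag and after Skip has consumed
// its end tag; the Signature's Reference URI is picked up on the way.
func scan(doc []byte) (elems []element, refURI string, err error) {
	dec := xml.NewDecoder(bytes.NewReader(doc))
	var tok xml.Token
	for start := dec.InputOffset(); ; start = dec.InputOffset() {
		if tok, err = dec.Token(); err == io.EOF {
			return elems, refURI, nil
		} else if err != nil {
			return nil, "", err
		}
		t, ok := tok.(xml.StartElement)
		if !ok {
			continue
		}
		switch t.Name.Local {
		case "Assertion":
			if err = dec.Skip(); err != nil {
				return nil, "", err
			}
			elems = append(elems, element{attr(t, "ID"), start, dec.InputOffset()})
		case "Reference":
			refURI = attr(t, "URI")
		}
	}
}

func attr(e xml.StartElement, name string) string {
	for _, a := range e.Attr {
		if a.Name.Local == name {
			return a.Value
		}
	}
	return ""
}

func subjectOf(assertion []byte) (string, error) {
	var a struct{ NameID string `xml:"Subject>NameID"` }
	err := xml.Unmarshal(assertion, &a)
	return a.NameID, err
}

// NaiveSubject is the vulnerable SP: the XML-DSig library reported the signature
// valid, and "the assertion" is simply the first <Assertion> in the document.
func NaiveSubject(doc []byte) (string, error) {
	elems, _, err := scan(doc)
	if err != nil || len(elems) == 0 {
		return "", fmt.Errorf("no assertion found: %v", err)
	}
	return subjectOf(doc[elems[0].Start:elems[0].End])
}

// SignedSubject trusts only what the Reference covers: resolve the URI, require
// exactly one assertion with that ID, and read the NameID from that subtree alone
// (the mitigation slide's "only process the signed XML tree").
func SignedSubject(doc []byte) (string, error) {
	elems, refURI, err := scan(doc)
	if err != nil {
		return "", err
	}
	id, hits := strings.TrimPrefix(refURI, "#"), []element{}
	for _, e := range elems {
		if e.ID == id {
			hits = append(hits, e)
		}
	}
	if id == "" || len(hits) != 1 {
		return "", fmt.Errorf("Reference %q resolves to %d assertions, want exactly 1", refURI, len(hits))
	}
	return subjectOf(doc[hits[0].Start:hits[0].End])
}

// Constructed fixtures: entity IDs are made up, and the Signature carries only the
// Reference because digest and SignatureValue checks are left to the library.
const assertionTmpl = `<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="%s" Version="2.0"><saml:Issuer>https://idp.example.org</saml:Issuer><saml:Subject><saml:NameID>%s</saml:NameID></saml:Subject></saml:Assertion>`

func AssertionXML(id, user string) string { return fmt.Sprintf(assertionTmpl, id, user) }

// Response is the IdP message: any prepended content (the attacker's extra assertion
// of slide 25), the Signature referencing id, then the signed assertion itself.
func Response(id, signed string, prepend ...string) []byte {
	return []byte(`<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">` + strings.Join(prepend, "") +
		`<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:Reference URI="#` + id +
		`"/></ds:SignedInfo><ds:SignatureValue>omitted</ds:SignatureValue></ds:Signature>` + signed + `</samlp:Response>`)
}
```

`Response("_a1", AssertionXML("_a1", "alice"))` is the normal message; `Response("_a1", AssertionXML("_a1", "alice"), AssertionXML("_evil", "admin"))` is the wrapped one, where `NaiveSubject` returns "admin" and `SignedSubject` returns "alice". Giving the injected assertion the same ID "_a1" is the variant that fools resolvers stopping at the first match; `SignedSubject` rejects it because two elements claim the referenced ID. The byte range returned by `scan` is what the rest of the application should be handed, so that nothing outside the signed subtree is ever parsed for attributes.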

Page 26

SAML Attacks - Certificate Tampering

Precondition: Certificate is embedded in the message

«clone» a certificate, generate new key material

Use a certificate signed by other official CA

Use a revoked certificate

Page 27

Demo Exploit

Found in June 2015 by Compass Security. The vulnerable implementation was using the SAML POST binding and did not match all attributes of the X.509 certificate embedded in the assertion against the certificate from the identity provider (IdP).

Page 28

Demo Exploit


Page 29

SAMLRaider

SAMLRaider Extension for Burp

https://github.com/SAMLRaider/SAMLRaider

Page 30

Demo Exploit

Page 31

REMEDIATIONS

Page 32

SAML Attacks - Mitigation

Configuration:
• Use the artifact binding (no message content passes through the client)
• If the POST binding is necessary: use encrypted messages

Implementation:
• Only process the signed XML tree (discard all other content)
• Use key material configured on the SP or IdP, not keys embedded in the message
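The certificate tampering attack of slide 26, the June 2015 finding of slide 27 and the last mitigation above come together in this added example in Go (not code from the slides or from SAMLRaider; it uses only the standard library). The attacker "clones" the IdP certificate: a self-signed certificate with the same subject, issuer and serial number but a fresh RSA key, embedded in the message next to a signature made with that key. `VulnerableVerify` compares a few certificate attributes against the configured IdP certificate and then verifies with the embedded key, so the forgery passes. `HardenedVerify` verifies with the configured certificate only and, if a certificate is embedded at all, demands it be byte-for-byte the configured one. Assumptions: the entity name and serial are made up, the SignedInfo bytes are a constructed stand-in for the real canonicalised SignedInfo, and SHA-256 is used where the slide's diagram shows sha1.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Signer holds an X.509 certificate and the matching RSA private key.
type Signer struct {
	Cert *x509.Certificate
	Key  *rsa.PrivateKey
}

// NewSigner issues a self-signed certificate. The attacker calls it with the IdP's
// subject and serial to "clone" the certificate with fresh key material (slide 26).
func NewSigner(subject pkix.Name, serial int64) (*Signer, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: subject,
		NotBefore: time.Date(2016, 1, 1, 0, 0, 0, 0, time.UTC), NotAfter: time.Date(2036, 1, 1, 0, 0, 0, 0, time.UTC)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &Signer{Cert: cert, Key: key}, err
}

// Message stands in for a POST-binding response: the SignedInfo bytes, the RSA
// signature over them, and the certificate shipped in <ds:X509Certificate>.
type Message struct {
	SignedInfo, Signature, CertDER []byte
}

// Sign is the "rsa" step of slide 18: hash SignedInfo, sign the hash with the key.
func (s *Signer) Sign(signedInfo []byte) (*Message, error) {
	h := sha256.Sum256(signedInfo)
	sig, err := rsa.SignPKCS1v15(rand.Reader, s.Key, crypto.SHA256, h[:])
	return &Message{SignedInfo: signedInfo, Signature: sig, CertDER: s.Cert.Raw}, err
}

func verifyWith(cert *x509.Certificate, m *Message) error {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return errors.New("not an RSA certificate")
	}
	h := sha256.Sum256(m.SignedInfo)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], m.Signature)
}

// VulnerableVerify has the flaw of the June 2015 finding (slide 27): the embedded
// certificate is matched on a few attributes only, then its key verifies the signature.
func VulnerableVerify(trusted *x509.Certificate, m *Message) error {
	embedded, err := x509.ParseCertificate(m.CertDER)
	if err != nil {
		return err
	}
	if embedded.Subject.String() != trusted.Subject.String() ||
		embedded.Issuer.String() != trusted.Issuer.String() ||
		embedded.SerialNumber.Cmp(trusted.SerialNumber) != 0 {
		return errors.New("certificate does not match the configured IdP")
	}
	return verifyWith(embedded, m) // the attacker's key verifies the attacker's signature
}

// HardenedVerify follows the mitigation slide: verify with the configured certificate
// only, and an embedded certificate, if present at all, must be byte-for-byte identical.
func HardenedVerify(trusted *x509.Certificate, m *Message) error {
	if m.CertDER != nil && !bytes.Equal(m.CertDER, trusted.Raw) {
		return errors.New("embedded certificate differs from the configured IdP certificate")
	}
	return verifyWith(trusted, m)
}

// Scenario: the IdP, an attacker who cloned its certificate, and a message signed by each.
func Scenario() (idp *x509.Certificate, legit, forged *Message, err error) {
	subject := pkix.Name{CommonName: "idp.example.org", Organization: []string{"Example IdP"}}
	idpSigner, err := NewSigner(subject, 4711)
	if err != nil {
		return nil, nil, nil, err
	}
	attacker, err := NewSigner(subject, 4711) // same DN and serial, fresh key pair
	if err != nil {
		return nil, nil, nil, err
	}
	if legit, err = idpSigner.Sign([]byte(`<ds:SignedInfo><ds:Reference URI="#_alice"/></ds:SignedInfo>`)); err != nil {
		return nil, nil, nil, err
	}
	forged, err = attacker.Sign([]byte(`<ds:SignedInfo><ds:Reference URI="#_admin"/></ds:SignedInfo>`))
	return idpSigner.Cert, legit, forged, err
}
```

`idp, legit, forged, _ := Scenario()` followed by `VulnerableVerify(idp, forged)` returns nil (the forgery is accepted) while `HardenedVerify(idp, forged)` returns an error; both accept `legit`. The same holds for the other two items on slide 26: a certificate signed by some public CA or a revoked one also fails the byte comparison, and even a message that omits KeyInfo altogether is still verified against the configured key, so there is no path in which the message supplies the trust anchor.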

Page 33

Questions?

Credits and Links:

Emanuel Duss, Bachelor Thesis and SAMLRaider

Bachelor Thesis https://eprints.hsr.ch/464/

SAMLRaider on Github: https://github.com/SAMLRaider/SAMLRaider

Page 34