Thursday, January 22, 2009

ClickJacking

In October last year there was discussion about a vulnerability discovered by RSnake and Jeremiah Grossman in the Adobe Flash framework and all major browsers. Among other things, an attacker could control the user's web camera and microphone, viewing their actions and recording any speech. This could be used for real-time surveillance of an individual.

The attack involves getting the user to click on harmless buttons or links on web pages. However, by using a concealed link, the user is actually clicking on an entirely different link or button from the one he appears to be on. This can be used to get him to navigate to unknown web pages, or to dismiss alert boxes. It is executed by creating an iframe with the malicious link in its top-left corner and embedding it in the harmless page that the user is shown. This iframe is made invisible by turning its opacity down, and is made to hover just under the user's mouse pointer. As a result, regardless of where the user clicks, the malicious link is clicked. In Flash, the attacker can enable the microphone and web cam, getting the user to click 'yes' on all the confirmation dialogs that come up.

The paper explaining the details is available here and a demonstration of the attack can be seen over here.
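Since the whole attack rests on the target page being loaded inside an attacker's iframe, the defence that matters sits on the server: the victim site must tell browsers not to render it in a frame. The following is an added example, not code from the original post, showing how a defender can evaluate the two headers that do this (X-Frame-Options, which Microsoft introduced around this time, and the later Content-Security-Policy frame-ancestors directive) against a candidate framing origin, and which headers to send. Function names and the origins used in the audit are mine and are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": "80", "https": "443"}


def _split_origin(origin):
    """Return (scheme, host, effective port) for an origin such as 'https://bank.example'."""
    parts = urlsplit(origin.strip().lower())
    port = str(parts.port) if parts.port else DEFAULT_PORTS.get(parts.scheme, "")
    return parts.scheme, parts.hostname or "", port


def _frame_ancestors_sources(csp_value):
    """Source list of the frame-ancestors directive, or None when the policy has no such directive."""
    for directive in csp_value.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.strip("'").lower() for t in tokens[1:]]
    return None


def _source_matches(src, page, ancestor):
    """CSP source matching for the forms frame-ancestors uses: 'self', '*', scheme:, host[:port] with *. wildcard."""
    scheme, host, port = ancestor
    if src == "self":
        return ancestor == page
    if src == "*":
        return True
    if re.fullmatch(r"[a-z][a-z0-9+.-]*:", src):          # scheme-source such as "https:"
        return scheme + ":" == src
    m = re.fullmatch(r"(?:([a-z][a-z0-9+.-]*)://)?([^:/]+)(?::(\d+|\*))?/?", src)
    if not m:
        return False
    src_scheme, src_host, src_port = m.groups()
    if src_scheme and src_scheme != scheme:
        return False
    if src_port is None:                                     # no port given: the scheme's default applies
        src_port = DEFAULT_PORTS.get(src_scheme or scheme, "")
    if src_port != "*" and src_port != port:
        return False
    if src_host.startswith("*."):                            # wildcard matches subdomains only, not the bare host
        suffix = src_host[1:]
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == src_host


def framing_allowed(headers, page_origin, ancestor_origin):
    """Would a browser honouring these response headers let ancestor_origin frame the page at page_origin?

    frame-ancestors takes precedence over X-Frame-Options when both are present, as CSP Level 2 specifies.
    """
    page, ancestor = _split_origin(page_origin), _split_origin(ancestor_origin)
    lower = {k.lower(): v for k, v in headers.items()}
    sources = _frame_ancestors_sources(lower.get("content-security-policy", ""))
    if sources is not None:
        if not sources or sources == ["none"]:
            return False
        return any(_source_matches(s, page, ancestor) for s in sources if s != "none")
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return page == ancestor
    if xfo.startswith("ALLOW-FROM"):                         # legacy single-origin form
        return _split_origin(xfo[len("ALLOW-FROM"):]) == ancestor
    return True                                              # no protection at all: any site may frame it


def frame_protection_headers(allowed_ancestors=()):
    """Headers to send so the page cannot be framed except by the listed origins (default: nobody)."""
    if not allowed_ancestors:
        return {"X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors 'none'"}
    return {"X-Frame-Options": "SAMEORIGIN",                 # cannot express a list; same-origin fallback for old browsers
            "Content-Security-Policy": "frame-ancestors 'self' " + " ".join(allowed_ancestors)}


def audit(page_origin, headers, ancestors=("https://evil.example",)):
    """Report which of the given (constructed) ancestors could frame the page; an empty list means it is protected."""
    return [a for a in ancestors if framing_allowed(headers, page_origin, a)]


if __name__ == "__main__":
    print("no headers:", audit("https://bank.example", {}))
    print("protected: ", audit("https://bank.example", frame_protection_headers()))
```

A page that returns neither header is frameable by anyone, which is exactly the precondition the post describes; sending both headers covers browsers that only understand the older one.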

Wednesday, December 31, 2008

Rogue CA Certificates

So much for a relaxed end to the year. This morning, at the Chaos Communication Congress, security researchers created a rogue CA certificate which is trusted by all major browsers by default. This means that, in effect, they have become a virtual CA: they can certify any website with a certificate signed by their rogue certificate, and it will pass the inspection by the browser. Malicious sites could impersonate legitimate mail providers or banking sites during a Man in the middle attack and completely deceive the user.

The attack targets CAs that continue to sign their certificates using the MD5 hash algorithm. It relies on generating a "collision" between the certificate that is originally requested from the CA and a duplicate, rogue certificate generated by the attacker. It is also, at the moment, only possible when the CA generates certificates with predictable serial numbers.

The danger here is that since browsers implicitly trust the certificates that are signed by trusted roots, there is no mitigation possible on the client end and one has to rely on CAs to upgrade their infrastructure.

The surprising fact is that CAs are still using MD5 - 3 years after the first attacks and collisions surfaced. Let's hope that when they upgrade their infrastructure, CAs don't just move to SHA-1, which is also rumoured to be susceptible to collision attacks, but to stronger algorithms like SHA-2 or Whirlpool. Oh, and that they start randomizing the serial numbers for the certificates as well.

More details about the attack can be found here.
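Both preconditions of the attack, an MD5 signature and a predictable serial number, are visible in the certificate itself, so a defender can at least check what the chains presented to them actually carry. The following is an added example, not code from the original post or from the researchers' work: a dependency-free Python inspector that reads the signature algorithm and serial number straight out of the DER structure. The algorithm OIDs are the real PKCS#1 values; the sample certificates are constructed with a small encoder and carry only the fields the inspector reads, so they are not valid certificates. Function names are mine.

```python
import base64

# Signature-algorithm OIDs from PKCS#1 (RFC 3279 / RFC 4055). These values are real.
SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}
WEAK_HASH_ALGS = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}


def pem_to_der(pem_text):
    """Strip PEM armour and base64-decode the first certificate in the text."""
    lines = [l.strip() for l in pem_text.splitlines() if l.strip() and not l.startswith("-----")]
    return base64.b64decode("".join(lines))


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits give the byte count of the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode a DER OBJECT IDENTIFIER body into dotted form."""
    parts, val = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(val))
            val = 0
    return ".".join(parts)


def _algorithm_oid(alg_identifier):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }."""
    tag, oid_raw, _ = _read_tlv(alg_identifier, 0)
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return _decode_oid(oid_raw)


def inspect_certificate(der):
    """Report signature hash and serial number of a DER X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { version [0] EXPLICIT OPTIONAL, serialNumber INTEGER,
                                  signature AlgorithmIdentifier, ... }
    """
    _, cert, _ = _read_tlv(der, 0)
    _, tbs, pos = _read_tlv(cert, 0)
    _, outer_alg, _ = _read_tlv(cert, pos)
    tag, value, p = _read_tlv(tbs, 0)
    if tag == 0xA0:                         # explicit version tag present (v2/v3): skip it
        tag, value, p = _read_tlv(tbs, p)
    assert tag == 0x02, "expected serialNumber INTEGER"
    serial = int.from_bytes(value, "big", signed=True)
    _, inner_alg, _ = _read_tlv(tbs, p)
    inner_oid, outer_oid = _algorithm_oid(inner_alg), _algorithm_oid(outer_alg)
    name = SIG_OIDS.get(outer_oid, outer_oid)
    return {
        "signature_algorithm": name,
        "weak_hash": name in WEAK_HASH_ALGS,
        "algorithms_match": inner_oid == outer_oid,   # RFC 5280 requires the two fields to agree
        "serial": serial,
        "serial_bits": serial.bit_length(),
        # Heuristic only: the CA/Browser Forum baseline today wants at least 64 bits of CSPRNG
        # output in serials, so a short serial hints at (but does not prove) a sequential counter.
        "short_serial": serial.bit_length() < 64,
    }


# --- DER encoding helpers, used only to construct samples for the demonstration ---
def _tlv(tag, body):
    n = len(body)
    length = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF]))
    return bytes([tag]) + length + body


def _encode_oid(dotted):
    a, b, *rest = (int(x) for x in dotted.split("."))
    out = [40 * a + b]
    for v in rest:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_sample_cert(sig_oid, serial):
    """Constructed stand-in carrying only the fields inspect_certificate reads, plus a dummy signature.
    It is not a valid certificate and cannot be used as one."""
    alg_id = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + b"\x05\x00")         # algorithm + NULL params
    serial_bytes = serial.to_bytes((serial.bit_length() + 8) // 8, "big")     # leading 0x00 keeps it positive
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, serial_bytes) + alg_id)
    signature = _tlv(0x03, b"\x00" * 17)                                       # placeholder BIT STRING
    return _tlv(0x30, tbs + alg_id + signature)


if __name__ == "__main__":
    for oid, serial in (("1.2.840.113549.1.1.4", 1234), ("1.2.840.113549.1.1.11", 0xA37C1E9B5D42F018)):
        print(inspect_certificate(build_sample_cert(oid, serial)))
```

On a real chain, feed each PEM block through pem_to_der and run the inspector over every certificate, not only the leaf: the rogue certificate in this attack is an intermediate, and it is the issuing CA's MD5 signature on it that matters.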

Thursday, December 25, 2008

Merry Christmas

Another year has gone by and there's been some really neat stuff in the security space. We've seen lots of 'The Internet is coming to an end' kind of vulnerabilities, but for the most part work has continued with mild, if any, disruption. There has also been a whole lot of debate about full vs partial disclosure and responsible reporting of vulnerabilities, but we're not going to be getting into that here. Here's to a Merry Christmas and all the best for 2009 to everyone! We're all looking forward to a really exciting year ahead over here.

Monday, December 08, 2008

SQL Injection

SQL Injection is at once one of the most common and most misunderstood vulnerabilities that we've come across in our testing. Part of the fault lies with the remediation steps given by Microsoft, which state that one should use stored procedures without delving into how one should use them.
Are stored procedures immune to SQL Injection attacks? Undoubtedly not! Let's have a look at the following lines in a stored procedure:

declare @query nvarchar(200)
set @query = 'Select * From Users Where UserID Like ''%' + @userId + '%'''
exec (@query)

This procedure is also vulnerable because the parameter is directly appended to the query text and then executed. Now, why exactly does SQL Injection occur? It happens because the execution engine takes a string as input, without distinguishing between user supplied data and the query logic. This allows the user to format his input in a way that modifies the structure of the query. When the data is passed via parameters, the execution engine is careful to distinguish between the code and data segments, and does not allow user input such as ' or -- to break the structure of the query. However, when it is directly concatenated as a string and then executed, SQL injection is possible - even in stored procedures.
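The code-versus-data distinction above is easiest to see by running the same inputs through both shapes of query. The following is an added example, not code from the original post, using Python's built-in sqlite3 module: one function builds the query by concatenation exactly as the stored procedure does, the other passes the LIKE pattern as a bound parameter. The Users table and its rows are constructed for the demonstration, and the function names are mine.

```python
import sqlite3


def make_demo_db():
    """Constructed in-memory Users table standing in for the table in the post."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserID TEXT, Email TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", [
        ("alice", "alice@example.invalid"),
        ("bob", "bob@example.invalid"),
        ("o'brien", "obrien@example.invalid"),
    ])
    return conn


def find_users_concatenated(conn, user_id):
    """Same shape as the stored procedure: the parameter is glued into the SQL text,
    so the engine cannot tell where the query logic ends and the data begins."""
    query = "SELECT UserID FROM Users WHERE UserID LIKE '%" + user_id + "%'"
    return [row[0] for row in conn.execute(query)]


def find_users_parameterised(conn, user_id):
    """Hardened form: the whole pattern travels as a bound parameter, never as SQL text."""
    return [row[0] for row in conn.execute(
        "SELECT UserID FROM Users WHERE UserID LIKE ?", ("%" + user_id + "%",))]


def compare(conn, user_id):
    """Run both versions on one input; report the rows, or the error the concatenated form raises."""
    try:
        unsafe = find_users_concatenated(conn, user_id)
    except sqlite3.Error as exc:
        unsafe = "error: " + str(exc)
    return {"input": user_id,
            "concatenated": unsafe,
            "parameterised": find_users_parameterised(conn, user_id)}


if __name__ == "__main__":
    db = make_demo_db()
    for value in ("ali", "o'brien", "%' --"):   # a normal search, a legitimate apostrophe, and the comment case from the post
        print(compare(db, value))
```

The apostrophe case shows the problem without any attacker: a perfectly legitimate surname breaks the concatenated query, while the parameterised one finds the row. In T-SQL the stored procedure is fixed the same way, by keeping the user value out of the statement text: set @query = N'Select * From Users Where UserID Like @pattern' and run it with exec sp_executesql @query, N'@pattern nvarchar(60)', @pattern = '%' + @userId + '%' instead of exec (@query).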

Thursday, November 20, 2008

VoIP : Part II

A number of the security problems in SIP occur because the data is sent in the clear and is easy to view and modify. The server and the agent use a challenge-response system where the password is hashed with the realm and the nonce. The calculation for the response is

H1 = MD5(username:realm:password)
H2 = MD5(method:uri)
Response = MD5(H1:nonce:H2)

The username, realm and nonce are passed in the challenge, so the only unknown is the password. An attacker who has access to both the challenge and the response can compute the hashes offline using a brute-force or dictionary attack and obtain the password of the user. Another attack that arises is that the agent can impersonate any other user by changing the From field in an INVITE request.
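The three-line calculation above is HTTP Digest authentication as SIP borrows it (RFC 2617, without the qop extension). The following is an added example, not code from the original post, that carries the exchange through on both sides: the server issues the challenge, the agent computes the response and builds its Authorization header, and the server parses that header and verifies it against the stored password. It makes concrete why the values in transit give an eavesdropper everything except the password. The realm, extension and password are constructed, and the function names are mine.

```python
import hashlib
import re
import secrets


def _md5_hex(*fields):
    """MD5 over the colon-joined fields, which is how the digest scheme composes its inputs."""
    return hashlib.md5(":".join(fields).encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce):
    """Client side: H1 = MD5(username:realm:password), H2 = MD5(method:uri), response = MD5(H1:nonce:H2)."""
    h1 = _md5_hex(username, realm, password)
    h2 = _md5_hex(method, uri)
    return _md5_hex(h1, nonce, h2)


def make_challenge(realm):
    """Server side: the 401 challenge. Every field here is public; only the password is secret."""
    return {"realm": realm, "nonce": secrets.token_hex(16), "algorithm": "MD5"}


def build_authorization_header(username, realm, password, method, uri, nonce):
    """Client side: the Authorization header the agent puts on its retried REGISTER or INVITE."""
    response = digest_response(username, realm, password, method, uri, nonce)
    return ('Digest username="%s", realm="%s", nonce="%s", uri="%s", response="%s", algorithm=MD5'
            % (username, realm, nonce, uri, response))


_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_digest_header(value):
    """Parse 'Digest k="v", k2=v2, ...' into a dict; quoted and bare values are both accepted."""
    scheme, _, params = value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM.finditer(params)}


def verify_response(header_value, method, expected_nonce, password_lookup):
    """Server side: recompute the response from the stored password and compare in constant time.
    A nonce the server did not issue is rejected outright, which is the minimum replay check."""
    creds = parse_digest_header(header_value)
    if creds.get("nonce") != expected_nonce:
        return False
    password = password_lookup(creds.get("username", ""))
    if password is None:
        return False
    expected = digest_response(creds["username"], creds["realm"], password,
                               method, creds["uri"], creds["nonce"])
    return secrets.compare_digest(expected, creds.get("response", ""))


def demo_exchange():
    """Constructed REGISTER exchange between a soft-phone (extension 1001) and a registrar."""
    users = {"1001": "s3cret-pass"}                     # constructed credential store
    challenge = make_challenge("asterisk")               # realm name is a constructed sample
    header = build_authorization_header("1001", challenge["realm"], users["1001"],
                                        "REGISTER", "sip:192.0.2.1", challenge["nonce"])
    return verify_response(header, "REGISTER", challenge["nonce"], users.get), header


if __name__ == "__main__":
    accepted, header = demo_exchange()
    print(header)
    print("registrar accepted:", accepted)
```

Note what the header printed by the demo contains: username, realm, nonce, uri and the response, which is the complete input to the offline guessing the post describes. Running the exchange inside TLS keeps that header off the wire; the digest itself cannot be strengthened without changing the protocol.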

Denial of Service Attacks

Denial of Service (DoS) is a class of attacks where a particular agent is made unavailable to any other agent on the network. These attacks are possible because the agents do not verify the identity of the sender of messages. They rely on IP addresses, which can be spoofed. Sending a CANCEL request to an agent who has received an INVITE packet cancels the phone call, even if it is sent by an attacker on the network. Sending a BYE packet to the server while impersonating an agent can also prevent that agent from receiving any calls.

A large number of the vulnerabilities in SIP and RTP would be mitigated if SSL/TLS were used along with SIP to prevent Man in the middle style attacks.

Monday, November 10, 2008

VoIP : Part I

Over the last few days, we have been playing around with VoIP security using an Asterisk server and some soft-phones as agents. Primarily, we've been experimenting with the Session Initiation Protocol or SIP and the Real-time Transport Protocol or RTP. SIP is the protocol that is increasingly being used for call management functions such as registering the agents and setting up and terminating calls.
The main kinds of SIP requests are a REGISTER request that is sent by the agents to the server to register themselves, an INVITE request to invite another agent to join a call, a CANCEL request to cancel an invitation, and a BYE message to terminate a call.

Anatomy of a Call

The agent sends an INVITE packet to the server with the address of the agent it wishes to call. The server then forwards this to the recipient, which replies with a ringing tone if it is free to accept a call. The server then returns this ringing tone and the address of the recipient to the caller. The caller can now directly contact the recipient to set up a channel for communication. In case the caller and recipient lie on the same network they can communicate directly. However, if they lie on different networks, they may use a proxy for communication.

Eavesdropping a call

During the call set up, the IP addresses and ports of both agents, along with media parameters such as the protocol type and audio encoding to be used, are exchanged. The most common protocol for exchange of voice data is RTP. An attacker can mount a Man in the middle attack to view the packets that are being exchanged by both the systems. As the RTP packets are unencrypted, they can be reassembled by the attacker using the codec specified and the audio listened to. Both Wireshark and Cain and Abel are able to reconstruct wave files from the RTP packets that they intercept without too much difficulty, and the conversation is recorded!
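The call set-up and eavesdropping sections above both come down to what an INVITE carries in the clear: the SIP headers that identify the parties and the SDP body that names the RTP address, port and codecs. The following is an added example, not code from the original post, showing a small parser for that message, the same parsing a capture tool does before it can reassemble the audio. The INVITE and its SDP are constructed for the demonstration (RFC 5737 documentation addresses), and the function names are mine; it deals with a single audio stream and not the full SIP grammar.

```python
import re

# user@host inside a SIP URI, e.g. "Alice <sip:alice@192.0.2.1>;tag=..." -> ("alice", "192.0.2.1")
SIP_USER = re.compile(r"sip:([^@>;\s]+)@([^>;\s]+)")


def build_sample_invite():
    """Constructed INVITE from a soft-phone, with the SDP offer that carries the media parameters."""
    sdp = "\r\n".join([
        "v=0",
        "o=alice 2890844526 2890844526 IN IP4 192.0.2.10",
        "s=-",
        "c=IN IP4 192.0.2.10",                 # where the caller wants RTP delivered
        "t=0 0",
        "m=audio 49170 RTP/AVP 0 8",           # RTP port and offered payload types
        "a=rtpmap:0 PCMU/8000",                # payload type 0 = G.711 mu-law
        "a=rtpmap:8 PCMA/8000",                # payload type 8 = G.711 A-law
    ]) + "\r\n"
    head = "\r\n".join([
        "INVITE sip:bob@192.0.2.1 SIP/2.0",
        "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds",
        "Max-Forwards: 70",
        "From: Alice <sip:alice@192.0.2.1>;tag=1928301774",
        "To: Bob <sip:bob@192.0.2.1>",
        "Call-ID: a84b4c76e66710@192.0.2.10",
        "CSeq: 314159 INVITE",
        "Contact: <sip:alice@192.0.2.10>",
        "Content-Type: application/sdp",
        "Content-Length: %d" % len(sdp),
    ])
    return (head + "\r\n\r\n" + sdp).encode()


def parse_sip_request(raw):
    """Split a SIP request into request line, headers (lower-cased names, list of values) and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("utf-8", "replace").split("\r\n")
    method, uri, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())   # Via and others may repeat
    length = int(headers.get("content-length", [str(len(body))])[0])
    return {"method": method, "request_uri": uri, "version": version,
            "headers": headers, "body": body[:length].decode("utf-8", "replace")}


def parse_sdp(text):
    """Pull the RTP endpoint and codec list out of the offer; these are what an on-path observer needs."""
    media = {"ip": None, "port": None, "payload_types": [], "codecs": {}}
    for line in text.splitlines():
        if line.startswith("c="):
            media["ip"] = line.split()[-1]
        elif line.startswith("m=audio"):
            fields = line.split()
            media["port"] = int(fields[1])
            media["payload_types"] = [int(pt) for pt in fields[3:]]
        elif line.startswith("a=rtpmap:"):
            pt, name = line[len("a=rtpmap:"):].split(" ", 1)
            media["codecs"][int(pt)] = name
    return media


def summarise_invite(raw):
    """Who is calling whom, under which Call-ID, and where the audio will flow."""
    msg = parse_sip_request(raw)

    def first_user(header):
        m = SIP_USER.search(msg["headers"].get(header, [""])[0])
        return m.group(1) if m else None

    return {"method": msg["method"],
            "from_user": first_user("from"),
            "to_user": first_user("to"),
            "call_id": msg["headers"].get("call-id", [None])[0],
            "media": parse_sdp(msg["body"]) if msg["method"] == "INVITE" else None}


if __name__ == "__main__":
    print(summarise_invite(build_sample_invite()))
```

Everything the summary returns was read from plaintext, which is the point of the post: an observer between the agents learns the media address, port and codec from the INVITE alone, and from there decoding the RTP stream is mechanical. The same parser is a reasonable starting point for monitoring, for instance flagging INVITEs whose From user does not match the registered identity of the sending address.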

Saturday, November 01, 2008

Young IT Professional of the Year Award

Two of our team members - Bhavesh and Mihir - have jointly won the Young IT Professional of the Year Award (YITPA) for the West Zone for their work on Helios. This was awarded by the Computer Society of India, the largest body of computer professionals in the country.