Archive for the ‘Uncategorized’ Category

Trivial forwarding attack on NTLMv2 authentication

Friday, August 13th, 2010

NTLM (v1 and v2) and MS-CHAP (v1 and v2) are challenge-response authentication protocols which are designed to be compatible with the hashing algorithms Windows uses to handle password credentials. The challenge-response system solves the obvious problem of previous protocols which tended to simply transmit the password in the clear. However, NTLM is still susceptible to credentials forwarding attacks; it simply has little or no built-in defense against them. What this means is that an active attacker (i.e., one who can modify traffic on the network between the client and server) is able to redirect a few bytes in one direction, a few bytes in the other, and “steal” the login from the legitimate client and use it to authenticate his own connection to the server. Effectively, this challenge-response scheme amounts to a one-time password transmitted in the clear.

I was honored to be a guest presenter at Dan Geer’s talk today at the Usenix Security Symposium 10. We talked about the need to fix network protocols and the unique challenges that presents. Although I had originally planned to talk about the SSL/TLS experience, I took this opportunity to present what I had learned about NTLM after spending some time looking into the issue over the past few weeks.

People in-the-know have been aware of this attack for at least 14 years. The security research community discussed it repeatedly years back, but somehow it fell through the cracks and was forgotten. But today’s hostile networking environment has given us a newfound appreciation of the need to keep up with any detail which might have implications for data security, so possibly this is the right time to raise awareness of this problem once again. Spread the word.

I’ll be updating this post with more technical detail, so watch for changes over the next day. Until then, I’ll post some links to material as it’s available.

Attack demo videos by Liam Schneider

SMB reflection

SMB relaying with a fully-patched Windows

Other

Slides from Usenix Security 2010 presentation

Press

ZDNet

The Register

Authentication under Windows: A smouldering security problem - The H

Papers, Presentations, and Published Attacks

1996 - Dominique Brezinski - A Weakness in CIFS Authentication
1997 - Brezinski - BlackHat - Security posture assessment of Windows NT networks
1999 - Schneier, Mudge, Wagner review PPTP+MSCHAPv2
2000 - DilDog - @stake - Telnet NTLM Replay Vulnerability
2001 - Sir Dystic - Cult of the Dead Cow - @lantacon - SMBRelay
2004 - Jesse Burns - iSEC - NTLM Authentication Unsafe, HTTP to SMB attack demo
2007 - Grutzmacher - Squirtle
2007 - HTTP to SMB implemented in Metasploit
2007 - HD Moore, valsmith - BlackHat - Tactical Exploitation
2008 - Eric Rachner exploits HTTP-HTTP
2008 - Andres and Miguel Tarasco Acuña - SMBrelay3

Recognized vulnerabilities arising from this fundamental weakness in NTLM

CVE-1999-1087 MS98-016 IE interprets a 32-bit number as an Intranet zone IP address
CVE-2000-0834 MS00-067 Patch for “Windows 2000 Telnet Client NTLM Authentication”
CVE-2001-0003 MS01-001 Patch for MS Office “Web Extender Client” to use IE settings
CVE-2005-0147 Firefox responds to proxy auth requests from arbitrary servers
CVE-2008-3009 MS08-076 Windows Media does not use the SPN for validating replies
CVE-2008-3010 MS08-076 Windows Media associates ISATAP addresses with Intranet zone
CVE-2008-4037 MS08-068 SMB credential reflection protection
CVE-2009-0550 MS09-013 WinHTTP doesn’t correctly opt-in to the NTLM reflection protection
CVE-2009-0550 MS09-014 WinINet doesn’t correctly opt-in to the NTLM reflection protection
CVE-2009-1930 MS09-042 Telnet protocol doesn’t correctly opt-in to the NTLM reflection protection
CVE-2009-3983 Firefox allows remote attackers to replay NTLM credentials of the user
CVE-2010-0231 Hernan Ochoa, Augustin Azubel - BlackHat - Windows’ SMB PRNG is pwned (somewhat unrelated, but too good not to mention)
CVE-2010-1413 Webkit sends NTLM in unspecified circumstances.

Notes

Most or all of the current patched mitigations appear to be less than completely effective. For example read about the remote code execution vulnerability MS08-068. Except that when you see the words “reflection protection” mentally substitute “protection that can be bypassed by simply targeting a different machine”.

Starting with Vista, a MIC (message integrity code) has been included in the messages. However, it probably can’t be very effective unless clients and servers are willing to refuse to make connections with remote endpoints that do not supply it. It signs the content of the messages in each direction, but it doesn’t look like any new info has been “bound” into the authentication process. For example, the target server may be checked, but an attacker may still be able to forward the credentials to a different port and protocol on the same server. In some scenarios (e.g., http rewriting) the bad guy may be the one specifying the target server in the first place.

KHOBE your arguments consistently

Thursday, May 13th, 2010

Nice research from matousec.com. Their article KHOBE – 8.0 earthquake for Windows desktop security software points out a common flaw in the implementation of functions that are called across a security boundary. It seems this is an easy-to-make mistake as all of the tested products made it!

This technique has been known about for a while, too. The author lists a few earlier (and very general) examples. It immediately reminded me of Exploiting Concurrency Vulnerabilities in System Call Wrappers. Looks like the direct Windows AV equivalent of this well-known Systrace bug.

The good news for the vendors is that there’s a straightforward fix: hook functions simply must deep-copy their pointer arguments upon entry and use those consistently, even passing them to the hooked function if that is called. This is no more or less than what the implementation of any normal system function is expected to do.

The article’s example vulnerable code has some race conditions which might just allow a little escalation (line 14). I hear this is not atypical in actual AV products. Even if an add-on security product fails to offer every additional protection it promises, at the very least it should not make anything worse (which again is extraordinarily easy to do in this type of code).
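The deep-copy rule described above, shown as an added example (not code from the matousec article or from any product): a hook that validates the caller's buffer and then passes the same pointer on, next to one that captures the argument once and uses only its own copy. All names here are hypothetical, and the second thread that rewrites the buffer is simulated deterministically by a callback invoked between the check and the use.

```c
#include <stdio.h>
#include <string.h>

#define PATH_LEN 64

static char last_opened[PATH_LEN];   /* what the original function was given */
static void (*race_window)(void);    /* simulated second thread, may be NULL */

/* Stand-in for the original function that the security product hooks. */
static int original_open(const char *path)
{
    snprintf(last_opened, sizeof last_opened, "%s", path);
    return 0;
}

/* Toy policy (assumption for this example): /protected/ is off limits. */
static int policy_allows(const char *path)
{
    return strncmp(path, "/protected/", 11) != 0;
}

/* Flawed hook: checks the caller's buffer, then hands the SAME pointer to
 * the original function, which reads the buffer a second time. */
int hook_open_double_fetch(const char *user_path)
{
    if (!policy_allows(user_path))       /* first fetch: the check */
        return -1;
    if (race_window)
        race_window();                   /* caller-owned memory can change here */
    return original_open(user_path);     /* second fetch: the use */
}

/* Hardened hook: one bounded copy on entry, then the private copy is used
 * for the check AND passed to the original function. */
int hook_open_captured(const char *user_path)
{
    char captured[PATH_LEN];
    size_t i;

    for (i = 0; i < sizeof captured; i++) {   /* single pass over caller memory */
        captured[i] = user_path[i];
        if (captured[i] == '\0')
            break;
    }
    if (i == sizeof captured)
        return -1;                       /* too long or unterminated: refuse */
    if (race_window)
        race_window();                   /* later changes no longer matter */
    if (!policy_allows(captured))
        return -1;
    return original_open(captured);
}

/* Constructed scenario: the caller's buffer is rewritten inside the window. */
static char caller_buf[PATH_LEN];

static void rewrite_caller_buf(void)
{
    strcpy(caller_buf, "/protected/config");
}

/* Returns 1 if a protected path reached the original function via `hook`. */
int protected_path_reached(int (*hook)(const char *))
{
    strcpy(caller_buf, "/home/user/notes.txt");
    last_opened[0] = '\0';
    race_window = rewrite_caller_buf;
    hook(caller_buf);
    race_window = NULL;
    return strncmp(last_opened, "/protected/", 11) == 0;
}

int main(void)
{
    printf("double-fetch hook let protected path through: %d\n",
           protected_path_reached(hook_open_double_fetch));
    printf("capturing hook let protected path through:    %d\n",
           protected_path_reached(hook_open_captured));
    return 0;
}
```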

Has Mozilla lost their … oh never mind

Wednesday, May 12th, 2010

I had heard about this being discussed but I didn’t think Mozilla would actually go through with it. But nevertheless, in my browser, there it is:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1228079105 (0x49330001)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, O=CNNIC, CN=CNNIC ROOT
        Validity
            Not Before: Apr 16 07:09:14 2007 GMT
            Not After : Apr 16 07:09:14 2027 GMT
        Subject: C=CN, O=CNNIC, CN=CNNIC ROOT
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d3:35:f7:3f:...:f3:3a:ca:cb:
                    99:cb
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Netscape Cert Type:
                SSL CA, S/MIME CA, Object Signing CA
            X509v3 Authority Key Identifier:
                keyid:65:F2:31:AD:2A:F7:F7:DD:52:96:0A:C7:02:C1:0E:EF:A6:D5:3B:11

            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier:
                65:F2:31:AD:2A:F7:F7:DD:52:96:0A:C7:02:C1:0E:EF:A6:D5:3B:11
    Signature Algorithm: sha1WithRSAEncryption

Remember: The entire purpose of PKI and the Certificate Authority industry is to prevent active man-in-the-middle-style attacks. Passive eavesdroppers can be defeated with much simpler anonymous cryptography.

Look, nothing against the Chinese people or necessarily even the country of China. We all know they are some real groovy cats over there, if you catch my drift. But this specific organization is well-known for conducting network interception, monitoring, and filtering on a massive scale. There’s probably no organization in the world doing more of it.

If Mozilla’s idea of a security policy is to allow the CNNIC (or any of its delegated sub-CAs) to read and/or modify the data I exchange with websites, in my opinion it raises some serious questions about their judgment.

I guess it could be worse. Firefox could be like MS Windows and trust them for code signing too.*

Sigh.

* OK, OK … actually, that’s not completely correct. Vista, for example, doesn’t trust them out-of-the-box. There’s just this handy little feature where the first time any user (admin or no) running IE makes an https request to a server which presents a cert rooting to CNNIC, the OS silently adds them to the trusted root CAs for the entire local machine. You can delete it then if you want, but don’t worry, it will be there to help you out like that again if ever the need may arise.

McAfee Power

Monday, April 26th, 2010

The fact that McAfee can shut down mass numbers of systems running Windows XP and the power stays on is a very positive sign.

Nevertheless, here’s a list of reported power incidents about that time. This was from a quick search, some may be out of place due to time zone issues, etc.

http://www.inforum.com/event/article/id/276674/
http://www.indianexpress.com/news/blackout-at-power-utility-office-disrupts-bill-payment/610712/
http://www.eyretribune.com.au/news/local/news/general/lightning-strike-sparks-blackout/1810629.aspx
http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=10640337
http://www.digitimes.com/news/a20100422PD203.html
http://www.blayneychronicle.com.au/news/local/news/general/blackout-affects-3000-shire-residents/1810338.aspx

Intel C++ and Debugger (with DRM and classic security bugs)

Wednesday, April 21st, 2010

Saturday afternoon

Intel has a nice C++ toolchain. They use the great EDG C++ front end which is known for its standards-compliance. There’s even a free-as-in-beer offer of many of the tools on Linux for “non-commercial software development“.

I have played with this package from time to time. Last weekend I downloaded and upgraded to the latest suite which includes the compiler, debugger, and various libraries.

The compiler seemed to work just fine. But when I run the debugger…

Intel(R) Debugger for applications running on Intel(R) 64, Version 11.1, Build [1.2097.2.333]
30 DAY EVALUATION LICENSE
NOTE: The evaluation period for this product ends in 23 days.

Well, that’s not very nice. I thought I had a proper non-commercial license! Hmm…I must have chosen the wrong option when I installed it last week.

I’ll try dropping in the license file manually. Doesn’t work.

I’ll do an uninstall and reinstall. No luck.

So I uninstall, this time completely removing the /opt/intel and the /tmp/FLEXnet directories. Reinstall making sure to give it the correct license file this time.

Again! The compiler is happy, but the debugger still insists it’s a time-limited evaluation copy. Hmmm, something not very funny is going on here.

Did a little web searching. It seems that FLEXnet is some sort of software licensing product that’s been owned by several different corporate entities using several different names over the years. Including Macrovision! At this point I approach panic…they’d better not have screwed with my boot sector…this was my cleanest dev box!

There were a few questions on Intel’s forums about problems in this area, and it seemed they were getting help. But this is on a weekend (non-commercial after all), so I figured I’d try to figure it out on my own. I found one post which suggested setting the environment variable INTEL_LMD_DEBUG=1. This was a useful tip as it provided a fascinating view into the mind of a pile of code as it is deciding whether or not to be a functioning piece of software. Some excerpts:

INTEL_LMD: checkout: contents of particular license actually checked out:
INTEL_LMD: checkout: feature name: DbgL (INCREMENT line)
INTEL_LMD: checkout: license expires: 11-may-2010
INTEL_LMD: checkout: license maintenance expires: 2020.1231
INTEL_LMD: checkout: type of license: uncounted (unlimited number of users)
INTEL_LMD: checkout: allowed platforms:
INTEL_LMD: checkout: amd64_re (Intel(R) 64 architecture; Linux*)
INTEL_LMD: checkout: i86_r (IA-32 architecture; Linux*)
INTEL_LMD: checkout: i86_re (IA-32 architecture; Linux*)
INTEL_LMD: checkout: it64_lr (IA-64 architecture; Linux*)
INTEL_LMD: checkout: it64_re (IA-64 architecture; Linux*)
INTEL_LMD: checkout: *Other brands and names are the property of their respective owners.

I could have used the debugger on itself, that might have been interesting in a recursive sort of way. But strace(1) got straight to the point.

Here are some of the highlights; there was lots of repetition I didn’t duplicate here. Also, this happens in a child process so use the strace -o and -ff options.

stat("/home/marsh/.flexlmrc", 0x7fff334bf8d0) = -1 ENOENT (No such file or directory)
stat("/home/marsh/.flexlmborrow", 0x7fff334bf920) = -1 ENOENT (No such file or directory)

Never seen those files before.

mkdir("/tmp/FLEXnet", 0777) = -1 EEXIST (File exists)
chmod("/tmp/FLEXnet", 0777) = -1 EPERM (Operation not permitted)
open("/tmp/FLEXnet/2167552-85A0F138-527D-4012-8175-79A3AEA4152E", O_WRONLY|O_CREAT|O_EXCL, 0666) = -1 EEXIST (File exists)

Man, they sure like the file permissions wide-open. I hope this thing doesn’t have any buffer overflows.

open("/tmp/FLEXnet/2167552-16F7558F-328B-4dc3-BEDF-095C1F14FFF1", O_WRONLY|O_CREAT|O_EXCL, 0666) = -1 EEXIST (File exists)
close(4294967295) = -1 EBADF (Bad file descriptor)

Nice of them to make sure not to leave any bad file descriptors open.

stat("/usr", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat("/usr/local", {st_mode=S_IFDIR|S_ISGID|0775, st_size=4096, ...}) = 0
stat("/usr/local/share", {st_mode=S_IFDIR|S_ISGID|0775, st_size=4096, ...}) = 0
stat("/usr/local/share/macrovision", {st_mode=S_IFDIR|S_ISGID|0755, st_size=4096, ...}) = 0
stat("/usr/local/share/macrovision/storage", {st_mode=S_IFDIR|S_ISGID|0777, st_size=4096, ...}) = 0
stat("/usr/local/share/macrovision/storage/FLEXnet", {st_mode=S_IFDIR|0777, st_size=4096, ...}) = 0
open("/usr/local/share/macrovision/storage/FLEXnet/INTEL_00211300_tsf.data", O_RDWR|O_CREAT, 0666) = 4
chmod("/usr/local/share/macrovision/storage/FLEXnet/INTEL_00211300_tsf.data", 0666) = 0

Hey, how did those “macrovision” directories get there? I don’t recall giving permission for the uninstaller to leave old files lying around! I thought I had put everything under /opt.

Well I’ll just delete that old directory and reinstall, once again. (That fixed it by the way, but I was more interested in the strace at this point).

An aside: I always figured Intel made a compiler in order to ensure there would be one that could take best advantage of new features in their chips. Whatever profit they made from toolchain sales couldn’t possibly be significant compared to even the tiniest incremental boost to their processor business. Seems to me that the primary effect of leaving these hidden DRM files behind is to convert software developers from people with a passing familiarity with the toolchain into those who no longer are using it, and their dev boxes into machines that forever refuse to run it!

stat("/Users/Shared/Library/Application Support/Intel/Licenses", 0x7fff334bf960) = -1 ENOENT (No such file or directory)

Maybe it’s a Mac thing?

open("/proc/pci", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/proc/pci", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/hostid", O_RDONLY) = -1 ENOENT (No such file or directory)
uname({sys="Linux", node="m...", ...}) = 0

Hmm, I wonder why it’s interested in those system files.

open("/etc/resolv.conf", O_RDONLY)      = 5
connect(5, {sa_family=AF_FILE, path="/var/run/nscd/socket"...}, 110) = -1 ENOENT (No such file or directory)
open("/etc/nsswitch.conf", O_RDONLY)    = 5
fstat(5, {st_mode=S_IFREG|0644, st_size=475, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5905c59000
read(5, "# /etc/nsswitch.conf\n#\n# Example "..., 4096) = 475
open("/etc/host.conf", O_RDONLY)        = 5
open("/etc/hosts", O_RDONLY|O_CLOEXEC)  = 5
open("/opt/intel/Compiler/11.1/069/lib/intel64/libnss_files.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/lib/libnss_files.so.2", O_RDONLY) = 5

OK, this guy is starting to creep me out a little bit. It’s almost like he’s getting ready to make a network connection or something. This is not something I want, in the same way that I would not want to see a dinner guest at my house start writing down the serial numbers off my home appliances.

statfs("/", {f_type="EXT2_SUPER_MAGIC", f_bsize=4096, f_blocks=1032112, f_bfree=431368, f_bavail=378940, f_files=262144, f_ffree=206780, f_fsid={596574817, -405841800}, f_namelen=255, f_frsize=4096}) = 0
stat("/", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
open("/proc/mounts", O_RDONLY) = 5
read(5, "rootfs / rootfs rw 0 0\nnone /sys "..., 1024) = 1024

Oh good, no network connection. He sure is interested in my filesystems though. Maybe being a little nosy even?

readlink("/dev/fb", 0x7fff601d15f0, 1024) = -1 ENOENT (No such file or directory)

Now why would a command-line program care if I have a framebuffer device?

open("/proc/cpuinfo", O_RDONLY) = 5
open("/proc/meminfo", O_RDONLY) = 5
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 5
ioctl(5, SIOCGIFHWADDR, {ifr_name="xp0", ???}) = -1 ENODEV (No such device)

What is this interface “xp0” I wonder, and why is its hardware address interesting?

ioctl(5, SIOCGIFHWADDR, {ifr_name="eth0", ifr_hwaddr=00:...}) = 0

Well, I guess we knew that was coming.

uname({sys="Linux", node="m...", ...}) = 0

That too.

ioctl(5, SIOCGIFADDR, {ifr_name="xp0", ???}) = -1 ENODEV (No such device)
ioctl(5, SIOCGIFADDR, {ifr_name="eth0", ifr_addr={AF_INET, inet_addr("192.168...")}}) = 0

Now it wants assigned addresses. There’s that “xp0” again.

Oh! We’d better read a bunch of int32’s from our secret file:

fstat(4, {st_mode=S_IFREG|0666, st_size=12754, ...}) = 0
fstat(4, {st_mode=S_IFREG|0666, st_size=12754, ...}) = 0
lseek(4, 1877, SEEK_SET) = 1877
read(4, "\0\0\0\33"..., 4) = 4
fstat(4, {st_mode=S_IFREG|0666, st_size=12754, ...}) = 0
fstat(4, {st_mode=S_IFREG|0666, st_size=12754, ...}) = 0
lseek(4, 1881, SEEK_SET) = 1881
read(4, "\1!\0\0"..., 4) = 4
fstat(4, {st_mode=S_IFREG|0666, st_size=12754, ...}) = 0
fstat(4, {st_mode=S_IFREG|0666, st_size=12754, ...}) = 0
lseek(4, 1885, SEEK_SET) = 1885

[a lot more of these]

This obsession with the file size before every seek and read is symptomatic of a program suppressing its inner race condition. Hmm, a suitable case for treatment. Nurse! Seize him!!

mkdir("/tmp/FLEXnet", 0777) = -1 EEXIST (File exists)
chmod("/tmp/FLEXnet", 0777) = -1 EPERM (Operation not permitted)
open("/tmp/FLEXnet/608B1FE4-2ACE-4914-9910-3B4BC90DA531", O_WRONLY|O_CREAT|O_EXCL, 0666) = -1 EEXIST (File exists)
close(4294967295) = -1 EBADF (Bad file descriptor)
stat("/tmp/FLEXnet/608B1FE4-2ACE-4914-9910-3B4BC90DA531", {st_mode=S_IFREG|0644, st_size=0, ...}) = 0

Ready, fire, aim!

open("/usr/local/share/macrovision/storage/.tfCaFrmpbmEbzmoEBzFqjzbuFc", O_RDWR) = 5
chmod("/usr/local/share/macrovision/storage/.tfCaFrmpbmEbzmoEBzFqjzbuFc", 0666) = -1 EPERM (Operation not permitted)
read(5, "...", 80) = 55
read(5, ""..., 25) = 0
close(5) = 0

The lesson here is always be sure your hidden files in a world-writable directory are world-writable before you read from them?

stat("/usr/local/share/macrovision/storage/.mEEmchcxpinkgaogqeEzDEuzyb", 0x7fff601d2020) = -1 ENOENT (No such file or directory)
link("/usr/local/share/macrovision/storage/.DyvjkuyxBpbcAtpyheotsmkone", "/tmp/FLEXnet/mEEmchcxpinkgaogqeEzDEuzyb") = -1 EXDEV (Invalid cross-device link)

Sorry, that link is just not going to persist across the next reboot.

open("/opt/intel/Compiler/11.1/069/bin/intel64/*.lic", O_RDONLY) = -1 ENOENT (No such file or directory)

You know, I don’t think that syscall does wildcard expansion.

stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=3543, ...}) = 0
write(2, " INTEL_LMD: flex_expire_days: "..., 44) = 44

Clearly we wouldn’t want to expire somebody’s license in the wrong timezone.

write(2, "3"..., 1) = 1
write(2, "0"..., 1) = 1
write(2, " "..., 1) = 1
write(2, "D"..., 1) = 1
write(2, "A"..., 1) = 1
write(2, "Y"..., 1) = 1
write(2, " "..., 1) = 1
write(2, "E"..., 1) = 1
write(2, "V"..., 1) = 1
....

Why did they print it like that? To hide the string or something?

Finally:

INTEL_LMD: flex_config: at least one license has been granted
INTEL_LMD: flex_config: the most recently checked out feature was checked out successfully
INTEL_LMD: flex_expire_days: returns 3650000
INTEL_LMD: checkout: returns GRANTED

Awesome! I’m considered legit for the next 10,000 years! (except leap days)

Deeper issues

Darn, all that looking at strace logs got me out of the mood for writing whatever code that was I was planning to write. I’m also starting to wonder about the wisdom of putting DRM on a low-level debugger and licensing it free only to people who use them on the weekend for fun.

Wait a second…what were those lines from before?

mkdir("/tmp/FLEXnet", 0777) = -1 EEXIST (File exists)
chmod("/tmp/FLEXnet", 0777) = -1 EPERM (Operation not permitted)

Are they seriously not checking the return code on mkdir and just chmod’ing whatever existed before?

This needs testing.

/tmp$ ln -sf /tmp/couldve_bin_bash /tmp/FLEXnet

/tmp$ ls -al /tmp
total 616
drwxrwxrwt 9 root root 4096 2010-04-20 23:22 .
drwxr-xr-x 23 root root 4096 2009-08-05 07:00 ..
-rw-r--r-- 1 root root 0 2010-04-20 23:21 couldve_bin_bash
lrwxrwxrwx 1 marsh marsh 21 2010-04-20 23:22 FLEXnet -> /tmp/couldve_bin_bash
drwx------ 2 root root 16384 2009-04-03 21:39 lost+found

/tmp$ cat | mail root
Dear root,
I think there’s a bug in the Intel debugger. Could you please check
to see what version we have installed. It should print it on startup.
K thx bye
^D

# . /opt/intel/Compiler/11.1/069/bin/iccvars.sh
# idbc
Intel(R) Debugger for applications running on Intel(R) 64, Version 11.1, Build [1.2097.2.333]
(idb) q
#

/tmp$ ls -al /tmp
total 616
drwxrwxrwt 9 root root 4096 2010-04-20 23:22 .
drwxr-xr-x 23 root root 4096 2009-08-05 07:00 ..
-rwxrwxrwx 1 root root 0 2010-04-20 23:21 couldve_bin_bash
lrwxrwxrwx 1 marsh marsh 21 2010-04-20 23:22 FLEXnet -> /tmp/couldve_bin_bash
drwx------ 2 root root 16384 2009-04-03 21:39 lost+found

OK, I didn’t actually send myself that email. But dude, 1996 called and said it wants its bug back!

A quick test showed this file handling operation to be exploitable, too:

open("/usr/local/share/macrovision/storage/FLEXnet/INTEL_00211300_tsf.data", O_RDWR|O_CREAT, 0666) = 4
chmod("/usr/local/share/macrovision/storage/FLEXnet/INTEL_00211300_tsf.data", 0666) = 0

Scope

So it’s not hard to imagine that this local escalation vulnerability would affect other Linux/Unix/BSD software using FLEXlm. For example, it looks like a tool that is said to “find critical security vulnerabilities” for “over 650 organizations” might be using this “/usr/local/share/macrovision” directory for similar purposes. I’m told that many CAD and EDA systems use this DRM as well.

Examples of previous vulns in this DRM and products that use it:
http://www.google.com/search?q=”FLEXlm+vulnerabilities”
http://www.google.com/search?q=FLEX+”license+file”

ICC Compiler

Well that’s enough for the debugger. I wonder how secure the compiler is? IIRC, Gentoo Linux supports using icc as the system compiler, and runs it as root.

open("/tmp/iccT0R3pl", O_RDWR|O_CREAT|O_EXCL, 0600) = 3
close(3) = 0
chmod("/tmp/iccT0R3pl", 01232) = 0

“01232” What’s up with those permissions??

Wait a minute 01232 in octal is … 666 in decimal. Satan fail.

The command did succeed, but what does it mean?

$ touch test
$ chmod 01232 test
$ ls -al test
--w--wx-wT 1 marsh marsh 0 2010-04-20 21:02 test

Well clearly that’s not going to be good for much. I guess that’s why the program’s next action is to throw it out and try a different filename:

unlink("/tmp/iccT0R3pl") = 0
open("/tmp/iccT0R3plarg", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
write(3, "-_g\n-mP3OPT_inline_alloca\n-D__HON"..., 1979) = 1979
close(3) = 0

Uh oh. This time the compiler actually succeeded in creating a tmp file with everybody=everything mode bits. Even worse, he’s writing compiler arguments into it. It’s a response file.

How far could an attacker go with control of a response file? Can it be used to invoke an arbitrary command? He could try the “-dynamic-linker” option. According to the docs it “Specifies a dynamic linker other than the default.” That would probably do it.

But perhaps more disturbing is the prospect of a bad guy subtly modifying the compiler settings to inject evilness into the build products (changes here might not end up on the build log). With all the concern about APT these days (and I think it is quite legitimate), this is exactly what you don’t want to be possible on your engineers’ workstations.

So we have exploitable unsafe tmp file creation on the Intel icc compiler as well.
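For contrast with both the `mkdir`/`chmod` sequence on /tmp/FLEXnet and the 0666 response file seen in the traces above, here is an added example (not Intel's or FLEXnet's code) of creating state under a shared directory without trusting whatever already sits at the name. The function names and the scratch paths under /tmp are assumptions made for this sketch; `run_scenarios` builds its own constructed test cases.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open (creating if needed) a per-user state directory and verify the object
 * actually opened. Returns a directory fd, or -1 if the name is a symlink,
 * is not a directory, belongs to another user, or is group/world-writable. */
int open_private_dir(const char *path)
{
    struct stat st;
    int fd;

    if (mkdir(path, 0700) != 0 && errno != EEXIST)
        return -1;
    /* O_NOFOLLOW refuses a symlink planted under this name. */
    fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    /* fstat() inspects the opened object, so the name cannot be swapped
     * between the check and later use. Nothing is chmod'ed by name. */
    if (fstat(fd, &st) != 0 || !S_ISDIR(st.st_mode) ||
        st.st_uid != geteuid() || (st.st_mode & (S_IWGRP | S_IWOTH)) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Create a new file relative to the verified directory fd. O_EXCL fails
 * instead of reusing or truncating an existing name; mode is owner-only. */
int create_private_file(int dirfd, const char *name)
{
    return openat(dirfd, name,
                  O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
}

/* Constructed scenarios in a scratch directory. Returns a bitmask:
 * 1 = fresh dir and owner-only file created, 2 = existing file not reused,
 * 4 = planted symlink rejected and its target's mode untouched,
 * 8 = pre-existing world-writable directory rejected. */
int run_scenarios(void)
{
    char base[] = "/tmp/privdir-demo-XXXXXX";
    char path[128], victim[128];
    struct stat st;
    int result = 0, dfd, fd;

    if (mkdtemp(base) == NULL)
        return -1;

    snprintf(path, sizeof path, "%s/state", base);
    dfd = open_private_dir(path);
    if (dfd >= 0) {
        fd = create_private_file(dfd, "args");
        if (fd >= 0 && fstat(fd, &st) == 0 && (st.st_mode & 0077) == 0)
            result |= 1;
        if (create_private_file(dfd, "args") < 0 && errno == EEXIST)
            result |= 2;
        if (fd >= 0)
            close(fd);
        unlinkat(dfd, "args", 0);
        close(dfd);
    }
    rmdir(path);

    snprintf(victim, sizeof victim, "%s/victim", base);
    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0)
        close(fd);
    snprintf(path, sizeof path, "%s/link", base);
    if (symlink(victim, path) == 0 && open_private_dir(path) < 0 &&
        stat(victim, &st) == 0 && (st.st_mode & 0077) == 0)
        result |= 4;
    unlink(path);
    unlink(victim);

    snprintf(path, sizeof path, "%s/open", base);
    if (mkdir(path, 0700) == 0 && chmod(path, 0777) == 0 &&
        open_private_dir(path) < 0)
        result |= 8;
    rmdir(path);
    rmdir(base);
    return result;
}

int main(void)
{
    int r = run_scenarios();
    printf("checks passed mask: %d (15 means all four)\n", r);
    return r == 15 ? 0 : 1;
}
```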

Searching

Intel does not seem to document the creation of these directories and hidden files by their products:

“Your search - macrovision site:http://software.intel.com/en-us/articles/intel-software-technical-documentation/ - did not match any documents.”

Looks like over a year ago a Linux distro’s automated security report noticed some badness, and it was reported:

http://software.intel.com/en-us/articles/world-writable-files-in-the-icc-rpms/
But apparently it was ignored.

Even before that a user had pointed out the unsafe chmod:
http://software.intel.com/en-us/forums/showthread.php?t=61712

Non-Linux

I don’t know if this has been tested before, but my personal theory is that this class of unsafe tmp file handling bugs usually associated with unix can sometimes be exploitable on the Windows side as well. Although Windows has supported symlinks for some time, it restricts their creation to Administrators. However, NTFS junction points in publicly-writable directories can be created by an unprivileged user:

c:\>mklink /j test C:\users\marsh
Junction created for test <<===>> C:\users\marsh

c:\>dir
Volume in drive C is drive-c
Volume Serial Number is E458-1C9F

Directory of c:\

01/20/2008 10:03 PM <DIR> PerfLogs
04/10/2010 12:18 PM <DIR> Program Files
04/14/2010 08:40 PM <DIR> Program Files (x86)
04/21/2010 01:13 AM <JUNCTION> test [C:\users\marsh]
03/05/2010 09:00 AM <DIR> Users
03/05/2010 04:43 PM <DIR> Virtual Machines
04/09/2010 09:07 PM <DIR> Windows
0 File(s) 0 bytes
7 Dir(s) 23,012,346,880 bytes free

Again, this part is educated speculation and not a proven exploit. (I am not planning on experimenting on my Windows box, it takes too long to reinstall!) But I would recommend that the same thorough investigation and remediation be done for potentially-affected Windows products where there is shared code or similar behavior.

Also, I don’t know much about Macs, but last I saw they looked a lot like BSD.

Conclusions

With Intel talking big about “What’s Hot and New in Open Source at Intel“, I would have expected them to have behaved differently. They should behave like a guest on my machine and I really expect to be treated better than some poor TurboTax user.

You can debate the merits of invasive DRM schemes all you want for video games and entertainment media. But IMHO that monkey business has absolutely no place in the build infrastructure of a serious software development process. Such a critical tool as a compiler must produce 100% repeatable results with unquestionable reliability and the production build machines must be the most secure systems in the enterprise.

There are some legitimate issues here. Producing an industrial-strength C++ toolchain is one of the largest and most challenging software projects one could ever attempt and consequently only a few teams have ever pulled it off. It’s going to be a hard enough task for any vendor even without the added challenge of incorporating proprietary schemes in a futile attempt to turn the host system against its owner.

I may never track down every leftover file and undocumented modification this rude guest made to my system. But I do know that I would rather have been writing code on that Saturday afternoon.

After all, you don’t have to use it.

Saturday, March 6th, 2010

Recently a leading expert was interviewed on topics involving data security and SSL. I feel that some of the statements made in that interview are misleading and need a little clarification (inline).

We’ve also seen Secure Sockets Layer (SSL) come under attack, and some experts are saying it is useless. Do you agree?

I’m not convinced that SSL has a problem. After all, you don’t have to use it.

WTF? Maybe this is out of context.

If I log-on to Amazon without SSL the company will still take my money.

No, I just tested it. Amazon will not let you log in without https. Good for them!

The problem SSL solves is the man-in-the-middle attack with someone eavesdropping on the line.

A MitM attack is different than passive eavesdropping. If you only needed to defend against a passive eavesdropper, that can be done with anonymous cryptography and you wouldn’t need the expense and complexity of maintaining PKI and the whole Certificate Authority industry. SSL/TLS is intended to provide protection from both kinds of attack.

But I’m not convinced that’s the most serious problem. If someone wants your financial data they’ll hack the server holding it, rather than deal with SSL.

Just because something isn’t the most serious problem in one scenario doesn’t mean it’s not a critical factor in the security equation. It may even be the most serious problem in some other scenario. SSL generally does its job much better than other components of the system, but that doesn’t mean problems with it should be tolerated.

But doesn’t SSL give consumers confidence to shop online, and thus spur e-commerce?
Well up to a point, but if you wanted to give consumers confidence you could just put a big red button on the site saying ‘You’re safe’. SSL doesn’t matter. It’s all in the database. We’ve got the threat the wrong way round. It’s not someone eavesdropping on Eve that’s the problem, it’s someone hacking Eve’s endpoint.

There’s the old joke about the two hunters running from a bear. (In case you haven’t heard it, one of them notes with irony that the race is between the two of them, rather than between them and the bear.) While this is an insightful analogy in many situations, the analogy only holds when there is only one bear who will be satisfied after only one target. This is certainly not the case in data security where there is likely more than one attacker who likely has more than one objective.

When are we going to get past this skewed view that data security only has to do with e-commerce web servers and their databases? Sure, it’s a common and important scenario, but it’s not the defining scenario for any core internet protocol. Without a solid library of primitive operations that deliver on their stated guarantees, it’s just not possible to build the larger and more complex systems securely.

What about how mail servers talk to each other? What about how B2B data exchange systems work? How do these endpoint systems receive their software patches and anti-malware updates? How do electronic voting machines transmit their results? All of these systems and many more can use SSL/TLS as an integral part of their security architecture.

We mustn’t dismiss the critical importance of SSL/TLS simply because web apps are prone to SQL injections and users don’t seem to be able to type “https” consistently. Some systems actually do have careful and competent designers and are deployed and managed by careful and competent admins. We need to hold the highest standards for core protocols like SSL/TLS, because if these people can’t build secure systems on top of them, what hope does anyone else have?

Endpoint Malware is not MitM, by definition

Friday, March 5th, 2010

Much is being made about somebody with an authenticator getting their World of Warcraft account hacked: Man in the middle attacks circumventing authenticators.

From the original poster:

I was online, got a memory access violation critical error. Not being all too savvy with this, I didn’t pay extra attention to it.

This doesn’t sound like a man-in-the-middle attack to me. This sounds like a good old-fashioned compromised endpoint. A pwned box, if you will.

A MitM attack involves an active attacker who views and changes messages on the communications link between two endpoints. Any attack involving a compromise of the endpoint itself is, by definition, something else.

No login authentication scheme can help this. The legitimate user was, after all, logging in. The fact that his authentication keystrokes were being forwarded to the bad guys is just a technicality. It was effectively just a bandwidth-saver for the bad guys, who could have viewed his screen remotely and injected their own keystrokes after he had logged in. Although one suspects that driving his character to the bank and mailing out all the valuable magic items might have prompted the user to turn off the PC!

Shmoocon 2010 presentation available

Tuesday, March 2nd, 2010

Steve Dispensa and I gave the keynote presentation at Shmoocon this year. We spoke about our experiment in vulnerability disclosure, code named ‘Project Mogul’.

Video of the talk is now available at the Shmoocon site. (I suspect that link will break when they rework the site in preparation for 2011.)

Slides are at that site as well, but you might prefer the PDF version here.

Thunderbird - It’s All Yours

Saturday, February 27th, 2010

Yesterday I read about the availability of a new version of Mozilla Thunderbird, which is all-around a pretty decent mail client. The new version is 3.0.x, and I’m currently using 2.0.x, so I figured it was due for an upgrade. I downloaded the new installer, uninstalled the previous version, and launched the installer. Everything appeared to be going fine.

Probably when the installer finished it offered to “Launch Thunderbird now”, and I took it up on the offer. For some reason, Thunderbird opened with an empty configuration, i.e., none of the mail accounts I had set up under 2.0.x were listed. I remembered having been offered the option to “import settings” every other time I had installed a Mozilla product, so I launched that wizard. When it got to the step where I was supposed to select the application from which to import settings, the dialog box was blank and only the ‘Cancel’ button was enabled.

Although I felt it was a little strange that Thunderbird would not be able to keep its settings across an upgrade, I decided to press on. After all, I switch operating systems often enough that I usually end up redoing all that config once in a while anyway. So I selected ‘File’ -> ‘New’ -> ‘Mail’. The resulting dialog asked me just three questions: name, email address, and password. I became slightly suspicious when I noticed that the font sizes on the buttons didn’t match, but little did that prepare me for what happened next…

Thunderbird3 setup

I am dumbstruck to see the dialog box enlarge and display changing hostnames and port numbers which have no basis in reality. They are simply variations on a theme: my email address’ hostname with various mail-related prefixes and protocols attached. Essentially, it was doing a port scan against my domain. I knew that this port scan could have but one sinister purpose: to transmit my password to whomever was willing to pick up on the other end of the line!

Hostnames looked up:

    imap.example.com
    smtp.example.com
    pop.example.com
    pop3.example.com
    mail.example.com
    example.com

Ports probed:

    tcp port 143 imap
    tcp port 993 imaps
    tcp port 587 submission?
    tcp port 465 smtps
    tcp port 25 smtp
    tcp port 110 pop3
    tcp port 995 pop3s

Since not everyone is deeply familiar with the protocols involved here, I will point out the problem in case you haven’t guessed it. These are classic protocols used for transferring email. Like most older protocols, they were originally specified to transfer the password in-the-clear, and all of them have had some degree of protection for it added later. This has resulted in a situation where multiple versions of each protocol exist, sometimes simply wrapped in SSL/TLS and run on a different port number, and sometimes a negotiation is made to upgrade the security of a connection made to the original port. If the attacker can simply disrupt access to the secure connection, the application is induced to transmit the credentials over the insecure one. This is the crudest form of downgrade attack.

I also tried accounts for a couple of popular free email providers, Gmail and GMX. Interestingly, this detection process returned instantly even with a bad password and blocked connection. They both supported SSL/TLS unequivocally. Perhaps these providers have registered for special handling in Thunderbird (and in so doing increased the effective security for their users).

Admittedly, this auto-detection scheme probably looked dynamite to the user interface designers at Mozilla wanting to improve the experience. But (bless their hearts) it is quite the security bungle.

Thunderbird - It’s All Yours [mozillamessaging.com]

Easier to Get Started
All you need to provide is your name, email address, and password and Thunderbird will find your email settings and set up your email accounts for you. It’s that easy.

The generous explanation is that security concerns were weighed against usability concerns, and after soul-searching deliberation it was felt that, on balance, this represented a net improvement for their users. (A common mistake in security design is modeling the user as an aggregate statistic.) Some other explanations are that they didn’t think of the security concerns, the concerns didn’t come from influential parts of the organization, or they dismissed them out-of-hand because they just don’t care that much. I have no idea.

Of course there was no way it was going to arrive at reasonable settings for my single-user domain: I tunnel all that stuff over SSH and don’t have the ports listening. But Thunderbird gave me no informed consent before it started poking around for insecure connections to make, and even if it had managed to auto-detect some usable set of connection parameters, I assume it wouldn’t have explained the risks of using them. Given the protocols involved, it must have been willing to leak the credentials in order to determine if the parameters were usable.

It may be that the auto-detection logic doesn’t actually use your password. I didn’t actually set up insecure servers to verify that either way. Regardless, it makes no difference in practice since the password must obviously be transmitted the first time it is used.

I find this somewhat non-intuitive, but really the only secure way to configure these email settings is to have them conveyed from your email admin all the way to your mail client via a trusted channel of communication. The actual admin is able to tell you “this is the name to use for the mail server and be sure to check the box that says ‘require SSL/TLS’”. But no auto-detection scheme can know to check that box.
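
The downgrade described in this post, and the effect of the ‘require SSL/TLS’ setting, as a toy model. This is an added example, not Thunderbird’s code: the preference order, the function names and the two sample networks are assumptions constructed for illustration.

```python
from typing import Callable, NamedTuple, Optional

class Endpoint(NamedTuple):
    host: str
    port: int
    security: str  # "tls" (wrapped), "starttls" (upgrade offered) or "none"

# Incoming-mail ports from the post's list: (port, wrapped in SSL/TLS?)
PORTS = [(993, True), (995, True), (143, False), (110, False)]
PREFIXES = ["imap", "pop", "pop3", "mail", ""]  # hostname guesses from the post

# probe(host, port) returns None if nothing answers, else the capability set the
# server appears to advertise. An on-path attacker controls both outcomes.
Probe = Callable[[str, int], Optional[set]]

def candidates(domain: str, probe: Probe) -> list:
    found = []
    for prefix in PREFIXES:
        host = f"{prefix}.{domain}" if prefix else domain
        for port, wrapped in PORTS:
            caps = probe(host, port)
            if caps is None:
                continue
            if wrapped:
                security = "tls"
            elif caps & {"STARTTLS", "STLS"}:  # IMAP / POP3 upgrade capability
                security = "starttls"
            else:
                security = "none"
            found.append(Endpoint(host, port, security))
    return found

def autodetect(domain: str, probe: Probe) -> Optional[Endpoint]:
    """Opportunistic (assumed behaviour): prefer secure, accept whatever answers."""
    rank = {"tls": 0, "starttls": 1, "none": 2}
    found = sorted(candidates(domain, probe), key=lambda e: rank[e.security])
    return found[0] if found else None

def strict(domain: str, probe: Probe) -> Optional[Endpoint]:
    """'Require SSL/TLS' set out of band: a cleartext-only result is a failure."""
    choice = autodetect(domain, probe)
    return choice if choice and choice.security != "none" else None

def honest(host, port):  # constructed sample: server as its admin deployed it
    return {("imap.example.com", 993): set(),
            ("imap.example.com", 143): {"STARTTLS"}}.get((host, port))

def tampered(host, port):  # constructed sample: 993/995 blocked, STARTTLS stripped
    caps = honest(host, port)
    return None if caps is None or port in (993, 995) else caps - {"STARTTLS", "STLS"}
```
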

Dear Dr. McGinley

Friday, February 19th, 2010

http://www.wired.com/threatlevel/2010/02/school-district-halts-webcam-surveillance/

http://lmsd.org/sections/news/default.php?m=0&t=today&p=lmsd_anno&id=1138

Dear Dr. McGinley,

I am very curious to find the answer to this question: what kind of diseased mind comes up with a scheme involving sending remote-controlled cameras into the homes of schoolchildren?

Is audio transmission or recording (e.g. microphones) part of this system’s capabilities too?

In your letter, you write:

This feature was only used for the narrow purpose of locating a lost, stolen or missing laptop.

What kind of ethical system were you able to construct in which those trivial ends could be used to justify such sinister means?

Did you personally endorse this, or just assent in silence?

Sincerely,

Marsh Ray