Search This Blog

Loading...

Sunday, April 13, 2014

Description and demonstration of the Heartbleed bug in OpenSSL

There is a ton of posts on the Internet about the new bug in OpenSSL. I'm not going to repeat what others wrote  but rather give us a small demonstration.

Heartbeat packet description in SSL protocol suite

This is excellent blog posts we can take a look at the openssl code analysis and see where exactly the bug was hidden: Diagnosis of the OpenSSL Heartbleed Bug.

If you want to learn more how to build an potential exploid you can read and watch this: http://security.stackexchange.com/questions/55116/how-exactly-does-the-openssl-tls-heartbeat-heartbleed-exploit-work

A working code for a prof of concept can be found here:
http://www.garage4hackers.com/entry.php?b=2551
http://nakedsecurity.sophos.com/2014/04/08/anatomy-of-a-data-leak-bug-openssl-heartbleed/

Demonstration

How do I know if my site is vulnerable?

There are potentially many different ways how you can test if a site is vulnerable. As two extreme examples (a) we could write a simple SSL client and try to sent an hearbeat packet (not so trivial and requires some knowledge about the ssl protocol itself) or (b) search for a site on Internet that do the testing for us. I would definitively avoid (b). These sites can store the URL you provided and try to exploit you later.

A more simple and elegant solution can be built using openssl cli client tool instead. By running as single line script you can test if a server supports heartbeat or not. Next you have to find if the version of the OpenSSL you use is vulnerable.
 
$ openssl s_client -connect www.cloudflarechallenge.com:443 -tlsextdebug
CONNECTED(00000003)
TLS server extension "renegotiation info" (id=65281), len=1
0001 - <SPACES/NULS>
TLS server extension "EC point formats" (id=11), len=4
0000 - 03 00 01 02                                       ....
TLS server extension "session ticket" (id=35), len=0
TLS server extension "heartbeat" (id=15), len=1
0000 - 01                                                .
depth=4 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=Free SSL/CN=cloudflarechallenge.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=EssentialSSL CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=EssentialSSL CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Certification Authority
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Certification Authority
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC
 3 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 4 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFLTCCBBWgAwIBAgIQSkGkHc+NJGGLqUs9YZlcxDANBgkqhkiG9w0BAQUFADBy
MQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYD
VQQHEwdTYWxmb3JkMRowGAYDVQQKExFDT01PRE8gQ0EgTGltaXRlZDEYMBYGA1UE
AxMPRXNzZW50aWFsU1NMIENBMB4XDTE0MDQxMDAwMDAwMFoXDTE0MDcwOTIzNTk1
OVowWDEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRhdGVkMREwDwYDVQQL
EwhGcmVlIFNTTDEgMB4GA1UEAxMXY2xvdWRmbGFyZWNoYWxsZW5nZS5jb20wggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCbQBaRWcPHl945y10L3tm2C+13
bm4oqaGMIekvJyYTF7VGJFKX+EYgvt/wWD+qJTO1Wbm5dknVQbt3PP7061M2H6/b
sG3M+xTfKK8d6/AAHWZMy0/ps+5cGPOzFFwL3JVwEFakoExGc3jT6S9RlhU5q4I+
q8Qd+jpHL7uKeklipCb8VIznRmtGKYI7H01kjyW8gwXYOrWKlKCHOIcR32LIxHfd
fv72QjT2kGupne3TmXAY+6cEL12ZqS2HCYpGBa8QQaZ7/dggc1X5OJL1yrQP8Le9
/faCOBHn0A4yzNp873BVMQ+7T+7k2PCSs7qAfB0TdvdfQFiPPFaTODDtPWClAgMB
AAGjggHXMIIB0zAfBgNVHSMEGDAWgBTay+qtWwhdzP/8JlTOSeVVxjj0+DAdBgNV
HQ4EFgQUbqyvF2sHtsjg5i82wBON35elvNQwDgYDVR0PAQH/BAQDAgWgMAwGA1Ud
EwEB/wQCMAAwNAYDVR0lBC0wKwYIKwYBBQUHAwEGCCsGAQUFBwMCBgorBgEEAYI3
CgMDBglghkgBhvhCBAEwTwYDVR0gBEgwRjA6BgsrBgEEAbIxAQICBzArMCkGCCsG
AQUFBwIBFh1odHRwczovL3NlY3VyZS5jb21vZG8uY29tL0NQUzAIBgZngQwBAgEw
OwYDVR0fBDQwMjAwoC6gLIYqaHR0cDovL2NybC5jb21vZG9jYS5jb20vRXNzZW50
aWFsU1NMQ0EuY3JsMG4GCCsGAQUFBwEBBGIwYDA4BggrBgEFBQcwAoYsaHR0cDov
L2NydC5jb21vZG9jYS5jb20vRXNzZW50aWFsU1NMQ0FfMi5jcnQwJAYIKwYBBQUH
MAGGGGh0dHA6Ly9vY3NwLmNvbW9kb2NhLmNvbTA/BgNVHREEODA2ghdjbG91ZGZs
YXJlY2hhbGxlbmdlLmNvbYIbd3d3LmNsb3VkZmxhcmVjaGFsbGVuZ2UuY29tMA0G
CSqGSIb3DQEBBQUAA4IBAQBlN1564xpz0f0EnCh5dKOjo6uk+kbLzEhkfaGd5Ydi
4diFQ9VYx3+Le1JCB/bDHMVUfwlqTpV0Eq8DZIWTO5wnP9BlRDiljVe7+y/jkQ/b
/B88kmBr2jjR9Aet1l8hOrqJycw6Ack6F+5hd/lYIvZ/0YH+h/qu9/Z6ii6rcUCd
UWERSKiTFsbM8PRmG/Cwb4Jm52N8ev6mcVYmxeBYIPmf51HBHEakN13oQcubCAjd
V9/8CugEMrl56lUpt7BYZMET2h4NyCDrfTlbFcDqQC+YBr5dLDOvLpe7T7Dv+r1P
wYJ+R0A4JC0F2RdUeIBWC5CycJcTx4h7ZSlNeWtFrZgJ
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=Free SSL/CN=cloudflarechallenge.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=EssentialSSL CA
---
No client certificate CA names sent
---
SSL handshake has read 6784 bytes and written 376 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: EF16DB45C3D67F69A480645C5267C4FDC44F41FD4CF4911194E986FC21E72F62
    Session-ID-ctx:
    Master-Key: 9DF3223AAF1520D6437E643E83E4AD5B1A590776F375B7ED082E024F3EC9EB43617A0D1F7715DF299EA483F905095465
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 600 (seconds)
    TLS session ticket:
    0000 - c5 00 41 79 f6 38 12 30-bf 5f 85 54 f7 93 09 1c   ..Ay.8.0._.T....
    0010 - c1 60 e2 23 ca 90 8f 17-0c 4a 9f db cc 40 0e ea   .`.#.....J...@..
    0020 - 55 b0 f8 49 f1 7e b0 4e-78 0f 36 4a 58 3a 60 e2   U..I.~.Nx.6JX:`.
    0030 - b4 2b 22 a2 49 e8 c5 42-d0 00 ad a6 ec 49 b3 4d   .+".I..B.....I.M
    0040 - 28 b1 c3 ad 03 c6 53 de-a3 e7 ec c8 aa ed 5e 97   (.....S.......^.
    0050 - 75 12 5e 9f 5f eb cf a9-4a ab b7 85 bf cd e0 12   u.^._...J.......
    0060 - 2c ec 0b 05 4f cf ac 16-e9 65 40 1b a8 60 dc 3a   ,...O....e@..`.:
    0070 - 99 a0 cf 7a 65 0b 4c 74-a5 fc a5 16 11 48 e2 94   ...ze.Lt.....H..
    0080 - 19 0e 17 a8 03 d0 d0 4b-a4 14 7e 49 05 75 36 65   .......K..~I.u6e
    0090 - d4 70 63 fa a7 92 5a 14-63 97 00 cf 6b 5b 45 36   .pc...Z.c...k[E6

    Start Time: 1397426832
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
GET /heartbleed HTTP/1.1
Host: www.cloudflarechallenge.com

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 13 Apr 2014 22:02:32 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Strict-Transport-Security: max-age=86400

f61
<!doctype html>
<html>
<head>
  <title>Heartbleed Challenge</title>

From the output we can see that:
  • We connect to the server
  • There are many packages exchange between the client (our openssl cli tool) and the web server; the packets types and formats are defined in the relevant RFC documents for SSL/TLS
  • Option tlsextdebug instructs openssl to print out TLS extensions the server supports
  • We can immediately see if the option is supported by our www server; what we have o do next is to check if the version of OpenSSL that we run is vulnerable or not 
  • It is important to note that regardless if the www server supports the heartbeat extension or not you as a client can sent any legitimate HTTP requests; the whole problem is that if your client sent an heartbeat packet that was on purpose malicious the server in its response can reveal a lot more data that it should.
References

http://www.openssl.org/docs/apps/s_client.html
http://www.theregister.co.uk/2014/04/09/heartbleed_explained/
https://www.cloudflarechallenge.com/heartbleed


Tuesday, April 8, 2014

Can I use Shortest Path Bridging hardware to build my SDN network

Recently I've come across a document that compares a number of existing network overlays in SDN architecture: The 2013 Guide to Network Visualization and SDN.

What is new and interesting is the solution from Avaya. Instead of using VXLAN, STT and GRE like all other vendors they use SPB (we wrote about this here How does switch fabric network work) to build the SDN solution.

How does switch fabric network work

A network engineer can list a number of issues you can potentially run when using STP protocol  in your switch network. Over the years the network industry has created successor protocols like RSTP or MSTP. Both are improvements and offer much better convergence time and respond much quicker to switch topology changes. One of the major disadvantages for networks that relay on STP is the fact that they don't support multipathing. It means once network topology converges there will be blocked path between switches that are elected and managed by STP. This often redundant links can't be used because of a loop risk.

But there are better solutions today on the market to design better layer 2 Ethernet networks (more scalable, with higher throughput and with active link redundancy as an example). The 2 most popular are based on SPB and TRILL protocols. Both of them are used as a foundation in switch fabrics products. To better understand both of them the pictures below provide a side by side comparison. This was taken from Avaya document: Compare and Contrast SPB and TRILL.

Avaya is a SPB promoted so the comparison is a bit waited towards SPB but nevertheless it gives some inside view into both protocols.



References

http://cciethebeginning.wordpress.com/2008/11/20/differences-between-stp-and-rstp/
http://etherealmind.com/spb-attention/
http://en.wikipedia.org/wiki/IEEE_802.1aq
http://en.wikipedia.org/wiki/TRILL_(computing)
http://www.avaya.com/uk/resource/assets/whitepapers/SPB-TRILL_Compare_Contrast-DN4634.pdf
http://nanog.org/meetings/nanog50/presentations/Monday/NANOG50.Talk63.NANOG50_TRILL-SPB-Debate-Roisman.pdf
http://www.ebrahma.com/2012/06/trill-vs-spb-similarities-differences/
http://wikibon.org/wiki/v/Network_Fabrics,_L2_Multipath_and_L3

Monday, March 31, 2014

How to list numbers next to ACL rules on Cisco

How to list numbers next to the ACL rules on Cisco

sh  access-list outside-acl | e \ \
access-list 101; 86 elements; name hash: 0xe7d586b5
access-list 101 line 1 extended permit ip object-group WHITELIST-IPS any 0xc4d2a54e
access-list 101 line 2 extended permit icmp any any object-group ICMP-ALLOWED (hitcnt=576916) 0x994c9516
access-list 101 line 3 extended deny ip any host 192.168.199.254 (hitcnt=31708) 0x8e8cc2a6
access-list 101 line 5 remark !*!*!*!*!*!*!*!*!*!
access-list 101 line 6 remark RULES CONTROLLED BY AUTOMATION
access-list 101 line 7 remark !*!*!*!*!*!*!*!*!*!
access-list 101 line 8 extended permit ip host 1.1.1.1 host 10.179.72.125 (hitcnt=0) 0xa9809ff7
access-list 101 line 9 extended permit ip any host 10.179.72.125 (hitcnt=0) 0xa9809ff7

Sunday, March 30, 2014

How to automatically prefill command on the Linux bash

Linux Bash is one of the most famous Linux shells. It offers a great number of features like for example spawning and controlling process, redirecting streams, supporting scripts and a flexible way to control you editing line.

Problem

How to automatically pre-populate a command on the shell after prompt.

Solution description

The shell has tree default streams: stdout, stdin and stderr. By manipulating the stdin of the process we can simulate typing a command.

Reference implementation

The original script can be found here: https://github.com/rtomaszewski/experiments/blob/master/type-command.c

Demonstration
  • Compile first the program
gcc -o type-command type-command.c
  • Run for the firs time
# ./type-command
type-command: the variable TYPE_CMD_ENABLED is not set, set it to 'no' to surpress this message; set the TYPE_CMD_TYPE for the command to type

Example: export TYPE_CMD_ENABLED=yes; export TYPE_CMD_TYPE=date
  • Export the variable to controls if the program should try to type a command or not
# export TYPE_CMD_ENABLED=yes
# ./type-command
#
  • Specify the command that you wish to be typed
# export TYPE_CMD_ENABLED=yes; export TYPE_CMD_TYPE=date
# ./type-command
# date
Sun Mar 30 19:27:55 UTC 2014>

References

http://stackoverflow.com/questions/10866005/bash-how-to-prefill-command-line-input
http://stackoverflow.com/questions/11198603/inject-keystroke-to-different-process-using-bash
http://unix.stackexchange.com/questions/48103/construct-a-command-by-putting-a-string-into-a-tty

http://fossies.org/linux/misc/old/console-tools-0.3.3.tar.gz%3at/console-tools-0.3.3/vttools/writevt.c

http://man7.org/linux/man-pages/man4/tty_ioctl.4.html
http://man7.org/linux/man-pages/man3/tcflush.3.html
http://www.tldp.org/LDP/lpg/node143.html

Saturday, March 29, 2014

How to create a sequence of replace commands to change your file

Use existing plugin: RegReplace

We could write a custom plugin using the Sublime API or try to use a plugin that promises to offer this functionality already: https://github.com/facelessuser/RegReplace

Demonstration

We have a following structured but not consistently formatted data that we would like to adjust so it is easier toread and work with.



To reformat the text we can use the above plugin and define a series of regex that match and modify text.
  • Installed RegReplace plugin.
  • Create a reg_replace.sublime-settings in your Sublime2\Data\Packages\User\ directory and define the regex commands we want to use.
{
    "replacements": {
        // add teh .<digit> when is missing
        "ig_order_add_dot_digit": {
            "find": "([0-9][0-9]) at",
            "replace": "\\1.0 at"
//            "greedy": true,
//            "case": false
        },
        "ig_order_add_dot_digit2": {
            "find": "([0-9][0-9]) *- ",
            "replace": "\\1.0 - ",
            "greedy": true
        },
        "ig_order_fix_spaces": {
            "find": "/(201[0-9]) *",
            "replace": "/\\1 "
        },
        "ig_order_fix_spaces2": {
            "find": "-   -    -  ",
            "replace": "-    -    -     "
        },
        "ig_order_change_android_str": {
            "find": "AndroidApp",
            "replace": "AndrAp"
        },
        "ig_order_remove_str": {
            "find": "/s ",
            "replace": " ",
            "greedy": true
        },
        "ig_order_fix_header": {
            "find": "(Date) *(Time) *(Activity) *(Market) *(Period) *(Channel) *(Currency) *(Size) *(Level) *(Stop) *(Type) *(Limit) *(Result)",
            "replace": "Date        Time    Activity Market                                               Period              Channel Cur Size Level  Stop Type Limit Result",
            "greedy": true
        },



        "ig_transactions_fix_header": {
            "find": "(Type) *(Date) *(Ref) *(Market) *(Period) *(Opening) *(Ccy) *(Size) *(Closing) *(P/L)",
            "replace": "Type    Date        Ref         Market                                                  Period            Opening Ccy Size    Closing P/L",
            "greedy": true
        },
       "ig_transactions_add_dot_digit": {
            "find": "([0-9][0-9]) +£",
            "replace": "\\1.0 £"
        },
        "ig_transactions_add_dot_digit2": {
            "find": "(£ +.*\\..* +)([0-9]+) +",
            "replace": "\\1\\2.0 "
        },
        "ig_transactions_fix_plus_minus_sign": {
            "find": "([0-9]+\\.[0-9]+ +[0-9]+\\.[0-9]+ +)([0-9]+\\.[0-9]+)",
            "replace": "\\1 \\2"
        }

    }
}
  • Define the final  regex command to run and associate a a keyboard short in Default (Windows).sublime-keymap file
[
{ 
    {
        "keys": ["alt+ctrl+t"],
        "command": "reg_replace",
        "args": {"replacements": [
                                    // orders
                                    "ig_order_add_dot_digit",
                                    "ig_order_add_dot_digit2",
                                    "ig_order_fix_spaces",
                                    "ig_order_fix_spaces2",
                                    "ig_order_change_android_str",
                                    "ig_order_remove_str",
                                    "ig_order_fix_header",

                                    // transactions
                                    "ig_transactions_fix_header",
                                    "ig_transactions_add_dot_digit",
                                    "ig_transactions_add_dot_digit2",
                                    "ig_transactions_fix_plus_minus_sign"


                                ],  "find_only": true}
    }
]
  • When you activate the regex chain command it will first show what part of the file are going to be changed
  • Accept the "yes" option at the bottom and reformat the file

How to write a plugin for Sublime editor

Below is a list of links for Sublime API and Sublime commands if you want to write a custom plugins.

Sublime API

https://www.sublimetext.com/docs/api-reference
https://www.sublimetext.com/docs/2/api_reference.html

Commands

http://sublimetext.info/docs/en/core/commands.html
http://www.sublimetext.com/docs/commands

Debug best practices

Once you follow the steps below everything you do in the editor will be logged on the console.
  • Open Sublime console: Ctrl+~
  • Enable verbose and debug within the editor
sublime.log_commands(True)
sublime.log_input(True)
  • Example commands to try on the console 
view.run_command("goto_line", {"line": 7})
view.window().run_command("show_minimap", {"key": True})