Archives for November 2014

One week after “Patch Tuesday” and contrary to standard operating procedures Microsoft has released a Critical security update (MS14-068) to fix a security hole in all supported versions of Windows. MS14-068 addresses a vulnerability in the Kerberos Key Distribution Center (KDC) component, used within a domain environment for authenticating users. The vulnerability allows an unprivileged authenticated user to elevate their privileges to those of a domain administrator. The KDC component is available remotely and the vulnerability can be initiated as long as the miscreant has domain credentials. This has severe consequences for businesses and shows why Microsoft took steps to release an out-of-band patch. The patch was actually rumored to have been included in November’s patch cycle and then pulled last minute.

Additional Information

The vulnerability takes advantage of improper validation of signatures, which can allow certain elements of a service ticket to be forged. An attacker can trick the KDC by sending forged tickets impersonating any user in the domain, resulting in compromise of the domain. The vulnerability was privately reported to Microsoft however, within the Bulletin released, Microsoft stated that they were “aware of limited targeted attacks that attempt to exploit the vulnerability.”

Quick reminder about Kerberos: http://msdn.microsoft.com/en-us/library/bb742516.aspx

When the user first authenticates to the Authentication Service (AS) they are passed through the KDC and provided a TGT (Ticket Granting Ticket). The TGT contains an area called PAC (Privilege Attribute Certificate), which holds the user’s information. When the user wants to access a service they will present their TGT to the KDC, which will validate the PAC information and copy it to the ST (Service Ticket). The ST is then used to gain access to a service. The break down in validation occurs in the way that PAC information is validated. MS14-068 amends the way in which the validation occurs.

Log Analysis

As per the instructions in the following blog post http://blogs.technet.com/b/srd/archive/2014/11/18/additional-information-about-cve-2014-6324.aspx, it is possible to detect attempts to execute this vulnerability. However, it should be noted that log data can be amended and should not be relied on for identification of earlier exploitation.

Patch-Patch-Patch

It is therefore recommended that all Domain Controllers in your environment be updated immediately with all other servers being updated in due course. The priority is Domain Controllers due to their overarching dominion of all other entities within the network.

Now for some scaremongering, the only assurance you can have that you have not been ‘pwned’ is to rebuild your entire domain. This is due to the multiple ways in which it is possible to hide backdoors and amend entities or information stored in an Active Directory Domain.

Unearthing Haemorrhages

To date much effort has been focused on remediating common sources of Heartbleed, without taking into account that the vulnerability affects more than just common ports (such as 443 for HTTPS). Many online testing tools limit the scope of tests for Heartbleed to a subset of ports, thereby providing limited assurance and are focused on externally facing assets. During recent engagements, we are still finding Heartbleed, often on internal management systems where the disclosure of sensitive information could aid a malicious insider. It is also important to understand that the vulnerability may not only lie within an Operating System but also in any application containing and utilising a vulnerable OpenSSL library. Therefore an organisation’s approach to patching must be holistic and take both of these areas into account.

For those requiring defensible assurance, any service implementing SSL on any port should be tested and if required, treated. Additionally, whether vulnerabilities are found or not it may be possible that the Heartbleed bug was already exploited prior to discovery or patching. There are techniques that can be employed to flag telltale larger-than-typical TLS heartbeat responses from a server and additionally, reveal exactly what information was compromised.

However, a single test cannot provide certainty that the vulnerability will not be reintroduced into the system via the installation of an unpatched vulnerable application or embedded system. Therefore, it is vital that your ongoing assurance activity continues to check for issues long after they have left the media spotlight.

If you would like support in completing any assurance activity then please get in touch using:
contact-us@7elements.co.uk.

Background

The security bug, CVE-2014-0160, known as Heartbleed was disclosed in April 2014. Heartbleed directly affects the Transport Layer Security (TLS) cryptographic protocol that uses affected OpenSSL cryptography libraries (versions 1.0.1 to 1.0.1f). The aim of TLS is to provide communications security and privacy over the Internet. Applications that utilise this protocol range from Virtual Private Networks to email and web services.

Heartbleed exploits vulnerable OpenSSL libraries to compromise secret keys used to encrypt traffic, allowing access to transmitted data including usernames and passwords.

Additional Remediation

Research from the University of Maryland has identified that while many system administrators quickly applied patches to correct the Heartbleed vulnerability, many failed to properly implement revocation of current certificates and ensure the re-issuing of new new certificates. The final step of revocation and re-issue is vital,  as the Heartbleed vulnerability could have been used to gain access to the private keys of a server.

Links

http://heartbleed.com/

http://www.umiacs.umd.edu/~tdumitra/papers/IMC-2014.pdf

How to Detect a Prior Heartbleed Exploit

http://www.riverbed.com/blogs/Retroactively-detecting-a-prior-Heartbleed-exploitation-from-stored-packets-using-a-BPF-expression.html

On October 15^th 2014, the security team at Drupal announced that all Drupal 7 web sites were vulnerable to SQL Injection attacks.

A German security firm, SektionEins, discovered the flaw, advising:

“A malicious user can inject arbitrary SQL queries. And thereby control the complete Drupal site. This leads to code execution as well… can be exploited by remote attackers without any kind of authentication…”

Drupal 7 and all following releases can be easily compromised (with the exception of the newly released 7.32 or 8 beta2). Drupal 6 is also vulnerable if it utilises the DBTNG module used for Drupal 7 PDO database compatibility. This highly critical vulnerability, CVE-2014-3704, allows anyone to execute PHP code on a vulnerable server. Remote attackers are able to delete everything, install backdoors into the website, change any data in the database including passwords and modify any data hosted on the server. The vulnerability hands over complete control of website content, and low skilled attackers are able to exploit this by deploying easily found attack scripts.

First Steps:

The first step is to check your version of Drupal, immediately. If you have 7.32 or 8 beta2 then you do not need to do anymore. If you do not have 7.32 or 8 beta2 then you should upgrade without delay.

Drupal upgraded, now what?

We will outline the bad news and then discuss some restorative and assuring good news.

The Bad News

When the security team at Drupal warned the world on Wednesday 15th October 2014 of the SQL injection vulnerability users were warned to assume their websites were compromised if not updated by October 15, 11pm UTC.

The reason for Drupal’s caution is that a late patch will potentially not affect vulnerabilities, such as backdoors, already introduced into the system. It is also possible that an attacker, once gaining control of the site in question, will have patched it themselves to retain control and stop other hackers gaining from the potential spoils of the vulnerability.

Drupal have advised, that sites not updated within the six hour timeframe, should be taken offline. All files and databases then have to be deleted and then the site must be restored from backups made before October 15th 2014. Finally, the website must be updated before bringing it back online as the backup will be vulnerable.

The Vulnerability

The bug was introduced in early 2011, allowing the execution of arbitrary code remotely with only one HTTP request and no knowledge of the site is required to conduct the attack.

Drupal handles all database queries by using prepared statements with placeholders conveniently indicating where in the SQL query the input from the user should be included.

SELECT * FROM {users} WHERE name IN (:name_0, :name_1)

Above, variables are bound to :name_0 and :name_1. As this is a prepared statement the attacker cannot inject values into it thereby controlling the SQL query. The placeholder number must be correct so Drupal expands :name to :name_0, :name_1 using a function, this function however is flawed. The flaw is that it incorrectly expands the array to :name_$key0, :name_$key1. SQL queries can now be manipulated as an attacker has control over $key0 and $key1 as seen below.

SELECT * FROM {users} WHERE name IN (:name_test) OR name = ‘Admin’ --, :name_test)

The above query results in an SQL injection giving full control of the database to the attacker. SektionEins have also published a blog demonstrating a proof of concept for an attack that takes one GET request with a cookie that will not be shown in any log.

Password Change Attack

We recreated a password attack in our lab and discovered that the only indication of the standard attack was the log below:

127.0.0.1 - - [03/Nov/2014:08:49:51 -0500] "POST /?q=node&destination=node HTTP/1.0" 200 8889 "-" "-"

This log was linked to changing the username and password of the administrator using the following script.

The Good News

The advice given by Drupal to restore the website back to backups made before October 15th 2014 is what could be considered wiping the slate clean instead of trying to identify if the slate is dirty first. Drupal’s advice may also not guarantee the site was not already compromised, due to the vulnerability existing since early 2011. A proportional response should be the first step to take. We will outline steps that can be taken that will help identify the potential impact of this vulnerability on a given site. As the attacks are so simple it is likely many are being perpetrated by ‘script kiddies’. Assuming this makes it unlikely that enough foresight or effort was dedicated to removing attack trails such as footprints in logs.

Steps to take
1. A forensic investigation of the logs can reveal suspicious activity and its timing.
2. The database can be investigated for users added and modified.
3. Files can be compared to files in backup to identify changes to existing files and discover any new files created.
4. Traffic leaving the network can be analysed to uncover potential attacker connections.

Ultimately, a risk based decision needs to be made between the likelihood of a successful attack having been perpetrated against your website and the impact and complexity of restoring the site to its state prior to October 15^th 2014. It may be pertinent to seek assurance before deciding to commit to a full rebuild of your website as it may not have been breached. This will offset the chance of the loss of incremental changes that were committed to the site after the October 15 backup cutoff date and the time the site will need to be offline and inaccessible.

If you would like support in completing an investigation please get in touch using:
contact-us@7elements.co.uk.

Links

Drupal “Public Service Announcement”
https://www.drupal.org/PSA-2014-003

Drupal FAQ
https://www.drupal.org/node/2357241

Drupal flowchart of treatment steps and options
http://drupal.geek.nz/blog/your-drupal-website-has-backdoor

SektionEins Blogpost
https://www.sektioneins.de/en/blog/14-10-15-drupal-sql-injection-vulnerability.html