Security Now 266
Topic: The OAuth protocol examined
Recorded: September 15, 2010
Published: September 15, 2010
Security Now 266: Inside OAuth
News and Errata
12:37 - 15:21
- Microsoft's 2nd Tuesday of the Month Update:
- 9 Bulletins, 4 are rated critical and 5 are important
- Vulnerability in Print Spooler Service Could Allow Remote Code Execution: a specially crafted print request sent to a shared printer over file and print sharing can take over the machine remotely.
- Vulnerability in MPEG-4 Codec Could Allow Remote Code Execution: opening a specially crafted media file, or receiving specially crafted streaming content from a web site or any application that delivers web content, can execute arbitrary code on the machine.
- Vulnerability in Unicode Scripts Processor Could Allow Remote Code Execution: viewing a specially crafted document or web page containing embedded OpenType fonts can execute arbitrary code on the user's system.
- Vulnerability in Microsoft Outlook Could Allow Remote Code Execution: opening a specially crafted e-mail message in Microsoft Outlook, when it is connected to an Exchange server in Online Mode, can execute arbitrary code on the user's system.
- Vulnerabilities in Microsoft Internet Information Services (IIS) Could Allow Remote Code Execution
- Vulnerability in Remote Procedure Call Could Allow Remote Code Execution
- Vulnerability in WordPad Text Converters Could Allow Remote Code Execution
- Vulnerability in Local Security Authority Subsystem Service Could Allow Elevation of Privilege
- Vulnerability in Windows Client/Server Runtime Subsystem Could Allow Elevation of Privilege
15:22 - 24:44
- Adobe has 2 new 0-Day Vulnerability Problems:
- Adobe Reader & Acrobat:
- "SING 'uniqueName' Buffer Overflow Vulnerability"
- Boundary error within the "CoolType.dll" code library when processing the "uniqueName" entry of SING tables in embedded fonts. Can be exploited to cause a stack-based buffer overflow, and it is being exploited in the wild.
- Confirmed vulnerable: v8.2.4 and v9.3.4 and earlier
- Adobe will accelerate its scheduled October 12th release to the week of October 4th.
- Until then, Microsoft's "EMET" (Enhanced Mitigation Experience Toolkit, v2.0) can be used as a mitigation.
- The in-the-wild exploit against Adobe Reader uses ROP (Return Oriented Programming) to bypass DEP (Data Execution Prevention): the ROP gadgets come from a Reader DLL that was not compiled with ASLR support (icucnv36.dll), so the exploit can rely on fixed addresses.
- EMET's "mandatory ASLR" forces randomization onto such non-ASLR-aware DLLs, so the hard-coded gadget addresses no longer line up and the exploit fails.
- EMET protections are opt-in per executable. To enable them for Adobe Reader, install EMET and run the following command line as an Administrator (repeat with Acrobat's executable if Acrobat is installed):
- C:\Program Files (x86)\EMET>emet_conf.exe --add "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"
- There is a new Firefox add-on called "gPDF"; it opens PDFs in the Google Docs viewer instead of the local Reader plugin.
24:45 - 29:30
- Adobe Flash Player (the same bug also affects the Flash component in Reader & Acrobat):
- Critical vulnerability in Flash Player 10.1.82.76 and earlier for Windows, Mac, Linux and Solaris, and in Flash Player 10.1.92.10 for Android.
- Also affected: Reader v9.3.4 and earlier for Windows, Mac and Unix, and Acrobat v9.3.4 and earlier for Windows & Mac.
- Flash Player to be fixed during the week of September 27th.
29:31 - 31:13
- Firefox is now at v3.6.9 after a HUGE round of vulnerability fixes:
- 14 CVEs (Common Vulnerabilities and Exposures identifiers) and Mozilla security bulletins
31:14 - 31:34
- Google Chrome has been updated to v6.0.472.53
- multiple remote code execution vulnerabilities fixed.
31:35 - 32:07
- Apple's iOS 4 has been updated
- 24 problems fixed, mostly residing in WebKit
32:08 - 34:26
- The IE 9 Beta came out today
- It's meant to be faster and more standards compliant
34:27 - 42:23
- The bad guys are further ahead of us than we knew:
- The "Stuxnet" worm is leveraging at least three other previously unknown security holes in Windows, including one of the vulnerabilities that Microsoft just patched yesterday (the print spooler bulletin above).
- The "Stuxnet" worm was the one using the shortcut .LNK exploit.
- Then the guys at Kaspersky Labs recently discovered that Stuxnet could also spread through a previously unknown Windows print sharing vulnerability.
- And Microsoft has confirmed that Stuxnet also targets two other previously unknown privilege escalation vulnerabilities.
- Stuxnet is also smarter than previously understood:
- It can leverage an old 2008 vulnerability (the MS08-067 Server service flaw), but using that one would set off alarms on patched, monitored corporate networks.
- So it senses its environment and only uses the old 2008 exploit if it determines that it's on a "SCADA Control System" network.
- Siemens has been quoted by IDG News as saying that Stuxnet had successfully infected SCADA (Supervisory Control And Data Acquisition) systems in at least 14 operational plants located in the U.K., North America and Korea, with the largest number of infections, by far, in Iran.
- Joe Weiss, managing partner at Applied Control Systems in Cupertino, said that, troubling as Stuxnet is for Windows, the real target appears to be the SCADA control systems that are interfaced to Windows. Windows is just the way in.
- Symantec reported:
- Stuxnet has the ability to take advantage of the programming software to also upload its own code to the PLC in an industrial control system that is typically monitored by SCADA systems.
- In addition, Stuxnet then hides these code blocks, so when a programmer using an infected machine tries to view all of the code blocks on a PLC, they will not see the code injected by Stuxnet.
- Thus, Stuxnet isn’t just a rootkit that hides itself on Windows, but is the first publicly known rootkit that is able to hide injected code located on a PLC.
- Joe Weiss of Cupertino's Applied Control Systems added:
- “The mechanism [the Stuxnet worm] used to install the Siemens payload came at the very end, which means this isn’t a Siemens problem and that they could have substituted [General Electric], Rockwell or any other PLCs as the target system.
- At least one aspect of what Stuxnet does is take control of the process and to be able to do…whatever the author or programmer wants it to do.
- That may be opening or closing a plant valve, turning a pump on or off, or speeding up a motor or slowing one down.
- This has potentially devastating consequences, and there needs to be a lot more attention focused on it.”
42:24 - 46:34
- Steve likes a Firefox add-on called "Better Privacy"
- It deals with LSOs (Local Shared Objects, a.k.a. Flash cookies or "super cookies", which the browser's own cookie controls don't touch) by detecting and deleting them
46:35 - 47:45 Jeff Crews (La Grande, Oregon)
SpinRite fixed a broken hard drive
OAuth: "Secure delegated access to protected resources."
47:46 - 01:25:16
- Users need a means to allow applications to act on their behalf
- In the past you would have given the third-party service your password
- This is a problem because you cannot revoke the access you have given the application without changing your password, and the application holds full-account credentials when it only needs a slice of them
- Also, if you authenticate to a service with a one-time password, you can't hand it on to a third-party application at all
- In 2006 a group of people tried to figure out how to solve this problem
- From a user's perspective OAuth works like this:
- You're at a site that wants access to some of your resources held elsewhere on the net
- You get sent over to the site you want to grant permission at
- You agree to give permission for the third party to act on your behalf and are returned to the original site you were on
- Some definitions:
- Client - web site wanting access to a user's protected resources (E.g. Bit.ly)
- Server - web site containing the user's protected resources (E.g. Twitter)
- User - owner of the protected resources at the server site. (E.g You)
- What happens behind the scenes (this is the OAuth 1.0a flow, the one in use in 2010 and later written down as RFC 5849):
- The server makes it known that it supports OAuth
- It publishes to developers its endpoint URLs, the URLs where its OAuth API is accessible: one for temporary credentials (the "request token"), one where the user authorizes access, and one for token credentials (the "access token")
- The client must have registered itself with the server beforehand by asking the server for client credentials
- The server supplies the client with a way to identify itself (the client identifier, a.k.a. consumer key) and a shared secret (the consumer secret); the client uses the secret as a signing key on every request it sends, which is how it proves it is who it says it is
- When a user wants to give the client access, the client first talks to the server directly, behind the scenes: it sends a signed request carrying its client identifier, a timestamp, a nonce and the callback URL the user should be returned to, and the server answers with temporary credentials (a request token and a matching token secret)
- The client then redirects the user to the server's authorization URL with that request token in the query string
- The server receives this and asks the user to confirm that they want to give the client permission
- The server bounces the user back to the client's callback URL carrying the same request token plus a short verification code
- The client now holds the temporary request token, its secret, and the verification code
- The client sends these back to the server in another signed request and asks for permanent token credentials to access the resources (the access token and its secret)
- The client stores the token credentials alongside the user's account and, from then on, signs every request for that user's resources with both its own secret and the token secret; the user can revoke that token at the server at any time without changing their password
- Caveat: the original OAuth 1.0 put the callback URL in the redirect rather than in the first server-to-server step, and had no verification code; that allowed a session-fixation attack in which an attacker started the dance, got a victim to authorize the attacker's request token, and then completed the exchange himself. The 1.0a revision in 2009 fixed it by moving the callback and adding the verifier, so the client can check that the token coming back is the one it asked for.
- Ryan Paul's problems (reported at Ars Technica):
- Applications that are installed on a user's computer or phone cannot keep secrets, because they can be fully examined by whoever has the device
- Ryan Paul examined a Twitter application (Twitter's official application for Android) installed on his phone that was using OAuth
- He was able to find the consumer key and consumer secret for the application
- This means that a bad guy can create a client of his own using Twitter's consumer key and secret, and Twitter will not be able to differentiate between the bad guy's application and its own; the signing step proves possession of the secret, not that the code running is the official app
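The behind-the-scenes dance described above, and Ryan Paul's point that an extracted consumer secret lets an impostor sign exactly like the official client, as an added worked example. This is not code from the episode, from Twitter or from any OAuth library: the Server class, the endpoint URLs, the client id "official-app" and its secret are all constructed for illustration. Only the signing rules (percent-encoding, signature base string, HMAC-SHA1 key) follow RFC 5849 section 3, and the flow follows the 1.0a shape with the callback in the first step and a verifier on the way back.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import parse_qsl, quote, urlencode

# Everything here is constructed for this example: the Server class, the endpoint
# URLs, the client id and the secret are not Twitter's or bit.ly's.  Only the
# signing rules (pct, base string, HMAC-SHA1 key) follow RFC 5849 section 3.

def pct(s):
    return quote(s, safe="")   # RFC 5849 s3.6: encode all but unreserved chars, "/" included

def signature_base_string(method, url, params):
    # s3.4.1: METHOD & pct(url) & pct(sorted "k=v" pairs joined by "&"), signature excluded
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    return "&".join([method.upper(), pct(url), pct("&".join(f"{k}={v}" for k, v in pairs))])

def hmac_sha1(method, url, params, client_secret, token_secret=""):
    # s3.4.2: key = pct(client secret) & pct(token secret); the token secret is empty
    # while the client is only asking for temporary credentials
    key = f"{pct(client_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def sign(method, url, params, client_secret, token_secret=""):
    # client side: add the protocol parameters, then attach the signature
    p = dict(params, oauth_signature_method="HMAC-SHA1", oauth_version="1.0",
             oauth_timestamp=str(int(time.time())), oauth_nonce=secrets.token_hex(8))
    p["oauth_signature"] = hmac_sha1(method, url, p, client_secret, token_secret)
    return p

class Server:                     # the site holding the user's resources (Twitter's role)
    INITIATE = "https://server.example/oauth/request_token"
    TOKEN = "https://server.example/oauth/access_token"
    API = "https://server.example/api/me"

    def __init__(self, clients):
        self.clients = clients                # client id -> secret, issued out of band
        self.temp, self.tokens, self.seen = {}, {}, set()

    def _verify(self, method, url, p, token_secret=""):
        nonce = (p["oauth_consumer_key"], p["oauth_timestamp"], p["oauth_nonce"])
        if nonce in self.seen:                # s3.3: a signed request is single-use
            raise PermissionError("replayed nonce")
        expected = hmac_sha1(method, url, p, self.clients[p["oauth_consumer_key"]], token_secret)
        if not hmac.compare_digest(p.get("oauth_signature", ""), expected):
            raise PermissionError("bad signature")
        self.seen.add(nonce)

    def temporary_credentials(self, p):       # s2.1: signed with the client secret only
        self._verify("POST", self.INITIATE, p)
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.temp[tok] = {"secret": sec, "callback": p["oauth_callback"], "client": p["oauth_consumer_key"]}
        return {"oauth_token": tok, "oauth_token_secret": sec, "oauth_callback_confirmed": "true"}

    def authorize(self, tok, user):           # s2.2: the user clicks "Allow" on the server's page
        t = self.temp[tok]
        t["user"], t["verifier"] = user, secrets.token_hex(6)
        return t["callback"] + "?" + urlencode({"oauth_token": tok, "oauth_verifier": t["verifier"]})

    def token_credentials(self, p):           # s2.3: temporary token + verifier -> access token
        t = self.temp[p["oauth_token"]]
        self._verify("POST", self.TOKEN, p, t["secret"])
        if "user" not in t or not hmac.compare_digest(p.get("oauth_verifier", ""), t["verifier"]):
            raise PermissionError("temporary token was never authorized by a user")
        del self.temp[p["oauth_token"]]       # temporary credentials are single-use
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.tokens[tok] = {"secret": sec, "client": t["client"], "user": t["user"]}
        return {"oauth_token": tok, "oauth_token_secret": sec}

    def protected_resource(self, p):          # s3: every resource request is signed too
        tok = self.tokens[p["oauth_token"]]
        self._verify("GET", self.API, p, tok["secret"])
        return {"user": tok["user"], "via_client": tok["client"]}

def three_legged_flow(server, client_id, client_secret, user):
    """Client side (bit.ly's role): returns token credentials for `user`."""
    # 1. temporary credentials; since 1.0a the callback travels here, not in the redirect
    temp = server.temporary_credentials(sign("POST", server.INITIATE, {"oauth_consumer_key": client_id,
        "oauth_callback": "https://client.example/oauth/return"}, client_secret))
    # 2. the user is sent to the server and bounced back with the same token plus a verifier
    back = dict(parse_qsl(server.authorize(temp["oauth_token"], user).split("?", 1)[1]))
    if back["oauth_token"] != temp["oauth_token"]:
        raise ValueError("callback carries a token this client never requested")
    # 3. exchange temporary token + verifier for token credentials (the access token)
    return server.token_credentials(sign("POST", server.TOKEN, {"oauth_consumer_key": client_id,
        "oauth_token": temp["oauth_token"], "oauth_verifier": back["oauth_verifier"]},
        client_secret, temp["oauth_token_secret"]))

def fetch_me(server, client_id, client_secret, access):
    return server.protected_resource(sign("GET", server.API, {"oauth_consumer_key": client_id,
        "oauth_token": access["oauth_token"]}, client_secret, access["oauth_token_secret"]))

APP, SECRET = "official-app", "secret-baked-into-the-apk"   # constructed credentials

def demo():
    server = Server({APP: SECRET})
    legit = fetch_me(server, APP, SECRET, three_legged_flow(server, APP, SECRET, "alice"))
    # Ryan Paul's point: whoever pulled the key and secret out of the installed app
    # runs the identical flow, and the server records it as the official client.
    impostor = fetch_me(server, APP, SECRET, three_legged_flow(server, APP, SECRET, "victim"))
    return legit, impostor
```

Running demo() returns two results whose "via_client" field is the same, which is the whole problem: the server's only evidence of which application is calling is possession of the consumer secret. The server-side checks that do hold up are the ones in _verify and token_credentials: a signed request cannot be replayed (the timestamp/nonce triple is remembered), a request signed with the wrong secret fails, and a temporary token that no user ever authorized cannot be exchanged for an access token.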
Go To Meeting
- Ad Times: 0:58-1:15 and 9:36-12:33
- Edited by: