Handling vulnerability reports - Networkshop44

Graham Rymer, University of Cambridge Computer Laboratory; Jon Warbrick, University of Cambridge Information Services. 23/03/2016. 16 slides.

Uploaded by: jisc. Posted 19-Jan-2017. Category: Education.

TRANSCRIPT

Page 1: Handling vulnerability reports - Networkshop44

Handling vulnerability reports
Graham Rymer, University of Cambridge Computer Laboratory
Jon Warbrick, University of Cambridge Information Services
23/03/2016

Page 2: Handling vulnerability reports - Networkshop44

Introduction

We’d like to tell you our story…

Page 3: Handling vulnerability reports - Networkshop44

Some background

» Raven: University’s central web authentication system
» Launched September 2004
» Supports two ‘web redirect’ protocols:
  › Locally-developed ‘Ucam WebAuth’
  › SAML (via the Shibboleth Consortium’s software)

Page 4: Handling vulnerability reports - Networkshop44

More background

» Information Services provides and supports
  › an Apache module for Ucam WebAuth
  › a Java support library
» Also
  › Protocol documentation
  › Some other examples (including one in PHP)
  › A catalogue of 3rd party implementations

Page 5: Handling vulnerability reports - Networkshop44

Looking for bugs...

» Reference platform
» Dynamic analysis (i.e. debugging). Wireshark very helpful
» Static analysis (i.e. reading source code). Some bugs transparent to tools. Human brain is still useful!

Page 6: Handling vulnerability reports - Networkshop44

Attack vectors...

» Expectations:
  › Weak session management (i.e. session cookies)
  › Implementation errors
  › Problems inherent in protocol itself

Page 7: Handling vulnerability reports - Networkshop44

We found...

» Reality:
  › Robust session management!
  › Implementation errors
  › Problems inherent in protocol itself

Page 8: Handling vulnerability reports - Networkshop44

Worst problem...

» WLS response messages vulnerable:
  › RSA signatures could be forged in special circumstances
  › Exploiting the “key rollover” functionality enabled an attacker to force an arbitrary public key to be used to verify the RSA signature

Page 9: Handling vulnerability reports - Networkshop44

A platform-dependent bug...

    msg = apr_psprintf(r->pool, "WLS response contains invalid key ID (contains '/') %s", kid);

Looks for the forward-slash directory separator only, which is not the relevant separator on Windows (where the backslash is also a separator)
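The check on the slide is a deny-list for one character, and the slide's point is that a deny-list written for one platform is wrong on another. As an added example (not the mod_ucam_webauth code, written for this transcript), the C below puts that style of check beside an allow-list check and only builds a key-file path once the strict check has passed. The key directory, the file-name pattern and the length limit are constructed assumptions, not values from the Raven deployment.

```c
#include <stdio.h>
#include <ctype.h>
#include <string.h>

/* Maximum accepted key ID length (assumed limit for this example). */
#define KID_MAX_LEN 32

/*
 * Deny-list check in the spirit of the one on the slide: the only thing
 * rejected is a forward slash. On Windows '\' is also a directory
 * separator, so a key ID such as "..\\..\\evil" passes and still escapes
 * the key directory when it is later used to build a file name.
 */
int kid_is_valid_weak(const char *kid)
{
    if (kid == NULL || *kid == '\0')
        return 0;
    return strchr(kid, '/') == NULL;
}

/*
 * Allow-list check: a key ID is accepted only if it is 1..KID_MAX_LEN
 * characters drawn from [A-Za-z0-9_-]. Both separators, "..", spaces and
 * control characters are rejected by construction, on every platform.
 */
int kid_is_valid_strict(const char *kid)
{
    size_t i;
    if (kid == NULL || *kid == '\0')
        return 0;
    for (i = 0; kid[i] != '\0'; i++) {
        unsigned char c = (unsigned char)kid[i];
        if (i >= KID_MAX_LEN)
            return 0;
        if (!(isalnum(c) || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

/*
 * Builds the key file path only after the strict check passes. Returns 1
 * and fills `out` on success, 0 otherwise. The "pubkey<kid>" file naming
 * and `keydir` are assumptions made for this example.
 */
int kid_to_path(const char *keydir, const char *kid, char *out, size_t outlen)
{
    int n;
    if (!kid_is_valid_strict(kid))
        return 0;
    n = snprintf(out, outlen, "%s/pubkey%s", keydir, kid);
    return n > 0 && (size_t)n < outlen;
}

int main(void)
{
    /* Constructed sample key IDs: the first two are well-formed, the rest
     * are the kinds of values a reviewer should expect a check to reject. */
    const char *samples[] = { "2", "key-2", "../evil", "..\\..\\evil", "a b", "" };
    size_t i;
    char path[256];

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-14s weak=%d strict=%d", samples[i],
               kid_is_valid_weak(samples[i]), kid_is_valid_strict(samples[i]));
        if (kid_to_path("/etc/webauth/keys", samples[i], path, sizeof path))
            printf(" -> %s", path);
        putchar('\n');
    }
    return 0;
}
```

Running it shows `..\..\evil` passing the weak check and failing the strict one; the design point is that the allow-list does not need to know which characters a given platform treats as separators.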

Page 10: Handling vulnerability reports - Networkshop44

Graham spoils my Sunday afternoon

Page 11: Handling vulnerability reports - Networkshop44

Monday morning plan

» Check other supported agents
» Clarify the protocol
» Fix Apache and PHP agents
» Rebuild packages
» Announce
» Liaise inside Information Services
  › CERT
  › high-profile users

Page 12: Handling vulnerability reports - Networkshop44

Announcement Thursday

Page 13: Handling vulnerability reports - Networkshop44

Meanwhile, what about 3rd party modules?

Page 14: Handling vulnerability reports - Networkshop44

Following up with SHODAN...

    mod_ucam_webauth -2.0.2 win32 org:"University of Cambridge" after:12/03/2015

Page 15: Handling vulnerability reports - Networkshop44

Summary...

» Do you use web authentication to protect highly prized information assets?
» Does your institution maintain its own proprietary technology for doing this?
» Are you checking the code base?
» Maybe someone else already is?!

Page 16: Handling vulnerability reports - Networkshop44

jisc.ac.uk

Jon Warbrick
Graham Rymer
University of Cambridge