Handling vulnerability reports - Networkshop44
TRANSCRIPT
Handling vulnerability reports
Graham Rymer, University of Cambridge Computer Laboratory
Jon Warbrick, University of Cambridge Information Services
23/03/2016
Introduction
»We’d like to tell you our story…
Some background
»Raven: the University’s central web authentication system
»Launched September 2004
»Supports two ‘web redirect’ protocols:
› Locally-developed ‘Ucam WebAuth’
› SAML (via the Shibboleth Consortium’s software)
More background
»Information Services provides and supports
› an Apache module for Ucam WebAuth
› a Java support library
»Also
› Protocol documentation
› Some other examples (including one in PHP)
› A catalogue of 3rd party implementations
Looking for bugs...
»Reference platform
»Dynamic analysis (i.e. debugging). Wireshark very helpful
»Static analysis (i.e. reading source code). Some bugs transparent to tools. Human brain is still useful!
Attack vectors...
»Expectations:
› Weak session management (i.e. session cookies)
› Implementation errors
› Problems inherent in the protocol itself
We found...
»Reality:
› Robust session management!
› Implementation errors
› Problems inherent in the protocol itself
Worst problem...
»WLS response messages vulnerable:
› RSA signatures could be forged in special circumstances
› Exploiting the “key rollover” functionality enabled an attacker to force an arbitrary public key to be used to verify the RSA signature
A platform-dependent bug...
msg = apr_psprintf(r->pool, "WLS response contains invalid key ID (contains '/') %s", kid);
Looks for the forward-slash directory separator only, which is not relevant on Windows
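The key-ID check on this slide, as an added example rather than the module’s own code: a deny-list check that mirrors the slide’s logic (rejecting only ‘/’) beside an allow-list check that accepts only short numeric IDs, so path syntax from any host OS is refused. It assumes Ucam WebAuth key IDs are small integers and that key files are named pubkey<kid> in a key directory; both are assumptions, as is the static buffer.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Deny-list check in the spirit of the slide: only the POSIX separator
 * '/' is rejected, so a backslash (the Windows separator) passes. */
bool kid_ok_denylist(const char *kid)
{
    return kid != NULL && kid[0] != '\0' && strchr(kid, '/') == NULL;
}

/* Allow-list check: accept only 1..8 ASCII digits (assumption: Ucam
 * WebAuth key IDs are small integers). Any path syntax, on any host
 * OS, fails this test without the code needing to know about it. */
bool kid_ok_allowlist(const char *kid)
{
    if (kid == NULL) return false;
    size_t n = strlen(kid);
    if (n == 0 || n > 8) return false;
    for (size_t i = 0; i < n; i++)
        if (!isdigit((unsigned char)kid[i])) return false;
    return true;
}

/* Resolve the public-key file for a key ID, gated by the allow-list.
 * Returns NULL for a rejected ID. File naming "pubkey<kid>" under a
 * key directory is an assumption; the static buffer is for brevity. */
const char *key_file_path(const char *keydir, const char *kid)
{
    static char path[256];
    if (!kid_ok_allowlist(kid)) return NULL;
    int w = snprintf(path, sizeof path, "%s/pubkey%s", keydir, kid);
    if (w < 0 || (size_t)w >= sizeof path) return NULL;
    return path;
}

int main(void)
{
    /* constructed sample IDs: a valid one, a POSIX path, a Windows path, empty */
    const char *ids[] = { "2", "../2", "..\\2", "" };
    for (size_t i = 0; i < 4; i++)
        printf("%-8s deny-list:%d allow-list:%d\n", ids[i],
               kid_ok_denylist(ids[i]), kid_ok_allowlist(ids[i]));
    return 0;
}
```

The deny-list version accepts the backslash ID, which is exactly the gap the slide describes; the allow-list version rejects it on every platform.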
Graham spoils my Sunday afternoon
Monday morning plan
»Check other supported agents
»Clarify the protocol
»Fix Apache and PHP agents
»Rebuild packages
»Announce
»Liaise inside Information Services
› CERT
› high-profile users
Announcement Thursday
Meanwhile, what about 3rd party modules?
Following up with SHODAN...
mod_ucam_webauth -2.0.2 win32 org:"University of Cambridge" after:12/03/2015
Summary...
»Do you use web authentication to protect highly prized information assets?
»Does your institution maintain its own proprietary technology for doing this?
»Are you checking the code base?
»Maybe someone else already is?!
jisc.ac.uk
Jon Warbrick, Graham Rymer
University of Cambridge