You are hereSecurity
Security
BruCON Call For Papers
2009 was the first edition of BruCON, a non-profit conference meant to unite all the people in and around Belgium interested in discussing computer security, privacy and computer technology related topics. It was a great first edition thanks to the help of the sponsors and many volunteers.
I'm happy that I'll be able to play a (more significant) role in the organization of the second edition.
Do you have an interesting topic to present or a cool workshop? Have a look at the Call of Papers here.
One week before HAR
In just a week the long awaited conference HAR is taking place. Time to have a little overview:
- Tickets are unfortunately not available anymore, don't even bother coming to the event without ticket as door-sales won't be done. Next time, try to plan your holiday a little earlier.
- If you arrive early and want to help build up simply create your wiki-profile page based on the volunteer-template. Your arrival date will automagically appear in the volunteers page. Helping a hand is a great way to have fun and meet very interesting people.
- Like always we Belgians group together. This year Belhack (belsec people and the former Iguana colony) and Hacker Space Brussels join the forces. If you don't like a calm place you can join the Belgian Embassy that has a more noisy reputation.
- Print out your ticket, don't forget your tent, prep and harden your computer and phone, stop worrying, and prepare yourself to enjoy your stay.
Oh, last but not least: You will probably see many BruCON people. Did you already book that ticket?
Watchguard Fireware SSL-VPN Vulnerability
I talked a few times about this issue, but unfortunately I didn't get a response to my CVE number request. So here's the full thing:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Security Advisory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: Watchguard Fireware SSL-VPN MiTM Multiple Vulnerabilities
Date: November 29, 2008
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
* Project: WatchGuard Firewall SSL-VPN
* Version affected:
WatchGuard Fireware 10.0 up to 10.2.2
WatchGuard Mobile VPN with SSL 10.0 for Macintosh
WatchGuard Mobile VPN with SSL 10.0.2 for Macintosh
WatchGuard Mobile VPN with SSL 10.0 for Windows
* Discovered: April 06, 2008
* Reported : April 08, 2008
* Fixed : October 07, 2008 (only for Windows)
* Advisory : November 29, 2008
* Not Fixed : Mobile VPN with SSL for Macintosh
* Security risk: High Severity
* Vulnerability: MiTM Multiple Vulnerabilities with Abritrary Code Execution
* Discovered by: Christophe Vandeplas <christophe@vandeplas.com>
-------- SHORT DESCRIPTION --------
Due to bad design of the 'WatchGuard Mobile VPN with SSL Client'
it is vulnerable to a MiTM attack resulting in multiple consequences:
- Username and password gathering
- OpenVPN configuration poisoning
- Upload of malware on the victims machine
- Redirection to another VPN server
- Full transparent MiTM for the complete VPN tunnel
- Arbitrary code execution on the victims machine
This vulnerability should be classed as high severity.
-------- REMEDIATION --------
For Windows computers update ASAP your software.
Stop using the software on Macintosh computers until Watchguard
releases a fixed Macintosh version of the client.
-------- FULL DESCRIPTION --------
-- [ How the Watchguard Fireware SSL-VPN Works
The Watchguard SSL-VPN system consists of four parts:
- OpenVPN Client
- WatchGuard Mobile VPN with SSL GUI Client (or Watchguard GUI Client)
- OpenVPN Server
- Webserver where the client-configuration resides (port 4100)
The OpenVPN Client and Server take care of the full VPN tunnel. As
authentication the 'auth-user-pass', 'server-certificate' and
'client-cert' mechanisms are used. These are good security practices.
The Watchguard GUI takes care of two different tasks. It takes care
as management interface for entering the OpenVPN credentials and it
downloads the client configuration from the webserver on port 4100.
The webserver for the client-configuration runs on port 4100 and
uses SSL for encryption. The certificate is self signed.
-- [ The Flow:
The Watchguard GUI Client needs the Firebox IP, username and
password. When the user clicks on 'connect' the GUI Client connects
on the webserver on ip:4100 using SSL encryption where it downloads
the 'client.wgssl' file with the following HTTP GET:
GET /?action=sslvpn_download&username=testuser&password=testpass&filename=client.wgssl
A file called 'client.wgssl' is then downloaded on the machine.
This file is a TGZ and contains the following files:
MD5SUM - Checksums of the different files from the wgssl package
VERSION - File with version info from Watchguard
ca.crt - Certificate authority public key
client.crt - Client public key
client.ovpn - OpenVPN configuration file
client.pem - Private key for the client
The Watchguard GUI Client extracts the files and then starts up
OpenVPN with this configuration.
OpenVPN then takes care of setting up the VPN tunnel. When the
username and password are required it communicates with the
Watchguard GUI Client using the OpenVPN management interface.
The VPN tunnel is started.
-- [ The problem:
The problem resides in the way GUI Client downloads the configuration.
The webserver:4100 works with a self-signed certificate. The
validity of this certificate is never checked correctly.
The Client GUI does check the strings in the following fields:
Common Name (CN) = Fireware Web Server
Organization (O) = Watchguard
Organizational Unit (OU) = Fireware
These checks are insufficient. A full certificate check should be
performed using either the manually imported certificate before
connection or using an imported CA-cert.
This results in:
1) Anyone can generate a certificate with these values. An attacker
could run a webserver and impersonate the original SSL-VPN server.
2) The password is stored in clear-text in the GET method.
3) The checks on the content of the client.wgssl are almost nihil.
It is possible to completely replace the existing client
configuration and to add extra files in the configuration
directory of the client machine.
4) It is possible to redirect the client to another VPN server. As
we have complete control the full VPN tunnel could be MiTM-ed
without the user noticing this.
5) Combined with the 'up cmd' option of the OpenVPN configuration file
arbitrary code could be executed on the victims machine.
-------- PROOF OF CONCEPT --------
--[ Main Setup
Take an original 'client.wgssl' file, rename it to 'client.wgssl.tgz'
and extract it.
Change the 'remote' value to another IP (1.1.1.1) in the
'client.ovpn' file and recalculate the checksum.
Copy a 'malware.exe' in the same diractory. (this could be
childporn or a virus)
Compress all files again in a new .tgz package with the right
filename.
An Apache webserver has been configured to run on port 4100 using
the SSLEngine.
The SSL certificate was generated with the following values:
Common Name (CN) = Fireware Web Server
Organization (O) = Watchguard
Organizational Unit (OU) = Fireware
In the webroot of the webserver we uploaded a small script that
saves the parametes into a database and returns a client.wgssl file
as datastream.
-- [ Connect
Now open the Watchguard GUI Client and connect to the IP of the
webserver. (192.168.1.110)
The Client downloads the new 'client.wgssl' file and extracts it.
-- [ Results:
1) The Watchguard GUI accepts the fake certificate
2) When checking the logfile we see a successful download of
the configuration file:
192.168.1.120 - - [08/Apr/2008:19:06:14 +0200] "GET /?action=sslvpn_download&username=testuser&password=testpass&filename=client.wgssl HTTP/1.1" 200 12 "-" "-"
These usernames and passwords could be stored in a database using
a php script. (see PHP Sample Script)
3a) The client configuration is completely rewritten with our own
configuration file.
3b) Check the Watchguard GUI Client directory for the 'malware.exe'
file.
4a) Check the logging, you will notice that the client doesn't
connect to 192.168.1.110 but to 1.1.1.1
4b) Out of scope of this POC
5) Out of scope of this POC
-------- Technical SOLUTIONS for Watchguard --------
The WatchGuard Mobile VPN with SSL Client should correctly check the
validity of the SSL Certificate using the well-defined standards when
connecting to the configuration-website on port 4100.
The Watchguard firewall should enable the user to generate and upload
certificates and to link these certificates to the webservers.
An even better solution would be to run both OpenVPN and the
configuration-website on the same port and use the same certificates.
OpenVPN starting from version 2.1 supports a feature called
port-sharing where OpenVPN can share a port with a webserver or
other service.
-------- PHP Sample Script --------
<?php
// Do whatever we want with the variables
$user=$_GET['username'];
$pass=$_GET['password'];
// Return the client.wgssl configuration file
header("Content-Type: application/octet-stream");
header("content-disposition: attachment; filename=\"client.wgssl\"");
$file=file_get_contents("client.wgssl");
echo $file;
?>
-------- LINKS --------
- Watchguard Release Notes
https://www.watchguard.com/Download/Files/WSM/10_2_3/EN_ReleaseNotes_WSM...
- OpenVPN 2.1 Manual
http://openvpn.net/index.php/documentation/manuals/openvpn-21.html
ModSecurity Console signed ssl certificate
Import the CA’s / certificate chain
Place the public key of the Certificate Authority in a file (one file per item in the chain), and import the files with the following command:
[servername]$ keytool -v -import -trustcacerts -keystore keystore \ -file ../cacert1.txt -alias "ca1" [servername]$ keytool -v -import -trustcacerts -keystore keystore \ -file ../cacert2.txt -alias "ca2"
When promted for a password enter : password
Create the private key:
First we generate the private key.[servername]$ keytool -genkeypair -alias "mykey" -keystore keystore \ -validity 1825 -keyalg RSA -keysize 2048 Enter keystore password: password (not shown while typing) Re-enter new password: password (not shown while typing) What is your first and last name? [Unknown]: modseccon.home.vandeplas.com What is the name of your organizational unit? [Unknown]: What is the name of your organization? [Unknown]: Home What is the name of your City or Locality? [Unknown]: What is the name of your State or Province? [Unknown]: What is the two-letter country code for this unit? [Unknown]: BE Is CN=modseccon.home.vandeplas.com, OU=Unknown, O=Home, L=Unknown, ST=Unknown, C=BE correct? [no]: yes Enter key password for <mykey> (RETURN if same as keystore password):
Generate a CSR:
The CSR is the Certificate Signing Request that will be send to the Certificate Authority. This authority will need to confirm you are the owner of the domain name specified.
[servername]$ keytool -certreq -v --keystore keystore -alias "mykey" Enter keystore password: password (not shown while typing)
Copy paste the CSR (include the ---BEGIN--- and
---END---) in a file and then make sure it's signed by the Certificate Authority. Then wait for the signed certificate.
Import Signed Certificate in keytool:
Copy paste the signed certificate (include the ---BEGIN--- and
---END---) in a file like signedcert.txt.
Then import the thing into the keystore using the following command:
[servername]$ keytool -v -import -trustcacerts -keystore keystore \ -file ../signedcert.txt -alias "mykey"
(if you get an error about certificate chain, then you didn’t import the CAcertificates correctly
Copy the keystore to the right location:
Make sure ModSecurity Console is not running.[servername]$ cp keystore ./templates/com.thinkingstone.console.ConsoleComponent/ssl/keystore [servername]$ cp keystore ./var/data/main/console/ssl/keystore
Start up ModSecurity Console and enjoy your https website!
Hacking for Beer - BruCON 12 days left for early bird tickets
BruCON is an annual two-day conference by and for the security and hacker community. The conference offers lectures and workshops on a multitude of topics like computer security, privacy, information technology and its implications on society. It takes place at the Surfhouse in Brussels, Belgium on September 18 and 19.
Tickets should be purchased asap as from the 1st of July the price raises from €180 to €250. The staff didn't forget students ! Their price is €50 till the 1st of July.
The presentations on IPv6 security, MPLS hacking, Cyberwarfare, Social engineer techniques, Cloud Computing Security, Open source Information gathering, Dangers of Social networks, and much more, there will be interesting workshops and other events.
Unfortunately I won't be able to go as I'll be in Canada because of a wedding. But count me in for the second edition!
Sharing safely your internet connection with dd-wrt and multiple SSIDs.
For some time I've been a serious promoter of free internet everywhere. Nobody can deny how practical it is to take your laptop/phone and be able to browse the web without extra UMTS/3G connection.
Being from the principle that you can't get what you don't give I share my internet for a few years. For simplicity and laziness I did it the dirty way: Two wireless SSIDs , WPA2 and unencrypted, connected to the same LAN. My own traffic being fully encrypted from the laptop to the AP, but anonymous people would have full access to my network. It was not something I really liked.
As I just moved in and have brand new internet it was time to configure this correctly.
The plan is the following:
- Create two networks: one private, one public
- The networks should not be able to communicate
- Don't buy extra hardware (aka use only my Linksys)
vlan2. That's because I connect the public network to a physical connector of my router for testing purposes.
Change firmware to DD-WRT
I did this a long time ago, but if you didn't do it yet check out the official DD-WRT website for the firmware and manuals.
The two SSIDs
In the Wireless > Basic Settings page click on Add in the Virtual Interfaces section. Your newly created interface will have the name wl0.1. The primary wireless is still called wl0.
Don't forget to configure encryption on your primary wireless in the Wireless > Wireless Security page.
Splitting the private and public network
On the Setup > Networking page create a bridge called br2. Enter the IP address of the router in that network. (this should be a different network than your private net.). Apply Settings.
In the Assign to Bridge section of the same page click on Add and choose br2 then wl0.1. Apply Settings.
Activating a DHCP on the public network
At the bottom of the Wireless > Basic Settings page you can add another DHCP server. Make sure it's connected to the br2 interface.
Firewall changes
We need to add a few rules to our firewall to allow and block traffic.
To make sure this is executed at boot I added the following rules in Administration > Commands of the webinterface.
iptables -F INPUT iptables -F OUTPUT iptables -F FORWARD iptables -I FORWARD -i br2 -o ppp0 -s 192.168.107.0/24 -j ACCEPT iptables -I FORWARD -i br0 -j ACCEPT iptables -I INPUT -i br2 -p udp --dport 67:68 --sport 67:68 -j ACCEPT iptables -I INPUT -i br2 -p udp --dport 53 -j ACCEPT iptables -I INPUT -i br0 -j ACCEPT iptables -I OUTPUT -j ACCEPT iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -P OUTPUT DROP iptables -P INPUT DROP iptables -P FORWARD DROP
Now is the time to test everything. Try to connect to your private network, browse the web. Now join the free-internet SSID and try the same. Try connecting to a host in your private-net, this shouldn't work.
It's not a bad idea to reboot your router once more, just to be certain everything is set correctly the day you have a power outage.
Consequences
There are a few consequences by opening your internet connection to outsiders. Here's an exhaustive incomplete list:
- Limited download: a visitor can download a ton of traffic on your account. Make sure you don't have to low limits. I've never had issues with this.
- Limited speed: someone else can slow down your internet. I've never had issues with this. You could solve this with the QoS features of DD-WRT.
- Illegal behavior: people could use your connection for illegal activities
To protect myself from the illegal activities I plan to set up a portal page using the NoCatSplash feature of DD-WRT. I also plan to log every mac-address that connect to my wireless and the timestamp.
Installing BackTrack 4 beta on a USB disk
You might have noticed BackTrack 4 Beta is out for a few days. Since it brings some interesting new features I planned to upgrade/reinstall my BT3 USB to the latest edition.
For the Linux users there is a quick install guide that enumerates the different commands needed to setup the system.
Having at that precise moment only a Windows system laying around I had to follow another procedure. The easiest way is the following:
- First format your partition as FAT32. Windows refuses to format partitions bigger than 30GB in FAT32 (to force users to use NTFS). It's only a GUI limitation so you can still use the CLI to
format d: /fs:fat32. - Now download Unetbootin. It's a kind of assistant to install ISO's to your USB disk. (Thanks for the tip Security4all)
- In Unetbootin choose Disk image and specify the path to the BT4b iso file.
- In the Type I had to choose manual as Unetbootin didn't detect my disk as USB disk.
- Just press the OK button and wait.
I noticed there was no bootloader installed on the USB disk so I had to to this manually. It's fairly simple:
Browse to the disk located on your computer and execute the d:\boot\bootinst.bat script. The script will try to autodetect the drive letter and will ask a confirmation. Double check it and confirm.
Now boot your system from the USB disk and here it is: BackTrack 4 beta.




