Episode Transcript
0:00
Hello and welcome to the Friday, May 3rd, 2024 edition of the SANS Internet Storm Center Stormcast. My name is Johannes Ullrich and I'm recording from Jacksonville, Florida.

0:12
When teaching web application security, one of the things that often comes up is simple authentication bypasses, and I do mention things like a stupid cookie that says user equals admin. You would think this wouldn't work, but well, that's exactly what I was writing about today. It used exactly this type of vulnerability, a cookie user equals admin. In addition, the vulnerability that is likely being exploited here uses a command injection vulnerability where, when you're trying to change your password, it will also inject commands for you. Just to clarify, LB-Link, don't confuse it with TP-Link. LB-Link is a Chinese OEM; as far as I can tell, their routers may be sold under various trademarks. Minga WRAC 1200 apparently has the same vulnerability, so likely same manufacturer and same firmware. One problem with sort of these routers that are sold under different trade names is that it can be difficult to figure out where to actually get firmware for these devices. Before you buy any kind of device like this, always try to find a manufacturer's website, check out if firmware is easily available from the website, and while you're there also check if they have any kind of end-of-life policy, to make sure you're not buying a device that will no longer receive any updates.

1:50
And talking about routers and related devices, we do have an update for ArubaOS, that's part of HP Enterprise. A number of different vulnerabilities are being addressed here. Four of them are buffer overflows with a critical rating and a CVSS score of 9.8. At least it's not a weak default password.

2:16
And if you're brave enough to actually try to parse XML in JavaScript using the npm library xml-crypto, which is the XML crypto library available in npm, well, it didn't really do much to actually verify the certificates being included in an XML message. So when you're creating a signed or encrypted XML message, you have the ability to include any certificates in a KeyInfo block. Of course you would expect that the certificates are being verified, that they are signed with some kind of trust anchor. Well, xml-crypto thought that this is really just for people who are sort of non-trusting and think that users may occasionally, like, slip in a bad document. So they just skipped that check, and that way it was possible to submit fake signed XML documents by just including the key that you used to sign your fake document. This issue has been fixed in versions 4 through 6 of this library. It's possible that you're still using versions before 4; basically that's the major version of the library. In that case, well, it's up to you to actually check the KeyInfo certificates before you trust the output of xml-crypto.

3:44
And Lumen's Black Lotus Labs did find some compromised small office/home office routers that were infected with malware that essentially placed the good old machine-in-the-middle attack. Plenty of ways to basically make these: we do have Strict Transport Security, we do have secure parameters on cookies, but of course developers are stupid and are not using these particular precautions, and that's exactly what Cuttlefish, that's what they're calling this malware, takes advantage of, in that it will intercept HTTP connections, try to then redirect users to HTTP or spoofed HTTP versions of websites, and then steals credentials that way. Interestingly, it specifically goes after cloud credentials like Cloudflare auth keys, AWS secret keys. Not sure if they're looking here sort of for development sites that may not use HTTPS properly. It's amazingly simple to actually configure these services correctly if you're using them in actual Cloudflare or AWS; actually, in some cases it's almost more work to not configure these services correctly.

5:07
Hey, but don't be afraid of additional router vulnerabilities. I just read another paper where someone suggested to use AI to fix home router vulnerabilities. Not going to link to the paper because it's just a waste of time. Thanks for listening, hope this wasn't a waste of time, and talk to you again on Monday. Bye.