ISC StormCast for Friday, May 3rd, 2024

Released Friday, 3rd May 2024

Episode Transcript

0:00
Hello and welcome to the Friday, May 3rd, 2024 edition of the SANS Internet Storm Center Stormcast. My name is Johannes Ullrich and I'm recording from Jacksonville, Florida.

0:12
When teaching web application security, one of the things that often comes up is simple authentication bypasses, and I do mention things like a stupid cookie that says user=admin. You would think this wouldn't work, but well, that's exactly what I was writing about today. It used exactly this type of vulnerability, a cookie user=admin. In addition, the vulnerability that is likely being exploited here uses a command injection vulnerability where, when you're trying to change your password, it will also inject commands for you. Just to clarify: LB-Link, don't confuse it with TP-Link. LB-Link is a Chinese OEM; as far as I can tell, their routers may be sold under various trademarks. Minga WRAC 1200 apparently has the same vulnerability, so likely same manufacturer and same firmware.

1:14
One problem with sort of these routers that are sold under different trade names is that it can be difficult to figure out where to actually get firmware for these devices. Before you buy any kind of device like this, always try to find the manufacturer's website, check out if firmware is easily available from the website, and while you're there also check if they have any kind of end-of-life policy to make sure you're not buying a device that will no longer receive any updates.

1:50
And talking about routers and related devices, we do have an update for ArubaOS, that's part of HP Enterprise. A number of different vulnerabilities are being addressed here. Four of them are buffer overflows with a critical rating and a CVSS score of 9.8. At least it's not a weak default password.

2:16
And if you're brave enough to actually try to parse XML in JavaScript using the npm library xml-crypto, which is the XML crypto library available in npm, well, it didn't really do much to actually verify the certificates being included in an XML message. So when you're creating a signed or encrypted XML message, you have the ability to include any certificates in a KeyInfo block. Of course you would expect that the certificates are being verified, that they are signed with some kind of trust anchor. Well, xml-crypto thought that this was really just for people who are sort of non-trusting and think that users may occasionally, like, slip in a bad document. So they just skipped that check, and that way it was possible to submit fake signed XML documents by just including the key that you used to sign your fake document. This issue has been fixed in version 4 through 6 of this library. It's possible that you're still using versions before 4; basically, that's the major version of the library. In that case, well, it's up to you to actually check the KeyInfo certificates before you trust the output of xml-crypto.

3:44
And Lumen's Black Lotus Labs did find some compromised small office/home office routers that were infected with malware that essentially placed the good old machine-in-the-middle attack.

4:01
Plenty of ways to basically make these. We do have Strict Transport Security, we do have secure parameters on cookies, but of course developers are stupid and are not using these particular precautions, and that's exactly what Cuttlefish, that's what they're calling this malware, takes advantage of, in that it will intercept HTTP connections, try to then redirect users to HTTP or spoofed HTTP versions of websites, and then steals credentials that way. Interestingly, it specifically goes after cloud credentials like Cloudflare auth keys, AWS secret keys. Not sure if they're looking here sort of for development sites that may not use HTTPS properly. It's amazingly simple to actually configure these services correctly if you're using them in actual Cloudflare or AWS; actually, in some cases it's almost more work to not configure these services correctly.

5:10
Hey, but don't be afraid of additional router vulnerabilities. I just read another paper where someone suggested to use AI to fix home router vulnerabilities. Not going to link to the paper because it's just a waste of time. Thanks for listening, hope this wasn't a waste of time, and talk to you again on Monday. Bye.
