Duo Security's investigation into the security vulnerabilities of Google Application-Specific Passwords. Plus a follow-up investigation on a few loose ends from our previous work, which uncovered a new method of exploiting Google Chrome's OAuth2 tokens.
13. Application-Specific Passwords
‣ 16 lowercase letters
‣ Randomly-Generated by Google
‣ Individually Revokable
‣ Not intended to be memorized
sounds a bit like...
duosecurity.com
13
14. ASPs vs. OAuth Tokens
‣ ASPs have to be generated manually
‣ ASPs aren’t actually Application-Specific!
15. Not-So-Application-Specific
“Another weakness of ASP is the misimpression that it provides
application-limited rather than full-scope account access.”
- Authentication at Scale,
appearing in IEEE S&P Magazine vol. 11, no. 1
17. Detour: Android Auto-Login
Worked even for the most sensitive parts of https://accounts.google.com:
‣ 2FA settings:
https://accounts.google.com/b/0/SmsAuthConfig?hl=en
‣ Account-Recovery Settings:
https://accounts.google.com/b/0/UpdateAccountRecoveryOptions?hl=en&service=oz
18. So...
‣ ASPs can link an Android device, and
‣ With auto-login, Android devices could - with no additional authentication - take over your account completely!
19. Let’s Figure Out How This Works...
Android HTTPS Interception, v1
‣ Real Device (Google Nexus S) with a custom default gateway
‣ Linux Desktop, running sslsniff
‣ http://www.thoughtcrime.org/software/sslsniff/
‣ Custom CA certificate
20. Let’s Figure Out How This Works...
Android HTTPS Interception, v2
‣ Android Emulator
‣ $ emulator -http-proxy localhost:8080 @avd_name
‣ Burp Suite Proxy
‣ http://portswigger.net/burp/
‣ Custom CA certificate
22. Basic Workflow
‣ POST to https://android.clients.google.com/auth
‣ Send Email, EncryptedPasswd, service=ac2dm
‣ Receive “Token”
‣ POST to https://android.clients.google.com/auth
‣ Send Email, Token, service=urlquote(“weblogin:continue=https://accounts.google.com/ManageAccount”)
‣ Receive “MergeSession” URL
‣ Open the MergeSession URL; get instantly logged into your account!
28. Simplified Workflow
‣ POST to https://android.clients.google.com/auth
‣ Send Email, Passwd, service=urlquote(“weblogin:continue=https://accounts.google.com/ManageAccount”)
‣ Receive “MergeSession” URL
Go from Application-Specific Password to full account takeover with one API call!
29. Timeline
‣ 2012/07/16: Duo researchers confirm presence of ASP weakness.
‣ 2012/07/18: Issue reported to security@google.com.
‣ 2012/07/20: Communication with Google Security Team clarifying the issue.
‣ 2012/07/24: Issue is confirmed and deemed “expected behavior” by Google Security Team.
‣ 2013/02/21: Fix is pushed by Google to prevent ASP-initiated sessions from accessing sensitive account interfaces.
‣ 2013/02/25: Public disclosure by Duo.
30. Google’s Fix
‣ Sensitive account-settings pages are no longer accessible via auto-login (you must enter username/password/OTP)
‣ ~Nothing else has changed
33. 2-step Verification Still Helps...
‣ Phishing
‣ Password-sharing between services (with insecure password databases)
34. ... But ASPs Can Be Stolen
HTTPS Man-In-The-Middle
‣ Thick-client applications are notoriously bad at checking SSL certificates:
https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html
Malware can grab stored passwords...
‣ Windows: Data Protection API
‣ Encrypts data using a key derived from the user’s logon credential
‣ Any process running under the same user account can decrypt any DPAPI-protected data
‣ OS X: Keychain
‣ Stronger: per-application permissions
Plaintext...
35. Case Study: Pidgin
‣ Plain-Text Passwords!
‣ https://developer.pidgin.im/wiki/PlainTextPasswords
‣ GTalk / “Hangouts” - (probably) low impact if compromised
‣ If we were storing a credential that only had access to your GTalk account, then storing it in plaintext might be ~OK
‣ GMail - (probably) high impact if compromised
‣ ... all of your other accounts on the internet?!
36. Not Just Application-Specific Passwords
‣ Chrome on Windows / Mac / Linux has the same “auto-login” functionality
‣ ... but it’s using OAuth2 now!
37. Workflow
‣ POST to https://accounts.google.com/o/oauth2/token
‣ send refresh_token, client_id, client_secret (the latter two are hardcoded into Chrome)
‣ receive access_token
‣ GET to https://accounts.google.com/OAuthLogin?source=ChromiumBrowser&issueuberauth=1
‣ send access_token in Authorization header
‣ get “uberauth” token back
‣ Use “uberauth” token to construct a MergeSession URL
38. How Is The Refresh Token Stored?
from (e.g.) ~/Library/Application Support/Google/Chrome/Default/Preferences:
...
"oauth2LoginRefreshToken": {
    "status": "Successful",
    "value": "1/0209_TGZzDyfxwozFV..."
}
...
39. OAuth2 Won’t (automagically) Save You
Unexpected threat models:
‣ Access to your tabs/bookmarks/history/etc. vs access to your entire Google account!
40. 2. Passing The Hash In Windows Networks... Even When Passwords Are “Disabled”
(borrowing in part from http://www.foofus.net/~hinge/presos/insidious-implicit-windows-trust-relationships.pdf)
41. Local vs Domain Logins
‣ Local
‣ Password hashes are stored on your workstation
‣ Domain
‣ Password hashes stored on the Domain Controller
‣ Your workstation will cache them, sometimes
‣ Both Local and Domain accounts can be administrators on your workstation
(Diagram: three Workstations, an Other Server and a Domain Controller)
43. NTLM Authentication
‣ Challenge-Handshake Protocol
‣ Uses NTLM Hash of user’s password, not the password itself!
‣ One-way hash function
‣ No salting, no PBKDF2 ...
‣ Extremely pervasive in Windows ecosystems
‣ RPCs
‣ SMB mounts
‣ ...
44. Pass-The-Hash
NTLM Authentication only requires the NTLM Hash!
‣ Gain local admin rights on a single workstation (somehow...)
‣ Extract NTLM Hashes
‣ Use them to compromise other machines in the network!
(Diagram: Workstations, Domain Controller and Other Server)
45. What About Smart-Cards?
Public/Private Key-pair and Certificate stored on cryptographic hardware
‣ Private Key can “never” be extracted
‣ Authenticate by asking the smartcard to digitally-sign a value (basically, Challenge-Handshake)
‣ Windows can do Certificate-based user authentication
Sounds much better, right?
46. What About Smart-Cards?
“In order to support NTLM authentication [MS-NLMP] for applications connecting to network services that do not support Kerberos authentication, when PKCA is used, the KDC returns the user's NTLM one-way function (OWF) in the privilege attribute certificate (PAC) PAC_CREDENTIAL_INFO buffer ([MS-PAC] section 2.6.1).”
- [MS-PKCA]: Public Key Cryptography for Initial Authentication (PKINIT) in Kerberos Protocol
http://msdn.microsoft.com/en-us/library/cc238455.aspx
47. Evaluation
Smart-cards still can help...
‣ Weak Passwords
‣ Shared Passwords between accounts / systems
But Pass-The-Hash attacks can still be a threat!
49. Real-world ecosystems tend to have multiple, distinct authentication scenarios...
... passwords (or similar stored-secret authentication methods) are likely to continue to exist in some scenarios ...
...in each scenario, we must carefully balance privileges with trust
50. Authentication Scenarios and Trust
Rights
‣ What is the maximum set of permissions that should be granted to a user?
Integrity Level
‣ How strongly has a user / client authenticated?
51. 4. Amazon Web Services: Identity and Access Management (IAM)
52. Identity And Access Management (IAM)
‣ A single AWS account can have multiple users
‣ Flexible Rights-Expression Language, based on:
‣ Resources (e.g. EC2 Instances, DNS zones, ...)
‣ Actions (e.g. start instance, stop instance, ...)
‣ Other session context (e.g. client IP address, SSL usage, whether 2FA was used, ...)
53. IAM Policy Example
{
  "Version": "2012-10-17",
  "Statement": [{
    "Action": ["ec2:StopInstances", "ec2:TerminateInstances"],
    "Effect": "Deny",
    "Resource": ["*"],
    "Condition": {
      "Null": {"aws:MultiFactorAuthAge": "true"}
    }
  }]
}
Deny specific actions if a user didn’t use 2-factor authentication (the Null operator matches when the aws:MultiFactorAuthAge key is absent from the request context, i.e. the credentials were not issued after an MFA check)
54. 2-Factor Authentication for API Clients
Amazon Secure Token Service
‣ Provide API credentials and a one-time-passcode to a specific endpoint
‣ Get a new set of temporary credentials back
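Added example (not from the slides, and not AWS's own evaluator): a minimal policy evaluator that applies the Deny-if-no-MFA policy from the IAM slide to two constructed request contexts, one from long-term access keys (no aws:MultiFactorAuthAge key at all) and one from STS temporary credentials minted after an OTP, as on the STS slide. The Allow statement, the request contexts and the simplified evaluation rules (Action, Effect, Resource "*", Null operator, explicit Deny wins) are assumptions for illustration.

```python
import fnmatch
import json

# Constructed policy: an Allow for all EC2 actions plus the slide's Deny-unless-MFA statement.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Action": ["ec2:*"], "Effect": "Allow", "Resource": ["*"]},
    {"Action": ["ec2:StopInstances", "ec2:TerminateInstances"],
     "Effect": "Deny", "Resource": ["*"],
     "Condition": {"Null": {"aws:MultiFactorAuthAge": "true"}}}
  ]
}
""")

# Constructed request contexts. Long-term access keys carry no MFA key at all;
# STS credentials obtained with an OTP carry aws:MultiFactorAuthAge (seconds since the MFA check).
NO_MFA_CONTEXT = {"aws:SourceIp": "203.0.113.10"}
MFA_CONTEXT = {"aws:SourceIp": "203.0.113.10", "aws:MultiFactorAuthAge": 120}


def null_condition_matches(null_block, context):
    # "Null": {key: "true"} matches when the key is ABSENT from the request context,
    # "false" when it is present. Every key in the block must match.
    for key, want_absent in null_block.items():
        if (want_absent == "true") == (key in context):
            return False
    return True


def action_matches(patterns, action):
    # IAM Action values support "*" wildcards (ec2:* etc.); fnmatch covers that case.
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)


def evaluate(policy, action, context):
    """Return "Deny", "Allow" or "ImplicitDeny" for one action against one policy (simplified)."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not action_matches(actions, action):
            continue
        null_block = stmt.get("Condition", {}).get("Null")
        if null_block is not None and not null_condition_matches(null_block, context):
            continue  # condition not met, statement does not apply
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny always overrides any Allow
        decision = "Allow"
    return decision
```

With these contexts, TerminateInstances is denied for the long-term keys but allowed for the STS session, while DescribeInstances is allowed either way because the Deny names only the two destructive actions.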
55. Evaluation
AWS gives you all the tools to build strong, flexible authorization policies...
... but you have to actually build them!
AWS is intended for developers (and other savvy types)