
Subscribe to the RSS feed in case you are interested in updates

At last. What started as an "I need an overview of best practice in SSL/TLS configuration" type of idea ended in a three-month coding, reverse-engineering and writing effort. I really hope this comes in handy for you and was worth the effort. This is the "release candidate" version of the paper; should no errors be found, it will be the final version.

This paper aims at answering the following questions:
  • What SSL/TLS configuration is state of the art and considered secure (enough) for the next years?
  • What SSL/TLS ciphers do modern browsers support?
  • What SSL/TLS settings do servers and common SSL providers support?
  • What are the cipher suites offering the most compatibility and security?
  • Should we really disable SSLv2? What about legacy browsers?
  • How long does RSA still stand a chance?
  • What are the recommended hashes and ciphers for the years to come?

The paper includes two tools:
  • SSL Audit (alpha): SSL scanner that scans remote hosts for SSL/TLS support (Video)
  • Harden SSL/TLS (beta): Windows server and client SSL/TLS hardening tool (Video)
Without further ado, here is the complete package.

PS: In order to know whether this type of publication is useful to some and whether I should spend time on such publications in the future, I would appreciate a heads-up if you find this to be interesting. Thierry

 
“Harden SSL/TLS” allows hardening the SSL/TLS settings of Windows 2000, 2003, 2008, 2008 R2, XP, Vista and 7. It allows setting SSL policies locally and remotely, allowing or denying certain ciphers/hashes or complete cipher suites.

This tool specifically allows setting policies regarding which ciphers and protocols are available to applications that use the SCHANNEL crypto interface. Many Windows applications use this interface; Google Chrome and Apple Safari are two of them. By changing the settings you can indirectly control which ciphers these applications are allowed to use.



Advanced mode
· Re-enable ECC P521 mode on Windows 7 and 2008 R2
· Set TLS cache size and timeout

Known issues:
· none

Author:
Thierry Zoller for G-SEC
Download: Harden TLS/SSL (beta)
Download: Documentation



As part of G-SEC's investigation for the "Secure SSL/TLS configuration Report 2010" (to be published), we developed a little tool called SSL Audit. (More to follow in the next days, stay tuned.)

SSL Audit scans web servers for SSL support. Unlike other tools, it is not limited to the ciphers supported by SSL engines such as OpenSSL or NSS and can detect all known cipher suites over all SSL and TLS versions.


Apart from scanning available cipher suites it has an interesting tidbit: the Fingerprint mode (experimental). Included is an experimental fingerprint engine that tries to determine the SSL engine used server side. It does so by sending normal and malformed SSL packets that can be interpreted in different ways.

SSL Audit is able to fingerprint:
· IIS7.5 (Schannel)
· IIS7.0 (Schannel)
· IIS 6.0 (Schannel)
· Apache (Openssl)
· Apache (NSS)
· Certicom
· RSA BSAFE





This paper explains the vulnerability for a broader audience and summarizes the information that is currently available. The document is subject to updates and is believed to be accurate at the time of writing.

  • Updated 18.11.2009: Added SMTP over TLS attack scenario, added s_client test case
  • Updated 30.11.2009: Added FTPS analysis, new attacks against HTTPS (injecting responses and downgrading to HTTP)
  • Updated 09.12.2009: Proof-of-concept files for TRACE and 302 redirect using the TLS renegotiation flaw

Download "TLS / SSLv3 renegotiation vulnerability explained"

posted by Thierry Zoller

Related post: Vulnerabilities like it's 1999 SSLv3 / TLS Man in the Middle vulnerability - update #8



  • Updated 17:50 GMT+1 / 05.2009 - added Mitigation / Impact 
  • Updated 16:40 GMT+1 / 06.2009 - added IETF draft 
  • Updated 14:35 GMT+1 / 07.2009 - added SSLTLS Test Tool 
  • Updated 16:34 GMT+1 / 07.2009 - added OpenSSL patch 
  • Updated 13:00 GMT+1 / 09.2009 - added GNUTLS patch 
  • Updated 19:40 GMT+1 / 09.2009 - added Mikestoolbox.net testing TLS renegotiation support 
  • Updated 21:29 GMT+1 / 09.2009 - added Apache patch, Mozilla Bug ID, Redhat Bug ID, Mozilla patch disabling tls renegotiation, Tomcat mitigation 
  • Updated 21:00 GMT+1 / 12.2009 - added a whitepaper trying to explain the vulnerability and its implications to a broader audience

After some in-house tests, we can confirm that the vulnerability presented at http://www.extendedsubset.com/ is indeed real and should pose a significant threat to most. The vulnerability was discovered by Marsh Ray, Steve Dispensa and Martin Rex.

We are currently looking into possible mitigations and will update this blog post regularly with more information regarding said vulnerability.


Details

Patches
Advisories 
Impacts:
Currently known to exist
  • In general, an attacker positioned in the middle of a connection may inject arbitrary content into the beginning of an authenticated stream; it will be interesting to see what potential impact this vulnerability has within each of the applications/protocols supporting it (IMAPS, FTPSSL, POP3, etc.).
  • For web servers: attackers (if in the middle) can inject data into a segment that is authenticated to the web server; the web server will merge those requests and process them. (GET requests are trivially exploitable; POST requests are not known to be.)
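The IETF draft referenced in the updates above fixes the flaw with a renegotiation_info extension that both sides must echo; what follows is an added example (not part of the post or the tools it links), assuming the TLS 1.0 record layout and using constructed ServerHello records rather than captured traffic, that builds a ClientHello advertising the SCSV and checks whether a ServerHello carries the extension.

```python
import struct

SCSV = b"\x00\xff"        # TLS_EMPTY_RENEGOTIATION_INFO_SCSV: "client understands secure renegotiation"
RENEG_INFO = 0xFF01       # renegotiation_info extension type from the IETF draft (later RFC 5746)
AES128_SHA = b"\x00\x2f"  # TLS_RSA_WITH_AES_128_CBC_SHA, offered as an ordinary suite

def build_client_hello(suites=(AES128_SHA,)):
    """TLS 1.0 ClientHello record that advertises the SCSV next to the real suites."""
    ciphers = b"".join(suites) + SCSV
    body = (b"\x03\x01" + b"\x00" * 32 + b"\x00"   # version, client random, empty session id
            + struct.pack("!H", len(ciphers)) + ciphers
            + b"\x01\x00"                          # one compression method: null
            + b"\x00\x00")                         # empty extensions block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def server_hello_extensions(record):
    """Parse a ServerHello record into {extension_type: data}; {} if it carries none."""
    if record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a ServerHello handshake record")
    p = 5 + 4 + 2 + 32          # record header, handshake header, server version, random
    p += 1 + record[p]          # session id
    p += 2 + 1                  # chosen cipher suite, compression method
    exts = {}
    if p + 2 > len(record):
        return exts
    end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        exts[etype] = record[p + 4:p + 4 + elen]
        p += 4 + elen
    return exts

def supports_secure_renegotiation(record):
    """A patched server echoes renegotiation_info; on the initial handshake its data is
    the empty renegotiated_connection, encoded as a single 0x00 length byte."""
    return server_hello_extensions(record).get(RENEG_INFO) == b"\x00"

def _server_hello(ext_block):
    """Constructed ServerHello (not captured traffic) for the two offline samples below."""
    body = b"\x03\x01" + b"\x11" * 32 + b"\x00" + AES128_SHA + b"\x00" + ext_block
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

PATCHED_HELLO = _server_hello(b"\x00\x05" + b"\xff\x01" + b"\x00\x01" + b"\x00")  # echoes the extension
LEGACY_HELLO = _server_hello(b"")   # unpatched server: no extensions at all
```

To check a live server, send build_client_hello() over a TCP connection to its TLS port, read the first record it returns and pass it to supports_secure_renegotiation(); a server that does not echo renegotiation_info has not been patched for secure renegotiation.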
Posted by Thierry Zoller



    Here is a quick overview of one possible way to solve the Hack.lu 2009 crackme (reversing challenge) with the classical JZ/JNZ method (hence the 1998 reference).


    Disclaimer: If you are used to reversing software, you can skip this post; there is nothing new for you to glimpse here. This is one way to solve this crackme; of course you could try to reverse engineer the serial generation algorithm. In reality, if you used a serial system like this in a shareware type of application, nobody would bother to do so.


    Although there are no classical packer signatures to be detected (PEiD, ExeInfoPE), looking at the results of entropy tests it is clear that the sample is compressed/encrypted in some way or another. Entropy is the measure of randomness/chaos.

    Examples:

    • AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA has an entropy of 0 
    • ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwx has an entropy of 96,04%



     Entropy measurement of crackme.exe



    There are several ways to measure whether a binary (or parts of it) is compressed/encrypted; I happen to use Gynvael's excellent tool ENT (not to be confused with a similar entropy measurement tool) as it offers several advantages, such as mapping entropy onto the .code and .data sections of a PE file. As we can see above, the entropy of the code section (green) is that of normal code, while the data section has high entropy at its very end.
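Added example (not from the post or the ENT tool): Shannon entropy in bits per byte for the two strings above, plus a windowed scan that flags high-entropy regions the way an entropy map over a PE section does; the percentage figures on the page use ENT's own scale, which is not documented here, so they are not reproduced. The data-section bytes are constructed, not taken from crackme.exe.

```python
import math
import random
from collections import Counter

def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte: 0.0 for one repeated
    value, 8.0 at most (all 256 byte values equally frequent)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def entropy_map(data, window=512, step=512):
    """Entropy of each window across `data` as (offset, bits_per_byte) pairs:
    the per-region view an entropy plot over a PE section gives you."""
    last = max(len(data) - window, 0)
    return [(off, shannon_entropy(data[off:off + window]))
            for off in range(0, last + 1, step)]

def high_entropy_regions(data, window=512, step=512, threshold=7.0):
    """Offsets whose window exceeds `threshold` bits/byte, i.e. candidates for
    compressed or encrypted content inside an otherwise ordinary section."""
    return [off for off, h in entropy_map(data, window, step) if h > threshold]

# The two strings from the post.
REPEATED = b"A" * 35
ALPHABET = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwx"

# Constructed stand-in for the sample's data section (not bytes from crackme.exe):
# 3 KiB of string/table-like data followed by 1 KiB of pseudo-random bytes at the end,
# mirroring "high entropy at the very end of the data section".
_rng = random.Random(1)
_filler = b"serial=%s\x00" * 24 + b"\x00" * 64
DATA_SECTION = (_filler * 16)[:3072] + bytes(_rng.getrandbits(8) for _ in range(1024))
```

Running high_entropy_regions(DATA_SECTION) flags only the two windows covering the final kilobyte, which is the signal to look for before deciding to dump the process after it unpacks itself.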

    Luckily for us, it doesn't use stolen bytes or more advanced methods to hinder dumping from memory once the sample has decrypted/decompressed itself.

    So we proceed with:

    • Load the sample in OllyDbg and wait until it hits the OEP
    • Dump the process using OllyDump
    • Fix the import table
    • Search for "serial"
    • Look for the branching code
    • Patch the branching code from JZ to JNZ

    Patching the Jump Zero to a Jump Not Zero instruction

    This is it

    Posted by Thierry Zoller




    G-SEC released an advisory today that affects various Computer Associates products. The most interesting part is the multitude of ways this vulnerability can be triggered; if you skim through the list of affected products you can draw your own picture: network, USB, email, CD, DVD, OLE2 (DOC, XLS) and more.

    Picture courtesy of Norton AV Gaming edition


    List of affected products:
    • CA Anti-Virus for the Enterprise (formerly eTrust Antivirus) 7.1
    • CA Anti-Virus for the Enterprise (formerly eTrust Antivirus) r8
    • CA Anti-Virus for the Enterprise (formerly eTrust Antivirus) r8.1
    • CA Anti-Virus 2007 (v8)
    • CA Anti-Virus 2008
    • CA Anti-Virus 2009
    • CA Anti-Virus Plus 2009
    • eTrust EZ Antivirus r7.1
    • CA Internet Security Suite 2007 (v3)
    • CA Internet Security Suite 2008
    • CA Internet Security Suite Plus 2008
    • CA Internet Security Suite Plus 2009
    • CA Threat Manager for the Enterprise (formerly eTrust Integrated Threat Management) r8
    • CA Threat Manager for the Enterprise (formerly eTrust Integrated Threat Management) 8.1
    • CA Threat Manager Total Defense
    • CA Gateway Security r8.1
    • CA Protection Suites r2
    • CA Protection Suites r3
    • CA Protection Suites r3.1
    • CA Secure Content Manager (formerly eTrust Secure Content Manager) 1.1
    • CA Secure Content Manager (formerly eTrust Secure Content Manager) 8.0
    • CA Network and Systems Management (NSM) (formerly Unicenter Network and Systems Management) r3.0
    • CA Network and Systems Management (NSM) (formerly Unicenter Network and Systems Management) r3.1
    • CA Network and Systems Management (NSM) (formerly Unicenter Network and Systems Management) r11
    • CA Network and Systems Management (NSM) (formerly Unicenter Network and Systems Management) r11.1
    • CA ARCserve Backup r11.5 on Windows
    • CA ARCserve Backup r12 on Windows
    • CA ARCserve Backup r12.0 SP1 on Windows
    • CA ARCserve Backup r12.0 SP 2 on Windows
    • CA ARCserve Backup r12.5 on Windows
    • CA ARCserve Backup r11.1 Linux
    • CA ARCserve Backup r11.5 Linux
    • CA ARCserve for Windows Client Agent
    • CA ARCserve for Windows Server component
    • CA eTrust Intrusion Detection 2.0 SP1
    • CA eTrust Intrusion Detection 3.0
    • CA eTrust Intrusion Detection 3.0 SP1
    • CA Common Services (CCS) r3.1
    • CA Common Services (CCS) r11
    • CA Common Services (CCS) r11.1
    • CA Anti-Virus SDK (formerly eTrust Anti-Virus SDK)
    • CA Anti-Virus Gateway (formerly eTrust Antivirus Gateway) 7.1
    posted by Thierry Zoller on 13/10/2009