SHARE
TWEET

SChannelShenanigans

a guest Nov 12th, 2014 23,174 Never
  1. # I need a good doxbin onion back!
  2.  
  3.  
  4.  Software SUCKS! Calling out "SChannel Shenanigans"
  5.      Part one of the in depth story of MS14-666 / CVE-2014-6321
  6.  
  7.  
  8.  
  9.  So, about those "SChannel Shenanigans"... Sit down and let me set the record straight!
  10.  
  11.  This is the story of the most under-played Patch Tuesday update ever delivered. The "SChannel Shenanigans" bug is a once in a lifetime type of vulnerability, and Microsoft is mis-representing the scope and severity of this defect.
  12.  
  13.  This is also the story of an opportunity lost by indecision; Learn from my fail!
  14.  
  15.  And while software sucks, you can mitigate harsh reality with defense in depth and consistent care.
  16.  
  17.  Yes, this vulnerability must be called "SChannel Shenanigans" or the wrath of "The Exploit" be upon you and your house!
  18.  
  19.  
  20.  
  21.  Some background to understand this discussion:
  22.  
  23.  def Lsa...() {
  24.  }
  25.   ^- This is easy code like for a "Function or Method Definition",
  26.    or said another way, 'the instructions the computer carries out'. From here simply called "Methods".
  27.  
  28.  
  29.  
  30.  Attack surface and call graph describes how complicated, and how frequently a particular function may be called. The more complicated or prominently used the code, the larger the attack surface is.
  31.  
  32.  The more frequently a function is called, the larger the risk it carries if compromised. From here simply called "Surface".
  33.  
  34.  
  35.  
  36.  Privileges and capabilities are the "keys" the vulnerable process carries, which in turn can be stolen and used for more attacks if that process is compromised.
  37.  
  38.  These privileges, as held by Operating System and Platform Services processes and methods, are what give you access to everything: data stored, transmitted, remote service or networks, everything. From here simply referred to as "Privs" for short.
  39.  
  40.  
  41.  
  42.  What makes "SChannel Shenanigans" so dangerous?
  43.  
  44.  A number of things, combined, make this defect exceptionally dangerous to everyone running Windows 2000 and newer. As hinted at with first vulnerable version, the code affected is very old and very complicated.
  45.  
  46.  Old code with very large Surface explains the first aspect of risk. Next is the remote exposure of the huge Surface to attackers who may remain anonymous. This impact at a distance before verifying credentials or permitting access is the second aspect of risk.
  47.  
  48.  Finally, the frequent and pervasive use of the vulnerable Lsa Methods in all versions of affected Windows mean there are many avenues to 100% success of SYSTEM Privs. Sometimes called "God Mode" exploits when utilized to take over systems.
  49.  
  50.  
  51.  
  52.  It is as if our story code had been written like:
  53.  
  54.  < inside vulnerable SYSTEM Services >
  55.  .
  56.  def SYSTEM/AdministratorMainLoop() {
  57.   while always {
  58.    runService();
  59.    handleEvents();
  60.   }
  61.  }
  62.  
  63.  def runService() {
  64.   while always {
  65.    contactRemoteServiceMaybe();  // calls vulnerable Lsa Method
  66.    handleLocalRequestMaybe();  // calls vulnerable Lsa Method
  67.   }
  68.  }
  69.  
  70.  def handleEvents() {
  71.   while always {
  72.    acceptShadyInputsFromStrangers();  // calls vulnerable Lsa Method
  73.    passThroughShadyToOthers();  // calls vulnerable Lsa Method
  74.   }
  75.  }
  76.  .
  77.  .
  78.  .
  79.  < inside vulnerable applications >
  80.  .
  81.  def insideEveryApplicationOnWindows() {
  82.    doAnyCryptoStuff();  // calls vulnerable Lsa Method may be sandbox/restricted - doChain();
  83.  }
  84.  .
  85.  
  86.  Exploits through remote services like RDP, IIS, ActiveDirectoy(LDAP), MSSQL, are pivots to rest of your critical infrastructure. Exploits through event handling yield Privs. Exploits through least privileged sand boxed processes can in turn incur Lsa Method calls in processes with Privs, including guest virtual machines on Windows host running VMWare or VirtualBox. In every way, this was one of those rare vulnerabilities in just the right place, giving a "God Mode" so effective you begin to question your own sanity.
  87.  
  88.  Thus when tracing through a confirmed exploitable call to the vulnerable Lsa Method, and another, and another, it begins to dawn on me just how dangerous this exploit is. It cannot be sold, without falling into wrong hands. It cannot be Full Disclosure'd, without creating pandemonium. It cannot be used without the utmost caution, lest it be stolen by an observer. In fact, talking about it makes me nervous, so let's just call it "The Exploit" and you are sworn to secrecy until we... Well, what the hell do we do with it?
  89.  
  90.  
  91.  
  92.  Sadly, this is as far as we'll get in the background portion of the first part of our tale.
  93.  
  94.  
  95.  
  96.  To sum up each amplifying risk factor for "SChannel Shenanigans":
  97.   a.) Before authentication. Methods called early on in many, many applications and libraries and services. Surface exposed to any attackers, and early.
  98.   b.) Always results in SYSTEM Privs, local or remote. A "God Mode" exploit with 100% success.
  99.   c.) Multiplicity of use and high exposure of flawed code. Huge Surface; everything including Windows 2000 onward is vulnerable.
  100.   d.) Legacy code carried onward, forever. This means modern protections that make exploiting Methods more difficult are not applied here. No EMET for you here, foolish Earth Human!
  101.  
  102.  
  103.  
  104.  And finally, an ultimatum or two. I did not know what to do with this before, but I do know what to do now given Microsoft's response to these defects.
  105.  
  106.  Microsoft has until the end of day Friday the 14th to change MS14-066 Exploit-ability Assessment to "0- Exploitation Detected". If they do not, I will anonymously distribute "The Exploit".
  107.  
  108.  Microsoft has until this time next month December 16th to release a patch for legacy XP customers also affected by this vulnerability. Additional time is granted given the overhead of build and test for a new platform on short notice.
  109.  
  110.  
  111.  
  112.  TL;DR:
  113.   - Pre-auth remote exec and local Priv escalate in SChannel by 1 or more from year 2011 onward.
  114.   - Every organization should run a Secure Drop for hot defect reports.
  115.   - Microsoft owes their customers full disclosure and accurate risk guidance for MS14-066.
  116.   - Microsoft owes XP legacy users a proper fix, too. With same four new cipher suites.
  117.   - Assume all software is vulnerable, defend with depth and know how to recover. Langsec Coreboot Qubes FTW!
  118.  
  119.  
  120.  
  121.  P.S. Some of you may be skeptical; that's fine. I know all about you, my dear #infosec.
  122.   The following code cleaned versions of Win2K sources listed are sha256sum hashed and as follows:
  123. private/security/schannel/lsa/bullet.c
  124. private/security/schannel/lsa/callback.c
  125. private/security/schannel/lsa/credapi.c
  126. private/security/schannel/lsa/ctxtapi.c
  127. private/security/schannel/lsa/ctxtattr.c
  128. private/security/schannel/lsa/debug.c
  129. private/security/schannel/lsa/events.c
  130. private/security/schannel/lsa/init.c
  131. private/security/schannel/lsa/libmain.c
  132. private/security/schannel/lsa/mapper.c
  133. private/security/schannel/lsa/package.c
  134. private/security/schannel/lsa/spreg.c
  135. private/security/schannel/lsa/stubs.c
  136. private/security/schannel/lsa/userctxt.c
  137. private/security/schannel/lsa/usermode.c
  138. private/security/schannel/spbase/asn1enc.c
  139. private/security/schannel/spbase/cache.c
  140. private/security/schannel/spbase/capi.c
  141. private/security/schannel/spbase/cert.c
  142. private/security/schannel/spbase/certmap.c
  143. private/security/schannel/spbase/ciphfort.c
  144. private/security/schannel/spbase/cliprot.c
  145. private/security/schannel/spbase/context.c
  146. private/security/schannel/spbase/cred.c
  147. private/security/schannel/spbase/debug.c
  148. private/security/schannel/spbase/defcreds.c
  149. private/security/schannel/spbase/keyxfort.c
  150. private/security/schannel/spbase/keyxmsdh.c
  151. private/security/schannel/spbase/keyxmspk.c
  152. private/security/schannel/spbase/oidenc.c
  153. private/security/schannel/spbase/pct1cli.c
  154. private/security/schannel/spbase/pct1msg.c
  155. private/security/schannel/spbase/pct1pckl.c
  156. private/security/schannel/spbase/pct1srv.c
  157. private/security/schannel/spbase/protutil.c
  158. private/security/schannel/spbase/rng.c
  159. private/security/schannel/spbase/sigfort.c
  160. private/security/schannel/spbase/sigsys.c
  161. private/security/schannel/spbase/specmap.c
  162. private/security/schannel/spbase/srvprot.c
  163. private/security/schannel/spbase/ssl2cli.c
  164. private/security/schannel/spbase/ssl2msg.c
  165. private/security/schannel/spbase/ssl2pkl.c
  166. private/security/schannel/spbase/ssl2srv.c
  167. private/security/schannel/spbase/ssl3.c
  168. private/security/schannel/spbase/ssl3key.c
  169. private/security/schannel/spbase/ssl3msg.c
  170. private/security/schannel/spbase/tls1key.c
  171. private/security/schannel/utillib/enc.c
  172. private/security/schannel/utillib/keys.c
  173. private/security/schannel/utillib/test.c
  174. private/security/schannel/pkiutil/pkialloc.cpp
  175. private/security/schannel/pkiutil/pkiasn1.cpp
  176.  
  177.  
  178.  Please, for your own sake, don't call my bluff Microsoft!
RAW Paste Data
Top