Handling vulnerability reports - Networkshop44

Post on 19-Jan-2017


TRANSCRIPT

Handling vulnerability reports

Graham Rymer, University of Cambridge Computer Laboratory
Jon Warbrick, University of Cambridge Information Services

23/03/2016


Introduction

We’d like to tell you our story…

Some background

»Raven: University’s central web authentication system

»Launched September 2004

»Supports two ‘web redirect’ protocols:
› Locally-developed ‘Ucam WebAuth’
› SAML (via the Shibboleth Consortium’s software)

More background

»Information Services provides and supports
› an Apache module for Ucam WebAuth
› a Java support library

»Also
› Protocol documentation
› Some other examples (including one in PHP)
› A catalogue of 3rd party implementations


Looking for bugs...

»Reference platform

»Dynamic analysis (i.e. debugging). Wireshark very helpful

»Static analysis (i.e. reading source code). Some bugs are invisible to tools. The human brain is still useful!


Attack vectors...

»Expectations:
› Weak session management (i.e. session cookies)
› Implementation errors
› Problems inherent in the protocol itself


We found...

»Reality:
› Robust session management!
› Implementation errors
› Problems inherent in the protocol itself


Worst problem...

»WLS response messages vulnerable:
› RSA signatures could be forged in special circumstances
› The “key rollover” functionality (the key ID carried in the response selects which public key verifies the signature) could be exploited so that an attacker-chosen, arbitrary public key was used to verify the RSA signature


A platform-dependent bug...


msg = apr_psprintf(r->pool,"WLS response contains invalid key ID (contains '/') %s", kid);

The check rejects only the forward-slash directory separator. On Windows the backslash is also a path separator, so the check gives no protection there.

Graham spoils my Sunday afternoon
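The slide above describes a deny-list check on the key ID that only looks for '/'. The following is an added example, not code from the Raven module or its authors: it puts a check modelled on that pattern next to an allow-list check (digits only, bounded length) and only builds the key-file path once the ID passes. The digits-only policy, the 8-character bound and the "pubkey<kid>" file naming are assumptions made for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Upper bound on a key ID's length. Assumption for this example: a
   short, bounded digit string is all a deployment ever needs. */
#define KID_MAX_LEN 8

/* A check in the style the slide describes: reject the key ID only if it
   contains '/'. Modelled on the slide's error message, not copied from the
   module. "..\\..\\evil" passes unchanged, which is the Windows problem. */
int kid_weak_check(const char *kid)
{
    return kid != NULL && strchr(kid, '/') == NULL;
}

/* Hardened check: an allow-list instead of a deny-list. The key ID must be
   non-empty, bounded in length and made only of ASCII digits, so no path
   separator on any platform, no "..", no drive letter and no other
   filename trick can survive. Digits-only is an assumed policy; the point
   is the allow-list. */
int kid_is_safe(const char *kid)
{
    size_t i, n;

    if (kid == NULL)
        return 0;
    n = strlen(kid);
    if (n == 0 || n > KID_MAX_LEN)
        return 0;
    for (i = 0; i < n; i++) {
        /* cast avoids undefined behaviour for negative char values */
        if (!isdigit((unsigned char)kid[i]))
            return 0;
    }
    return 1;
}

/* Build "<keydir>/pubkey<kid>" only after the key ID passes the
   allow-list. The "pubkey<kid>" naming is an assumption for the example.
   Returns 1 and fills out on success, 0 on rejection or if the path
   would not fit in the buffer. */
int build_key_path(char *out, size_t outsz, const char *keydir, const char *kid)
{
    int len;

    if (out == NULL || outsz == 0 || keydir == NULL || !kid_is_safe(kid))
        return 0;
    len = snprintf(out, outsz, "%s/pubkey%s", keydir, kid);
    if (len < 0 || (size_t)len >= outsz) {
        out[0] = '\0';
        return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed inputs: one legitimate key ID and traversal attempts
       written with both separator styles. */
    const char *samples[] = { "2", "../2", "..\\..\\evil", "C:\\evil", "" };
    char path[256];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("kid %-14s weak:%d safe:%d", samples[i],
               kid_weak_check(samples[i]), kid_is_safe(samples[i]));
        if (build_key_path(path, sizeof path, "/etc/raven", samples[i]))
            printf("  -> %s", path);
        putchar('\n');
    }
    return 0;
}
```

Running it shows the weak check accepting the backslash and drive-letter inputs that the allow-list rejects; the same allow-list is what the protocol clarification in the next slide would need to pin down, so that every agent, whatever its platform, applies the same rule.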


Monday morning plan

»Check other supported agents
»Clarify the protocol
»Fix Apache and PHP agents
»Rebuild packages
»Announce
»Liaise inside Information Services
› CERT
› high-profile users


Announcement Thursday


Meanwhile, what about 3rd party modules?


Following up with SHODAN...

mod_ucam_webauth -2.0.2 win32 org:"University of Cambridge" after:12/03/2015


Summary...

»Do you use web authentication to protect highly prized information assets?

»Does your institution maintain its own proprietary technology for doing this?

»Are you checking the code base?
»Maybe someone else already is?!


jisc.ac.uk


Jon Warbrick, Graham Rymer
University of Cambridge
