Hacking The Framework

Nimrod Luria, Head Of Consulting Services, 2Bsecure. Security MVP. .NET Security User Group Leader. Microsoft affiliate consultant. [email protected]

Dec 14, 2015

Transcript
Page 1: Hacking The Framework Nimrod Luria Head Of Consulting Services, 2Bsecure. Security MVP.NET Security User Group Leader. Microsoft affiliate consultant.

Hacking The Framework

Nimrod Luria, Head Of Consulting Services, 2Bsecure. Security MVP. .NET Security User Group Leader. Microsoft affiliate consultant. [email protected]

Page 2:

Attack sophistication vs. Intruder Technical Knowledge

[Chart; only its labels survived extraction.] Axes: Attack Sophistication and Intruder Knowledge, from Low to High; timeline 1980, 1985, 1990, 1995, 2001. Series: Tools, Attackers. Plotted items (as extracted): password guessing, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sniffers, packet spoofing, GUI, automated probes/scans, denial of service, www attacks, “stealth” / advanced scanning techniques, burglaries, network mgmt. diagnostics, distributed attack tools, binary encryption.

Source: CERT/CC (used w/o permission & modified. “Can you say ‘fair use?’ Sure, I knew you could.” IHO Fred Rogers)

Page 3:

Warm Up - Demo

Why you shouldn’t use Custom validator

Page 4:

Why should we be aware of security?

1st Scenario: In my current smart card company, most of the information stored within our SDK is highly confidential. We do not want our SDK to be manipulated by our competitors.

2nd Scenario: You took a year to write a piece of software and in the process consumed a lot of resources and time for its development. Then, after you sell your software, you find that all your hard work of the past 12 months was easily manipulated. Therefore, steps must be taken to ensure this does not happen.

3rd Scenario: One day, my manager came to me and asked me this question.
Question: Are .NET assemblies that secure?
Answer: Nothing is secure, but all we can do is try to make things harder for a hacker.

Page 5:

Reflector

Demo

Page 6:

Don’t trust the Registry

Back in the 1990s, you may have noticed that some shareware programs implemented this kind of verification technique. When you install the software, it creates a key in the Windows registry. Basically, it stores the serial number inside the registry, either as plain text or in an encrypted form. Yes, I have seen people placing plain text in the registry. So when your program runs, it checks the registry to verify the existence of that particular key. If you have a wrong serial number, or that particular key is not there, it prompts you with an error. Right now I will try to simulate this verification technique in C# step by step.
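Added example, not from the deck (the slides do not include the demo code): the registry-backed serial check described above, written in C# with the plaintext compare replaced by a signed value, so that inventing or copying a registry entry is no longer enough to pass the check. SerialCheck, the registry path and the value name are constructed names; the registry read assumes the .NET Framework on Windows.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using Microsoft.Win32;

// SerialCheck and the registry path are constructed for this example.
public static class SerialCheck
{
    const string KeyPath = @"Software\ExampleVendor\SecureApp";

    // The slide's check, minus the plaintext compare: read what the installer wrote
    // under HKCU (null when the key or value is absent) and verify it. Windows only.
    public static bool LicenseIsValid(RSAParameters vendorPublicKey)
    {
        using (RegistryKey key = Registry.CurrentUser.OpenSubKey(KeyPath))
        {
            string stored = key == null ? null : key.GetValue("Serial") as string;
            return SignedSerialIsValid(stored, vendorPublicKey, Environment.UserName);
        }
    }

    // Stored value is "<payload>|<base64 RSA signature over payload>". Only the public
    // key ships, so a valid value needs the vendor's private key, and binding the payload
    // to the user stops copying one good value between accounts. It is still a
    // client-side check (see the ILdasm/ILasm slides): it raises cost, it is not a boundary.
    public static bool SignedSerialIsValid(string storedValue, RSAParameters publicKey, string expectedUser)
    {
        if (string.IsNullOrEmpty(storedValue)) return false;      // key or value missing
        int sep = storedValue.LastIndexOf('|');
        if (sep < 0) return false;                                  // not in the expected shape
        string payload = storedValue.Substring(0, sep);
        byte[] signature;
        try { signature = Convert.FromBase64String(storedValue.Substring(sep + 1)); }
        catch (FormatException) { return false; }                   // garbage where the signature should be
        using (RSA rsa = RSA.Create())
        {
            rsa.ImportParameters(publicKey);
            return payload == "user=" + expectedUser
                && rsa.VerifyData(Encoding.UTF8.GetBytes(payload), signature,
                                  HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        }
    }
}
```

The vendor signs `"user=<name>"` with the matching private key at purchase time and the installer writes `payload|signature` to the value; the program only ever holds the public key.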

Page 7:

Demo

Manipulating The Registry
Listening with RegMon

Page 8:

Internal Representation of Methods by the CLR

Page 9:

Let’s Change the code

How to use ILdasm and ILasm to manipulate the code.

Type ildasm CrackingIL.exe /out=CrackingIL.il
Open CrackingIL.il with any text editor
Just remove all the code from IL_0000 to IL_0075 (clean the FrmSecureApp_Load event)
Type 'ilasm CrackingIL.il'
You are done!

Page 10:

Protect your .NET assemblies from being tampered with

A Strong Name key is RSA 1024 bit encryption, and breaking it is not easy at all. You need huge computing power to get that private key.

Why Strong Name??

Page 11:

Strong Name, is it strong enough?

It did not encrypt my code, nor did it hide my code from decompilers such as .NET Reflector. It isn't even related to obfuscation. So then what is Strong Name for? Some marketing tool to convince the public that the assemblies it protects are secure?

Page 12:

What are people doing in the industry?

Your superior comes to you and asks you to implement a Strong Name key in your assemblies. And then when you reply, “why Strong Name?”, they would say this is what other people are doing in the industry; we should follow them as well.

Page 13:

It seems to be strong

Page 14:

But It’s NOT !

Page 15:

How to break Strong Name .NET Assemblies

Questions:
Question: Is Strong Name key secure?
Answer: Yes, Strong Name key uses RSA 1024 bit encryption.

Question: Is Strong Name key breakable?
Answer: If you have enough computing power, time and knowledge on how to break RSA, the answer is yes.

Question: Can Strong Name key be removed from .NET assemblies?
Answer: Yes, it can be removed very easily if you know how.
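Added example, not from the deck: a C# check that a file on disk still carries a valid strong-name signature and that the signing key is the one you expect, which is the gap these slides point at (a stripped or re-signed assembly is not your assembly, yet "has a strong name" looks fine on its own). StrongNameCheck and the expected token bytes are constructed; the P/Invoke targets mscoree.dll on the .NET Framework.

```csharp
using System;
using System.Reflection;
using System.Runtime.InteropServices;

// StrongNameCheck and the expected token are constructed for this example.
public static class StrongNameCheck
{
    // Exported by mscoree.dll on the .NET Framework (Windows). fForceVerification=true
    // ignores skip-verification entries registered with "sn -Vr".
    [DllImport("mscoree.dll", CharSet = CharSet.Unicode)]
    [return: MarshalAs(UnmanagedType.U1)]
    static extern bool StrongNameSignatureVerificationEx(
        string wszFilePath,
        [MarshalAs(UnmanagedType.U1)] bool fForceVerification,
        [MarshalAs(UnmanagedType.U1)] ref bool pfWasVerified);

    // Both steps must pass. A file whose signature was removed fails step 1;
    // a file re-signed with someone else's key passes step 1 and fails step 2.
    public static bool IsSignedByExpectedKey(string assemblyPath, byte[] expectedPublicKeyToken)
    {
        // Step 1: the hash and RSA signature in the file verify against the file's own key.
        bool wasVerified = false;
        if (!StrongNameSignatureVerificationEx(assemblyPath, true, ref wasVerified) || !wasVerified)
            return false;

        // Step 2: that key is the one we pinned. The 8-byte token is derived from a
        // SHA-1 hash of the public key; "sn -T file.dll" prints it.
        byte[] token = AssemblyName.GetAssemblyName(assemblyPath).GetPublicKeyToken();
        if (token == null || token.Length != expectedPublicKeyToken.Length) return false;
        for (int i = 0; i < token.Length; i++)
            if (token[i] != expectedPublicKeyToken[i]) return false;
        return true;
    }

    static void Main(string[] args)
    {
        // PLACEHOLDER token: replace with the one "sn -T" prints for your signing key.
        byte[] expected = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 };
        string path = args.Length > 0 ? args[0] : "CrackingIL.exe";
        Console.WriteLine(IsSignedByExpectedKey(path, expected) ? "trusted" : "NOT trusted");
    }
}
```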

Page 16:

Demo

Removing the signature.
Tampering with the code.

Page 17:

Hijacking .NET

Type members defined with a private access modifier are not actually private. Even though the method is private, calling clients can still set the state of the object whenever they want using reflection.

Page 18:

Demo

Calling private methods using reflection
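Added example, not the deck's demo code: the previous two slides' point in C#, a private field and a private method reached from outside the class through reflection, together with the CAS permission that actually governs such access on the .NET Framework. LicenseGate and ReflectionDemo are constructed names.

```csharp
using System;
using System.Reflection;
using System.Security;
using System.Security.Permissions;

// LicenseGate and ReflectionDemo are constructed for this example.
public sealed class LicenseGate
{
    private bool _isLicensed;                      // author expects only Unlock() to write this
    public bool IsLicensed { get { return _isLicensed; } }
    private void Unlock() { _isLicensed = true; }  // "private" only stops the compiler
}

public static class ReflectionDemo
{
    // The slide's demo: a client with no access to the source flips private state.
    // Neither call produces a compiler error, and in full trust neither throws.
    public static bool SetPrivateFieldFromOutside()
    {
        var gate = new LicenseGate();
        FieldInfo f = typeof(LicenseGate).GetField("_isLicensed",
                          BindingFlags.Instance | BindingFlags.NonPublic);
        f.SetValue(gate, true);
        return gate.IsLicensed;
    }

    public static bool CallPrivateMethodFromOutside()
    {
        var gate = new LicenseGate();
        MethodInfo m = typeof(LicenseGate).GetMethod("Unlock",
                           BindingFlags.Instance | BindingFlags.NonPublic);
        m.Invoke(gate, null);
        return gate.IsLicensed;
    }

    // What gates non-public reflection on the .NET Framework is CAS, not the access
    // modifier: ReflectionPermission with MemberAccess. Full trust always has it, so the
    // calls above succeed; code loaded into a sandboxed AppDomain without it gets an
    // exception instead. Checking explicitly makes that dependency visible.
    public static bool CallerHasMemberAccess()
    {
        try
        {
            new ReflectionPermission(ReflectionPermissionFlag.MemberAccess).Demand();
            return true;
        }
        catch (SecurityException) { return false; }
    }
}
```

Both `FromOutside` methods return true in a normal (fully trusted) process, which is exactly the behaviour the slide warns about; access modifiers are an encapsulation rule, the trust boundary is the process and its CAS grant.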

Page 19:

The Solution: Modifying Rotor's Source Code

    [DebuggerStepThroughAttribute]
    [Diagnostics.DebuggerHidden]
    public override void SetValue(Object obj, Object val, BindingFlags invokeAttr, Binder binder, CultureInfo culture)
    {
        InternalSetValue(obj, val, invokeAttr, binder, culture, true, binder == Type.DefaultBinder);
    }

to:

    [DebuggerStepThroughAttribute]
    [Diagnostics.DebuggerHidden]
    public override void SetValue(Object obj, Object val, BindingFlags invokeAttr, Binder binder, CultureInfo culture)
    {
        // Add the check: refuse reflective writes to fields declared private.
        if (this.IsPrivate)
        {
            throw new Exception("Access denied!!! Cannot set the value of private fields.");
        }
        InternalSetValue(obj, val, invokeAttr, binder, culture, true, binder == Type.DefaultBinder);
    }

Page 20:

VS 2005 Exploit

Demo

Page 21:

Solutions

To make sure that only trusted assemblies are calling your assembly you can use the StrongNameIdentityPermission class.
You should use sn.exe -o <infile> <outfile> to get the signature.
You can use imperative or declarative checks.

    <StrongNameIdentityPermissionAttribute(SecurityAction.LinkDemand, _
        PublicKey:="002400000480000094000...")> _
    Public Class myClass
        ...
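Added example, not the deck's VB code: the same StrongNameIdentityPermission check in C#, in the declarative form the slide shows and in the imperative form it mentions, plus a helper for the comma-separated output of sn -o. GuardedService and IdentityChecks are constructed names and the PublicKey value is a placeholder, not a real key.

```csharp
using System;
using System.Security;
using System.Security.Permissions;

// Declarative form: the JIT checks the *immediate* caller's strong name when it links
// to any member of this class; an unsigned caller or a different key gets a
// SecurityException at JIT time. The PublicKey value is a PLACEHOLDER: paste the full
// hex of the trusted key (what "sn -Tp" prints) in its place.
[StrongNameIdentityPermission(SecurityAction.LinkDemand,
    PublicKey = "002400000480000094000000060200000024000052534131000400000100010000PLACEHOLDER")]
public class GuardedService
{
    public string Sensitive() { return "reached by a caller carrying the pinned key"; }
}

public static class IdentityChecks
{
    // Imperative form: Demand() walks the whole call stack, so every caller above this
    // frame must carry the key. Failing at run time lets the method log or degrade
    // instead of failing at link time.
    public static bool CallStackHasPinnedKey(byte[] trustedPublicKey)
    {
        var perm = new StrongNameIdentityPermission(
            new StrongNamePublicKeyBlob(trustedPublicKey), null, null); // any name, any version
        try { perm.Demand(); return true; }
        catch (SecurityException) { return false; }
    }

    // "sn -o <infile> <outfile>" writes the public key as comma-separated decimal bytes;
    // this turns that text into the byte[] the blob constructor wants.
    public static byte[] ParseSnOutput(string commaSeparatedBytes)
    {
        string[] parts = commaSeparatedBytes.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
        byte[] key = new byte[parts.Length];
        for (int i = 0; i < parts.Length; i++) key[i] = byte.Parse(parts[i].Trim());
        return key;
    }
}
```

On the .NET Framework 2.0 and later, demands for identity permissions always succeed when the calling code is fully trusted (unless legacy 1.x CAS policy is enabled), so this check only constrains partially trusted callers; it is one layer next to the sandboxing the closing slide recommends, not the control by itself.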

Page 22:

Evidence

Use the wizards

Page 23:

Encrypt Your code

Reactor
CryptKey
Preemptive .NET obfuscation

Page 24:

In God We Trust!

Don’t trust any code.
Use a sandbox to test downloaded code or 3rd party assemblies.
Use CAS.
Follow the least privilege principle.
Review your code.
Test your applications for security.

Page 25:

??

Page 26:

Thank You !

Nimrod Luria
Head Of Consulting Services, 2Bsecure.
Security MVP
.NET Security User Group Leader.