Independent Evaluation of VPN Systems Rob “Shoten” Shein [email protected] and Drew “Ender” Miller [email protected].

Independent Evaluation of VPN Systems

Rob “Shoten” Shein

[email protected]

and Drew “Ender” Miller

[email protected]

Agenda

• Point of this whole concept• Issues, benefits and challenges of VPN

use from the organizational perspective• Challenges and methods of VPN

development from a code/packet perspective

• A look at a “theoretical” (because we’re not allowed to tell you which VPN it is yet) VPN system that is vulnerable

Why do it?

• Once upon a time, firewalls were seen by clients as the magic bullet– Invulnerable– Perfect– All they needed for security

• Now, we know that there are good and bad firewalls, but only because others have shown the flaws in the bad ones

Why do it?

• VPNs are the new “Emperor’s Haberdasher”– Maybe the Emperor really does have some

new clothes– Then again, maybe he’s butt-ass naked

• Someone needs to look and see if we can get a glimpse of the “crown jewels”

• That someone is us

Why Do it?

• After all, who else is going to do it?– …the people who make the VPN?– …the client who doesn’t know what a

Diffie-Hellman exchange is, or how important really random numbers are in crypto?

• People without any vested interest one way or the other make the best watchdogs

Basics of VPNs

• Encrypt all traffic or just specified kinds of traffic

• Between two points or two entire networks

• Hardware or software

• Various levels of encryption, based upon export restrictions

Benefits of VPNs

• Secure and rich communications between multiple offices of a company

• Cheaper network access for remote users

• Full network access for telecommuters without opening the network to the world

Challenges

• Speed• Uptime• Connection recovery• Scalability of traffic and users• Interoperability issues with global

deployments– Crypto export restrictions

• User management, support, and client deployment

Risks of VPNs

• Since VPNs work across public networks, they must be publicly addressable– VPN gateways for entire networks that

connect only to other entire trusted networks can be hidden with firewall rules

– All other VPN gateways must be visible to anyone, even the script kiddie sitting in the third row right over there

Risks of VPNs

• Placement on the network is an issue– Put it in front of the firewall and it can be attacked

more easily– Put it on the DMZ and you have unencrypted traffic

passing across a network that should not be trusted– Put it on the back network and you hazard your

back-end systems– Put it on the firewall, and:

• Your firewall is now publicly addressable• You may suffer major performance hits on all internet traffic

(encrypted or not) due to massive overhead from the VPN

How to Bake a VPN

• Ingredients:– Crypto– Authentication controls– Rules defining what will and won’t be sent

over the connection

Ingredient One: Crypto

• The challenge: how do you give a secret to someone you trust, using a form of communication you can’t trust?

• Public Key algorithms are too slow and processor-intensive for use in VPN connections, so you have to use Symmetric (shared secret) encryption

• But how do you get the shared secret from one end to the other across an untrusted network?

• Diffie-Hellman is the solution

Diffie-Hellman In a Nutshell

• RFC 2631

• There are two parties, Dick and Jane, who need to derive a shared secret without passing anything across the network that can enable a third party to derive or learn that shared secret

• Dick and Jane both create a key pair, one public and one private

Diffie-Hellman In a Nutshell

• Dick sends his public key to Jane and Jane sends her public key to Dick

• Dick encrypts Jane’s public key with his private key, and Jane encrypts Dick’s public key with her private key

• Both encryption actions result in the same thing, ergo Dick and Jane now both have a shared secret

Diffie-Hellman In a Nutshell

• This algorithm requires random numbers for key pair generation so that nobody can guess at either key pair

• This is the potential weakness of a Diffie-Hellman implementation

• (Remember this point, it will come up later)

Diffie-Hellman: The Math

• Shared Secret

=(J_KeyPublic ^ D_KeyPrivate) mod p

=(D_KeyPublic ^ J_KeyPrivate) mod p• Public Key = g ^ KeyPrivate mod p, where

– g = h ^ {(p – 1)/q} mod p, where– 1 < h < (p – 1) such that h{(p – 1)/q} mod p > 1– g ^ q mod p = 1 unless g=1– p is a large prime number– h is a random integer and source of entropy

Ingredient One: Crypto (Does Your VPN Protect Dick?)

• Ok, so now you have the ability to do Symmetric cryptography, so now what?– What algorithm do you want to use?

• The current choice is usually Triple-DES, with an effective key size of 56*3=168 bits

• Some systems (like ISS RealSecure IDS systems and the Palm VII) use Elliptical Curve crypto

• Strong crypto requires key escrow, or cannot be exported at all

Ingredient One: Crypto (Does Your VPN Protect Dick?)

• We will be assuming use of Triple-DES for the purposes of this presentation

• We will also assume that Triple-DES is properly implemented

Ingredient Two: Authentication (Does Your VPN Know Dick?)

• How do you know that the person trying to connect should be granted access?

• Do you check who they are before or after you establish encryption with them?

• If before, how do you protect against sniffing attacks?

• If after, how the hell do you open a session in the first place without letting anyone in?

Ingredient Two: Authentication (Does Your VPN Know Dick?)

• Solutions:– Variants of CHAP– Kerberos– Signing using PKI

• Keep a copy of a public key for each user at the gateway, and the client maintains the corresponding private key

• A challenge is sent to the client at logon time, which the client signs with the user’s private key. The gateway can then verify that the client is in possession of the correct private key, and therefore must be a valid user.

Ingredient Three: Rulebase (Does Your VPN Allow Dick?)

• What does and doesn’t get encrypted?• If this is wrong:

– Privileged traffic will potentially be sent in the clear– The VPN will interfere with non-privileged

communications by attempting to establish VPN sessions to sites/hosts that do not have the capability to participate in a session

• The rulebase often defines what strength of encryption to use; this is for interoperability with foreign implementations

What Was the Point of All That?

• Now, we know where to hit the VPN

• Ingredient One:– Attack key exchange for session

establishment– Look for weak entropy (seeding from the

system clock, anyone?)

What Was the Point of All That?

• Ingredient Two:– Get a VPN client and attempt

authentication– See if you can get any kind of session at all

What Was the Point of All That?

• Ingredient Three– See if the rulebase can be subverted, to

force encryption to a weaker level

• Remember, VPNs are publicly addressable…try overflows

Case Study: A VPN That Doesn’t Protect Dick

• Imagine (heh) a theoretical (heh heh) software-based VPN

• We will walk through a validation and verification of this VPN system that did not require having access to source code or information more detailed than that available on the install CD

Case Study: A VPN That Doesn’t Protect Dick

• Ok, it’s not theoretical at all…but we can’t tell you which one it is yet, because it has been implemented somewhat widely and there are still a lot of unpatched systems

• We cannot disclose who makes it, what it’s called, nor who is using it

• Don’t ask, please• No, we are NOT feds, so don’t try to spot us

First Step: RTFM

• We examined all publicly available documentation, including PDF files located on the install disk. The goal was to find hints as to what might not be so secure

• We hit something straight off: the reason this product is exportable with strong crypto

First Problem

• The product has a mechanism for re-creation of session keys after the fact. This is to enable decryption of captured sessions by law enforcement and other governmental <cough> authorities

• The product has an exemption because of this, rendering it exportable with Triple-DES but no key escrow

First Problem

• All session keys are based upon one shared secret between client and gateway; compromise this, and you can generate session keys at will

• The real problem is that from a business standpoint, it actually makes sense to do this– Otherwise, the product would be harder to

sell, thanks to export controls

Second Step: Installation

• We set up a small lab, with a single gateway and a set of clients

• We then proceeded to perform network connections and sniff the traffic, looking for data formats that can be identified and decoded

• Possible attacks against data:– Tests for sufficient entropy in encrypted data– Identification of vulnerable data before the session is

fully established– Identification of standard data format so that buffer

overflow attacks can be tried

Anatomy of the Session

• Entirely TCP-based; no UDP or ICMP• Based on HTTP• Data between gateway and client is

sent as specialized GET methods, with “Pragma: no-cache” to prevent caching by cache proxies

• A great deal of care was taken to ensure that this will work in proxy-based networks

Session Establishment Sequence

• Time request from client to gateway (for synchronization purposes)

• Time response from gateway to client

• Then, “Packet X” from client to gateway

Packet Capture: Packet X

• This is the critical packet. It contains a set of information that is used to generate the session key.

• Passes from client to gateway in TCP

• This packet contains the user name, the client software version, plus two fields of additional data that originally were a mystery

Packet X Dissection

• Packet X Dump

• Packet X Decode Only

• Packet X, With Fields Separated

Packet X Anatomy

• Expected HTTP GET action, plus two fields• All fields are delimited• Two fields are not binary• The namespace of the two fields is all upper

and lowercase letters, plus numbers, plus the “+” and “/” symbols

• The fields stay pretty constant in size, padded with the “=“ character

• Can anyone guess what this is?– Hint: there are 64 characters in the namespace

Packet X Anatomy

• The two fields are Base-64 encoded

• One is part of a public key

• The other is the random number used to generate the session key

Problem Two

• That’s right…the source of entropy passes across the wire in the clear from the client to the gateway

• That’s also right…the client (probably a Win98 box) is the source of the random number

• Not a very good source of entropy, not that you need to worry when you can sniff the number outright

Next Step: Attack Packet X

• Now we know how this system works to some degree at the packet level

• Let’s try buffer overflows and invalid data in various data fields

Problem Three

• Guess what?

• No, really…guess!

• Wow, good guess!

Problem Three: The Gory Details

• Packet X passes from client to gateway• Packet X contains the name of the user• Therefore, Packet X must come from an

untrusted source• A properly malformed Packet X can be used

to root the gateway• A differently malformed Packet X can also be

used to DoS the gateway with a single packet

First, the DoS Packet

• This packet contains a large number of 0xFF bytes, all of which are out of scope for anything that should belong in the data section of Packet X

• Remember, Packet X is an HTTP action, and consequently cannot contain binary data without violating the HTTP standard

• But, if you fed it this packet, it would be just fine…until you disconnected

• Then, BOOM! 100% processor utilization until you reboot

ALL YOUR BASE

Then, the Buffer Overflow Packet

• We’re going to show you this one• Here it is• You see, it’s not expecting a user name larger

than 31 bytes• This kills the VPN service itself, in one packet• It also overflows the VPN service• No, we are not going to give you the offsets,

exploit code, or nuclear weapons

ARE BELONG TO US

Deep Gratitude

Questions?