Page 1
Tel +41 55 214 41 60 Fax +41 55 214 41 61 [email protected] www.csnc.ch
Compass Security Schweiz AG Werkstrasse 20 Postfach 2038 CH-8645 Jona
With Great Power Comes Great Pwnage
Area41 Security Conference Zürich, June 10th 2016
[email protected] [email protected]
© Compass Security Schweiz AG Slide 2 www.compass-security.com
Hello
Agenda
Introduction to SAML
Use-Cases
Protocol Details
SAML Attacks
Demo
Remediation
Introduction: SAML
Security Assertion Markup Language
Introduction: Components
Identity Provider (IdP)
• Checks the identity of subjects
• Issues SAML assertions
• Provides the result to SPs
Client / User
• Entity that wants to assert a particular identity
Service Provider (SP)
• Provides services to subjects
• Trusts the identification from the IdP based on the assertions it receives
USE-CASES
Use-Case: IG B2B BrokerGate
• 941 Brokers, 4295 Users (e.g. Mirilex GmbH, Mentor Assekuranz AG, Sfaeras SA, Tectron AG Finanzberatung)
• 21 Insurers (13 online): broker portals as Service Providers
Use-Case: IG B2B BrokerGate
• 941 Brokers, 4295 Users (e.g. Mirilex GmbH, Mentor Assekuranz AG, Sfaeras SA, Tectron AG Finanzberatung)
• SAML 2.0 IdP between the brokers and the insurers
• 21 Insurers (13 online): broker portals as Service Providers
Use-Case: IG B2B BrokerGate
[Chart: Logins per Month and User Accounts, Jan 2013 to Nov 2015, y-axis 0 to 45000]
Use-Case: SWITCHaai
• University
• Webmail, eLearning, Student Admin
• Hospital
• Library, eJournals, Research DB
• Where are you from? (IdP discovery)
Use-Case: SWITCHaai
On Average: 52 SAML authentication requests per minute
SAML 2.0 FUNDAMENTALS
SAML: The Overall Picture
• Assertions: with an assertion an IdP confirms to an SP the identity of a subject, including the authentication method used
• Protocols: SAML defines a number of protocol messages, e.g. authentication request, artifact resolution or single logout
• Bindings: specify how the various messages can be carried over underlying transport protocols, e.g. HTTP redirect or POST
• Profiles: define how SAML assertions, protocols, and bindings are combined and constrained to provide greater interoperability in particular usage scenarios, e.g. Web Browser SSO Profile
Web Browser SSO Profile
SP-Initiated SSO with Redirect and POST Bindings
Web Browser SSO Profile (Artifact)
SP-Initiated SSO with POST/Artifact Bindings
SAML Assertion
Assertion (Version, AssertionID, IssueInstant)
  Issuer: IdP EntityId
  Subject
    NameID: UserId
  Conditions (NotBefore, NotAfter)
    AudienceRestriction: SP EntityID
  AuthnStatement (AuthInstant)
    AuthnContext
      AuthnContextClassRef
  Attribute, Attribute, Attribute
  Digital Signature
    X.509 Signing Certificate
    Digest, Signature Algorithm, Transforms, Sig Value
XML Signature
[Diagram: Assertion → c14n → sha1 → Digest; rsa with the signing key produces the signature value, rsa with the certificate's public key recovers the digest on the verifier side for comparison (+)]
SAML ATTACKS
SAML Attacks
Technologies involved: SAML, XML Signatures, X.509 Certificates
SAML Attacks - SAML
• Log out other users due to guessable IDs
• Replay an eavesdropped SAML message
• Google for messages, Stack Overflow
SAML Attacks - XML
• Signature Exclusion (simply delete the Signature)
• XML Signature Wrapping (XSW), paper «On Breaking SAML: Be Whoever You Want to Be», 2012
SAML Attacks - XML
Normal Message
SAML Attacks - XML
Manipulated Message (XSW)
SAML Attacks - Certificate Tampering
Precondition: the certificate is embedded in the message
• «Clone» a certificate, generate new key material
• Use a certificate signed by another official CA
• Use a revoked certificate
Demo Exploit
• Found in June 2015 by Compass Security
• Vulnerable implementation using SAML POST-Binding
• Not matching all attributes of the X.509 certificate embedded in the assertion against the certificate from the identity provider (IdP)
Demo Exploit
SAMLRaider
SAMLRaider Extension for Burp
https://github.com/SAMLRaider/SAMLRaider
Demo Exploit
REMEDIATIONS
SAML Attacks - Mitigation
Configuration:
• Use artifact binding (no content on the client)
• If POST-binding is necessary: use encrypted messages
Implementation:
• Only process the signed XML tree (delete other content)
• Use key material configured on the SP or IdP, not keys embedded in the message
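The two implementation remediations above (process only the signed XML tree; trust only key material configured on the SP) as structural checks in code, added here as an example that is not part of the original slides or of SAMLRaider. It also covers the certificate-tampering and XML Signature Wrapping slides: the pinned IdP certificate is compared as a fingerprint over its full DER bytes rather than attribute by attribute, and the assertion handed on for verification is the one the signature's Reference points at. The certificate bytes, IDs and wrapped response are constructed sample data; the RSA/SHA verification of SignedInfo is assumed to be done by an XML-DSig library on the returned element.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def fingerprint(cert_b64):
    """SHA-256 over the DER bytes: covers every field, not just subject or issuer."""
    return hashlib.sha256(base64.b64decode("".join(cert_b64.split()))).hexdigest()

def signed_assertion(response_xml, pinned_fp):
    """Return (assertion, None) when the structural checks pass, else (None, reason).
    Assumes an enveloped signature on the Assertion; the RSA/SHA verification of
    SignedInfo is left to an XML-DSig library and must run on the returned element."""
    root = ET.fromstring(response_xml)
    sigs = root.findall(".//ds:Signature", NS)
    if len(sigs) != 1:
        return None, "expected exactly one signature (signature exclusion?)"
    sig = sigs[0]
    # Check 1: trust only the pinned IdP certificate, compared byte for byte.
    cert = sig.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", default="", namespaces=NS)
    if not cert or fingerprint(cert) != pinned_fp:
        return None, "embedded certificate is not the pinned IdP certificate"
    # Check 2: act only on the element the signature's Reference actually covers.
    refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1 or not refs[0].get("URI", "").startswith("#"):
        return None, "expected exactly one same-document Reference"
    signed_id = refs[0].get("URI")[1:]
    hits = [a for a in root.iter("{%s}Assertion" % NS["saml"]) if a.get("ID") == signed_id]
    if len(hits) != 1:
        return None, "signed ID does not select exactly one Assertion"
    if sig not in list(hits[0]):
        return None, "signature is not enveloped in the referenced Assertion"
    return hits[0], None

# Constructed sample data: a fake DER blob stands in for the IdP certificate, and the
# response has an unsigned assertion for "admin" wrapped in front of the signed one for "alice".
IDP_CERT_B64 = base64.b64encode(b"constructed IdP certificate DER bytes").decode()
PINNED_FP = fingerprint(IDP_CERT_B64)
WRAPPED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Assertion ID="_evil"><saml:Subject><saml:NameID>admin</saml:NameID></saml:Subject></saml:Assertion>
  <saml:Assertion ID="_orig"><saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_orig"/></ds:SignedInfo>
      <ds:SignatureValue>c2ln</ds:SignatureValue>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>""" % IDP_CERT_B64
```

`signed_assertion(WRAPPED, PINNED_FP)` returns the assertion for "alice", never the wrapped one for "admin"; swapping the embedded certificate for a cloned one with different DER bytes or duplicating the signed ID makes it return a reason instead.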
Questions?
Credits and Links:
• Emanuel Duss, Bachelor Thesis and SAMLRaider
• Bachelor Thesis: https://eprints.hsr.ch/464/
• SAMLRaider on GitHub: https://github.com/SAMLRaider/SAMLRaider