NSC #2 - D1 02 - Georgi Geshev - Your Q is my Q

Published in: Technology

  1. Labs.mwrinfosecurity.com | © MWR Labs. Your Q is my Q: Message Queue Security. NoSuchCon 2014, Paris, France. G. Geshev
  2. Introduction: Georgi Geshev
     • Security Researcher at MWR Labs
     • Research Interests
       – Vulnerability Development
       – IPv6 Network Reconnaissance
       – Message Queues
  3. Agenda
     • MQ Concepts
     • Attack Surface
     • Case Studies
     • Attack Scenarios
     • Common Issues
     • MQ Hardening
  4. Disclaimer
     • This is not a talk on new classes of bugs, i.e. none of the vulnerabilities are MQ specific.
     • This is a talk on problems found to be common across some popular MQ implementations.
  5. MQ Concepts
     • Message-oriented Middleware (MOM)
     • Asynchronous Message Exchange
     • Decoupling
       – Space, Time and Synchronization Decoupling
     • Publish & Subscribe
       – Publishers Create Messages
       – Subscribers Consume Messages
       – Topic, Content and Type Based Subscriptions
  6–9. MQ Concepts (diagrams of Producer, Consumer and Broker)
  10–14. MQ Protocols (built up over five slides)
     • MQ Transport Protocols
       – TCP, UDP, HTTP
     • MQ Application Protocols
       – Binary Protocols: AMQP (Advanced Message Queuing Protocol), MQTT (MQ Telemetry Transport), OpenWire
       – ASCII Protocols: STOMP (Streaming Text Oriented Messaging Protocol), XMPP
  15. MQ Security
     • Transport over SSL/TLS
     • Authentication and Authorisation Mechanisms
       – Certificates, Kerberos, LDAP, etc.
     • Persistent Storage
       – SQL Databases
       – File Based Databases
     • Redundant Brokers
       – Clustering
       – Broker Networks
  16. Misconfigurations
     • Default Administrative Credentials
     • Management Interfaces Exposed
       – Java Management Extension (JMX)
       – Java Remote Method Invocation (RMI)
       – Java Debug Wire Protocol (JDWP)
     • Default Queues
     • Anonymous Access
       – Publish
       – Subscribe
  17. Demo
     • ActiveMQ 5.6.0
     • Debian 7.5.0
     • Ubuntu 14.04.1
     • Default Configuration
     • Java Management Extension (JMX)
       – Custom script to identify RMI service endpoint via JMX.
       – RMI Registry endpoint is only locally exposed.*
       – Port forwarding to access the RMI service.
       – Deploying and executing a JAR payload.
  18. Case Studies
     • Sending Serialised Objects
     • Sending System Commands
     • Rendering Untrusted Messages in Administrative or Monitoring Consoles
       – Cross-Site Scripting
     • Inserting Unsanitised Messages in Databases
       – SQL Injection
  19–26. Attack Scenarios (built up over eight slides)
     • Attacker’s Perspective
       – Anonymous
       – Client
       – Broker
     • Attacks
       – Man-in-the-Middle
       – Authentication Bypasses
       – Implementation Specific
       – DoS
     • Diagram labels, one added per slide: Anonymous vs. Client; Client vs. Client; Client vs. Broker; Broker vs. Client; Broker vs. Broker
  27–30. Bug Hunting (built up over four slides)
     • Source Code Audit
       – Pattern Based
     • Fuzzing
       – Stateless: Radamsa
       – Stateful: MITM Fuzzing
     • Patching
       – Outdated Libraries, e.g. Vulnerable XStream in ActiveMQ < 5.10.0
     • Traffic Generation
       – Unit Tests
       – Performance Harness Tools
       – Code Samples
  31. AMQP State Machine (diagram)
  32–37. LDAP Wildcard Interpretation (sequence diagram with Attacker, Broker (B) and LDAP Server acting as Authenticator (A), built up over six slides)
     • Credentials held by the LDAP server: tommy / foobar, ronly / ronly, client / secret
     • Attacker to Broker, message content: Username: * Password: foobar
     • B: Does ‘*’ user exist?
     • A: Yes, user ‘tommy’ exists.
     • B: Authenticate with ‘tommy:foobar’?
     • A: Authenticated.
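The sequence in slides 32 to 37 comes from putting the raw username into an LDAP search filter, where `*` is a wildcard, so the search returns an existing user and the broker binds as that user. The Python below is an added illustration, not code from the talk or from any broker: `DIRECTORY`, `ldap_search` and `broker_login` are a constructed stand-in for the LDAP server and the broker's login module, and `escape_filter_value` is the RFC 4515 escaping a hardened login module applies before searching.

```python
import re

# Constructed directory standing in for the LDAP server in the slides:
# uid -> password. Nothing here talks to a real directory.
DIRECTORY = {"tommy": "foobar", "ronly": "ronly", "client": "secret"}


def escape_filter_value(value):
    """RFC 4515 escaping: the characters that carry meaning inside an LDAP
    search filter become \\XX hex escapes, so '*' is no longer a wildcard."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def _filter_value_to_regex(value):
    """How the directory reads the value in (uid=<value>): a bare '*' matches
    any substring, '\\XX' is one literal character, anything else is literal."""
    parts, i = [], 0
    while i < len(value):
        if value[i] == "*":
            parts.append(".*")
            i += 1
        elif value[i] == "\\" and i + 2 < len(value):
            parts.append(re.escape(chr(int(value[i + 1:i + 3], 16))))
            i += 3
        else:
            parts.append(re.escape(value[i]))
            i += 1
    return "".join(parts)


def ldap_search(filter_value):
    """uids matching (uid=<filter_value>), in directory order."""
    rx = re.compile(_filter_value_to_regex(filter_value))
    return [uid for uid in DIRECTORY if rx.fullmatch(uid)]


def broker_login(username, password, hardened):
    """Broker-side login: look the user up, then bind with the supplied
    password. Returns the uid the session is granted, or None.
    hardened=False mirrors the slides: the raw username goes into the filter
    and the first search hit is bound. hardened=True escapes the username
    and refuses anything other than exactly one hit."""
    value = escape_filter_value(username) if hardened else username
    hits = ldap_search(value)
    if not hits or (hardened and len(hits) != 1):
        return None
    uid = hits[0]
    return uid if DIRECTORY[uid] == password else None
```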
  38–43. XML External Entities Processing (sequence diagram with Attacker and Broker, built up over six slides)
     1. Adversary enqueues an XML message which contains XML external entities. (Diagram label: Malicious XML Message)
     2. Then requests dequeuing of an XML message which matches criteria expressed with an XPath/XQuery-based selector. (Diagram label: XPath / XQuery Selector)
     3. The broker will evaluate the XPath expression and attempt to match it against the messages in the queue. This will cause the broker to resolve any external entity references.
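To keep step 3 from resolving anything, the broker can refuse any message whose DTD declares an external entity before the selector ever touches it. This Python example is added here and is not from the talk or from any broker: the message bodies, the order format and the selector syntax (ElementTree's XPath subset standing in for the broker's XPath/XQuery selectors) are constructed assumptions, and the entity's system id is a placeholder that is never fetched.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat

# Constructed queue contents. The third message declares an external entity;
# its system id is a placeholder and nothing in this code loads it.
ORDER_EU = b'<order id="1"><line sku="X1" qty="2"/></order>'
ORDER_US = b'<order id="2"><line sku="Y9" qty="1"/></order>'
ORDER_XXE = (b'<?xml version="1.0"?>\n'
             b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder/outside-broker">]>\n'
             b'<order id="3"><line sku="X1" qty="1"/><note>&ext;</note></order>')


def external_entities(xml_bytes):
    """(name, systemId, publicId) for every external entity the message's DTD
    declares. Uses expat with resolution switched off, so nothing is fetched."""
    found = []
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_entity_decl(name, is_pe, value, base, system_id, public_id, notation):
        if system_id is not None or public_id is not None:
            found.append((name, system_id, public_id))

    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = lambda *_: 1  # acknowledge, never load
    parser.Parse(xml_bytes, True)
    return found


def select_messages(queue, selector):
    """Evaluate an ElementTree-style XPath selector over the queue the way a
    broker would, but only on messages that declare no external entity.
    Returns (ids of matching orders, number of rejected messages)."""
    matched, rejected = [], 0
    for raw in queue:
        if external_entities(raw):
            rejected += 1  # a real broker would log and quarantine it
            continue
        root = ET.fromstring(raw)
        if root.find(selector) is not None:
            matched.append(root.get("id"))
    return matched, rejected
```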
  44. Demo (1)
     • Anonymous vs. Client / Broker
     • Authentication Bypass*
  45. Demo (2)
     • Client vs. Broker
     • XML External Entity Processing
  46. Common Vulnerabilities
     • XML External Entities Processing
       – Brokers: 6 (Java, Python and C++)
       – Clients: 2*
     • LDAP Wildcard Interpretation Bug
       – Brokers: 3 (Java)
     • Unserialisation of Untrusted Data
       – Brokers: 2* (Java and Python)
  47–56. Hardening MQ Applications (built up over ten slides)
     • Limit the number of transport and application protocols.
     • One application protocol over one (SSL) transport.
     • Remove default accounts.
     • Disable JMX/RMI/JDWP/etc.*
     • Separate administration VLAN.
     • Disable anonymous client access.
     • Whitelist explicit P&S client IP addresses.
     • Perform validation on received messages. Do not assume trusted sources.
     • Enable integrity checking. Ideally, authenticated encryption.
     • Whitelist objects if unserialising from messages.
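The last hardening point, whitelisting objects when unserialising from messages, looks like this for a Python consumer. The example is added here and is not the talk's or any broker's code: `ALLOWED_GLOBALS` and the two sample messages are constructed, and the refused message references an ordinary class, so the demonstration needs no malicious payload.

```python
import collections
import datetime
import io
import pickle

# Constructed allow-list: the only (module, class) pairs a message may make the
# unpickler resolve. Plain dict/list/str/int values never consult this list.
ALLOWED_GLOBALS = {("datetime", "date")}


class WhitelistUnpickler(pickle.Unpickler):
    """Unpickler that refuses any class reference outside ALLOWED_GLOBALS,
    i.e. the object whitelist the hardening slide calls for."""

    def find_class(self, module, name):
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError("refused %s.%s" % (module, name))
        return super().find_class(module, name)


def load_message(data):
    """Deserialise a message body; raises UnpicklingError on a refused class."""
    return WhitelistUnpickler(io.BytesIO(data)).load()


def try_load(data):
    """(True, object) when the message is accepted, (False, reason) when not."""
    try:
        return True, load_message(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


# Constructed sample messages: an order using only whitelisted types, and one
# whose body references a class the consumer never agreed to instantiate.
GOOD_MESSAGE = pickle.dumps({"order": 42, "when": datetime.date(2014, 11, 19)})
REFUSED_MESSAGE = pickle.dumps(collections.OrderedDict(order=42))
```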
  57. Acknowledgments
     • MWR Labs
     • Red Hat and Apache’s Security Teams
     • NoSuchCon Organisers
  58. References
     • XML Out-of-Band Data Retrieval (BlackHat Europe 2013), Timur Yunusov (@a66at) and Alexey Osipov (@Gi_sUngiven)
     • XML External Entities Out-of-Band Exploitation, Ivan Novikov (@d0znpp)
     • Exploiting JMX RMI, Braden Thomas
  59. Questions / Feedback
     • @munmap
     • georgi.geshev @ mwrinfosecurity . com
