Thursday, August 13. 2015
More TLS Man-in-the-Middle failures - Adguard, Privdog again and ProtocolFilters.dll
In February the discovery of a software called Superfish caused widespread attention. Superfish caused a severe security vulnerability by intercepting HTTPS connections with a Man-in-the-Middle-certificate. The certificate and the corresponding private key was shared amongst all installations.The use of Man-in-the-Middle-proxies for traffic interception is a widespread method, an application installs a root certificate into the browser and later intercepts connections by creating signed certificates for webpages on the fly. It quickly became clear that Superfish was only the tip of the iceberg. The underlying software module Komodia was used in a whole range of applications all suffering from the same bug. Later another software named Privdog was found that also intercepted HTTPS traffic and I published a blog post explaining that it was broken in a different way: It completely failed to do any certificate verification on its connections.
In a later blogpost I analyzed several Antivirus applications that also intercept HTTPS traffic. They were not as broken as Superfish or Privdog, but all of them decreased the security of the TLS encryption in one way or another. The most severe issue was that Kaspersky was at that point still vulnerable to the FREAK bug, more than a month after it was discovered. In a comment to that blogpost I was asked about a software called Adguard. I have to apologize that it took me so long to write this up.
Different certificate, same key
The first thing I did was to install Adguard two times in different VMs and look at the root certificate that got installed into the browser. The fingerprint of the certificates was different. However a closer look revealed something interesting: The RSA modulus was the same. It turned out that Adguard created a new root certificate with a changing serial number for every installation, but it didn't generate a new key. Therefore it is vulnerable to the same attacks as Superfish.
I reported this issue to Adguard. Adguard has fixed this issue, however they still intercept HTTPS traffic.
I learned that Adguard did not always use the same key, instead it chose one out of ten different keys based on the CPU. All ten keys could easily be extracted from a file called ProtocolFilters.dll that was shipped with Adguard. Older versions of Adguard only used one key shared amongst all installations. There also was a very outdated copy of the nss library. It suffers from various vulnerabilities, however it seems they are not exploitable. The library is not used for TLS connections, its only job is to install certificates into the Firefox root store.
Meet Privdog again
The outdated nss version gave me a hint, because I had seen this before: In Privdog. I had spend some time trying to find out if Privdog would be vulnerable to known nss issues (which had the positive side effect that Filippo created proof of concept code for the BERserk vulnerability). What I didn't notice back then was the shared key issue. Privdog also used the same key amongst different installations. So it turns out Privdog was completely broken in two different ways: By sharing the private key amongst installations and by not verifying certificates.
The latest version of Privdog no longer intercepts HTTPS traffic, it works as a browser plugin now. I don't know whether this vulnerability was still present after the initial fix caused by my original blog post.
Now what is this ProtocolFilters.dll? It is a commercial software module that is supposed to be used along with a product called Netfilter SDK. I wondered where else this would be found and if we would have another widely used software module like Komodia.
ProtocolFilters.dll is mentioned a lot in the web, mostly in the context of Potentially Unwanted Applications, also called Crapware. That means software that is either preinstalled or that gets bundled with installers from other software and is often installed without users consent or by tricking the user into clicking some "ok" button without knowing that he or she agrees to install another software. Unfortunately I was unable to get my hands on any other software using it.
Lots of "Potentially Unwanted Applications" use ProtocolFilters.dll
Software names that I found that supposedly include ProtocolFilters.dll: Coupoon, CashReminder, SavingsDownloader, Scorpion Saver, SavingsbullFilter, BRApp, NCupons, Nurjax, Couponarific, delshark, rrsavings, triosir, screentk. If anyone has any of them or any other piece of software bundling ProtocolFilters.dll I'd be interested in receiving a copy.
I'm publishing all Adguard keys and the Privdog key together with example certificates here. I also created a trivial script that can be used to extract keys from ProtocolFilters.dll (or other binary files that include TLS private keys in their binary form). It looks for anything that could be a private key by its initial bytes and then calls OpenSSL to try to decode it. If OpenSSL succeeds it will dump the key.
Finally an announcement for visitors of the Chaos Communication Camp: I will give a talk about TLS interception issues and the whole story of Superfish, Privdog and friends on Sunday.
Update: Due to the storm the talk was delayed. It will happen on Monday at 12:30 in Track South.
Comments
Display comments as
(Linear | Threaded)
Hello Hanno!
First, thank you for the research and for reporting it to us back then!
I have some clarifications on that issue.
1. We do not simply use nfsdk, but a fork of it.
2. Also we report all security-related changes made by us back to nfsdk author and it usually works. At least this horrible shared key issue is fixed now.
First, thank you for the research and for reporting it to us back then!
I have some clarifications on that issue.
1. We do not simply use nfsdk, but a fork of it.
2. Also we report all security-related changes made by us back to nfsdk author and it usually works. At least this horrible shared key issue is fixed now.
Also let's return to the main question - what to do if one needs to get to the encrypted traffic?
I know your answer - just don't do this, browser extension. But it's not enough.
Let's take a look at some situations when extension is not an option:
1. The browser does not support extensions. Like Edge.
2. What about apps? For instance, blocking annoying skype ads.
3. Mobile. We have an android app and users are begging for SSL filtering there.
Don't you think there should be some more reliable way to both filter encrypted traffic on the local computer/device and to leave SSL validation to browser?
I know your answer - just don't do this, browser extension. But it's not enough.
Let's take a look at some situations when extension is not an option:
1. The browser does not support extensions. Like Edge.
2. What about apps? For instance, blocking annoying skype ads.
3. Mobile. We have an android app and users are begging for SSL filtering there.
Don't you think there should be some more reliable way to both filter encrypted traffic on the local computer/device and to leave SSL validation to browser?
One thing you can do is SNI-based interception - connections to "clean" websites are passed through without messing with them, while suspicious domains get redirected to an interstitial using a per-device CA.
This way, you aren't reimplementing certificate verification, and software with hardcoded certificate fingerprints can be passed through.
This way, you aren't reimplementing certificate verification, and software with hardcoded certificate fingerprints can be passed through.
We do this already. There is a list of domains for which SSL filtering is disabled by default. Banking websites and some websites with sensitive personal information. Also user can add any domain manually to this list.
tl;dr Dell laptops come preinstalled with a root certificate and a corresponding private key. That completely compromises the security of encrypted HTTPS connections. I've provided an online check, affected users should delete the certificate. It seems
Tracked: Nov 23, 17:39