Entries tagged as komodia
adguard https maninthemiddle netfiltersdk privdog protocolfilters security superfish tls vulnerability android antivirus apache breach browser ca cacert ccc certificate certificates cloudflare cms cookies crime crypto cryptography csrf dell edellroot encryption facebook freak hash heist http joomla kaspersky letsencrypt mitm nginx ocsp ocspstapling openssl revocation rss samesite sha1 sha256 sni ssl time transvalid update updates web websecurity windowsxp x509 cccamp cccamp15 0days 27c3 addresssanitizer adobe aead aes afra aiglx algorithm altushost antivir aok apt asan auskunftsanspruch axfr azure badkeys barcamp bash berlin berserk bias bigbluebutton bleichenbacher blog bodensee botnetz braunschweig bsi bsideshn bufferoverflow bugbounty bundesdatenschutzgesetz bundestrojaner bundesverfassungsgericht busby bypass c cbc cccamp11 cellular cfb chcounter chrome chromium clamav clang clickjacking cmi code compiz conflictofinterest cookie crash cve darmstadt datenschutz deb debian deolalikar diffiehellman dingens diploma diplomarbeit distributions dns domain drupal easterhegg eff email english eplus fedora fileexfiltration firefox firewall fortigate fortinet forwardsecrecy freesoftware freewvs frequency fsfe ftp fuzzing gajim gallery gcc gentoo ghost gimp git glibc gnupg gnutls gobi google gpg gsm gsoc gstreamer hackerone hacking hannover heartbleed helma infoleak informationdisclosure internetscan ircbot itsecurity jabber javascript jodconverter karlsruhe key keyexchange leak lessig libreoffice linux luckythirteen malware mantis math md5 memorysafety mephisto microsoft milleniumproblems mobilephones modulobias moodle mozilla mpaa mplayer mrmcd mrmcd100b mrmcd101b multimedia mysql napster nessus newspaper nist nss ntp ntpd observatory onlinedurchsuchung openbsc openbts openleaks openpgp openvas osmocombb otr owncloud packagemanagement padding panda papierlos password passwordalert passwort passwörter pdo pgp phishing php pnp poodle privacy privatekey provablesecurity pss python rand random rc2 redhat rhein rpm rsa rsapss s9y salinecourier schlüssel science serendipity server session sha2 sha512 shellbot shellshock sicherheit signatures slides smime snallygaster sniffing spam sqlinjection squirrelmail staatsanwaltschaft stacktrace study stuttgart subdomain sunras support talk taz thesis tlsdate toendacms überwachung ubuntu unicef unicode useafterfree userdir utf-8 verschlüsselung virus vlc vortrag vulnerabilities webapps webmontag wiesbaden windows wiretapping wordpress xgl xine xmpp xsa xss zerodays zugangsdaten zzuf certificateauthority libressl openbsd symantec bugtracker core coredump github nextcloud segfault webroot webserver
Thursday, August 13. 2015
More TLS Man-in-the-Middle failures - Adguard, Privdog again and ProtocolFilters.dll
In February the discovery of a software called Superfish caused widespread attention. Superfish caused a severe security vulnerability by intercepting HTTPS connections with a Man-in-the-Middle-certificate. The certificate and the corresponding private key was shared amongst all installations.The use of Man-in-the-Middle-proxies for traffic interception is a widespread method, an application installs a root certificate into the browser and later intercepts connections by creating signed certificates for webpages on the fly. It quickly became clear that Superfish was only the tip of the iceberg. The underlying software module Komodia was used in a whole range of applications all suffering from the same bug. Later another software named Privdog was found that also intercepted HTTPS traffic and I published a blog post explaining that it was broken in a different way: It completely failed to do any certificate verification on its connections.
In a later blogpost I analyzed several Antivirus applications that also intercept HTTPS traffic. They were not as broken as Superfish or Privdog, but all of them decreased the security of the TLS encryption in one way or another. The most severe issue was that Kaspersky was at that point still vulnerable to the FREAK bug, more than a month after it was discovered. In a comment to that blogpost I was asked about a software called Adguard. I have to apologize that it took me so long to write this up.
Different certificate, same key
The first thing I did was to install Adguard two times in different VMs and look at the root certificate that got installed into the browser. The fingerprint of the certificates was different. However a closer look revealed something interesting: The RSA modulus was the same. It turned out that Adguard created a new root certificate with a changing serial number for every installation, but it didn't generate a new key. Therefore it is vulnerable to the same attacks as Superfish.
I reported this issue to Adguard. Adguard has fixed this issue, however they still intercept HTTPS traffic.
I learned that Adguard did not always use the same key, instead it chose one out of ten different keys based on the CPU. All ten keys could easily be extracted from a file called ProtocolFilters.dll that was shipped with Adguard. Older versions of Adguard only used one key shared amongst all installations. There also was a very outdated copy of the nss library. It suffers from various vulnerabilities, however it seems they are not exploitable. The library is not used for TLS connections, its only job is to install certificates into the Firefox root store.
Meet Privdog again
The outdated nss version gave me a hint, because I had seen this before: In Privdog. I had spend some time trying to find out if Privdog would be vulnerable to known nss issues (which had the positive side effect that Filippo created proof of concept code for the BERserk vulnerability). What I didn't notice back then was the shared key issue. Privdog also used the same key amongst different installations. So it turns out Privdog was completely broken in two different ways: By sharing the private key amongst installations and by not verifying certificates.
The latest version of Privdog no longer intercepts HTTPS traffic, it works as a browser plugin now. I don't know whether this vulnerability was still present after the initial fix caused by my original blog post.
Now what is this ProtocolFilters.dll? It is a commercial software module that is supposed to be used along with a product called Netfilter SDK. I wondered where else this would be found and if we would have another widely used software module like Komodia.
ProtocolFilters.dll is mentioned a lot in the web, mostly in the context of Potentially Unwanted Applications, also called Crapware. That means software that is either preinstalled or that gets bundled with installers from other software and is often installed without users consent or by tricking the user into clicking some "ok" button without knowing that he or she agrees to install another software. Unfortunately I was unable to get my hands on any other software using it.
Lots of "Potentially Unwanted Applications" use ProtocolFilters.dll
Software names that I found that supposedly include ProtocolFilters.dll: Coupoon, CashReminder, SavingsDownloader, Scorpion Saver, SavingsbullFilter, BRApp, NCupons, Nurjax, Couponarific, delshark, rrsavings, triosir, screentk. If anyone has any of them or any other piece of software bundling ProtocolFilters.dll I'd be interested in receiving a copy.
I'm publishing all Adguard keys and the Privdog key together with example certificates here. I also created a trivial script that can be used to extract keys from ProtocolFilters.dll (or other binary files that include TLS private keys in their binary form). It looks for anything that could be a private key by its initial bytes and then calls OpenSSL to try to decode it. If OpenSSL succeeds it will dump the key.
Finally an announcement for visitors of the Chaos Communication Camp: I will give a talk about TLS interception issues and the whole story of Superfish, Privdog and friends on Sunday.
Update: Due to the storm the talk was delayed. It will happen on Monday at 12:30 in Track South.