Real World Application Threat Modelling By Example. 44Con 2013

Size: px

Start display at page:

Download "Real World Application Threat Modelling By Example. 44Con 2013"

Lily Poole
5 years ago
Views:

1 Real World Application Threat Modelling By Example 44Con 2013

2 Agenda Threat modelling 101 Our goals Doing it

3 Threat modelling 101 Why threat model? Help with risk analysis (defensive) Help with efficient effort investment (offensive)

4 Threat modelling 101 Attacker centric aka attack trees Software, system, design or architecture centric Asset centric aka traditional risk analysis

5 Threat modelling 101

6 Our goals Asses a virtual appliance with zero initial knowledge Map its attack surface Develop a threat model

7 Our goals another perspective

8 Target Djigzo Encryption Gateway

9 Steps?

10 Steps Enumeration / Discovery Dataflow Threat model

11 Phase 1 - Enumeration

12 Step #0 Tools Notepad / VIM / Whatever Mind Mapper (FreeMind etc.) Diagram Drawer (Visio etc.) OS specific tooling (enumeration / debug)

13 Step #1 Get shell Possible approaches Mount virtual disk image Live CD add a user Single user mode Allowed functionality Allowed functionality Default username and password

14 Step #2 Get root Possible approaches Mount virtual disk image Live CD add a user Single user mode Product configuration issue Product configuration issue They allow a shell They made a mistake / overlooked

15 Step #3 Enumerate?

16 Step #3 Enumerate Product functionality Technologies in use Processes Listening ports Process to port mappings Users processes are running as Mooch around the interfaces (*scientific) Dig into the database (if there is one)

17 Step #3 Enumerate Product functionality Source: Administration / Installation manual Console administration interface Web administration interface gateway encryption solution

18 Step #3 Enumerate Technology Linux Postfix Java Apache Tomcat 6 Spring (web framework) Apache James (mail) Tanuk Software Wrapper (allow Java to run as a daemon) Jetty web server (SOAP interface) Postgres

19 Step #3 Enumerate Processes

20 Step #3 Enumerate Listening Ports

21 Step #3 Enumerate Processes to ports

22 Step #3 Enumerate Listening Ports Port Process Description Verified who 22 SSHD SSH daemon No need 25 Master Postfix mail transfer agent No need / experience 8080 Java Tomcat /etc/tomcat6/server.xml 8443 Java Tomcat /etc/tomcat6/server.xml

23 Step #3 Enumerate Listening Ports Port Process Description / Function Verified how 5400 Java RMI for JMX /etc/djihzo/spring/services.xml 5432 Postgres Database server Obvious from the process name 8005 Java Tomcat shutdown port Internet knowledge 9000 Java SOAP interface /etc/djigzo/djigzo.properties Java Mail content filter port /etc/djigzo/james/config.xml /etc/james/smtp_server.xml /etc/postfix/main.cf Master Postfix mail transfer agent mail reinjection /etc/djigzo/james/config.xml /etc/postfix/main.cf Java Wrapper /etc/djigzo/djigzo.wrapper.conf Java Unknown

24 Step #3 Enumerate Listening Ports

25 Step #3 Enumerate Listening Ports

26 Step #3 Enumerate Listening Ports

27 Step #3 Enumerate What s missing?

28 Step #3 Enumerate Processes

29 Step #3 Enumerate Open Handles ls /proc/[pid]/fd

30 Step #3 Enumerate Missing Process

31 Step #3 Enumerate Missing Process

32 Step #3 Enumerate Missing Process

33 Step #3 Enumerate Mooch

34 Step #3 Enumerate Mooch

35 Step #3 Enumerate Mooch

36 Step #3 Enumerate Firewall Rules

37 Step #3 Enumerate Database

38 Step #3 Enumerate Other Tools Tool checksec.sh find tcpdump lsof strace ltrace unzip JD-GUI Purpose Operating system and binary defense in depth File system permissions, SUID binaries etc. Sniff loopback adapter for database, SOAP and other IPC traffic List open files for a particular process or path System call trace see which system calls are being made by a process Library call tract see which library calls are being made by a process For extracting JAR and WAR files containing the Java classes Java decompiler for the Java classes

39 Summary so far We have a shell and file system access We have root on the appliance We know the technologies We know product functionality We know roughly how it is built We know what speaks to what We have mooched around the interfaces We have had a quick look at the database

40 Phase 2 Dataflow

41 Step #0 Dataflow - High-level

42 Step #1 Dataflow With Boundaries

43 What s still missing?

44 What still missing High-level: Logging, Platform defences etc. Low-level: Detailed functional flows e.g. authentication, actions, commands, mail transiting

45 Phase 3 Threat Model based on High-Level

46 Threats: The Microsoft Way

47 Threats?

48 Threats: Web Interface

49 Threats: Admin Console

50 Threats: Daemon

51 Threats: Mail Transfer Agent

52 So what s next? We now test, assess and or ask the architects / developers what has been considered and any present mitigations

53 How do we summarize? Threat Impact / Risk Mitigation Residual Risk Malformed PDF document Memory corruption leading to arbitrary code execution in the main daemon or wrapper process Written in Java Denial of Service

54 Phase 4 Going Deeper

55 Going deeper Rip into database Application passwords stored in clear-text File system contents Soap interface credentials in clear-text Certificates are dynamically generated == a more complete real world threat model

56 Going deeper Grab the Tomcat configurations Work out the filter chains See which URLs don t need authentication Chain URLs back to Java classes Grab the JAR and WAR files contain the classes Disassemble Review code == a more complete real world threat model

57 Conclusions for now

58 The ideal process

59 Challenges Development may not have the deep threat / mitigation knowledge Brainstorming with a security person helps here Organisations under estimate the effort, size and complexity required to do threat modelling right

60 Conclusions Threat modelling requires good understanding of security risks Developing a good threat model takes a lot of time / effort and resource Enumeration of technologies and interfaces is key Think about possible attacks and how they are mitigated Verify threats either statically or dynamically this presentation was only the beginning

Offices Sydney European Offices Amsterdam -

61 Thanks! Questions? UK Offices Manchester - Head Office Cheltenham Edinburgh Leatherhead London North American Offices San Francisco Atlanta New York Seattle Australian Offices Sydney European Offices Amsterdam - Netherlands Munich - Germany Zurich - Switzerland Ollie Whitehouse ollie.whitehouse@nccgroup.com

Phishing Stories. Shaun Jones

Phishing Stories. Shaun Jones Phishing Stories Shaun Jones Agenda What is Phishing? Phishing Story I Intranets are actually pretty useful Phishing Story II Why do I need two factor auth Phishing Story III Everybody gets shells! What