Cracking the Foundation: Attacking WCF Web Services

Transcription

1 Cracking the Foundation: Attacking WCF Web Services Shmoocon February 7, 2010 Brian Holyfield Gotham Digital Science labs@gdssecurity.com

2 Attacking WCF Web Services Session Objectives Introduction to WCF Tools & Techniques for Attacking WCF Services Session Outline WCF Overview Silverlight WCF Web Services WCF and WS-Security Duplex Services

3 WTF is WCF? Core Communications Framework for.net Applications and Services Introduced in.net 3.0, enhanced in.net 3.5 Various protocol bindings and message formats Backwards compatible for legacy services

4 What s new with WCF?

5 ABCs of WCF Endpoints WCF Services are exposed through Endpoints Each Endpoint has three required elements Address Binding Contract (commonly referred to as the A-B-C s)

6 WCF Addresses Where can I find the service? Every WCF Service has a Unique Address Transport Protocol Location Often use.svc file extension when hosted in IIS [transport]://[machine or domain][:optional port]/[optional uri]

7 WCF Bindings How do I talk to the service? Bindings specify how a service communicates Transport Protocol Encoding (Message Format) Several out-of-the-box bindings, or can be customized

8 WCF Bindings WCF Transport Protocols NET.TCP HTTP/HTTPS Named Pipes (IPC) Peer to Peer (P2P) Message Queuing (MSMQ) WCF Encoding Formats Text (SOAP, XML, JavaScript) Binary MTOM

9 WCF Contracts What can I do with the service? Nothing is part of a service contract by default Opt-In Approach Must explicitly indicate exposed methods

10 Attacking WCF Services Example 1: Silverlight 3 Client Service Example 2: WCF Duplex Abuse Example 3: WS-Security & Message Encryption

11 Example 1: Silverlight Client Service WCF commonly consumed by Silverlight for browser services Broad Support for WCF in Silverlight 3+ By default, uses.net Binary SOAP Messages Content-Type: application/soap+msbin1 MC-NBFS Protocol Specification

12 HTTP/S Proxies and MC-NBFS Limited (if any) support for MC-NBFS/MSBin1 in most common proxy tools Fiddler: Binary XML Inspector (Richard Berg) Read Only inspection of Binary XML Messages

13 MSBin1 Burp Proxy Plug-In Plug-In for Burp Suite MSBin1 Burp Plug-In (Gotham Digital Science) Leverages Richard Berg s XML Encoder/Decoder Allows full edit/update of Binary XML Messages Implements processproxymessageand processhttpmessage methods of BurpExtender Available for free at

14 MSBin1 Burp Proxy Plug-In Editing Encoded Response Data Both processproxymessage and processhttpmessage are invoked BEFORE response edit, not after Workaround: Chain 2 proxy instances to perform encoding and decoding of intercepted requests X-WCF-Proxy: must-encode header

15 MSBin1 Burp Proxy Plug-In Workaround for Burp Extender API Limitations Silverlight Client WCF Service Burp Proxy 1 Decode & Edit Requests Encode Edited Responses Burp Proxy 2 Decode & Edit Responses Encode Edited Requests Attacker

16 Obtaining WCF MetaData HTTP-GET Same as legacy ASMX Retrieved by appending?wsdl to the address Metadata Exchange (MEX) Binding Based on WS-MetadataExchange Standard W3C Working Draft (25 June 2009)

17 MetaDataHelper Page

18 Obtaining WCF MetaData By default, no metadata is published WSDL and MEX are enabled by default in Visual Studio WCF configuration [snip] <endpoint address="mex" binding="mexhttpbinding" contract="imetadataexchange"/> [ ] <!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment --> <servicemetadata httpgetenabled="true"/> [snip]

19 Basic MEX Request Structure POST /MyService.svc/mex HTTP/1.1 Content-Type: application/soap+xml; charset=utf-8 Host: wcf.example.com Content-Length: 565 <s:envelope xmlns:s=" xmlns:a=" <s:header> <a:action> </a:action> <a:to> </a:to> </s:header> <s:body/> </s:envelope>

20 MetaDataover SSL A note about MetaDataover SSL Default Visual Studio Template: <servicemetadata httpgetenabled="true"/> Does NOT include: <servicemetadata httpsgetenabled="true"/>

21 Manual Testing Utilities Leveraging MetaData for Manual Testing WcfTestClient Automatically Parses WSDL or MEX Ships with Visual Studio WCF Storm Supports most WCF bindings Free Lite Version available

22 Obtaining MetaDatafrom XAP Files Silverlight client can be decompiled to obtain service metadata from the XAP file Service Endpoints Methods & Data Types Download, Unzip, Decompile.NET Reflector w/ FileGenerator Plug-In XAP Reflector

23 WS-Discovery Open protocol standard for multicast discovery of services on a local network.net Framework v4+ (still in Beta) UDP Port Message Types Hello Announce a service has joined the network Bye Announce a service is leaving the network Probe Search for a service by type or scope Resolve Search for a service by name 23

24 Example 2: WCF Duplex Services WCF also supports Duplex communication Provides a callback channel for clients WSDualHttpBinding NetTcpBinding NetPeerTcpBinding Ideal for push notification

25 WSDualHttpBinding WSDualHttpBinding designed for HTTP Duplex Callback channel is a listening port on the client Uses Microsoft-HTTPAPI/2.0 Client informs service of callback address during initial request WCF server issues an acknowledgement response to callback address

26 WSDualHttpBinding CreateSequence Action: CreateSequence Reply To: Port 80 HTTP/ Accepted Client Port Action: CreateSequenceResponse Reply From: HTTP/ Accepted Service

27 WSDualHttpBinding CreateSequence Action: CreateSequence Reply To: Action: CreateSequenceResponse Reply From: Client1 HTTP/ Accepted Timeout Target

28 WSDualHttpBinding CreateSequence Action: CreateSequence Reply To: Target1 HTTP/ Accepted Client1 Target2

29 WSDualHttpBinding CreateSequence Action: CreateSequence Reply To: Target1 HTTP/ Accepted Client1 Action: CreateSequence Reply To: Target2

30 WSDualHttpBinding CreateSequence Action: CreateSequence Reply To: Target1 HTTP/ Accepted Client1 Action: CreateSequence Reply To: HTTP/ Accepted Target2

31 Abusing WSDualHttpBinding Port scanning via WSDualHttpBinding callback <s:envelope xmlns:s=" xmlns:a=" <s:header> <a:action s:mustunderstand="1"> </a:action> <a:messageid>urn:uuid:foobar</a:messageid> <a:replyto> <a:address> </a:replyto> <a:to s:mustunderstand="1"> </a:to> </s:header> <s:body> <CreateSequence xmlns=" </CreateSequence> </s:body> </s:envelope>

32 Abusing WSDualHttpBinding Port scanning via WSDualHttpBinding callback <s:envelope xmlns:s=" xmlns:a=" <s:header> <a:action s:mustunderstand="1"> </a:action> <a:messageid>urn:uuid:foobar</a:messageid> <a:replyto> <a:address> </a:replyto> <a:to s:mustunderstand="1"> </a:to> </s:header> <s:body> <CreateSequence xmlns=" </CreateSequence> </s:body> </s:envelope>

33 WsDualScanner Converts any WSDualHttpBindingservice into a remote port scanner Works behind the firewall (DMZ/Intranet) Relatively slow, but effective (timeouts) Probe 1 (Ignore Response) Probe 2 (Measure Response Time for Probe 1) Probe 3 (Measure Response Time for Probe 2) Probe 4 (Measure Response Time for Probe 3)

34 Proof of Concept: Azure Cloud 10.X.X.X myapp.cloudapp.net

35 Example 3: Secure WCF Bindings Secure Bindings support Message Security Based on WS-Security standards NetTCPBinding(Binary XML Message Format) wshttpbinding(soap/xml over HTTP/S) many more Multiple credentials options Windows, Certificate, Username, Anonymous, IssuedToken

36 Determining WCF Security Settings Analyze Binding Security Settings Primarily Driven off Mode Transport (clientcredentialtype) Message (clientcredentialtype) TransportWithMessage None Refer to both Transport and Message settings

37 WCF Message Security Message security uses WS-Security Specification Alternative to TLS/SSL Supports message signing, encryption, or both Supports negotiation by default Dynamically negotiates token Can be anonymous or require credentials Requires at least one certificate

38 WS-S Anonymous Message Encryption SOAP security negotiation with ' for target ' failed. Requires a valid server certificate Signed by trusted CA or in Trusted People store Try disabling certificate validation via behaviorconfiguration on the client Certificate may be provided within meta data Client -> Endpoint -> Identity -> Certificate

39 WS-S Message Encryption Disabling certificate verification <behaviors> <endpointbehaviors> <behavior name="nocertvalidation"> <clientcredentials> <servicecertificate> <authentication certificatevalidationmode="none" revocationmode="nocheck" /> </servicecertificate> </clientcredentials> </behavior> </endpointbehaviors> </behaviors>

40 WS-S Username Credentials Username & Password passed with message WCF does not allow over un-encrypted transport Passed in SOAP Header as defined by standards <o:security s:mustunderstand="1" xmlns:o=" <o:usernametoken> <o:username>wcftest</o:username> <o:password>3mb3dd3d!</o:password> </o:usernametoken> </o:security>

41 Writing a Custom WCF Test Client Much easier than it sounds Usually requires less than 10 lines of custom code!! Use svcutilto generate the following artifacts using WSDL or MEX medatata: [Service Name].cs Client class with accessible web methods and complex data types output.config Configuration file with endpoint information (address, bindings, contract)

42 Writing a Custom WCF Test Client Custom WCF client in less than 10 LOC public class MyClient { public static void Main() { try { CalculatorClient client = new CalculatorClient(); double sum = client.add(1, 1); Console.WriteLine("1 + 1 = " + sum); } catch (Exception e) { Console.WriteLine(e.Message); } } }

43 Writing a Custom WCF Test Client Quick and Dirty Test Client Step 1: Generate [class].cs and App.config svcutil <metadatapath> /out:myclient.cs/config:myclient.exe.config Step 2: Add console processing logic using System; main() Step 3: Compile MyClient.cs file with csc.exe

44 Summary WCF provides many new security features Attacks more difficult, but not impossible Perhaps some enhancement opportunities Toolset for attacking WCF services is limited Dictated by Binding and Security Options in use Silverlight adoption will drive consumption

45 Brian Holyfield Gotham Digital Science QUESTIONS