Saturday, February 21, 2015

Exploiting the Superfish certificate

As discussed in my previous blogpost, it took about 3 hours to reverse engineer the Lenovo/Superfish certificate and crack the password. In this blog post, I describe how I used that certificate to pwn victims using a rogue WiFi hotspot. This also took me about three hours.

The hardware

You need a computer to be the WiFi access-point. Notebook computers are good choices, but for giggles I chose the "Raspberry Pi 2", a tiny computer that fits in the palm of your hand which costs roughly $35. You need two network connections, one to the Internet, and one to your victims. I chose Ethernet to the Internet, and WiFi to the victims.

The setup is shown above. You see the little Raspberry Pi 2 computer, with a power connection at the upper left, an Ethernet at the lower-left, and the WiFi to the right. I chose an "Alfa AWUS050NH" WiFi adapter, but a lot of different ones will work. Others tell me this $15 TP-Link adapter works well. You can probably find a good one at Newegg or Amazon for $10. Choose those with external antennas, though, for better signal strength. You can't really see it in this picture, but at the top of the circuit board is a micro-SD card acting as the disk drive. You'll need to buy at least a 4-gigabyte card, which costs $4, though consider getting an 8-gig or even 16-gig card since they don't cost much more.

The operating system

It's theoretically possible to do this on Windows or Mac, but the best software for this sort of thing comes on Linux.

Normally, I'd use Kali Linux because it already has all the hacking tools compiled for it. However, since the Raspberry Pi 2 is still new, Kali doesn't have a version for that hardware ready yet. Update: Apparently @essobi has a working RP2 Kali image.

Therefore, I used the most popular Raspberry Pi 2 distro of Linux known as "Raspbian", which I downloaded from the website: http://www.raspberrypi.org/downloads/

It comes as a "disk image" that you need to write to the micro-SD card. Because it's an image, you don't simply write as a file to the disk, but overwrite all contents of the disk with this image. To do that, you need a special program. There are instructions on the download site that describe how to do this. Since I'm a Windows user, I used the "Win32 Disk Imager" program to do this.

It goes without saying, you'll need something that can write micro-SD cards. I used the SD card reader built into my Dell monitor. I purposefully chose a micro-SD card that came with a full-size SD card holder so that it would fit into my monitor. My laptop also has a full-sized SD writer I could've used.

Once the image was written, I removed the micro-SD card from my Windows machine and stuck it into the Pi, then plugged in the power to boot it up.

After powering on for the first time, it wants you to hook it up to a TV and configure things. The default account is "pi" with a password of "pi". I created my own account called "rob" and added it to the "sudoers" file. Just make sure when you set it up that the SSH daemon is enabled. I use the Putty SSH client from my Windows desktop to talk remotely to the Pi.

The software

In this example, you need two things. First, you need the WiFi access-point software. Second, you need the MitM software.

For the WiFi software, I used the well-known hostapd project, and followed the exact instructions here http://elinux.org/RPI-Wireless-Hotspot for turning the Pi into a hot-spot. Well, nearly exactly: I have a slightly different version of the Pi and a different WiFi card, but otherwise it's all the same. The configuration is all straightforward with no surprises. You set up hostapd to do the WiFi, then udhcpd to assign addresses, then use the Linux built-in netfilter to do the NAT.

For the MitM software, I chose sslsplit (https://github.com/droe/sslsplit). There are other tools like sslstrip and mitmproxy that I could've used, but the advantage of this tool is that it makes using the CA certificate really easy.

I needed to download and compile it separately. I also needed to "apt-get install libssl-dev libevent-dev" for it to compile. Other Linux distributions, like Kali, already come with sslsplit as a precompiled package.

After I did "make install" on sslsplit, I followed the directions here, with some variations:

The first difference is that instead of generating a CA key like it describes, I use the Superfish CA. You can download that in the file test.pem from my pemcrack tool. I then ran the command to decrypt it as follows (using "komodia" as the password):

openssl rsa -in test.pem -out ca.key

I also copied test.pem into the file ca.cer, then removed the PRIVATE KEY section to create the CA certificate.

I then created the directory /var/log/sslsplit where the logfiles will be generated.

I then ran the command:

sslsplit -D -l connections.log -S /var/log/sslsplit -k ca.key -c ca.cer ssl 0.0.0.0 8443

Once this was running, I ran the netfilter command to redirect all SSL traffic:

iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443

And that's it! All normal traffic goes through like a normal WiFi access point, but SSL traffic on port 443 gets MitMed with the Superfish CA!

Running the exploit

I have a little victim laptop that I infected with the Superfish adware. I used it to browse to the BofA website. As you can see in the home page screen, there is a lock indicating the session is "secure".


You can see the sign-in form to the left. I typed "barry123457" and clicked "Sign In". Because of SSL, as promised by the lock icons, what I just submitted to the website should be encrypted. But because of the Superfish CA problem, Lenovo customers can be exploited so that such private information can be viewed.

Back on my Raspberry Pi 2, I navigated to the log directory. The encrypted sessions are placed there as individual files named with their time stamp, IP addresses, and port numbers. These files contain the raw traffic, which is HTTP. The HTTP headers themselves are text, but the payload is usually binary. To make things easier, I just strip out the binary using strings(1).

strings 20150221T022602Z-[192.168.42.51]:50867-[171.161.198.200]:443.log >barry.txt

This was the session where I attempted to log into the BofA website using the AccountID of "barry123457". While this transaction went over SSL, you can see clearly that sslsplit was able to intercept it. As you can see, in the middle of the POST data is the string "barry123457".



Conclusion

Thus, this example proves that this exploit is practical, not merely theoretical as claimed by the Lenovo CTO. Exploiting this was a straightforward application of commonly available tools. The only thing out of the ordinary was sslsplit, but that's a tool commonly used by corporations for security purposes, and not some special "hacking" purpose.




Update: cheap USB adapters

While most WiFi adapters work with Linux as a client, they don't all work with hostapd (or other hacking tools).

The cheapest USB adapters on Newegg use the RTL8192CU driver, which doesn't support hostapd natively. I could get it to work by downloading a special version of their driver and a special version of hostapd, but it's a lot of effort.

To see whether your desired adapter is supported, look on this website. Note that it's case-sensitive, so sometimes you'll get adapters spelled in ALL CAPS on an ecommerce site, but have to search for which driver it uses in lower-case. I did this for some cheap USB adapters on Newegg's website and got these results. Whether or not the driver supports hostapd can usually be found on this website.


Shouldn't work without recompiling drivers:
RTL8192CU: Netis WF-2120, Netis WF-2111, Edimax EW-7811Un, TP-LINK_TL WN725N, Netis WF-2119, TP-LINK TL-WN823N, Rosewill RNX-N250UBE, Wireless N300 Wi-Fi, Sabrent USB-A11N, Encore ENUWI-1XN42, Encore ENUWI-2XN42, Encore ENUWI-2XN45
R8712u: Belkin F9L1001, TRENDnet TEW-648UB, TRENDnet TEW-649UB, ASUS USB-N10, Rosewill RNX-N150UBE, Rosewill RNX-N180UBE, EnGenius EUB9603H

May work with Kali:
rtl8187: Sabrent NT-WGHU

Should work:
rt2800usb: Rosewill RNWD-N1501UB, TP-LINK TL-WN727N, ASUS USB-N13, Edimax EW-7711USn, Tenda W311Ma, TP-LINK TL-WDN3200, Alfa AWUS050NH, Alfa AWUS051NH
ath9k_htc: Rosewill RNX-N150HG, TP-LINK TL-WN722N, TP-LINK TL-WN721N



Update: Here's doing it with OpenWRT.

16 comments:

Giles said...

Just to be clear - the victim laptop would have to join your wifi AP, right? So if you were (say) running a coffee shop with wifi for customers, this would be easy, but it would be harder in (say) Starbucks because you'd have to somehow fool people into joining your AP instead of the real one.

Janne Koschinski said...

It would be possible to create an AP with the same name as the official Starbucks AP, and send deauth packets making connection with the official Starbucks AP for everyone but you impossible.

Users will now try to join the official one, and, not being able to do so, try yours instead. From that point on you can easily MitM everything.

Christian Vogel said...

If you've joined the same wireless network as a victim (say, at starbucks) you could try and make your victim use your PC as a gateway, e.g. by setting up a rogue DHCP server, or by arp spoofing.

https://en.wikipedia.org/wiki/ARP_spoofing

This might, or might not, work depending on the setup and level of filtering of the WiFi access point(s).

Then, even though you haven't put up your own access-point, your victim will send all packets to you, you can mess with them, and forward them to the real outbound router (often, the integrated access-point/router/...).

Patch Eudor said...

This is cross posted to the Hacker News thread covering this article as well.

This is cool and all but if the victim has Superfish installed there's no need to use the Superfish private to MitM the connection. The Superfish software is not properly passing the validation state of the public cert when it connects to a website like Bank of America as an example.

The software is simply not triggering appropriate warnings in the browser when provided an obviously fake certificate that has been generated in a way to bypass browser warnings. It's also not properly validating revoked certs. Both of these situations are very bad. Allowing any self-signed cert would lead me to believe that this could have easily been exploited in the wild without prior knowledge of this vulnerability.

I've notified the software vendor of the impacted software and they are working diligently to patch all of their software. As such, I'm not going to provide a how-to guide on how to exploit users here but you pretty much did that anyway. I also notified both Superfish and Lenovo of this issue on Thursday (US), neither of which have responded.

Anyway, the following is an example of the improper status pass through based on doing something that might be quite obvious to those who understand how the browser validates a public against the fully qualified domain name.
This is what the browser should do when it encounters a self-signed cert delivered by an SSL/TLS MitM solution:

http://defaultstore.com/six.png

However, it's not doing this for this self-signed public cert:

http://defaultstore.com/four.png

Note both certs show "verify_fail." at the beginning and those who know how browser cryptography works will understand what has likely gone wrong with their implementation.

The ramifications of this are fairly significant. An attacker running sslsplit as example, configured like many instances are that we actually see in the wild can MitM Superfish software connected HTTPS sessions without the Superfish private. This means that a bad guy didn't actually need to know about this software and reverse it to compromise connections.

Andrea Faulds said...

> (These Kingston chips are the ones I'm using, but they are kinda crappy. They sometimes connect as 'read-only'; I don't know why).

They're not crappy, Kingston cards are fine. You've accidentally moved the "lock" slider and put the card into read-only mode.

Stuart Feichtinger said...

I second that. I once spent a very frustrating week troubleshooting a microSD card that would suddenly become "read-only" half way through imaging. It turned out the lock slider on the SD card adapter was loose. It would get pushed towards "lock" when I inserted it into my reader and back to unlocked when I took it out. Once I figured this out, a piece of scotch tape over the slider permanently fixed the issue.

rdm said...

As a minor side tangent: technically speaking, "theoretical" means "practical", at least somewhat.

That said, it's rather popular to believe that "theoretical" means "hypothetical", so it's good that you have shown that this is indeed a practical issue.

Bilim, Teknoloji ve Endustri said...

I thought Superfish was functioning as a proxy, meaning that the traffic sent out from the PC should be signed by the BankOfA public key eventually rather than the Superfish public key. Otherwise the BankOfA site would not keep working. Isn't that right?

Nathan Heafner said...

If I'm not mistaken, the traffic is signed with Superfish's SSL and sent to wherever that goes, and then whoever/wherever is signing the Superfish cert makes a connection to the destination (in this case BOA) and makes an SSL connection on your behalf. Correct me if I'm wrong.

macubergeek said...

In order for hostapd to work, the wireless card has to support AP mode. You can determine if your card supports AP mode by inserting it into the usb slot and using the command:
iw list
Your card should come up as physical interface 1
scroll down to Mode area. If you don't see AP mode, it doesn't.
