So I'm here to talk about active HTTPS cookie hijacking. First of all, who am I, what do I do? I'm a volunteer Tor developer. I work on the latest Torbutton release, for secure Tor toggling and isolation of cookies and all that stuff, and a set of Tor scanners and libraries for monitoring Tor performance and scanning exit nodes, called TorFlow. General privacy advocate, censorship opponent. My day job is being a forward-and-reverse engineer for a network acceleration company called Riverbed; we make awesome network acceleration gear. I'm also a flexitarian, which means it's sort of a step below vegetarian: absolutely no meat unless it's free range or particularly delicious. Now the problem is I've had a lot more success converting vegetarians to flexitarianism than normals to flexitarianism, so I don't know, I'm not positive yet, but maybe someday. I'm also a random hacker; I do all sorts of random stuff as the mood strikes me. I've got an IRC bot that can pass a Turing test; it was quoted as a human in a magazine, or as a human consultant. So that was pretty good. So what am I doing? Why am I doing this? So, in about two weeks,
I'll be releasing code that can steal insecure HTTPS cookies. I actually announced this to Bugtraq a year ago and notified Google of the issue, and there's been almost no action on it from pretty much any website for the past year. And the vector of it can be done from more than just local Wi-Fi networks: you can leverage Dan Kaminsky's DNS hijacking attack and a whole bunch of other vectors as well, which we'll get into later. And a whole bunch of sites are vulnerable. I think that maybe they do development via HTTP and they slap HTTPS on later, and so they just don't set the bits on the cookies, for convenience. So the response is to try and raise awareness, to release a fully automated tool that shows just how dangerous this is, the not setting the secure bit on these cookies, and it's a very easy fix. You just basically set a property on a cookie to cause it not to be transmitted.

So let's go back to the basics then. Why does this work, or what is a cookie? How does it work? So obviously they're used for authentication and tracking in your web browser. They are basically a variable that gets set by a website. There are a few key properties that they have that govern when they're transmitted: they have a domain and a path, which govern that they're only transmitted to sites that match the domain and path. They have an expiration time, and then the secure bit, the SSL bit, which is what's of interest here.
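An added example, not code from the talk or from the speaker's tool: a small Python model of the four cookie properties just listed (domain, path, expiration, secure bit) and the browser's decision to send a cookie, used the way a site owner would, to audit Set-Cookie headers for cookies that an HTTPS origin set without the secure bit. Host names and cookie values are constructed placeholders, and domain matching is simplified (every cookie is treated as a domain cookie that also matches subdomains).

```python
import time
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

@dataclass
class Cookie:
    name: str
    value: str
    domain: str
    path: str = "/"
    expires: Optional[float] = None  # None = session cookie; else epoch seconds
    secure: bool = False             # the SSL-only bit the talk is about
def parse_set_cookie(header: str, origin_host: str) -> Cookie:
    """Parse one Set-Cookie header value; origin_host is the host that set it."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    c = Cookie(name.strip(), value.strip(), origin_host.lower())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain":
            c.domain = val.lstrip(".").lower()  # a leading dot is ignored
        elif key == "path":
            c.path = val or "/"
        elif key == "max-age":
            c.expires = time.time() + int(val)
        elif key == "secure":
            c.secure = True
    return c

def would_send(c: Cookie, url: str, now: Optional[float] = None) -> bool:
    """Browser-side transmission rules: expiry, Secure bit, domain, path."""
    u = urlsplit(url)
    host = u.hostname or ""
    if c.expires is not None and c.expires <= (time.time() if now is None else now):
        return False  # expired
    if c.secure and u.scheme != "https":
        return False  # Secure set: never sent over plain HTTP (the fix)
    if host != c.domain and not host.endswith("." + c.domain):
        return False  # domain mismatch
    path = u.path or "/"
    if path != c.path and not path.startswith(c.path.rstrip("/") + "/"):
        return False  # path mismatch (the talk's mail.google.com /mail case)
    return True

def leaky_cookies(headers: List[str], origin_host: str) -> List[str]:
    """Names of cookies an HTTPS origin set that would also travel over HTTP."""
    cookies = [parse_set_cookie(h, origin_host) for h in headers]
    return [c.name for c in cookies if would_send(c, f"http://{c.domain}{c.path}")]
# Constructed sample: an HTTPS login response setting one persistent cookie
# without Secure (the talk's scenario) and one with it.
SAMPLE_HEADERS = [
    "SID=abc123; Domain=.mail.example.com; Path=/mail; Max-Age=2592000",
    "SSID=def456; Domain=.mail.example.com; Path=/mail; Max-Age=2592000; Secure",
]
```

Running `leaky_cookies(SAMPLE_HEADERS, "mail.example.com")` names only `SID`: the same persistent cookie with `Secure` added is never offered to a plain-HTTP request, which is the one-property fix the talk describes.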
So, what was it, last year my announcement was sort of overshadowed by Robert Graham's sidejacking attack announcement at DEF CON, or Black Hat, I'm sorry. And what was that? Basically it was a glorified sniffer that just passively captured cookies to non-SSL websites that people were visiting on the local network, and he had a janky proxy-based interface for doing that cookie setting and interception. And he did try to save path info, but it was a little bit too specific in some cases, and that could lead to issues. But he did manage to raise the alarm pretty well for at least that issue, the lack of SSL and how dangerous that is. So I'm hoping to try and do the same here and encourage sites to actually set this property.

So let's take that attack a step further. If you want to grab arbitrary cookies from somebody without them actually visiting a site, basically the scenario is a user logs into a site that's not secure. Sometime in the past they set the remember-me flag, and then the local attacker can inject arbitrary content elements, like images or iframes or what have you, that will cause the browser to transmit any cookies that it has for that domain. So in this case injecting an image source for Yahoo into a page will cause the browser, of course, to transmit the cookies for Yahoo. The common name for this is cross-site request forgery, but we don't really care about performing any particular action on the server in this case. We just want to cause the client to transmit its cookies, its authentication tokens. So we don't care if the request succeeds or not at the server; it doesn't really matter if the actual URL is valid, or an image, or anything. You can then save these cookies and write them to a Firefox-compatible cookies.txt file.

So how does this HTTPS cookie hijacking thing work?
So it's very similar, except instead of logging into the insecure service they log into the secure service, HTTPS mail.google.com for example. Then, with that cookie set to be persistent, later they log in to www.cnn.com, for example, on an insecure network with a malicious attacker. And we'll get into exactly what that is; it turns out basically every network is a malicious network as far as this attack is concerned. And you, the attacker, can then inject again the same image source, but this time without the HTTPS, just HTTP, and because the SSL-only property is not set on these cookies, they just get transmitted, and then the attacker can observe and record them. Then you can write them out to a Firefox-compatible cookies.txt and load that into your browser and impersonate that user. And if you're on the local network, some sites will only allow me to connect from this IP address; if you're on the local network, you can spoof that IP address, borrow their MAC and impersonate them right on their connection. Or if it's behind a NAT, the IP is the same, so you are still able to impersonate them fully. And the key point here is the user doesn't even have to be using whatever service they log into via the hostile network. How did we go all the way up there?
All right, so as I said before, this is not just a problem with open wireless networks. There's tons of vectors for this. You can do, of course, the ARP poisoning attack, the ARP spoofing attack, on a switched wired network. You can do the DHCP server exhaustion, where you request all the leases from a DHCP server so that it runs out, stops answering, and then you start answering for it. So then you say all the gateways are over here, route everything through me, please, and then you can do this attack. Dan Kaminsky's DNS hijacking attack: I believe he said that somewhere between 30 to 40 percent of the DNS servers out there still have a fixed source port, so that his attack can still work, and that was the estimate of a few days ago. He may have been scanning continuously since. I've heard higher estimates from other people, significantly higher. The other thing is we saw a couple of cable modem talks yesterday where they were able to sniff the downstream traffic and inject traffic into there. This attack really needs upstream, to be able to capture the cookies sent by the client, so the attacker sort of needs a custom cable modem that they've hacked to be able to capture the upstream frequencies as well. So at this point, without a hardware hack, it might not be possible, but still a sophisticated attacker can potentially hack their modem to do this. And there is DOCSIS encryption, but it's weak, it's 56-bit, so I think that can be cracked, if it's even enabled.

So how is this attack executed without sophistication? There's this utility airpwn, which I pronounce "poon" because there's no "oh" in "pwn", so I figure "poon" is just a little bit more dirty, or dirty enough to be a little shocking.
So it's pretty quality, but probably nobody's gonna adopt that anyways. So you basically can use this tool to inject these elements for your target domain, and then use Wireshark as a script to grab those cookies and then write them out manually. Wireshark has a scriptable interface; it used to be called tethereal, it's probably called tshark now. Basically shell scripting type stuff.

So what is this utility that I'm gonna be releasing? It's a fully automated pylorcon tool. It basically caches DNS responses. So you see a DNS request for a particular domain, you cache that name, and then you listen for SSL connections to port 443 for an IP. You look up in your cached DNS table what the domain was for that IP. So you say, oh, here is the domain for this IP, that's a target, I want to inject that into that user later. So you store it into a queue for injection, and then the next time that target IP connects to any HTTP website, CNN or whatever, you inject this DNS name into that stream and cause them to transmit their cookies. So it can be fully automated. And then the tool will write any resulting cookies out to a cookies.txt file that you can use in Firefox 2. I haven't done Firefox 3 support yet; it's SQLite, there are Python libraries for that, I just haven't gotten to it yet.

Okay, so there is a little bit of configuration, though. It's not 100% automatable, but it is quite close. So you need the path for it to be able to entice sites to transmit if they have a path restriction. Like mail.google.com has the path restriction set, but that's not a problem; I mean, that's the same for every site, so you can just have a table of common sites. You might also want to steal arbitrary cookies for non-SSL sites as well; you can provide a target list for that.
So I want to always grab Facebook cookies or whatever in addition to any other injection. So Cookie Monster's been doing without cookies for quite a while. They've been starting to feed him fruit, so cookies are "sometimes food", you know, so he's getting pretty pissed off. So I think we need to feed him some cookies now.

Let's see. So the first target. I've been mentioning mail.google.com as a target, interestingly enough. Damn it. Oh, this is not that important; I don't know if I can change the font size. So I'm just running the tool; it has some command line arguments. It's probably good that you can't see the font, because there's a WEP key on there that I don't want people injecting stuff into. So I'm just running the tool from this command line; it has a few arguments to say the interface, the key, and the MAC address that you want to watch. So now I'm going to go over and hit addons.mozilla.org. Now addons.mozilla.org has a feature where, if you're an add-on developer, you can be a trusted add-on developer, and what this does is allows you to upload add-ons and have them instantly be propagated to all the users that have subscribed to that particular add-on. So if there's a vulnerability in this site and you can capture the cookies of somebody, you can potentially cause a whole bunch of users to install malicious Firefox extensions that then have full access to your system. They can run arbitrary code, and then when the update comes to try and revert it, they're already running other malware. So the DEF CON network has not been the greatest, but at this point I already have enough information to be able to inject the content element, if the network will hold up for the success of the next request. So let's see here.
Let me double check here. So now I'm going to go to CNN, and, you know, there was a quick little refresh. It transmits some data from addons.mozilla.org, and then the page load of CNN is normal. Now on successive reloads this user might be like, well, that was kind of weird that I had a little white page for a little while there, what the hell was that? They hit reload, and the tool has noted that it's already captured the cookies, so the second time around it doesn't inject the white screen. So now I'm going to copy these cookies over to my Firefox profile. So I guess I could try and do a kterm so I could show you that. What is it? Okay, console. I'll show you that there's nothing up my sleeve here, if I can change the font. We're doing it in time. Which one, how's that, there, there, there? 18. All right, so here's the profile that I'm going to use. There is no cookies.txt here. I'm going to copy it over from the file that I just created. What, oh, wait, oh, there's a cook... oops, less. Check the sleeve; no, it's empty. And there's this sketchiness; we'll get rid of that just so you know that I'm not screwing around with that. All right, um, copy cookies. So here's the cookies file: less cookies.txt, and here's all the cookies that have been written out. Now we'll fire up a different browser. I guess there could be tons of things up my sleeve still, so you just have to trust me and check the tool in a couple of weeks. So now we'll hit, in this other browser, which is a different profile (that one has Torbutton installed, this one doesn't), hit addons.mozilla.org, and I'm still logged in. So there's the developer tools; I can go and potentially upload a malicious extension. The same thing is applicable to Gmail. However, about 20 minutes before the talk they changed how the cookie headers were being transmitted and the tool stopped working. So that was a little strange.
I mean, it could have been me doing something retarded; I was trying to do a couple of last-minute changes. But it sure looks like the cookie headers are being transmitted in a way that they wouldn't normally be. It's truncated, basically; the HTTP header is not long enough to include it. So you see here. So, all right, let's hit HTTPS mail.google.com, and so we loaded the page, restore the map, and then we'll hit CNN, see if this works. No, it's not getting it. Something changed. Oh, well, that's broken. It'll be fixed by the time I release the tool; apologies. So Google... all right, let's go back to this. All right, so Cookie Monster's feeling much better; we've given him at least addons.mozilla.org. Gmail is still vulnerable in the default configuration.

So let's do: what can you do to protect yourself? So okay, about a week ago Google did announce that they have an HTTPS pref. If you set this pref in your options, if you're aware of it, then you can say, oh, I want Gmail to be HTTPS only. The problem with this, though, is that if you're not aware of it, the default behavior of Gmail, if you're familiar, is you log in via HTTPS, it'll keep you in HTTPS afterwards, and you'll think that you're secure, but you're really not. The cookie is still set without the secure bit if you haven't set this pref and you're not aware of it. So it's my opinion that it really should be the case that Gmail, since it's already tracking the fact that you are logging in via HTTPS and knows to redirect you to HTTPS afterwards, should give the cookie that property, but it does not. So that would be the ideal fix. You can also use this ForceHTTPS Firefox add-on, but it's very complicated. You have to edit some browser preferences to be able to specify that you want to force specific domains; the UI is not done yet. The other thing you can do is just log out of your SSL services when you're done, clear your cookies regularly, and not access things outside of SSL.

So as I said before, there is another potential vector where a large portion of the Internet can have their Gmail captured, especially if they're not aware of this attack. Basically, the Metasploit module for the DNS hijack has been out for a while; the Computer Academic Underground, I think, put it out. So you basically scan for these vulnerable DNS servers. You can hijack google.com by spoofing the glue record after you spoof the sequence number, and then you can inject these content elements into the domain for the page that you're targeting. It would be a good idea to target google.com because people probably hit Google pretty commonly before doing a search, and then you only have to do one hijack. And you can modify this tool to passively collect these cookies at your IP; it's a two-line change. And then question mark, question mark, question mark, profit. Additional services that are vulnerable are Google Docs; all the Google services haven't been upgraded as well, so all those cookies are still insecure and you can grab them. There's a lot of corporations that will store sensitive stuff in their Google Docs, the Google domain. For example, the pref to set for the domain-wide is $50 a seat, so it can cost a great deal of money to be able to pay for the right to set this pref across the domain. And the individual pref has not been rolled out to the individual user accounts for the Google domain services yet.

So, a little bit of thanks. I want to thank Damon McCoy.
He helped out with additional wireless drivers and headers for the injection so it would work on arbitrary networks. Colin Jackson for his ForceHTTPS work. A lot of conversations with Nick Weaver; his blog describes a bounce attack that you can use to get arbitrary Google session cookies for any arbitrary service, so if you Google for his blog posts on the topic, he outlines that there. So that's another potential vulnerability. And then, of course, all the lorcon and Python pylorcon authors in the deep packet team.