Ways of getting through a firewall

First I saw "SSH over HTTPS (trofi.github.io)" on Hacker News; the original post, "SSH over HTTPS", explains how to tunnel out using HTTPS plus the CONNECT method.

The author gives some background first: he needed to stay in the hospital for a few days, and the hospital has free Wi-Fi, but with many restrictions; basically only 80/tcp and 443/tcp get through for TCP. He also had mobile data (probably not unlimited?), which he could use as a tool to set up the bypass on the spot:

I planned to spend 1-2 days in the hospital and did not plan to use the laptop. But now I am stuck here for the past two weeks and would like to tinker on small stuff remotely. The hospital has free Wi-fi access.

The caveat is that hospital blocks most connection types. It allows you only to do HTTP (TCP port 80) and HTTPS (TCP port 443) connections for most hosts. DNS (UDP port 53) and DoT (TCP port 853) seem to work as well at least for well-known DNS providers.

But SSH (TCP port 22 or most other custom ports) is blocked completely.

I wondered how hard would it be to pass SSH through HTTP or HTTPS. I had a GSM fallback so I could reconfigure remote server and try various solutions.

The author's approach is to run SSH on top of a TLS/SSL connection. I've done this before, but as the comments point out, Cisco's AnyConnect (mainly via OpenConnect as the open-source client and ocserv as the open-source server) is more flexible, and the AnyConnect protocol automatically tries UDP-based DTLS, which moves traffic more efficiently than a TCP-based protocol; on iOS you can also just install Cisco's official client from the App Store.

Judging from the author's other posts he is clearly well practised at this, though; he probably did it this way because he already had an Apache HTTPS server on hand that he could configure for it.

Also, although the author doesn't spell it out, the idea is presumably that once you have SSH you can use -D on the command line to spawn a SOCKS proxy for other programs to use; most common applications support it.

This was probably a stopgap for being stuck in a hospital for a day or two; if it were a regular occurrence he would probably set up ocserv to get around it...

Cisco acquires Splunk

News seen on Hacker News: Cisco is buying Splunk: "Cisco Acquires Splunk (splunk.com)", with the corresponding press release "Splunk and Cisco Unite To Accelerate Digital Resilience as One of the Leading Global Software Companies".

It's hard to see why Cisco would buy Splunk; no idea what the strategy is...

The whole Hacker News discussion also keeps coming back to how painfully expensive Splunk is... my previous company happened to use it too, and the price really was painful, which is why there was a later plan to migrate to Prometheus, though that is all in the past now...

That's staff, the building, equipment, power, water, everything...the estimated Splunk cost was more than that.

The joke used to be 'splunk is amazing until the first invoice comes in', it's funny because it's true. Note Datadog is very similar in that regard.

Compared with the era when Splunk first came out, there are now many more open source options to choose from, so Splunk is far less attractive.

Fixing ocserv being very slow because it wasn't using DTLS...

Lately I've preferred running my VPN with ocserv. After connecting to a full-route VPN I noticed the speed was slow, and found that it wasn't using DTLS over UDP at all, only TLS traffic over TCP... Searching around, someone had already run into this and there is a workaround: "OpenConnect not working with DTLS".

The author found that ocserv.socket was the problem and decided to take it out entirely. The method is to comment out Requires=ocserv.socket and Also=ocserv.socket in /lib/systemd/system/ocserv.service, then deal with it in systemd:

sudo systemctl stop ocserv
sudo systemctl disable ocserv.service
sudo systemctl disable ocserv.socket
sudo systemctl daemon-reload
sudo systemctl start ocserv
sudo systemctl enable ocserv

After reconnecting, tcpdump shows the traffic is UDP now, and the speed test is noticeably faster...
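As an added example (not code from the original post or from ocserv), a small shell script that makes the unit-file edit above repeatable and checks the result: it comments out the two socket references in ocserv.service, keeping a backup, and checks that a tcpdump capture shows UDP (DTLS) traffic on the VPN port. The unit contents and the capture lines are constructed samples, and the ExecStart path is assumed.

```shell
#!/bin/sh
# Constructed sample of the lines that matter in ocserv.service; the real
# Debian unit has more lines, but only the two socket references change.
SAMPLE_UNIT='[Unit]
Description=OpenConnect SSL VPN server
Requires=ocserv.socket
After=network-online.target

[Service]
ExecStart=/usr/sbin/ocserv --foreground --pid-file /run/ocserv.pid --config /etc/ocserv/ocserv.conf

[Install]
WantedBy=multi-user.target
Also=ocserv.socket'

# Constructed tcpdump lines: one TCP/443 TLS packet and two UDP/443 DTLS
# packets, the pattern you want to see after the fix.
SAMPLE_TCPDUMP='12:00:00.000001 IP 10.0.0.2.51234 > 203.0.113.10.443: Flags [P.], seq 1:101, ack 1, length 100
12:00:00.000002 IP 10.0.0.2.51235 > 203.0.113.10.443: UDP, length 1380
12:00:00.000003 IP 203.0.113.10.443 > 10.0.0.2.51235: UDP, length 1380'

# Comment out the socket-activation references in a unit file, keeping a
# .bak copy so the change can be reverted (run daemon-reload afterwards).
strip_socket_deps() {
    unit="$1"
    cp "$unit" "$unit.bak"
    sed -e 's/^\(Requires=ocserv\.socket\)$/#\1/' \
        -e 's/^\(Also=ocserv\.socket\)$/#\1/' "$unit.bak" > "$unit"
}

# Return 0 when the unit no longer has an active reference to ocserv.socket.
socket_deps_removed() {
    ! grep -Eq '^(Requires|Also)=ocserv\.socket' "$1"
}

# Return 0 when a tcpdump capture (passed as text) shows UDP traffic on the
# VPN port, i.e. DTLS is really in use rather than only TCP TLS.
dtls_seen() {
    printf '%s\n' "$1" | grep -q '\.443: UDP, '
}

# Stand-alone usage against the real unit (needs root):
#   strip_socket_deps /lib/systemd/system/ocserv.service && systemctl daemon-reload
```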

This time it's the ROBOT attack on PKCS #1 v1.5, and Cisco isn't planning to fix it...

A security issue found back in 1998, whose workaround is complicated enough that not every vendor got the fix right, has been broken again 19 years later. This one is called ROBOT: "1998 attack that messes with sites’ secret crypto keys is back in a big way".

You can see the table of affected vendors:

This attack can't be fixed on the client side, only on the server side:

Do I need to update my browser?
No. This is an implementation bug in servers, there is nothing clients can do to prevent it.

If the server side can't be fixed quickly, avoiding RSA encryption sidesteps the problem, and since modern browsers all have non-RSA alternatives, doing so should still leave a fallback so connections keep working:

Disable RSA encryption!
ROBOT only affects TLS cipher modes that use RSA encryption. Most modern TLS connections use an Elliptic Curve Diffie Hellman key exchange and need RSA only for signatures. We believe RSA encryption modes are so risky that the only safe course of action is to disable them. Apart from being risky these modes also lack forward secrecy.

But if you use Cisco ACE you're out of luck, because Cisco ACE only supports RSA encryption, and Cisco has already shut down the product line, no longer maintains it and has no plan to provide an update, so it's a dead end...

Then again, Cisco itself is still using Cisco ACE, so it's a case of "if you don't care, it doesn't hurt" XD

I have a Cisco ACE device.
Cisco informed us that the ACE product line was discontinued several years ago and that they won't provide an update. Still, we found plenty of vulnerable hosts that use these devices.

These devices don't support any other cipher suites, therefore disabling RSA is not an option. To our knowledge it is not possible to use these devices for TLS connections in a secure way.

However, if you use these products you're in good company: As far as we can tell Cisco is using them to serve the cisco.com domain.

RCE vulnerabilities in Cisco and Fortinet firewalls

The NSA used these vulnerabilities to eavesdrop on corporate traffic at scale: "Leaked Exploits are Legit and Belong to NSA: Cisco, Fortinet and Snowden Docs Confirm".

Cisco has confirmed the security vulnerability; the whole product line is affected, including the discontinued Cisco PIX, the previous-generation Cisco ASA 5500 (some models of which are still sold), and the current mainline Cisco ASA 5500-X, as well as the security module series: "Cisco Adaptive Security Appliance SNMP Remote Code Execution Vulnerability".

  • Cisco ASA 5500 Series Adaptive Security Appliances
  • Cisco ASA 5500-X Series Next-Generation Firewalls
  • Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • Cisco ASA 1000V Cloud Firewall
  • Cisco Adaptive Security Virtual Appliance (ASAv)
  • Cisco Firepower 4100 Series
  • Cisco Firepower 9300 ASA Security Module
  • Cisco Firepower Threat Defense Software
  • Cisco Firewall Services Module (FWSM)*
  • Cisco Industrial Security Appliance 3000
  • Cisco PIX Firewalls*

The ones marked with an asterisk are products that are no longer maintained; they have been confirmed as affected but will not be updated:

Cisco Firewall Service Modules and Cisco PIX Firewalls have passed the last day of software support milestone as stated in the published End of Life (EoL) documents. Further investigations into these devices will not be performed, and fixed software will not be made available.

This Cisco security issue comes from a hole in SNMP:

Administrators are advised to allow only trusted users to have SNMP access and to monitor affected systems using the snmp-server host command.

The NSA used this hole to write exploits that implant into the system:

This flaw was included inside two NSA exploits, dubbed EPICBANANA as well as JETPLOW, which is an enhanced version of EPICBANANA, but with better persistence capabilities, Cisco's Omar Santos said in a blog post.

The leaked NSA documents show the special identifier string ace02468bdf13579, and the same trace was found on infected samples:

And it's not only Cisco; several other vendors are affected too. See "The NSA Leak Is Real, Snowden Documents Confirm" for more information @_@

Stack Overflow publishes its 2016 architecture

Stack Overflow has published its current system architecture as of 2016: "Stack Overflow: The Architecture - 2016 Edition".

How important Stack Overflow is can be seen from an image that went around Twitter a while ago and gave everyone a good laugh:

As the most important debugging (!!) resource for today's "code monkeys" (!), and one of the few well-known sites built on ASP.NET and Microsoft SQL Server for the web and database tiers, and hosted in a traditional IDC colocation facility rather than on a cloud service, everyone is curious how they put it together.

The last time Stack Overflow's architecture was made public was the end of 2013 (see "Stack Overflow 的現況..." which I wrote at the time); this update comes more than two years later, and there is a lot that can be cross-compared.

The more interesting part is the explanation of the performance gains. I expected them to say it was because they improved the efficiency of the code or some similar reason, but they say outright that it was because they bought new machines XDDD:

You may be wondering about the drastic ASP.Net reduction in processing time compared to 2013 (which was 757 hours) despite 61 million more requests a day. That’s due to both a hardware upgrade in early 2015 as well as a lot of performance tuning inside the applications themselves.

Another thing I found interesting is the Cisco ASR-1001 and ASR-1001-x; not sure why they picked that series, I'll ask a friend at Cisco some day...

They also use Websockets for some interesting things:

We use websockets to push real-time updates to users such as notifications in the top bar, vote counts, new nav counts, new answers and comments, and a few other bits.

They also found that some browser connections have been open for 18 months (hey!); perhaps someone should check whether those people are still alive:

Fun fact: some of those browsers have been open for over 18 months. We’re not sure why. Someone should go check if those developers are still alive.

My guess is someone opened a browser on a production server to look something up and never closed it, so it just stays connected...

Cisco releases a tool to detect whether a backdoor has been implanted

A few days ago in "在 Cisco Router 上被植入的後門" I mentioned backdoors being implanted in Cisco routers; I just saw on Zite that Cisco has released a checking tool: "Cisco released a tool to scan for SYNful_Knock implants".

The tool is written in Python and can be downloaded from "Talos Intel - Synful Knock Scanner", but that site is not protected by HTTPS, and the hash given on the site has no PGP signature, so there is no root of trust to start from...

Looking through Cisco's official information, "SYNful Knock Scanner" also provides the hash; use the value there to verify the download, which is the best verification currently possible.

A backdoor implanted in Cisco routers

FireEye published a post on a backdoor found implanted in Cisco routers: "SYNful Knock - A Cisco router implant - Part I".

The implanted routers were found spread across four countries:

Mandiant can confirm the existence of at least 14 such router implants spread across four different countries: Ukraine, Philippines, Mexico, and India.

These models were included:

  • Cisco 1841 router
  • Cisco 2811 router
  • Cisco 3825 router

The backdoor's distinguishing feature is that it is activated by special packets:

SYNful Knock is a stealthy modification of the router's firmware image that can be used to maintain persistence within a victim's network. It is customizable and modular in nature and thus can be updated once implanted. Even the presence of the backdoor can be difficult to detect as it uses non-standard packets as a form of pseudo-authentication.

The key point is that it turns off the memory protection mechanism (everything becomes RW):

The malware forces all TLB Read and Write attributes to be Read-Write (RW). We believe this change is made to support the hooking of IOS functions by loaded modules.

The post also points to a Cisco article on how to dump the image for analysis: "Offline Analysis of IOS Image Integrity".

Cisco develops a new video codec: Thor

Cisco is developing a new video codec to compete with HEVC (H.265); the project is called Thor: "World, Meet Thor – a Project to Hammer Out a Royalty Free Video Codec".

No surprise, patent issues are the main reason:

Unfortunately, the patent licensing situation for H.265 has recently taken a turn for the worse. Two distinct patent licensing pools have formed so far, and many license holders are not represented in either. There is just one license pool for H.264. The total costs to license H.265 from these two pools is up to sixteen times more expensive than H.264, per unit. H.264 had an upper bound on yearly licensing costs, whereas H.265 has no such upper limit.

But the description at the very start calling VP9 "proprietary" is baffling:

There are two of note – Google’s proprietary VP9 codec, and the industry standard H.265 (HEVC) codec, which is the successor to H.264 (AVC).

Scrolling down to the comments, sure enough someone raised it:

How exactly is VP9 more "proprietary" than Thor? Both are open sourced under BSD license, both are royalty free, both are intended to be unencumbered by patents. Are you defining "proprietary" as "not controlled by Cisco"?

No idea what they're playing at...

BGPmon launches BGP Stream to warn about abnormal BGP hijacks

Also news from two weeks ago: "OpenDNS BGP Stream Twitter Feed" reports that BGPmon will launch the BGP Stream service, which posts detected BGP anomalies to Twitter.

BGPmon was acquired by OpenDNS a few months ago (March 2015), and Cisco acquired OpenDNS at the end of the month before last (June 2015). More details will be revealed at DefCon 23 in a few days.

The data leaked from Hacking Team a while back showed BGP hijacking being used to regain control:

That nugget that emerged from the 400 Gb of stolen Hacking Team data posted online where Italian law enforcement used Hacking Team’s Remote Control System monitoring software to regain control over a number of IP addresses it was watching that were already infected with Hacking Team software by hijacking BGP routes in order to redirect traffic and regain control over a target’s machines.

Besides alerting, signing for BGP is becoming more and more important too; it's just unclear how it will end up being done...