Sondag 30 Augustus 2020

PKCE: What Can(Not) Be Protected


This post is about PKCE [RFC7636], a protection mechanism for OAuth and OpenIDConnect designed for public clients to detect the authorization code interception attack.
At the beginning of our research, we wrongly believed that PKCE protects mobile and native apps from the so called „App Impersonation" attacks. Considering our ideas and after a short discussion with the authors of the PKCE specification, we found out that PKCE does not address this issue.
In other words, the protection of PKCE can be bypassed on public clients (mobile and native apps) by using a maliciously acting app.

OAuth Code Flow


In Figure 1, we briefly introduce how the OAuth flow works on mobile apps and show show the reason why we do need PKCE.
In our example the user has two apps installed on the mobile phone: an Honest App and an Evil App. We assume that the Evil App is able to register the same handler as the Honest App and thus intercept messages sent to the Honest App. If you are more interested in this issue, you can find more information here [1].

Figure 1: An example of the "authorization code interception" attack on mobile devices. 

Step 1: A user starts the Honest App and initiates the authentication via OpenID Connect or the authorization via OAuth. Consequentially, the Honest App generates an Auth Request containing the OpenID Connect/OAuth parameters: client_id, state, redirect_uri, scope, authorization_grant, nonce, …. 
Step 2: The Browser is called and the Auth Request is sent to the Authorization Server (usually Facebook, Google, …).
  • The Honest App could use a Web View browser. However, the current specification clearly advice to use the operating system's default browser and avoid the usage of Web Views [2]. In addition, Google does not allow the usage of Web View browser since August 2016 [3].
Step 3: We asume that the user is authenticated and he authorizes the access to the requested resources. As a result, the Auth Response containing the code is sent back to the browser.

Step 4: Now, the browser calls the Honest App registered handler. However, the Evil App is registered on this handler too and receives the code.

Step 5: The Evil App sends the stolen code to the Authorization Server and receives the corresponding access_token in step 6. Now, the Evil App can access the authorized ressources.
  • Optionally, in step 5 the App can authenticate on the Authorization Server via client_id, client_secret. Since, Apps are public clients they do not have any protection mechanisms regarding the storage of this information. Thus, an attacker can easy get this information and add it to the Evil App.

    Proof Key for Code Exchange - PKCE (RFC 7636)

    Now, let's see how PKCE does prevent the attack. The basic idea of PKCE is to bind the Auth Request in Step 1 to the code redemption in Step 5. In other words, only the app generated the Auth Request is able to redeem the generated code.


    Figure 2: PKCE - RFC 7636 

    Step 1: The Auth Request is generated as previosly described. Additionally, two parameters are added:
    • The Honest App generates a random string called code_verifier
    • The Honest App computes the code_challenge=SHA-256(code_verifier)
    • The Honest App specifies the challenge_method=SHA256

    Step 2: The Authorization Server receives the Auth Request and binds the code to the received code_challenge and challenge_method.
    • Later in Step 5, the Authorzation Server expects to receive the code_verifier. By comparing the SHA-256(code_verifier) value with the recieved code_challenge, the Authorization Server verifies that the sender of the Auth Request ist the same as the sender of the code.
    Step 3-4: The code leaks again to the Evil App.

    Step 5: Now, Evil App must send the code_verifier together with the code. Unfortunatelly, the App does not have it and is not able to compute it. Thus, it cannot redeem the code.

     PKCE Bypass via App Impersonation

    Again, PKCE binds the Auth Request to the coderedemption.
    The question rises, if an Evil App can build its own Auth Request with its own code_verifier, code_challenge and challenge_method.The short answer is – yes, it can.

    Figure 3: Bypassing PKCE via the App Impersonation attack
    Step 1: The Evil App generates an Auth Request. The Auth Request contains the client_id and redirect_uri of the Honest App. Thus, the User and the Authorization Server cannot recognize that the Evil App initiates this request. 

    Step 2-4: These steps do not deviate from the previous description in Figure 2.

    Step 5: In Step 5 the Evil App sends the code_verifier used for the computation of the code_challenge. Thus, the stolen code can be successfully redeemed and the Evil App receives the access_token and id_token.

    OAuth 2.0 for Native Apps

    The attack cannot be prevented by PKCE. However, the IETF working group is currently working on a Draft describing recommendations for using OAuth 2.0 for native apps.

    References

    Vladislav Mladenov
    Christian Mainka (@CheariX)

    Related articles


    $$$ Bug Bounty $$$

    What is Bug Bounty ?



    A bug bounty program, also called a vulnerability rewards program (VRP), is a crowdsourcing initiative that rewards individuals for discovering and reporting software bugs. Bug bounty programs are often initiated to supplement internal code audits and penetration tests as part of an organization's vulnerability management strategy.




    Many software vendors and websites run bug bounty programs, paying out cash rewards to software security researchers and white hat hackers who report software vulnerabilities that have the potential to be exploited. Bug reports must document enough information for for the organization offering the bounty to be able to reproduce the vulnerability. Typically, payment amounts are commensurate with the size of the organization, the difficulty in hacking the system and how much impact on users a bug might have.


    Mozilla paid out a $3,000 flat rate bounty for bugs that fit its criteria, while Facebook has given out as much as $20,000 for a single bug report. Google paid Chrome operating system bug reporters a combined $700,000 in 2012 and Microsoft paid UK researcher James Forshaw $100,000 for an attack vulnerability in Windows 8.1.  In 2016, Apple announced rewards that max out at $200,000 for a flaw in the iOS secure boot firmware components and up to $50,000 for execution of arbitrary code with kernel privileges or unauthorized iCloud access.


    While the use of ethical hackers to find bugs can be very effective, such programs can also be controversial. To limit potential risk, some organizations are offering closed bug bounty programs that require an invitation. Apple, for example, has limited bug bounty participation to few dozen researchers.

    Related word


    1. Pentest Tools
    2. Hacker Tools For Pc
    3. Free Pentest Tools For Windows
    4. Pentest Tools Find Subdomains
    5. Pentest Tools Kali Linux
    6. Hack Tools For Ubuntu
    7. Hacker Tools Hardware
    8. Hacker Tool Kit
    9. Black Hat Hacker Tools
    10. Pentest Tools Bluekeep
    11. Hacker Security Tools
    12. Hacking Tools Windows
    13. Hack Tools For Mac
    14. Hacker Tools Apk Download
    15. Pentest Tools List
    16. How To Hack
    17. Pentest Tools Alternative
    18. Hack Tools Mac
    19. Best Pentesting Tools 2018
    20. Hacker Tools Apk Download
    21. Pentest Tools For Windows
    22. Termux Hacking Tools 2019
    23. Hack Website Online Tool
    24. Hacking Tools Online
    25. Computer Hacker
    26. Hacker Tools 2020
    27. Hacker Tools Software
    28. Pentest Tools For Android
    29. Hacker Tools Free
    30. Hacking Tools For Windows
    31. Hacker Tools For Ios
    32. Hacking Tools Windows
    33. Hacker Tools Mac
    34. Hacker Tools List
    35. Hacker Tool Kit
    36. Pentest Automation Tools
    37. Blackhat Hacker Tools
    38. Pentest Tools Download
    39. Pentest Tools Free
    40. Kik Hack Tools
    41. Hak5 Tools
    42. Usb Pentest Tools
    43. Black Hat Hacker Tools
    44. Hacker Tools 2020
    45. Beginner Hacker Tools
    46. Hacker Tools Software
    47. Pentest Tools Url Fuzzer
    48. Hack Tools 2019
    49. Hacker Tools
    50. Top Pentest Tools
    51. Hacking Tools Online
    52. Tools 4 Hack
    53. Hacking Tools For Kali Linux
    54. Best Pentesting Tools 2018
    55. Termux Hacking Tools 2019
    56. Hacking Tools Name
    57. Hacking Tools Github
    58. Pentest Tools For Ubuntu
    59. Hacker Hardware Tools
    60. Hacking Tools Hardware
    61. Hack Tools
    62. Blackhat Hacker Tools
    63. Kik Hack Tools
    64. Black Hat Hacker Tools
    65. Hacker Tools
    66. Kik Hack Tools
    67. Hacking Tools 2020
    68. Pentest Tools For Android
    69. Growth Hacker Tools
    70. Hack Tools Online
    71. Game Hacking
    72. Hacking Tools For Windows
    73. Best Hacking Tools 2019
    74. Pentest Tools Website Vulnerability
    75. Hacker Tools Free Download
    76. Hack Tools Pc
    77. Hack Tools
    78. Pentest Tools Open Source
    79. Hack Tools 2019
    80. Hacking Tools Hardware
    81. Pentest Tools Linux
    82. Hacking Tools Kit
    83. Pentest Tools Free
    84. Hacking Tools Software
    85. Hacker Tools Software
    86. Best Hacking Tools 2019
    87. Hacker Tools Apk
    88. Hacker Tools Online
    89. Android Hack Tools Github
    90. Hacker Tools Apk Download
    91. Hacks And Tools
    92. Computer Hacker
    93. Hacker Techniques Tools And Incident Handling
    94. Pentest Tools Windows
    95. Hack Tools For Games
    96. Hacker Tool Kit
    97. Hacker Tools List
    98. Growth Hacker Tools
    99. Hacking Tools Github
    100. Physical Pentest Tools
    101. Pentest Tools Port Scanner
    102. Hacker Tools Github
    103. Pentest Tools For Android
    104. Hack App
    105. Hack Tools For Windows
    106. Hack Tools Github
    107. Hacker Hardware Tools
    108. Hacker Tools For Windows
    109. Hack Tools Pc
    110. Hacker Tools Free
    111. Nsa Hack Tools Download
    112. Hacking Tools For Pc
    113. Pentest Tools Website Vulnerability
    114. Nsa Hack Tools Download
    115. Hacker Tools Free
    116. Best Hacking Tools 2020
    117. Pentest Tools Port Scanner
    118. Hack Tool Apk No Root
    119. Pentest Tools Tcp Port Scanner
    120. Hacks And Tools
    121. Pentest Tools Windows
    122. Pentest Tools For Windows
    123. Pentest Tools Kali Linux
    124. Github Hacking Tools
    125. Hack Tool Apk
    126. Hacking Tools Download
    127. Tools For Hacker
    128. Hack Tools For Pc
    129. Hacking Tools Windows
    130. Pentest Tools Website Vulnerability
    131. Kik Hack Tools
    132. Tools For Hacker
    133. Hacker Tools 2019
    134. Ethical Hacker Tools
    135. Game Hacking
    136. Hacking Tools Pc
    137. Blackhat Hacker Tools
    138. Pentest Tools List
    139. Usb Pentest Tools
    140. Pentest Tools Linux
    141. Hacker Tools Github
    142. Pentest Tools Bluekeep
    143. Free Pentest Tools For Windows
    144. Bluetooth Hacking Tools Kali
    145. Ethical Hacker Tools
    146. Hacking Tools
    147. Hack And Tools
    148. Hacker
    149. Hacking Tools For Beginners
    150. Pentest Tools Online
    151. What Are Hacking Tools
    152. Hacker Tools
    153. Hacker Tools List
    154. Hack Tools Online
    155. Hacker Search Tools
    156. Hack Tool Apk No Root
    157. Hacking Tools For Games
    158. Hacker Tools Linux
    159. Hacker Hardware Tools
    160. What Are Hacking Tools

    Linux Stack Protection By Default

    Modern gcc compiler (v9.2.0) protects the stack by default and you will notice it because instead of SIGSEGV on stack overflow you will get a SIGABRT, but it also generates coredumps.




    In this case the compiler adds the variable local_10. This variable helds a canary value that is checked at the end of the function.
    The memset overflows the four bytes stack variable and modifies the canary value.



    The 64bits canary 0x5429851ebaf95800 can't be predicted, but in specific situations is not re-generated and can be bruteforced or in other situations can be leaked from memory for example using a format string vulnerability or an arbitrary read wihout overflowing the stack.

    If the canary doesn't match, the libc function __stack_chck_fail is called and terminates the prorgam with a SIGABORT which generates a coredump, in the case of archlinux managed by systemd and are stored on "/var/lib/systemd/coredump/"


    ❯❯❯ ./test 
    *** stack smashing detected ***: terminated
    fish: './test' terminated by signal SIGABRT (Abort)

    ❯❯❯ sudo lz4 -d core.test.1000.c611b7caa58a4fa3bcf403e6eac95bb0.1121.1574354610000000.lz4
    [sudo] password for xxxx: 
    Decoding file core.test.1000.c611b7caa58a4fa3bcf403e6eac95bb0.1121.1574354610000000 
    core.test.1000.c611b : decoded 249856 bytes 

     ❯❯❯ sudo gdb /home/xxxx/test core.test.1000.c611b7caa58a4fa3bcf403e6eac95bb0.1121.1574354610000000 -q 


    We specify the binary and the core file as a gdb parameters. We can see only one LWP (light weight process) or linux thread, so in this case is quicker to check. First of all lets see the back trace, because in this case the execution don't terminate in the segfaulted return.




    We can see on frame 5 the address were it would had returned to main if it wouldn't aborted.



    Happy Idea: we can use this stack canary aborts to detect stack overflows. In Debian with prevous versions it will be exploitable depending on the compilation flags used.
    And note that the canary is located as the last variable in the stack so the previous variables can be overwritten without problems.




    More information