Superfish - Advert injection in SSL @ DC4420

Joint talk with Marc Rogers at Defcon London

Filippo Valsorda

February 24, 2015

Transcript

  1. Lenovo, Superfish, Komodia & PrivDog, or "How not to intercept SSL traffic on the fly"
     Marc Rogers & Filippo Valsorda
  2. Superfish
     Company created in 2006. Founded by Adi Pinhas (ex-Intel, ex-IDF).
     Several products before Superfish: Window Shopper, Awesome Screenshot extension. All adware with image recognition capability: identify products and display related adverts.
     LOTS of complaints online.
     Installed by Lenovo on new consumer Windows machines since Aug 2014.
  3. How it works
     Superfish needs to look inside HTTP to collect data and inject adverts.
     • SSL is a problem.
     • MITM is the solution.
     SSL is terminated on the app and airgapped: the browser negotiates SSL with the app, the app negotiates SSL with the origin.
     The app:
     • installs an unrestricted root CA in the system store
     • signs fake certificates with the origin's name to fool user & browser
     • performs limited certificate checks; if the origin certificate fails, it uses verify_fail for the fake cert to trigger a warning
     • forgets to check "Alternate Names" - DOH.
  4. But wait, there's more
     Superfish offers the origin some "interesting" ciphers:
     TLS_RSA_DSS_EXPORT_WITH_DES40_CBC_SHA ???
     TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 ??
     TLS_RSA_EXPORT_WITH_RC4_40_MD5 ??
     Yes, these are 40-bit export-only keys.
  5. Why the long face?
     Private key is bundled in the app. Extraction is trivial and takes a few minutes.
     Certificate is RSA-1024 with SHA1.
     But that isn't even the worst bit..... private key password is the company name!
     • Trivial to use this to generate certs for interception
       ◦ works for code signing too
     • This unrestricted private root also breaks pinning
     Finally, if affected you have no way of knowing if your connection is secure
     • Based on the ciphers being negotiated it probably isn't.
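The name-checking and cipher points from slides 3 to 5 as an added example in Python (written for this page, not code from the talk or from any of the products discussed). It assumes the certificate dict shape that Python's `ssl.SSLSocket.getpeercert()` returns; the sample certificates and the hostnames under `example.test` are constructed. It shows the verdict an interceptor that checks only the CN reaches next to the verdict a SAN-aware verifier (every browser) reaches, and flags the 40-bit export suites by name.

```python
"""Added example, not code from the talk or from Superfish/Komodia/PrivDog.

Two checks a TLS-intercepting proxy (or anyone auditing one) must get right:
  * hostname verification that treats subjectAltName as authoritative
    (slide 3: "forgets to check Alternate Names"), and
  * refusing 40-bit export suites like those in slide 4.
Certificates are handled in the dict shape that ssl.SSLSocket.getpeercert()
returns; the SAMPLE_CERTS below are constructed for this example.
"""
import socket
import ssl

# Constructed sample certificates (not real, not from the talk).
SAMPLE_CERTS = {
    # Ordinary cert: CN and SAN agree.
    "normal": {
        "subject": ((("commonName", "www.example.test"),),),
        "subjectAltName": (("DNS", "www.example.test"), ("DNS", "example.test")),
    },
    # CN names one host, SAN names another: a CN-only checker and a
    # SAN-aware browser reach different verdicts for "shop.example.test".
    "cn_san_diverge": {
        "subject": ((("commonName", "other.example.test"),),),
        "subjectAltName": (("DNS", "shop.example.test"),),
    },
    # Legacy cert with a wildcard CN and no SAN at all.
    "wildcard_cn_only": {
        "subject": ((("commonName", "*.example.test"),),),
    },
}


def _common_name(cert):
    """Return the subject commonName, or None if absent."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def _san_dns_names(cert):
    """Return the DNS entries of subjectAltName (empty if there is no SAN)."""
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def _label_match(pattern, hostname):
    """Match one name against a hostname; a single '*' is allowed only as the
    whole left-most label (the common subset of the RFC 6125 rules)."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if p.startswith("*."):
        p_labels, h_labels = p.split("."), h.split(".")
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return p == h


def cn_only_matches(cert, hostname):
    """The broken check: consult the CN and ignore subjectAltName."""
    cn = _common_name(cert)
    return cn is not None and _label_match(cn, hostname)


def san_aware_matches(cert, hostname):
    """The correct check: if the cert carries DNS SANs they are authoritative
    and the CN is ignored; only a SAN-less cert falls back to the CN."""
    names = _san_dns_names(cert)
    if names:
        return any(_label_match(n, hostname) for n in names)
    return cn_only_matches(cert, hostname)


def is_export_grade(cipher_name):
    """Flag 40-bit export suites by name, in both IANA spelling
    (TLS_RSA_EXPORT_WITH_RC4_40_MD5) and OpenSSL spelling (EXP-RC4-MD5)."""
    n = cipher_name.upper()
    return n.startswith("EXP") or "EXPORT" in n or "_40_" in n or "DES40" in n


def assess(cert, hostname, cipher_name):
    """Return the list of findings for one observed connection."""
    findings = []
    cn_ok = cn_only_matches(cert, hostname)
    san_ok = san_aware_matches(cert, hostname)
    if not san_ok:
        findings.append("hostname-mismatch")
    if cn_ok != san_ok:
        # An interceptor that checks only the CN and a browser that checks
        # the SAN disagree about this certificate: exactly the slide 3 gap.
        findings.append("cn-san-divergence")
    if is_export_grade(cipher_name):
        findings.append("export-cipher")
    return findings


def probe(hostname, port=443, timeout=10):
    """Live helper (needs network): fetch the certificate and cipher the
    local trust store accepts for hostname, then run assess() on them."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert, cipher = tls.getpeercert(), tls.cipher()[0]
    return cert, cipher, assess(cert, hostname, cipher)


if __name__ == "__main__":
    for label, cert in SAMPLE_CERTS.items():
        print(label, assess(cert, "shop.example.test", "TLS_RSA_EXPORT_WITH_RC4_40_MD5"))
```

`probe()` runs against the trust store of the machine it is executed on, so on an affected machine it returns whatever the interceptor forged rather than the origin's certificate; `assess()` on that result is the offline part of the check.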
  6. But it isn't just Superfish.. Introducing Komodia
     • Based on the private key password "komodia" we looked at Komodia
       ◦ Komodia is a manufacturer of SSL interception products
     • Most of their apps appear to use the same SDK as Superfish.
     • Some have Ring0 and some have Ring3 rootkits!
     • 14 different apps so far
       ◦ Parental control apps
       ◦ DLP apps
       ◦ Anti-malware and security apps (LOL)
     • Each product a different, unique, extractable fake root CA
     • Unsurprisingly all behave just like Superfish
       ◦ All vulnerable to the Alternative Names spoof
       ◦ All private keys use the same key - Komodia
  7. Komodia
     • Has disappeared
     • Site is down due to "DDoS"
       ◦ Allegedly.
     • Claim the design flaws were introduced by 3rd parties like Superfish and all risks are theoretical anyway.
     • Apparently 14 different companies all introduced the same flaw independently.
  9. PrivDog
     "Who Can You Trust? Trust PrivDog®"
     Replaces ads with "ads from a trusted source". Promoted by the Comodo Group.
  10. PrivDog v3
     Same story. SSL MitM. Installs root CA. Uses NetFilter SDK, but... without remote certificate validation. At all.
  11. Detection - the Badfish test
     Try to load an <img> or <script> from a domain that is...
     • Superfish: signed with its root
     • Komodia: with the domain name in the SAN
     • PrivDog: ( )
  12. Detection - on your machine
     • Load filippo.io/Badfish
     • Audit the CA root store (also Firefox's!)
     • (Superfish) Run Windows Defender
  13. Credits
     • Mike Shaver - "hey, that's funny"
     • Chris Palmer - "woah, that's bad"
     • Karl Koscher - "hey, here's a certificate"
     • Rob Graham - "hey, here's a key"
     • @TheWack0lian - "here are more keys"