Message-Id: <N1B-FPNZOFzzum@Safe-mail.net>
Date: Wed, 1 Apr 2015 15:11:46 -0400
From: "~~~ Elliptic TAO Team ~~~" <elliptic-tao@...e-mail.net>
To: bugtraq@...urityfocus.com
Subject: SECUREDROP >= 0.3 - Possible Backdoor & Privileges Escalation by Unauth User
___________.__ .__ .__ __ .__ ________________ ________
\_ _____/| | | | |__|______/ |_|__| ____ \__ ___/ _ \ \_____ \
| __)_ | | | | | \____ \ __\ |/ ___\ | | / /_\ \ / | \
| \| |_| |_| | |_> > | | \ \___ | |/ | \/ | \
/_______ /|____/____/__| __/|__| |__|\___ > |____|\____|__ /\_______ /
\/ |__| \/ \/ \/
___________ ___
\__ ___/___ _____ _____ / _ \_/\ ___ ______ ______ ___
| |_/ __ \\__ \ / \ \/ \___/ \ \/ /\ \/ /\ \/ /
| |\ ___/ / __ \| Y Y \ > < > < > <
|____| \___ >____ /__|_| / /__/\_ \/__/\_ \/__/\_ \
\/ \/ \/ \/ \/ \/
~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#
SECURITY VULNERABILITY - SECUREDROP >= 0.3
Possible Backdoor & Privileges Escalation by Unauth User
2015-04-01 by ~~~ Elliptic TAO Team ~~~
~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#
Hello fellow Internet users,
On this great day, when all the tech companies and fresh startups make
fun of you by presenting incredible new products and try to fool you
into believing in something that is not there, we will not.
We tell nothing but the truth; we are, in a way, whistleblowers.
~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#
~~~Elliptic TAO Team~~~ is the nom de plume of a cyber-warfare
intelligence-gathering unit within the SIGINT forces of a Sovereign State. It
has been active since 2009 identifying, reviewing, monitoring, infiltrating and
gathering intelligence on computer systems used by Foreign entities (-:
~~~Elliptic TAO Team~~~ has discovered several critical vulnerabilities
affecting this overly hyped software.
The first vulnerability we are releasing today appears to be a BACKDOOR
PURPOSELY (?) INSTALLED BY THE CORE DEV TEAM and present in EVERY INSTALLATION
of the SecureDrop whistleblowing software. It allows ARBITRARY ACCESS, DATA
DOWNLOAD, USER CREDENTIAL COMPROMISE and IMPERSONATION OF JOURNALISTS on the platform.
The backdoor was inserted by the Freedom of the Press Foundation to pose a
threat to every company, organization and private party using the platform
and to allow a Foreign Force to persistently and programmatically monitor
communications, download content and impersonate administrators.
SecureDrop is an open-source software platform for secure communication between
journalists and sources (whistleblowers). It was originally designed and
developed by Aaron Swartz and Kevin Poulsen under the name DeadDrop.
After Aaron Swartz's death, the first instance of the platform
was launched under the name Strongbox by staff at The New Yorker on 15 May
2013. The Freedom of the Press Foundation took over development of DeadDrop
under the name SecureDrop, and has since assisted with its installation (and
backdooring) at several news organizations, including ProPublica, The
Intercept, The Guardian, and The Washington Post.
The Freedom of the Press Foundation (FPF) subsequently and willingly modified the
original secure source code to include a software backdoor that allows any user
in possession of the following information to exploit it and gain ADMINISTRATIVE
POWER on every installation deployed on the internet right now.
It is a travesty that the code of the deceased Aaron Swartz has been meddled with
in such a way.
The FPF has so far successfully infiltrated a variety of media agencies,
both in the United States and abroad. It has managed to do so
by exploiting the trustworthiness of PsyOp Agent Snowden (POPAS) to convince
grassroots organisations and media entities alike that they should use SecureDrop.
POPAS has exposed to the world the supposed wrongdoings of the US government agency NSA,
but it is quite likely that this is a Psychological Operation led by the United States
to instill fear and distrust in citizens, leading them to ask for greater security.
This fear and distrust is used to steer the public towards software solutions that often
do little to improve their actual security and that, in this particular case, in fact
compromise it.
This is just another clue leading us to believe that the activities of POPAS and FPF
are in reality guided by handlers inside the US government.
With this backdoor FPF and their possible co-conspirators can:
* log in, create users, access confidential information
* disable other administrators
* change passwords of other journalists
* log in as other journalists and see whether they have received something
* see how many communications journalists are receiving and when
* download their data
* write answers to whistleblowers on behalf of their colleagues
* delete journalists' material
The timing of the backdoor's inclusion in the software is also interesting.
It was committed to the source code just after a "security review" by a team of
researchers from the University of Washington.
This also coincided with summer vacations, so probably not many people were looking
at the commits during that time.
If we were asked to suggest a better time to commit a backdoor to a piece of software, we
would not advise any differently.
If you still have doubts about the willingness to backdoor the software,
take a look at the package repository: after backdooring the 0.3
version, the versions previously available were removed from the download
pool so that only the backdoored one is offered:
<https://apt.pressfreedomfoundation.org/pool/main/s/securedrop/>
~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#
WEBSITES EXPLOITABLE BY THE BACKDOOR
~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#
These major sites have been confirmed to be exploitable:
* Forbes https://safesource.forbes.com
* The Guardian https://securedrop.theguardian.com
* The Intercept https://firstlook.org/theintercept/securedrop
* The New Yorker https://projects.newyorker.com/strongbox
* The Washington Post https://ssl.washingtonpost.com/securedrop
* Wired's Kevin Poulsen poulsensqiv6ocq4.onion
* Greenpeace https://www.safesource.org.nz
* ProPublica https://securedrop.propublica.org
* BayLeaks https://bayleaks.com
Many more are potentially vulnerable such as ExposeFacts, NRKbeta, Project On
Gov't Oversight (POGO), Radio24syv, BalkanLeaks and any other installations
running 0.3.
~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#
AFFECTED VERSIONS
~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#
Affected versions:
- develop branch since Jul 29, 2014
- all versions present on their debian package repository:
https://apt.pressfreedomfoundation.org/pool/main/s/securedrop/
- securedrop-app-code-0.3-amd64.deb
- securedrop-app-code-0.3.1-amd64.deb
(interestingly, they had also released versions 0.3.2 and 0.3.3, both
vulnerable, but these have recently been removed from the repository)
User privileges needed in order to exploit the vulnerability: unauthenticated user
~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#
AUTHOR OF THE BACKDOOR AND OFFENDING COMMIT
~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#
The backdoor was added in the following commit:
<https://github.com/freedomofpress/securedrop/commit/98a99a19d3c7d56a20f6e842d7c6aabd3ca8c75d>
~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#
VULNERABILITY EVIDENCE
~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#
File /securedrop/journalist.py, lines 125-128, missing @admin_required
decorator:
125 @app.route('/admin/add', methods=('GET', 'POST'))
126 def admin_add_user():
127     # TODO: process form submission
128     return render_template("admin_add_user.html")
Note that, as quoted, the handler only renders the template; the form
submission itself is still marked TODO.
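As an added illustration (not code from this advisory or from the SecureDrop project), the following Python sketch models the access-control point above without Flask: the route as quoted, with no decorator, beside the same handler behind an admin_required guard, plus a route-table audit that lists every /admin/ path lacking that guard, which is the regression test a project would add after such a fix. The decorator names, the session keys logged_in and admin, and the Forbidden exception standing in for abort(403) are assumptions of this sketch; since the quoted handler only renders a template, only the authorization check is modelled.

```python
import functools


class Forbidden(Exception):
    """Stands in for Flask's abort(403) so this sketch runs without Flask (assumption)."""


def _guard(check, name):
    """Build a decorator that runs check(session) before the handler and tags
    the wrapper with the guard name so a route table can be audited."""
    def decorator(handler):
        @functools.wraps(handler)
        def wrapper(session, *args, **kwargs):
            if not check(session):
                raise Forbidden(name)
            return handler(session, *args, **kwargs)
        wrapper.guards = getattr(handler, "guards", ()) + (name,)
        return wrapper
    return decorator


# Session keys "logged_in" and "admin" are assumptions of this sketch.
login_required = _guard(lambda s: bool(s.get("logged_in")), "login_required")
admin_required = _guard(lambda s: bool(s.get("logged_in")) and bool(s.get("admin")),
                        "admin_required")


@login_required
def index(session):
    """An ordinary journalist page: any logged-in user may view it."""
    return "index.html"


def admin_add_user_unguarded(session):
    """The handler as quoted above: no decorator, so any session reaches it."""
    return "admin_add_user.html"


@admin_required
def admin_add_user_guarded(session):
    """The same handler behind the guard the advisory says is missing."""
    return "admin_add_user.html"


def status_for(handler, session):
    """HTTP status the application would send for this session: 200 or 403."""
    try:
        handler(session)
        return 200
    except Forbidden:
        return 403


def unguarded_admin_routes(routes):
    """Regression check: every path under /admin/ must carry admin_required.
    Returns the offending paths so a test suite can assert the list is empty."""
    return [path for path, handler in routes
            if path.startswith("/admin/")
            and "admin_required" not in getattr(handler, "guards", ())]


# Route tables as a Flask url_map would be walked (simplified).
VULNERABLE_ROUTES = [("/", index), ("/admin/add", admin_add_user_unguarded)]
FIXED_ROUTES = [("/", index), ("/admin/add", admin_add_user_guarded)]

# Three kinds of caller: anonymous, logged-in journalist, administrator.
ANON = {}
JOURNALIST = {"logged_in": True, "admin": False}
ADMIN = {"logged_in": True, "admin": True}

if __name__ == "__main__":
    for label, session in (("anonymous", ANON), ("journalist", JOURNALIST), ("admin", ADMIN)):
        print(label, "unguarded:", status_for(admin_add_user_unguarded, session),
              "guarded:", status_for(admin_add_user_guarded, session))
    print("unguarded /admin/ routes:", unguarded_admin_routes(VULNERABLE_ROUTES))
```

The audit relies on the decorator tagging its wrapper, so a handler that performs the check by hand inside its body would still be reported; that is deliberate, since the point of the check is to make the guard visible at the route table rather than buried in each handler.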
~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#
STEPS TO REPLICATE
~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#
Steps needed in order to reproduce and exploit the backdoor:
Install the development environment:
(https://www.vagrantup.com/download-archive/v1.6.5.html)
sudo dpkg -i vagrant.deb
sudo dpkg-reconfigure virtualbox-dkms
sudo apt-get install ansible/trusty-backport
sudo apt-get install ansible
git clone git@github.com:freedomofpress/securedrop.git
cd securedrop
vagrant up
vagrant ssh
cd /vagrant/securedrop
python journalist.sh
Exploit the vulnerability to add a new admin user:
open Firefox at /admin/add
enter a new user:
username: th3g4rd1n0fth3guardian
password: 12345
tick "I'm using a YubiKey"
insert the secret: 3132333435363738393031323334353637383930
press: add user
Log in with the new admin user:
open Firefox at /admin/login
enter the login info:
username: th3g4rd1n0fth3guardian
password: 12345
token: 755224
press: log in
where 755224 is the first token (counter 0) of the HOTP series for the
chosen secret. The secret (the ASCII string "12345678901234567890" in hex)
and the token are the test vector from RFC 4226:
<https://tools.ietf.org/html/rfc4226>
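For reference, here is an added Python implementation (not from this advisory or from SecureDrop) of the HOTP computation behind the token above. It reproduces the RFC 4226 Appendix D series from the hex secret given in the steps, and adds the server-side check a login form has to perform: a look-ahead window over counters, so that a just-created account with no counter yet accepts token 0, while a replay of an already-used counter is rejected. The default window of 20 counters and the "last counter = -1 for a new account" convention are assumptions of this example.

```python
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test secret: the ASCII string "12345678901234567890",
# i.e. the hex value entered in the YubiKey field in the steps above.
SECRET_HEX = "3132333435363738393031323334353637383930"


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, reduced modulo 10**digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hotp_series(secret_hex, count):
    """The first `count` tokens for a secret, in the order a YubiKey emits them."""
    secret = bytes.fromhex(secret_hex)
    return [hotp(secret, c) for c in range(count)]


def verify_hotp(secret_hex, token, last_counter, look_ahead=20):
    """Server-side check with a resynchronisation window (window size assumed).
    Accepts the token if it matches a counter in last_counter+1 .. last_counter+look_ahead
    and returns that counter, which the caller must store as the new last_counter.
    Returns None for a token outside the window or a replay of an older counter.
    A freshly created account is modelled with last_counter = -1, so counter 0 is valid."""
    secret = bytes.fromhex(secret_hex)
    for c in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(secret, c), token):
            return c
    return None


if __name__ == "__main__":
    for c, tok in enumerate(hotp_series(SECRET_HEX, 4)):
        print(c, tok)
    print("new account, token 755224 ->", verify_hotp(SECRET_HEX, "755224", -1))
    print("replay of 755224 after use ->", verify_hotp(SECRET_HEX, "755224", 0))
```

Storing the returned counter is the part implementations most often get wrong: if the server keeps accepting counter 0 after a successful login, the first token printed by any device whose secret is known becomes a permanent password.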
~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#
BACKDOOR POWERS
~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#
Enjoy the admin power!
* log in, create users, access confidential information
* disable other admins
* change passwords of other journalists
* log in as other journalists and see whether they have received something
* see how many communications journalists are receiving and when
* download journalists' data
* write answers to whistleblowers on behalf of journalists
* delete journalists' material
The backdoor can be used for:
* eavesdropping on all information submitted to a SecureDrop site
* proactive monitoring and OSINT gathering
* MITM of communication between journalists and whistleblowers
* erasing evidence and communication (silencing whistleblowers)
* gathering content programmatically from every SecureDrop installation
~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#
REMEDIATIONS
~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#
The Freedom of the Press Foundation has willingly removed the secure
previous versions from download, so the only remediation can be:
1. Uninstall and block access on EVERY installation.
2. Execute a complete and meticulous log analysis to spot backdoor access.
3. Avoid SecureDrop in any critical installation until further tests.
4. Be VERY SUSPICIOUS OF EVERYTHING COMING FROM FPF.
5. Be paranoid. Very paranoid.
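Remediation step 2 is the actionable one. As an added example (not from this advisory or from the SecureDrop project), the following Python scans Apache combined-format access-log lines for requests to /admin/add, tallies them by method and status, and flags the sequence used in the steps above: a POST to /admin/add followed shortly by a POST to the login form. The log lines are constructed for the example; the log format, the /login path and the five-minute window are assumptions. A journalist interface reached through a Tor hidden service typically logs 127.0.0.1 for every client, which is why the scan keys on path and timing rather than on source address.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log (Apache combined format assumed); not real SecureDrop data.
SAMPLE_LOG = """\
127.0.0.1 - - [30/Mar/2015:09:12:01 -0400] "GET /login HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
127.0.0.1 - - [30/Mar/2015:09:12:44 -0400] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
127.0.0.1 - - [30/Mar/2015:09:13:10 -0400] "GET /admin HTTP/1.1" 200 4102 "-" "Mozilla/5.0"
this line is deliberately unparseable
127.0.0.1 - - [01/Apr/2015:03:41:07 -0400] "GET /admin/add HTTP/1.1" 200 1987 "-" "Mozilla/5.0"
127.0.0.1 - - [01/Apr/2015:03:41:39 -0400] "POST /admin/add HTTP/1.1" 302 0 "-" "Mozilla/5.0"
127.0.0.1 - - [01/Apr/2015:03:42:02 -0400] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Endpoint named in the evidence above, and the login path this example assumes.
SENSITIVE = ("/admin/add",)
LOGIN_PATH = "/login"


def parse_ts(ts):
    """Apache timestamp, e.g. 01/Apr/2015:03:41:39 -0400, to an aware datetime."""
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")


def parse_log(text):
    """One dict per parseable line, in order; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["path"] = e["path"].split("?", 1)[0]   # drop any query string
            events.append(e)
    return events


def admin_add_hits(text):
    """Every request to the unguarded endpoint, in log order."""
    return [e for e in parse_log(text) if e["path"] in SENSITIVE]


def summarize(text):
    """Hits per (method, status); POSTs are form submissions, GETs just views."""
    return Counter((e["method"], e["status"]) for e in admin_add_hits(text))


def exploit_sequences(text, window_s=300):
    """(add_ts, login_ts) pairs where a POST /admin/add is followed by a
    POST to the login form within window_s seconds: the order of the steps above."""
    events = parse_log(text)
    pairs = []
    for i, e in enumerate(events):
        if e["method"] != "POST" or e["path"] not in SENSITIVE:
            continue
        t0 = parse_ts(e["ts"])
        for later in events[i + 1:]:
            if later["method"] == "POST" and later["path"] == LOGIN_PATH:
                if (parse_ts(later["ts"]) - t0).total_seconds() <= window_s:
                    pairs.append((e["ts"], later["ts"]))
                break
    return pairs


if __name__ == "__main__":
    for e in admin_add_hits(SAMPLE_LOG):
        print(e["ts"], e["method"], e["path"], e["status"])
    print(dict(summarize(SAMPLE_LOG)))
    print("add-then-login sequences:", exploit_sequences(SAMPLE_LOG))
```

Any hit at all on /admin/add from a session that never authenticated is the signal; the add-then-login pairing only ranks which hits to look at first, and a GET alone is worth investigating on an instance where no administrator was working at that time.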