Bypassing authentication by “hypnosis”: a vulnerability that has affected the Kerberos protocol for up to 20 years

ID MYHACK58:62201787968
Type myhack58
Reporter Anonymous
Modified 2017-07-18T00:00:00


Kerberos, a name taken from Greek mythology (the three-headed dog that guards the gates of Hades), is an authentication protocol that uses tickets to let nodes communicate securely over an insecure network; it is designed to prevent eavesdropping and replay attacks and to protect data integrity. Attackers who exploit flaws in it can escalate their privileges on the network and gain access to network resources, for example to steal passwords. The three researchers who discovered this vulnerability named it “Orpheus' Lyre”, since its principle resembles the way the Greek poet Orpheus lulled the guard dog to sleep with his lyre. The researchers also found that the vulnerability affects Kerberos implementations dating back to 1996, owing to how long Kerberos and its various implementations have existed. The vulnerability affects two of the three major implementations: Heimdal Kerberos and Microsoft Kerberos. The MIT Kerberos implementation is not affected.

“Orpheus' Lyre” bypasses Kerberos authentication

The vulnerability affects Kerberos v5 and the tickets used by the Kerberos protocol. A ticket is a message passed between network nodes and used to authenticate services and users. Not every part of a ticket sent over the network is encrypted; normally Kerberos checks the encrypted part of the message in order to perform authentication. The researchers, however, found a way to force the Kerberos protocol to authenticate using the plaintext, unencrypted part instead. “In _krb5_extract_ticket() the KDC-REP service name must come from the encrypted information in ‘enc_part’, rather than from the unencrypted information stored in ‘ticket’. Using the unencrypted information would allow an attacker to carry out server spoofing or other attacks,” Heimdal's developers said.
If an attacker has already compromised the corporate network or is able to perform a man-in-the-middle (MitM) attack, he can intercept and modify the plaintext portion of the ticket, thereby bypassing Kerberos authentication and gaining access to the company's internal resources. No exploitation in the wild has been seen yet, and an attacker first needs a foothold on part of the internal network; nevertheless, the vulnerability is still very dangerous, because an attacker can use it to escalate privileges across the internal network.

Windows, Debian, FreeBSD and Samba have been patched

The researchers contacted every project that uses the Kerberos protocol. Microsoft fixed its Kerberos vulnerability (CVE-2017-8495) in last Tuesday's patch release. Debian, FreeBSD and Samba, the three projects that use Heimdal Kerberos, have also released patches, under CVE-2017-11103. Red Hat uses MIT Kerberos, so RHEL users are not affected. Interestingly, vendors rate this vulnerability differently: the researchers, Samba and Heimdal rate it “Critical”, whereas Microsoft and the Linux vendors rate it “Important” or “Medium”. The researchers who discovered the vulnerability are AuriStor founder Jeffrey Altman, and Viktor Dukhovni and Nicolas Williams of Two Sigma Investments. Altman explained that removing the use of the unencrypted field, and forcing authentication to use the encrypted part, neutralises the vulnerability. To give users more time to apply the fix, the research team has not released in-depth technical details; the Orpheus' Lyre website will publish more details in a few days. “Note that this is a client-side vulnerability, so the client needs to be patched,” the researchers said. “A patch on the server side is useless.”
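As an added illustration (not code from the article, Heimdal or Microsoft), the following hypothetical Python model contrasts a client that reads the service name from the cleartext ticket with one that reads it only from the authenticated enc_part, and shows why only the latter detects on-path modification. The KDC-REP layout is a simplified stand-in for the real ASN.1 structure, and encryption is modelled with HMAC-SHA256 integrity only, which is the property the check depends on.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass


@dataclass
class KdcRep:
    """Hypothetical, simplified KDC-REP: a cleartext ticket plus an authenticated enc_part."""
    ticket: dict     # cleartext part: {"sname": ..., "realm": ...}; anyone on the path can edit it
    enc_part: bytes  # JSON body of the 'encrypted' part (modelled as MAC-protected only)
    tag: bytes       # HMAC over enc_part with the key the client shares with the KDC


def kdc_build_rep(key: bytes, sname: str, realm: str) -> KdcRep:
    """Constructed KDC side: the same service name is placed in both parts."""
    body = json.dumps({"sname": sname, "realm": realm, "session_key": "k1"}).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return KdcRep(ticket={"sname": sname, "realm": realm}, enc_part=body, tag=tag)


def extract_sname_vulnerable(rep: KdcRep) -> str:
    """Pre-fix behaviour described above: trusts the unencrypted ticket's service name."""
    return rep.ticket["sname"]


def extract_sname_fixed(key: bytes, rep: KdcRep) -> str:
    """Post-fix behaviour: authenticate enc_part and take the service name only from it."""
    expected = hmac.new(key, rep.enc_part, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, rep.tag):
        raise ValueError("enc_part failed integrity check")
    enc = json.loads(rep.enc_part)
    # Defence in depth (our addition, not a documented Heimdal step): a cleartext sname
    # that disagrees with the authenticated one means the wire copy was altered, so refuse.
    if rep.ticket["sname"] != enc["sname"]:
        raise ValueError("cleartext ticket sname disagrees with enc_part; possible MitM")
    return enc["sname"]


def fixed_client_accepts(key: bytes, rep: KdcRep) -> bool:
    """Helper for testing: True if the fixed client accepts the reply, False if it rejects."""
    try:
        extract_sname_fixed(key, rep)
        return True
    except ValueError:
        return False


def altered_on_path(rep: KdcRep, new_sname: str) -> KdcRep:
    """Constructed on-path modification: only the unprotected cleartext part is changed."""
    return KdcRep(ticket={**rep.ticket, "sname": new_sname}, enc_part=rep.enc_part, tag=rep.tag)
```

Run against a reply built by `kdc_build_rep` and then passed through `altered_on_path`, the vulnerable extractor returns the altered name while the fixed one rejects the reply.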