Abusing Certificate Transparency

Or how to hack Web Applications before Installation

Hanno Böck
https://hboeck.de/

HTTPS


Certificate Authorities

Comodo
Symantec
Let's Encrypt

Can we trust Certificate Authorities?

No

CAs are bad, we need to get rid of them
Popular Infosec opinion

Reality

Nobody has a feasible plan for how to replace CAs

Improving the CA system

Baseline Requirements

HTTP Public Key Pinning (HPKP)

Certificate Authority Authorization (CAA)

Certificate Transparency

Certificate Transparency

Public logs

CT Details

Merkle Hash Trees, Signed Certificate Timestamps (SCT), Signed Tree Head (STH), Precertificates, Monitors, Gossip, ...

Certificate logging

Next year (April 2018): Chrome will require CT logging for all newly issued certificates

Today

Symantec, Let's Encrypt, Cloudflare, Google

The CA watchdog

Everyone can check logs for suspicious activity
https://crt.sh

Certificate Transparency is also a data source

Feed of new host names
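How such a feed is built from a log, as an added example (not code from the talk and not from ctgrab): it decodes the RFC 6962 MerkleTreeLeaf structures a log returns from get-entries and pulls the dNSName values out of the certificate's subjectAltName extension. The sample entries are constructed; their "certificates" are minimal DER stand-ins that carry only a SAN extension, and the SAN lookup scans for the extension OID instead of walking the full X.509 structure, which is a simplification. The log URL parameter in fetch_entries is an assumption for live use.

```python
"""Turn a CT log's get-entries response into a feed of new host names."""
import base64
import json
import struct
import urllib.request
from typing import List, Tuple

SAN_OID = bytes.fromhex("551d11")  # 2.5.29.17 id-ce-subjectAltName


def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a definite length."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def san_dns_names(cert_der: bytes) -> List[str]:
    """dNSName entries of the SAN extension (wildcards included); simplified OID scan."""
    marker = b"\x06\x03" + SAN_OID
    idx = cert_der.find(marker)
    if idx < 0:
        return []
    tag, value, pos = read_tlv(cert_der, idx + len(marker))
    if tag == 0x01:  # optional 'critical' BOOLEAN precedes the value
        tag, value, pos = read_tlv(cert_der, pos)
    if tag != 0x04:  # extnValue must be an OCTET STRING
        return []
    _, general_names, _ = read_tlv(value, 0)  # SEQUENCE OF GeneralName
    names, p = [], 0
    while p < len(general_names):
        t, v, p = read_tlv(general_names, p)
        if t == 0x82:  # [2] IMPLICIT IA5String = dNSName
            names.append(v.decode("ascii"))
    return names


def parse_leaf(leaf_input_b64: str) -> Tuple[int, int, bytes]:
    """MerkleTreeLeaf -> (timestamp_ms, entry_type, certificate DER).
    entry_type 0 = x509_entry (full cert), 1 = precert_entry (issuer key hash + TBSCertificate)."""
    raw = base64.b64decode(leaf_input_b64)
    version, leaf_type, timestamp, entry_type = struct.unpack(">BBQH", raw[:12])
    if version != 0 or leaf_type != 0:
        raise ValueError("unsupported MerkleTreeLeaf version/type")
    pos = 12
    if entry_type == 1:
        pos += 32  # skip issuer_key_hash
    length = int.from_bytes(raw[pos:pos + 3], "big")
    return timestamp, entry_type, raw[pos + 3:pos + 3 + length]


def hostnames_from_entries(entries: list) -> List[str]:
    """Unique host names from a get-entries 'entries' list; wildcards are dropped
    because '*.example.com' is not a host you can connect to."""
    names = set()
    for entry in entries:
        _, _, cert = parse_leaf(entry["leaf_input"])
        names.update(n for n in san_dns_names(cert) if not n.startswith("*."))
    return sorted(names)


def fetch_entries(log_url: str, start: int, end: int) -> list:
    """Live fetch (RFC 6962 get-entries); not used by the offline demo below."""
    with urllib.request.urlopen(f"{log_url}/ct/v1/get-entries?start={start}&end={end}") as r:
        return json.load(r)["entries"]


# --- constructed sample data (no real log involved) ---------------------------
def fake_cert(names: List[str]) -> bytes:
    """Minimal DER stand-in: SEQUENCE { [3] { SEQUENCE { SAN extension } } }."""
    general_names = b"".join(der(0x82, n.encode()) for n in names)
    ext = der(0x30, der(0x06, SAN_OID) + der(0x04, der(0x30, general_names)))
    return der(0x30, der(0xA3, der(0x30, ext)))


def fake_leaf(cert: bytes, precert: bool, timestamp_ms: int = 1499594583000) -> str:
    body = struct.pack(">BBQH", 0, 0, timestamp_ms, 1 if precert else 0)
    if precert:
        body += b"\x00" * 32  # issuer_key_hash placeholder
    body += len(cert).to_bytes(3, "big") + cert + b"\x00\x00"  # empty CtExtensions
    return base64.b64encode(body).decode()


SAMPLE_ENTRIES = [
    {"leaf_input": fake_leaf(fake_cert(["example.com", "www.example.com"]), precert=False)},
    {"leaf_input": fake_leaf(fake_cert(["*.blog.example.org", "blog.example.org"]), precert=True)},
]

if __name__ == "__main__":
    print(hostnames_from_entries(SAMPLE_ENTRIES))
```

Precertificates matter here: with precert logging the names are public before the final certificate is even issued, so the feed can be ahead of the site going live.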

Let's talk about something else

Web applications

WordPress, Joomla, Nextcloud

Installers

Wordpress Installation

No authentication!

Old approach: Google dorking for exposed web installers

New idea

There is a time window between uploading the files and completing the installer
Remember: We have a feed of newly created host names

Attack

Monitor CT logs, extract host names

Check hosts for common installers

If installer found: Install the application

Upload a plugin with code execution backdoor

Revert installation

Database credentials

The installer needs a database: use an external database host under the attacker's control
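The "check hosts for common installers" step of the attack above, as an added example that is not code from the talk or from ctgrab. The installer paths and the page fingerprints are assumptions for illustration; the fetcher is pluggable so the logic runs offline against constructed responses, and the real urllib fetcher is included for live use.

```python
"""Probe freshly logged host names for exposed, unauthenticated installers."""
import time
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# app -> (installer path, strings assumed to appear only on the unfinished installer page)
INSTALLERS: Dict[str, Tuple[str, Tuple[str, ...]]] = {
    "WordPress": ("/wp-admin/install.php", ("WordPress &rsaquo; Installation",)),
    "Joomla": ("/installation/index.php", ("Joomla! Web Installer",)),
    "Nextcloud": ("/index.php", ("Create an <strong>admin account</strong>", "Nextcloud")),
    "ownCloud": ("/index.php", ("Create an <strong>admin account</strong>", "ownCloud")),
}

Fetcher = Callable[[str], Tuple[int, str]]  # url -> (HTTP status, body)


def http_fetch(url: str, timeout: float = 5.0) -> Tuple[int, str]:
    """Network fetcher for real use; the offline demo swaps in a fake one."""
    req = urllib.request.Request(url, headers={"User-Agent": "installer-check/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""


def exposed_installers(host: str, fetch: Fetcher) -> List[str]:
    """Applications whose installer answers on this host without authentication."""
    found = []
    for app, (path, markers) in INSTALLERS.items():
        try:
            status, body = fetch(f"https://{host}{path}")
        except Exception:  # DNS, TLS or timeout failure: host not (yet) reachable
            continue
        if status == 200 and all(m in body for m in markers):
            found.append(app)
    return found


def scan(hosts: List[str], fetch: Fetcher, attempts: int = 1, delay: float = 0.0) -> Dict[str, List[str]]:
    """Check every host, optionally several times: the install window can open
    after the first probe when the files are uploaded later than the certificate was issued."""
    results: Dict[str, List[str]] = {}
    for attempt in range(attempts):
        for host in hosts:
            if host in results:
                continue
            apps = exposed_installers(host, fetch)
            if apps:
                results[host] = apps
        if delay and attempt < attempts - 1:
            time.sleep(delay)
    return results


# --- constructed responses for the offline demo ------------------------------
FAKE_PAGES = {
    "https://new-blog.example.com/wp-admin/install.php":
        (200, "<title>WordPress &rsaquo; Installation</title>"),
    "https://cloud.example.com/index.php":
        (200, "<title>Nextcloud</title><h2>Create an <strong>admin account</strong></h2>"),
    "https://shop.example.com/index.php": (200, "<title>Shop</title>"),
}


def fake_fetch(url: str) -> Tuple[int, str]:
    if url.startswith("https://down.example.com"):
        raise OSError("connection refused")
    return FAKE_PAGES.get(url, (404, "Not Found"))


if __name__ == "__main__":
    hosts = ["new-blog.example.com", "cloud.example.com", "shop.example.com", "down.example.com"]
    print(scan(hosts, fake_fetch, attempts=2, delay=0))
```

Requiring both a 200 and the fingerprint text avoids counting a finished site whose installer script only prints "already installed"; the repeated attempts are the optimization from the talk, since a certificate is often requested before the files are uploaded.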

Demo

Challenges

Logged certificates aren't immediately public; the log's merge delay means entries show up around 30 minutes later

Optimizations

Instead of checking a site once, check it repeatedly while the install window may still open

Numbers

5000 WordPress installations within three months.

500 x Joomla, 120 x Nextcloud, 70 x Owncloud.

Protection

Installers need authentication

Challenge

Application programmers want easy installations

Security tokens

Web app writes a random token to a file when the files are unpacked; the user has to read it from the file system and enter it in the installer

Vendors

Drupal, Typo3, Owncloud

... no reaction

Vendors

WordPress, Nextcloud, Serendipity participated in cross-vendor discussion, but no action

Mediawiki Installation

It still allows creating a local SQLite database, so no external database host is needed

Can this be exploited?

Joomla Fix

Only allowing localhost as the database host

This was my idea, but I don't like it
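The two fixes discussed above, the security token file and the localhost-only database host, combined in one installer request handler. This is an added example in Python, not vendor code (the real installers are PHP); the file names and messages are assumptions, and the run_scenario helper replays the attack steps against a temporary directory.

```python
"""An installer that is safe to leave reachable: setup token plus local-only database."""
import hmac
import os
import secrets
import tempfile
from typing import Dict, List, Tuple

TOKEN_FILE = "install-token.txt"  # assumed name: written when the files are unpacked
LOCK_FILE = "installed.lock"      # assumed name: exists once installation is complete
LOCAL_DB_HOSTS = {"localhost", "127.0.0.1", "::1"}


def create_setup_token(app_dir: str) -> str:
    """Run once when the application is unpacked, before the installer is ever served.
    Only someone with file-system access (the site owner) can read the token."""
    token = secrets.token_urlsafe(24)
    fd = os.open(os.path.join(app_dir, TOKEN_FILE), os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(token + "\n")
    return token


def handle_install_request(app_dir: str, params: Dict[str, str]) -> Tuple[bool, str]:
    """Return (ok, message) for one submitted installer form."""
    if os.path.exists(os.path.join(app_dir, LOCK_FILE)):
        return False, "already installed"
    token_path = os.path.join(app_dir, TOKEN_FILE)
    try:
        with open(token_path) as f:
            expected = f.read().strip()
    except FileNotFoundError:
        return False, "no setup token on disk"
    supplied = params.get("token", "")
    # constant-time compare; a plain == would leak how much of the token matched
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return False, "invalid setup token"
    db_host = params.get("db_host", "").strip().lower()
    if db_host not in LOCAL_DB_HOSTS:
        # the attacker's trick was to point the installer at a database they control
        return False, "database host must be local"
    # ... a real installer would now write its config and create the admin account ...
    with open(os.path.join(app_dir, LOCK_FILE), "w") as f:
        f.write("installed\n")
    os.remove(token_path)  # one-shot: the token is useless after a completed install
    return True, "installed"


def run_scenario() -> List[Tuple[bool, str]]:
    """Replay the attack against the hardened installer in a fresh temp directory."""
    app_dir = tempfile.mkdtemp(prefix="webapp-")
    results = [handle_install_request(app_dir, {"token": "guess", "db_host": "localhost"})]
    token = create_setup_token(app_dir)
    results += [
        handle_install_request(app_dir, {"db_host": "localhost"}),                     # no token
        handle_install_request(app_dir, {"token": "guess", "db_host": "localhost"}),   # wrong token
        handle_install_request(app_dir, {"token": token, "db_host": "db.attacker.example"}),
        handle_install_request(app_dir, {"token": token, "db_host": "127.0.0.1"}),     # legitimate owner
        handle_install_request(app_dir, {"token": token, "db_host": "localhost"}),     # replay after install
    ]
    return results


if __name__ == "__main__":
    for ok, msg in run_scenario():
        print(ok, msg)
```

The token check alone already closes the window; the database-host check is the narrower Joomla-style mitigation and, as the MediaWiki SQLite case shows, does not help for installers that can create a local database.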

What can users do?

Be fast?

Certificate redaction?

.htaccess (HTTP auth in front of the directory until the installer is done)

Defending as a user is hard

We need fixes from vendors

Do attackers already use this?

x.x.x.x - - [09/Jul/2017:12:03:03 +0200] "GET / HTTP/1.0" 403 1664 "-" "Mozilla/5.0 (compatible; NetcraftSurveyAgent/1.0; +info@netcraft.com)"
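What an operator could look for in their own access log, as an added example that is not from the talk: combined-format lines like the one above are parsed, and a request is flagged if it targets a known installer path or arrives within a short window after the certificate was logged. The installer paths, the window and the sample lines are constructed assumptions.

```python
"""Flag installer probes and suspiciously early visitors in an Apache-style access log."""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# assumed list of paths that only an installer (or someone looking for one) would request
INSTALLER_PATHS = ("/wp-admin/install.php", "/wp-admin/setup-config.php", "/installation/")


def parse_line(line: str) -> Optional[Dict]:
    """Combined log line -> dict, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": m["path"],
        "status": int(m["status"]),
        "ua": m["ua"],
    }


def flag_requests(lines, issued_at: datetime, window: timedelta = timedelta(minutes=60)) -> List[Dict]:
    """Requests hitting installer paths, or arriving within `window` of the
    certificate being logged (issued_at comes from the CT entry timestamp)."""
    flagged = []
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        reasons = []
        if any(req["path"].startswith(p) for p in INSTALLER_PATHS):
            reasons.append("installer-path")
        if issued_at <= req["time"] <= issued_at + window:
            reasons.append("early-visitor")
        if reasons:
            flagged.append({**req, "reasons": reasons})
    return flagged


# constructed sample: certificate logged at 11:58, log lines from the same afternoon
ISSUED_AT = datetime(2017, 7, 9, 11, 58, tzinfo=timezone(timedelta(hours=2)))
SAMPLE_LOG = [
    '198.51.100.7 - - [09/Jul/2017:12:03:03 +0200] "GET / HTTP/1.0" 403 1664 "-" '
    '"Mozilla/5.0 (compatible; NetcraftSurveyAgent/1.0; +info@netcraft.com)"',
    '203.0.113.9 - - [09/Jul/2017:12:07:41 +0200] "GET /wp-admin/install.php HTTP/1.1" 200 5120 "-" '
    '"python-requests/2.18.1"',
    '192.0.2.44 - - [09/Jul/2017:15:20:10 +0200] "GET /about HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for req in flag_requests(SAMPLE_LOG, ISSUED_AT):
        print(req["time"].isoformat(), req["ip"], req["path"], req["reasons"])
```

A survey crawler hitting the host minutes after the certificate appears is exactly the pattern the slide shows; a 200 on an installer path from an unknown address in the same window is the case that warrants a look at what got installed.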

Takeaway

Unauthenticated installers are a security risk

Takeaway

No more secret hostnames

Takeaway

Certificate Transparency is a valuable data source for attackers and defenders

Thanks for listening!

Questions?
https://hboeck.de/
https://github.com/hannob/ctgrab