
All right everybody, hey, welcome. If everybody could just kind of take their seats, shuffle in, relax. We can close the door, that would be awesome. Morning everybody, welcome to day two, East Las Vegas. Thank you for being with us today. As you can see we are here for an awesome talk, Trust Me I'm a Robot, with Nimrod Stoler and Copenhagen, who will talk to you about some amazing stuff. Just a couple of housekeeping matters. Number one, please no recording, no anything like that, we're taking care of that for you. Besides photos: if you want to take photos with anybody you have to ask their permission, so we've got that. Also please check your cell phones. We all have cell phones and nobody wants to hear yours for the next hour, or mine, so just do a quick check. So without any further ado I'm going to let the people you're here to see take it away, and thank you for being here again. Okay.

[Applause]

All right, so hello everybody. Thank you very much for joining us here. We are extremely excited to be here with you today. With me here is Nathaniel Copenhagen, and my name is Nimrod Stoler. We are both security researchers from CyberArk Labs, which is located in Israel. This session today is about the research we conducted on the Blue Prism robotic process automation platform. This research yielded eight CVEs in different severities, ranging from medium to critical,
and today we will be publicly disclosing for the first time three of these attack vectors, the full attack vectors which yielded three of those CVEs. So today in this session we'll be talking about what RPA is, how Blue Prism comes into the picture, and where all the secrets are. But first we want to answer the question here on this first slide, and the question is: how do we know we can trust robots with our secrets? If we see a robot, how do we know if the robot is trustworthy enough that we can trust it with our most guarded secrets?

So in general we can say that robots are either faultlessly loyal Victorian butlers or psychopathological killers. We can take for example Isaac Asimov's positronic brain robots with their three laws of robotics. You have a very short version of the three laws here on this slide. These three laws of robotics are simply carefully engineered safeguards put in place by Asimov in order to prevent robots from harming humans. It was Asimov's way of creating ethical robots, robots that would not only protect human lives but also human interests. So if we look into our two types, the loyal butler type and the psychopathological type, which one would Asimov's robots be? Can you help me here? Yeah, it probably would be the first type, the loyal butler type, and we might just consider letting those robots in on our secrets.

And what about HAL 9000? Was HAL a highly trusted robot? Would we trust HAL with our secrets? So HAL 9000 is a sentient artificial intelligence computer that controls every aspect of the Discovery One, which is on a mission to explore Jupiter, and interacts with the human onboard crew. So in 2001: A Space Odyssey, bad instructions given to HAL directly from the White House, believe it or not, caused HAL to kill the entire human crew for the conservation of the mission. So in this case, which type of robot would HAL be, or would
HAL have fit? So it would be the second type. HAL is probably the psychopathological killer type, and no secrets for HAL. Anyone here recognize these robots? Okay, maybe three or four. Great, so these are the Daleks, the formidable Daleks from Doctor Who, the British science fiction television program broadcast since 1963, with over 800 episodes to date and still broadcasting today. As soon as the Dalek robots were created they exterminated, as they like to say, their scientist creator, and it was due to his specific command to them that they should become the strongest, most powerful in the universe. Well, according to the Daleks' logic, in order to become the most powerful in the universe they must kill all those who are stronger, and of course their creator is by definition stronger. So again the Daleks are probably the second type, the psychopathological killer type, and no secrets for the Daleks.

So if we try to answer the question, can we share our secrets with the robots, we can answer it by looking at their programming. After all, every robot is a computer, and computers use some kind of logical programming. So if we can somehow get a good, deep, thorough understanding of their software, we may be able to tell if we can trust robots, if robots are trustworthy enough that we can share our most guarded secrets with them. In cyber security we call this process reverse engineering, or software reverse engineering, and this is what we did in our research and this is what we're going to show you here.

So we talked a little bit about robots, but we said that our research was on robotic process automation. So what's robotic process automation? Well, first things first: unfortunately there are no real mechanical or electromechanical robots involved in robotic process automation. RPA is not about physical robots. It is a software technology that makes it easy to build, deploy and manage software robots, robots that emulate human actions while interacting with existing digital systems and software,
most of which are Windows applications. Now these interactions usually involve some kind of keyboard injection, key injections or mouse clicks, and this is how the robots actually emulate how humans interact with those existing enterprise applications. So many, many industries are currently benefiting from RPA, from banking and finance through healthcare and medical applications, human resource management, manufacturing, customer service, all with one common denominator, which is the extensive use of enterprise credentials. If we want robots to log in, access and control those existing enterprise applications, we must place those credentials, secret passwords, in the hands of the robot.

So we talked a little bit about what RPA is, and now, in our research, we had to choose a target. So we looked a little bit at the market and we found that there are three large vendors in the market. One of these was Blue Prism, which eventually we picked, and Blue Prism was also named a leader in that market by both Forrester and Gartner, so it was an easy pick for us. We just went online and downloaded their trial software from their website, which was just the full-fledged software with a trial license.

So looking into the Blue Prism platform, we could see that it was based on the Microsoft .NET Framework and written mainly in C#. And here we have the architecture. So the architecture of the Blue Prism platform is based on four components. First and foremost, and our prime target, is the application server, the Blue Prism application server. This is where all the magic occurs and where the logic behind the Blue Prism platform is stored and implemented. The application server is heavily relying on an MSSQL database server. This is where all the users, the configurations, the business processes (business processes are the code that eventually runs on the robots) and of course all enterprise credentials are stored, in the database server. Now the application
server may be actively accessed by two components, so we have the interactive clients and the Blue Prism runtime resources. So interactive clients are the users' machines, the machines that are used by human users in order to set up, control and configure the entire platform. You may look at it as the graphical user interface, or maybe the terminals that are used to access the application server, and the application server itself is off limits to all users. The second here is the runtime resources. Well, these are the robots. These machines receive their commands, or code, directly from the application server. They would run that code, again, in order to log in, access and control those external existing enterprise applications, and of course at one point or another we should have clear text credentials in those robots, in those runtime resources, and those credentials will again be transferred from the application server.

So we are always interested in secrets and credentials. So how are these handled in the Blue Prism platform? Blue Prism is using symmetric encryption in order to encrypt and decrypt critical data on their platform. That means that there is only a single key, one key, well, one master key, that is used both to encrypt and decrypt their information. This key will be stored on the application server's file system inside an object, which we'll see in a minute, that is called an encryption scheme. So in the encryption scheme we may have the name of the encryption scheme, the algorithm used, and of course the key, or the master key, used. So this will be on the application server. The passwords and credentials, on the other hand, and all other critical information, will be encrypted and stored on the database server. This makes sense, because if somebody gets their hands on the database they will only have encrypted information that they cannot use, and such an attacker would have to find a way to get those encryption scheme keys from the
application server, and that's not easy.

So after Nimrod talked about the components in the Blue Prism platform, we need to talk a little bit about how those components communicate with each other. The Blue Prism architecture is implemented using Microsoft Windows Communication Foundation, WCF. It is part of the Microsoft .NET Framework, and it makes the development of an endpoint easier and less time consuming. Let's see how it's done in our case. So as Nimrod said, we have the interactive clients and the runtime resources, which are WCF clients. We also have the application server, which is called the WCF service. Between them we have a service contract that contains operation contracts. The operation contracts define the parameters and the return type of the operation. In our case the service contract is a C# interface, and its implementation is a class on the application server itself that implements all the methods, the operations. So when the WCF client calls the operation, the WCF framework takes the parameters, transforms them into a transmittable format and sends them over the network to the WCF server. Then the WCF framework on the WCF server, the application server, transforms them back into the parameters, like a .NET object, and calls the operation, and after it runs, the result is transformed again into a transmittable format and sent to the client.

So as Nimrod said, we managed to download the Blue Prism platform and we looked inside. In our case the WCF service contract is an IServer interface, and those are all the operations, there are many more, and the implementation of it is clsServer, a class that implements IServer. So when the client calls an operation, it basically uses it as a normal object, an instance of IServer itself, and it calls it like a regular object and uses its methods, and the WCF framework handles everything.

So before we continue and dive into our attacks, we need to talk a little bit about .NET executables. .NET executables aren't like any other
executable. They don't contain native binary code. They contain an intermediate language called MSIL, Microsoft Intermediate Language, and when it is executed there is a just-in-time compiler in the .NET Framework that translates it into binary code that is executed by the CPU. And this is one of the features of MSIL: it can be transformed back into source code very easily using a reflection tool called dnSpy, or any other tool, and it can be debugged step by step.

Okay, great, thank you Nathaniel. So finally we've reached our first attack, and here we will try to define our attack surface and from there see if we can try and steal those encryption master keys that we discussed before. So first things first, we started looking into the .NET application using dnSpy, which shows us the actual source code that Blue Prism developers see, and we soon found out that the application server, which is our prime target, was pretty well protected. However, it seemed to us that the application server, to some extent, is willing to communicate with any WCF client on the domain. That means that even unauthenticated WCF clients are able to call each and every one of the WCF server's, the application server's, methods, and this now became, strategically, our attack surface. So our goal was now to somehow disguise ourselves as a WCF client on the network, on the domain, and try whatever server methods we could in order to somehow make the application server misbehave.

So let's first look at an example of such a method. As I said, every unauthenticated WCF client on the domain can call CreateCredential if it knows the correct parameters to provide. Now this is the server side. So what the server is going to do if the WCF client calls CreateCredential: it will first execute CheckPermissions, here in red. CheckPermissions would check if the calling WCF client is
indeed authenticated with Blue Prism, and if it is, it will load the SecureMethod preamble, in yellow, and compare the permissions of the client with whatever is written in the SecureMethod. So if I'm a WCF client and I'm authenticated, then if and only if I have the Security Manage Credentials permission would CheckPermissions allow the continuation of the method. In any other case CheckPermissions would return an exception and the execution will be stopped. Another example of a clsServer method is this UnsecuredMethod. So we can find a number of cases where the application server should allow unauthenticated WCF clients to actually run code on the server. An example is of course the Login method. As you can see, the Login method does not have a CheckPermissions call, and the preamble is UnsecuredMethod. So this is another example.

So we had to go over all of those dozens and dozens and dozens of server-side methods, trying to find the one that would make the application server misbehave. Well, after maybe three or four passes we found this. Okay, let's zoom in. So as you can see, this method is GetEncryptionSchemes. That's interesting, because this is what we wanted. We can also see that it is in the wrong place: it is physically inside clsServer, but we can see that it belongs to IServer, so that's an anomaly, that's weird. Now what GetEncryptionSchemes does is it gets the database connection and it calls the local GetEncryptionSchemes with the connection and true. So we wanted to know what that true means. If we dig into GetEncryptionSchemes here, we will see that the true is "include key", and this true value will be passed on, and eventually GetEncryptionSchemes would not only return all the encryption schemes of the Blue Prism platform but also include those master keys that we discussed earlier in that collection that is returned, this one. So the only question we have left is: can an
unauthenticated client actually call this server-side function, or method? So let's see a demo. So here we are the attacker, we are user one, and we are not a user in Blue Prism, so there's no way we can authenticate ourselves. This is the client code that we downloaded from Blue Prism, and we run it as it is. We just added a line there, you will see that in a minute. Now you can see that we are pre-login, so we are pre-authenticated; login only comes after us. We added this line, the server GetEncryptionSchemes, and try to call it. So again, we may get an exception, but of course no, we received two encryption schemes. Again, we are an unauthenticated WCF client. Let's look into the first encryption scheme here. So this is the default encryption scheme, the one that is used to encrypt and decrypt all credentials on the system, and we're going to test the key here, if it actually decrypts credentials from the database. So we're going to copy the key that we received. That's the key, we're just going to copy it, and we've written a small application that attempts to decrypt using the key, it's an AES key, and the credential we copied from the database. And wow, this is a secret. So our attack was successful and we got the correct master key.

So that's great, we have the master keys in our hand, but coming to think of it, it's like having half of a treasure map, and we probably won't be able to find the treasure without the other half, the other half being the encrypted credentials. So we started thinking about how we can chain other attacks with this attack that steals the master keys, and then we thought, well, where are those encrypted credentials stored? They're stored in the MSSQL database. So why not run an SQL injection on it? SQL injections are one of the most known, oldest and most dangerous attacks known. SQL injection is an attack where malicious code is inserted into a string and then passed to a database
for execution. There is no way