Trust Me, I'm a Robot: Can we trust RPA with our most guarded secrets?

all right so hello everybody um thank you very much for joining us uh here we are extremely excited to be here with you today with me here is nathaniel copenhagen and my name is nimrod stoller and we are both security researchers from cyber art labs which is located in israel this session today is about the research we conducted on the blue prism robotic process automation platform this research yielded eight cves in different severities ranging from medium to critical and today we will be publicly disclosing for the first time three of these attack vectors the full attack vectors which yielded three of those cves so today in this session we'll be talking about what rpa is

how blue prism is going into the picture where all the secrets are but first we want to answer the question here on this first slide and the question is how do we know we can trust robots without secrets how do we know if we see a robot how do we know if the robot is trustworthy enough that we can trust it with our most guarded secrets so in in public we can say that robots are either faultlessly or either faultlessly loyal victorian butlers or psychopathological killers so we can take for example isaac asimov's positronic brain robots with their three laws of robotics you have the three law well a short very short version of the three laws here on

this slide so these three laws of robotics are simply carefully engineered safeguards put in place by asimov in order to prevent robots from harming humans it was asimov's way of creating ethical robots robots that would not only protect human lives but also human interests so if we look into our two types the loyal battle type and the psychopathological type which one would be isaac asimov's robot can you help me here or your problem yeah yeah it probably will be the first time the loyal battle type and we might just consider letting the letting guys the customers robots in on our secrets and what about hal 9000 was highly trusted robot would we trust hal without secrets

so han 9000 is a sentient artificial intelligence computer that controls every aspect of the discovery one which is on a mission to explore jupiter and interact with the human onboard crew astral crew so in the space odyssey bad instructions given to her directly from the white house believe it or not caused hal to kill the entire human crew for the conservation of the mission so in this case uh which type of robot would hal be or would have fit so it would be the second type sahal is probably the psycho pathological killer type and no secret for hull anyone here recognizes these robots okay maybe maybe three or four great so these are the daleks or the

formidable daleks from doctor who the british science fiction television program broadcasted since 1963 with over 800 episodes today and still broadcasting today so as soon as the dalek robots were created they exterminated as they like to say their scientist created and it was due to his specific command to them that they should become the strongest most powerful in the universe well according to the daleks logic in order to become the most powerful in the universe they must kill all those who are stronger and of course their creators by definition stronger so again the dialects are probably the second title the psychopathological killer type and no secrets to the dialects so if we try to answer the question

can we share our secrets with the robots we can answer it by looking at their programming after all every robot is a computer and computers use some kind of logical programming so if we can somehow get a good deep thorough understanding of their software we may be able to tell if we can trust robots if robots are trustworthy enough that we can share our most guarded secrets with in cyber security we call this process reverse engineering or software reverse engineering and this is what we did in our research and this is what we're going to show you here so we talked a little bit about robots but we said that our research was on robotic process automation

so what's robotic process automation well first things first unfortunately there are no real mechanical or electromechanical robots involved in robotic process automation rpa is not about physical robots it is a software technology that makes it easy to build deploy and manage software robots robots that emulate human actions while interacting with existing digital systems and software most of which are windows applications now these interactions usually uh have some kind of a keyboard injections key injections or mouse clicks and this is how the uh the robots actually emulate how humans interact with those existing um enterprise applications so many many industries are currently benefiting from rpa from banking and finance through healthcare and medical applications human resource management

manufacturing customer service all with one common denominator which is the extensive use of enterprise credentials if we want robots to log in access and control those existing enterprise applications we must place those credentials secret passwords in the hands of the robot so we we talked a little bit about what rpa is and now we had to choose in our research we had to choose a target so we looked a little bit about the market and we found that there are three large vendors in the market one of these was blue prism which eventually we picked and also blue prism was also named a leader in that market by both forester and gartner so it was an easy peak for us and we

just went online and download their trial software from their website which was just the full software the full-fledged software with a trial license so looking into the blue prism platform we could see that it was based on the microsoft.net framework and written mainly in c sharp and here we have the architecture so the architecture of the blue prism platform is based on four components first and foremost in our prime target is the application server the blue prism application server this is where all the magic occurs and where the logic behind the blue prism platform is stored and implemented the application server is heavily relying on an mssql database server this is where all the users the

configurations the business processes business processes are the code that eventually runs on the robots and of course all enterprise credentials are all stored in the database server now the application server may be actively accessed by two components so we have the interactive clients and the blue prism runtime resources so interactive clients are the users machines the machines that are used by human users in order to set up control configure the entire platform you may look at it as the graphic user interface or maybe the terminal the terminals that are used to access the application server and the application server itself is off limits to all users the second the second here is the runtime resources well these are the

robots these machines receive their commands or code directly from the application server they would run that code again in order to log in access and control those external existing enterprise applications and of course at one point or another we should have clear text credentials in those robots in that in those runtime resources and those credentials will be again transferred from the application server so we are always interested in secrets and credentials so how are these handled in the blue in the blue prism platform so blue prism is using asymmetric encryption in order to encrypt and decrypt critical data on their platform that means that there is only a single key one key well one master key

that is used both to encrypt and decrypt that information so this key will be stored on the application servers file system inside an object that we'll see in a minute that is called encryption scheme so in the encryption schemes we may have the name of the encryption scheme the algorithm used and of course the key or the master key used so this will be on the application server the password and credentials on the other hand and all other critical information will be encrypted and stored on the database server this makes sense because if somebody gets their hands on the database they will only have encrypted information that they cannot use and such an attacker would have to find a

way to get those encryption scheme keys from the application server and that's not easy so afternoon road talk about the component in blue prism uh platform we need to talk a little bit about how those components communicate each other the blue prism architecture is implemented using microsoft windows communication foundation wcf it is part of a microsoft.net framework and it makes the development of an endpoint easier and less time consuming let's see how it's done in our case so as in what said we have the interactive clients and the runtime resources which are wcf clients we also have the application server which called wcf service between them we have a service contract that contains operation contract the operation

contracts define the parameters and the return type of the operation in our case the service contract is a c-sharp interface and it and its implementation is a class on the application server itself that implement all the methods the operations so when when the wcf client calls the operation wc framework takes the parameters and transform it into a transmittable format and send it over the network to the wcf servers then the wcf framework on the wcf service the application server transforming back to the parameters like a dataobject.net object and calls operation and after it runs the result transform again to a transmittable format and sent to the client so as involved said we managed to download

the blueprism platform and we looked inside in our case the wcf service contract is an iserver interface and those all the operations there are many more and the implementation of it is a cls server it's a class that implements the iserver so when the when the client calls an operation it basically use it as a normal object instance of the iserver itself and it calls it like a regular object and use its methods and the wcf framework handle everything so before we continue and dive in into our attacks we need to talk a little bit about dotnet executables donald executables aren't like any other executable they don't contain ins they don't tell a native binary code they contain

intermediate language called msil microsoft intermediate language and when it is executed there is a just in time compiler in the dotnet framework that translated into binary code just executed by the by the cpu and now we can talk about oh sorry and and this is uh one of the features of the msil it can be transformed back into source code very easily using a reflection tool called dns files or any other tools and it can be debugged like step by step okay great thank you nintendo so finally we've reached our first attack and here we will try to define our attack surface and from there see if we can try and steal those encryption master

keys that we discussed before so first thing first we started looking into the dot net uh application using dnspy which shows us this the actual source code that blue blue prism developers see and we soon found out that the application server which is our prime target was pretty well protected however it seems to us that the application server to some extent is willing to communicate with any wcf client on the domain so that means that even unauthenticated wcf clients are able to call each and every one of the server the wcf server the application servers methods and this now became strategically our attack surface so our goal was now to somehow disguise ourselves as a wcf

client on the network on the domain and try whatever method whatever server methods we could in order to somehow make the application server misbehave so let's first look at an example of such a method so as i said every unauthenticated client wcf client on the domain can call create credentials if it knows the correct parameters it should provide now this is the server side so what the server is going to do if if the wcf client calls create credential it will first execute check permissions here in red check permissions would check if the w the calling wcf client is indeed authenticated with blue prism and if it is it will load the secure method in yellow secure method preamble

and compare the permissions of the client with whatever is written in the secure method so if i'm a wcf client and i'm authenticated then if only if i have the permission security managed credentials then check permissions would allow the continuation of the methods in any other case check permissions would return an exception and the execution will be stopped another example of the cls server class server method is this unsecured method so we can we can find a number of cases where the server the application server should allow unauthenticated wcf clients to actually run code on the server an example is of course the login method so as you can see the logging method does not have

a check permissions call and the preamble is unsecured method so this is another example so we had to go over all of those um dozens and dozens and dozens of methods server-side methods and trying to find the one that would make the application server misbehave well after maybe three or four passes we found this okay let's zoom in so as you can see this is this method is get encryption schemes that's interesting because this is what we wanted we can also see that it is in the wrong place it is physically inside cls server but we can see that it belongs to iserver so that's an anomaly that's weird now what get encryption scheme does is

it gets the database connection and it calls the local get encryption schemes with the connection and true so we wanted to know what that true means so if we dig into get encryption schemes here we will see that the true is include key and this true value will be transferred on and eventually get encryption schemes would not only return all the encryption schemes of the blue prism platform but also include those master keys that we discussed earlier in in that collection that is returned this one so the only question we have left is can an unauthenticated client actually call this server-side function or method so let's see a demo so here we at the attacker we are using one and

we are not a user in blue prism so there's no way we can authenticate ourselves the we are using one so this is the code that we downloaded the cl the client code that we downloaded from blue prism and we run it as it is we just added a line there you'll see that in a minute now you can see that we are pre-logging so we are pre-authenticated login is only after us we added this line the server get encryption schemes and try to call it so again we we may get an exception but of course no we received two encryption schemes again we are an unauthenticated wcf client let's look into the first encryption

scheme here so this is the default encryption scheme the one that is used to encrypt and decrypt all credentials on the system and we're going to test the key here if it actually decrypts credentials from the database so we're going to copy the key that we received that's the key we're just going to copy it and we've written a small application that attempts to decrypt using the key it's an aes key and the credential we copied from the database and wow this is a secret so our attack was successful and we got the correct mastery so that's great so we have the master keys in our hand but coming to think of it it's like having half of a treasure map

and we probably won't be able to find the treasure without the other half the other half being the encrypted the encrypted credentials so we started thinking about how we can chain other attacks with this attack that steals the master keys and then we thought well where are those encrypted credentials stored they're stored in the mssql database so why not run an sql injection on it so sql injections seo injections are one of the most known oldest and dangerous attack known um sql injection is an attack where a malicious code inserted into a string and then passed to a database for execution there are no way to prevent sql injection is to use very strict input validation

and also use parameterized queries the blue prism platform used those rules religiously and we went through the code several times all of it and we didn't find any point where we can actually inject sql so this is why we went to the stored procedures stored procedures are set of sql statement that are stored in in the database and then can be reused and shared between application it also allows the developers use pre-written queries that already approve there is another security aspect here it allows accessing part of a table without direct access to the table itself this is a partial list of the blue prism stored procedures we went through all of them and we didn't find even there any point

we can actually inject code but then we found the system sold procedure in the in red this folder contains default stored procedures that come with the mssql installation by default so we went in there and we found this thought procedure spsql exec it received a string through the parameter p1 and then executed the only question now can we run can we call this stored procedure through the blueprism application so we went through the code again and we found this method get chart data it's a secured method so we need to be a user in the blue prism in the blue prism platform but we don't need any special permissions we can be any user in the

system inside it receive data source name which is a which is the stored procedure name and the dictionary param then it connects to the database and calls the local the local method this getchart data and inside it calls the stored procedure using the params dictionary let's see how we can use it so we are in the blue prism interactive plant and as you will see in a few seconds we are a user in the system but without any roles or permission so we can be any user in the platform on our attacking server we have http server that will send powershell code and we have reverse shell net cutting listening mode this is ms sql server

as you can see the ip address ends with 148 and yeah so this is our patched client we run it and we call the get chart data method and we call the spsql exec and use the p1 parameter with our payload our payload will request in http the powershell right here it will request the partial script the power cut it's an implementation of netcat in powershell and then it will execute it and connect to our reverse shell and here we have basically a reverse shell with anti-authority system on the sql server itself [Applause] thank you thank you so some conclusion for this attack first of all as you can see sql injections are very impactful

in our case we have access to all encrypted credentials and with the attack that nimrod just showed us we can basically decrypt them so great we have credentials we also have code execution on the robot the runtime resources because their code the process codes are stored in the database and also we have elevated remote code execution on the mssql server now we are going to our third attack our last attack this in this attack our target is to access the heart of the blue prism platform the application server itself and we're going to use insecure deserialization for those of you who never heard about insecure desertization we can take for example equifax that at 2017

they announced that over 143 million personal data of their customers have has been compromised this was due to an insecure java desertization that allowed to run code on their servers let's see how it's done in our case so as we said before we have our clients our interactive plans and random resources and we have the application server the client the wtf client is calling an operation in that wcf framework transform it into a transmittable format in our case a soft xml this transformation called serialization then it send over the network network and on the application server itself the wcf framework there transforming back into data object this is deserialization in our case we have those clients but we have a

compromised client and when the client calls the operation the wcf framework transform it serialize it into soft xml but then the attacker injects his own payload to this xml then it's sent over the network and the wcf framework deserialize the malicious payload to and pass it to the application server but this deserialization happens before we even run the application server code itself so we don't need any permissions to do this now when we are talking about civilization we need to talk about serialization engines serializers in wcf there are two majors one data contract serializer and net data contract sterilizer the net data contract serializer include object type information in its op xml and this is why it's more permissive

so we went through the code and we found several methods that use net data contract serializer this will be our attack surface next we need to find a point where we can actually inject our payload and it will be sterilized without any errors so we scanned those methods that used net data contract serializers and we found that some of them use the type session runner schedule this type is very interesting because inside it it has an attribute m-abort lock that is an object type which means it's act like a wild card and can be any object we want so when a client called those one of those methods using runner a session runner schedule it looked like this basically on the

wire on the this is how the soft xml look like it's it's very big so those are fragments we have the header and we have the body of the soft xml and inside we have the data for the operations and inside we have the session runner schedule and the emma board lock and here we want to inject our payload [Music] let's see how it's done okay okay so this is our demo for the serialization attack now again we are completely unauthenticated in this case as the danelle explained everything happens a lot a lot of time before the blue prism application server even gets control this is our application server at user six and we're going to show that we are

we cannot be authenticated we are not a user again user one is not a user on the blue prism platform this is the scheduler create schedule method that we're about to use and as nintendo explained we will be injecting uh our malicious payload inside this class here the session one schedule and we're going to use the object emma bortlock so this is the code that we're injecting and again we're unauthenticated we're just creating the session runner schedule and calling scheduler create schedule and after it will be serialized by the wcf client okay this is the again we've seen this this is the attacker command and control both sides so once the wcf client serializes that

information this small application of ours is going to intercept that sopxml byte data and replace emma bortlock with our malicious payload this is the sopxml data we have the header and the header whatever and here the application server at 145 requested the power cat script and we have a reverse shell on user 6 and over the application server and since the application server is running elevated we are also admin we are running in the context of an admin inside the application server and again we are completely unauthenticated wcf client on the domain

so final conclusions and mitigations about four months ago cyber clubs did a full disclosure of 15 attack vectors that's it that we discovered and communicated to blue prism since then we have been in continuous contact with the blue prism security and technical teams and in in collaboration to fix the reported attacks and release software patches to customers as we've seen rpa is indeed very sensitive human operators have mfa multi-factor authentication they can change their own password when they are instructed to and they are less predictable than softer robots robots on the other hand are one-dimensional as far as their identities are concerned with no real possibility for multi-factor authentication this makes them more susceptible a lot

more susceptible to attacks such as the ones we've shown here another point here that we would like to mention here and nathaniel talked about it a little bit is that rpa application rpx application server practically runs code on the robots by taking over the database or the application server an attacker gains complete control over the robots and all credentials used by the robots credentials are downloaded downloaded in clear text to the robots so if robots are the puppets the application server is the puppeteer so due to all we said above enterprises should take recommended vendor practices as a must and be sure to deeply and thoroughly understand the security implications if recommended practices are not

followed because of the sensitivity we should always use defense defenses in depth this may be the difference between a successful attack and a failed one so for example we should use network monitors wherever possible we should use and port endpoint protections such as vdrs xdrs and of course protect credentials by placing them as much as possible in external credentials works questions

uh do you think moving to certificates would be at least one step forward so then we can cryptographically authenticate both the client and the server versus passive credentials around it can you repeat the question when moving to uh certificate-based authentication so we cryptographically authenticate both clients and servers do you think that would move something forward versus passing credentials around i think i think these are two different issues blue prism is already authentic and using uh certificate based authentication with tls on both uh client and server but it didn't stop us here because the application server was willing to accept our uh us as a wcf client anyway the the only issue here was with the

encryption schemes used to encrypt critical data on the application so i think i think these are two different things it may be

uh can you pull up that server code block where it runs the d serialized payload again you'll have that pretty briefly sorry come again where pull up the the block of server code that was running the d serialized payload the block of the this one no the server the server-side code that runs the uh the serialized payload the server side you mean this is this the this interface yes the actual listener the receiver the method so the listener receiving it is in the wcf framework it's not part of the code of the application server itself it's before this with net dlls this is where the serialization happened and the deserialization let me try to to make it a little bit

clearer here the thing is the the blue prism application server is expecting to receive parameters it's expecting to receive string name or the session runner schedule right as a parameter now the entity that is in charge of providing this parameter is the d serializer so this serialization happens before even the blue prism code starts running okay thank you okay great is there a specific requirement where the blue prism application server and the database server was running as system because that seems to be an issue as well it may be the the database server was indeed running as a system but uh [Music] it may be an issue but in any case the fact that we managed to get sql

injection and remote code execution on the sql mssql server means at least that we have access to all the credentials because with the sql injection we can do other things rather than remote code execution we just thought vocal execution was the nicest thing you can do but the idea is that if we have a sql injection we can extract all the encrypted credentials and then decrypt them using the master keys that we store in attack one so that was the idea we've got about 10 minutes left are there any other questions have you guys looked at other rpa tools blue prism obviously it's one of the big ones but have you looked at any of the other ones

or um no no we had uh we had a mandate for uh for one but we maybe in the future i'm not sure

hello nimrod um i've probably thrown myself under a bus here but uh there is representation from blueprism here so if any guys want to have a chat with us afterwards uh we're here and we're more than happy to have a chat with you uh and just a quick note of nathaniel and nimrod it's been a pleasure um you know there was some some stuff that came out of it but we've worked together and it's been great same here thank you very much great

hi here um i was just interested in the in the uh i was just interested in the payload uh that was used uh to uh get through the serializer yeah yeah that's a good question so the payload uh is uh basically a a payload in data of net data contract serializer you can use it for uh with like a a yso serial.net but you need to customize it a little bit because it's not a complete soft xml uh like the white so serial for example give you you need to play with it to build it but it's a basic payload it's not like a any complicated one

thank you very much jeff thank you very much thank you