Shib IDP v3 integration with Cylance
Andrew Morgan
morgan at orst.edu
Tue Mar 20 11:17:46 EDT 2018
Here is what I've been doing to test the recent attack announced by Duo.
My strategy has been to disable JavaScript on our IDP site so that I can
stop my browser on the SAML response form POST page. I "view source" to
get the base64-encoded SAML response. I decode it, modify a (hopefully)
important variable by inserting "<!-- comment -->" in the middle of the
value, and encode it. Then I use Web Developer tools to edit the HTML of
the page and paste in the new SAML response. Click the button to submit.
It's very tedious to do, but luckily it's only an issue for SPs that don't
support encryption. Still, that was 15-20 different SPs for us.
The really hard part is figuring out what data to modify. The simplest
case would be to truncate a bare username into another valid username (for
example, smithj1 to smithj). However, you could also attack other
attributes in the SAML response, such as entitlements or
authorization-related attributes. Even so, how can you be sure there
isn't some particular vector you didn't test?
This really needs testing by the SP operator to be sure because they can
see the internal results of the truncation.
Good luck!
Andy
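As an added example (not part of the original post, nor Shibboleth or Duo code): the kind of check an SP operator can run locally to see how a comment injected into a value affects their own parsing, using a constructed SAMLResponse. The namespace URIs are the standard SAML 2.0 ones; the usernames, entitlement and comment text are made up.

```python
import base64
from xml.dom import minidom

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed SAMLResponse (not a real IdP's output): the NameID and an
# AttributeValue each carry an injected XML comment, as described above.
SAML_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID>smithj<!-- comment -->1</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="eduPersonEntitlement">
        <saml:AttributeValue>urn:mace:example:student<!-- c -->s</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# What the browser actually POSTs: the base64 of the XML above.
SAML_RESPONSE_B64 = base64.b64encode(SAML_RESPONSE_XML.encode()).decode()


def naive_text(node):
    """Vulnerable pattern: read only the first child text node.
    A comment splits the text into two DOM text nodes, so the value is truncated."""
    first = node.firstChild
    if first is None or first.nodeType != minidom.Node.TEXT_NODE:
        return ""
    return first.nodeValue


def full_text(node):
    """Correct pattern: concatenate every text/CDATA child and skip comments."""
    text_types = (minidom.Node.TEXT_NODE, minidom.Node.CDATA_SECTION_NODE)
    return "".join(c.nodeValue for c in node.childNodes if c.nodeType in text_types)


def extract(b64, extractor):
    """Decode the form field and pull NameID plus all AttributeValues with the given extractor."""
    doc = minidom.parseString(base64.b64decode(b64))
    name_id = doc.getElementsByTagNameNS(SAML_NS, "NameID")[0]
    values = [extractor(v) for v in doc.getElementsByTagNameNS(SAML_NS, "AttributeValue")]
    return extractor(name_id), values


def truncation_observed(b64):
    """True when the two extraction strategies disagree, i.e. the comment changed the result."""
    return extract(b64, naive_text) != extract(b64, full_text)
```

Running `extract(SAML_RESPONSE_B64, naive_text)` shows the truncated identity (`smithj`) an SP using the first-text-node pattern would authorize, while `full_text` returns the intended `smithj1`.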
On Tue, 20 Mar 2018, Losen, Stephen C. (scl) wrote:
> Hi folks,
>
> Are there tools or test scripts for the various known XML parsing vulnerabilities? Scott, how do you test an SP to see if it is vulnerable? If you give the vendor a "repeat-by" procedure then they may be more responsive.
>
> I recently saw the report of the simplesamlphp XML vulnerabilities which are completely different from the xmltooling library issues. Simplesamlphp (erroneously) does not distinguish private key signature algorithms from symmetric key. So an attacker can take the public key of a victim IDP (which is public knowledge) and sign an arbitrary assertion using the public key and HMAC (symmetric key algorithm). Then the simplesamlphp SP verifies the key by checking the IDP metadata and verifies the signature with HMAC, which is successful.
>
> Any tools or test scripts for this problem or others out there?
>
> Stephen C. Losen
> ITS - Systems and Storage
> University of Virginia
> scl at virginia.edu 434-924-0640
>
>
> -----Original Message-----
> From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Cantor, Scott
> Sent: Monday, March 19, 2018 7:54 PM
> To: Shib Users <users at shibboleth.net>
> Subject: Re: Shib IDP v3 integration with Cylance
>
> On 3/19/18, 6:37 PM, "users on behalf of Phil Pishioneri" <users-bounces at shibboleth.net on behalf of pgp at pSu.edu> wrote:
>> We told our local Cylance admin about the advisory and asked to pass it along to Cylance.
>
> Without naming names (yet), I'll just say that if you intend to be safe, you have no choice at this stage but to test or find somebody else to. Vendors are currently in denial mode or don't understand how any of this works well enough to even recognize they're playing the role that can be vulnerable (or are in some cases outright claiming the IdP is the vulnerable half). You will not get any adequate response unless you force the issue right now, it's too early.
>
> -- Scott
>
>
> --
> For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
>