SSO Wars: The Token Menace

Presented at Black Hat USA 2019, Aug. 7, 2019, 10:30 a.m. (25 minutes)

It is the year 2019. Humanity has almost won its long-standing war against Single-Sign On (SSO) bugs. The last of them were discovered and eradicated some time ago and the world is now living in an era of prosperity while the Auth Federation enjoys peaceful CVE-free times. However, while things seem to be running smoothly, new bugs are brewing at the core of major implementation libraries. This is probably the last chance for the evil empire to launch a world scale attack against the Auth Federation.<br><br>In this talk, we will present two new techniques:<br><ol><li>A new breed of SAML implementation flaws that break XML signature validation and enable arbitrary modification of the SAML assertion, which enables attackers to authenticate as arbitrary users or grant themselves arbitrary authorization claims. Although any implementation may be affected by this flaw, we will show how it affects Microsoft Windows Identity Framework (WIF) applications, Windows Communication Foundation (WCF) web services, and flagship products such as SharePoint and Exchange Servers.</li><li>A bug in the .NET crypto library, which may allow attackers to gain Remote Code Execution (RCE) or Denial of Service (DoS) depending on the availability of code gadgets in the target server.</li></ol>A new tool to detect this type of vulnerability will also be discussed and released.

Presenters:

• Alvaro Muñoz - Principal Software Security Researcher, Micro Focus Fortify   as Alvaro Munoz
  Alvaro Muñoz (@pwntester) works as Principal Software Security Researcher with Micro Focus Fortify, Software Security Research (SSR) team. Before joining the research organization, he worked as an Application Security Consultant helping top enterprises to deploy their application security programs. He is passionate about Web Application security where he has focused most of his research. Muñoz has presented at many Security conferences including BlackHat, Defcon, RSA, AppSec EU & US, JavaOne, etc and holds several infosec certifications, including OSCP, GWAPT and CISSP and he is a proud member of int3pids CTF team. He blogs at http://www.pwntester.com.
• Oleksandr Mirosh - Software Security Researcher, Micro Focus Fortify
  Oleksandr Mirosh has over 11 years of computer security experience, including vulnerability research, penetration testing, reverse engineering, fuzzing, developing exploits and consulting. He is working for Fortify Software Security Research team in MicroFocus investigating and analyzing new threats, vulnerabilities, security weaknesses, new techniques of exploiting security issues and development vulnerability detection, protection and remediation rules. In the past, he has performed a wide variety of security assessments, including design and code reviews, threat modelling, testing and fuzzing in order to identify and remove any existing or potentially emerging security defects in the software of various customers.

Links:

• https://www.blackhat.com/us-19/briefings/schedule/#sso-wars-the-token-menace-15092
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2019/SSO Wars The Token Menace.mp4
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2019/SSO Wars The Token Menace.en.transcribed.srt (subtitles)
• https://www.youtube.com/watch?v=TH5A3LPGRcA

Similar Presentations:

• BSidesLV 2019 / SSO Wars: The Token Menace
• Global AppSec - DC 2019 / SSO Wars: The Token Menace
• DEF CON 27 (2019) / SSO Wars: The Token Menace