Monthly Archives: March 2015

Exploiting Superfish with Subterfuge

superfish

Let’s talk about the Internet. What do you use it for? banking, social networking, private email, registering your car, maybe even your taxes? When you’re using the web to accomplish these somewhat standard tasks you are almost invariably predicating the security of your interactions on HTTPS. Here’s funny thing about HTTPS though, it requires TRUST.

Typically, that trust is vested in a verified third-party like Comodo Inc. Now while this third party may or may not be trustworthy, at least you can be confident that all of your eggs are NOT in the same basket right? RIGHT!?

Unfortunately, if you are the recent owner of a Lenovo computer not only are all of your eggs in the frying pan, but anyone can reach over and dump them into the fire at will! How did this happen?

Using the Superfish Root CA

The integrity of HTTPS communications is seated in the certification authority trust model. In order to inject “targeted ads” into your browsing experience Lenovo had to break the foundation of that security model. Superfish, their solution to this quandary, functions by adding a root certificate authority to your computer. It then spies on your encrypted Internet traffic… not cool!

Screen Shot 2015-03-01 at 6.16.14 PM

What’s worse as an attacker you can retrieve Superfish’s certificate! That means that I can spy TOO! Robert Graham did an outstanding writeup on the steps he took to retrieve the certificate: http://blog.erratasec.com/2015/02/exploiting-superfish-certificate.html

I further removed the certificate passphrase and added it into Subterfuge in order to demonstrate just how trivial it is to exploit this vulnerability. Click the start button… wait for bank creds… really Lenovo? This kind of perversion of their customer’s trust isn’t simply bad business, it’s unethical.

Subterfuge 1.0.1

In order to facilitate attacks on Superfish we just released an exceptionally raw update to Subterfuge. In this update the toolkit moves away from SSLStrip-based proxying of web traffic to MITMProxy-based handling. So… what exactly does that mean?

1. Subterfuge can now MITM SSL sessions using arbitrary certificates

2. SSLStriping can be selectively enabled or disabled as desired

Installation

This package is an update to existing Subterfuge installations as opposed to a stand alone version.

To download the Subterfuge version 1.0 installer click here. (This version of Subterfuge does NOT include Superfish attack support).

To download the version 1.0.1 update package click here.

Version 1.0.1 now requires MITMProxy. To install MITMProxy on Kali Linux (or other debian based linux variants) run:

sudo -s
wget https://bootstrap.pypa.io/get-pip.py
python get-pip.py
apt-get install build-essential python-dev libffi-dev libssl-dev libxml2-dev libxslt1-dev
pip install mitmproxy

Upgrading Subterfuge

This requires that Subterfuge version 1.0 be installed on the system already for instructions on accomplishing this see: http://kinozoa.com/blog/installing-subterfuge-on-kali-linux/

Uncompress the latest version of Subterfuge into your existing installation directory as shown below:

tar -xvf subterfuge_1.0.1.tar.gz /usr/share/

Configuring Subterfuge to SSL Intercept

Settings Page

  1. Set Proxy Mode: MITMProxy
  2. Apply

Screen Shot 2015-03-01 at 5.16.28 PM

Executing the Attack

At this point attacking with Subterfuge commences as usual. Please note that this is a bleeding edge release of the framework and has not been tested to ANY degree. That means it is likely to be buggy, or not produce expected results consistently. Please use the comments below to describe any issues you are having, and we’ll do our best to get them fixed up and packaged into a more official release… (2.0 fingers crossed).

References

MITMProxy: https://mitmproxy.org/doc/index.html

Slate: http://www.slate.com/articles/technology/bitwise/2015/02/lenovo_superfish_scandal_why_it_s_one_of_the_worst_consumer_computing_screw.html