
SECUREDROP >= 0.3 - Possible Backdoor & Privileges Escalation by Unauth User



___________.__  .__  .__        __  .__         ________________   ________   
\_   _____/|  | |  | |__|______/  |_|__| ____   \__    ___/  _  \  \_____  \  
 |    __)_ |  | |  | |  \____ \   __\  |/ ___\    |    | /  /_\  \  /   |   \ 
 |        \|  |_|  |_|  |  |_> >  | |  \  \___    |    |/    |    \/    |    \
/_______  /|____/____/__|   __/|__| |__|\___  >   |____|\____|__  /\_______  /
        \/              |__|                \/                  \/         \/ 
___________                       ___                              
\__    ___/___ _____    _____    / _ \_/\  ___  ______  ______  ___
  |    |_/ __ \\__  \  /     \   \/ \___/  \  \/  /\  \/  /\  \/  /
  |    |\  ___/ / __ \|  Y Y  \             >    <  >    <  >    < 
  |____| \___  >____  /__|_|  /            /__/\_ \/__/\_ \/__/\_ \
             \/     \/      \/                   \/      \/      \/

~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#
                SECURITY VULNERABILITY - SECUREDROP >= 0.3
        Possible Backdoor & Privileges Escalation by Unauth User
               2015-04-01 by ~~~ Elliptic TAO Team ~~~
~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#

Hello fellow Internet users,

On this great day, when all the tech companies and fresh startups make
fun of you by presenting you incredible new products and try to fool you
into believing in something that is not there.

We will not.

We tell nothing but the truth, we are, in a way, whistleblowers.

~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#

~~~Elliptic TAO Team~~~ is the "Nom de plume" of a cyber-warfare
intelligence-gathering unit within the SIGINT forces of a Sovereign State. It
has been active since 2009 to identify, review, monitor, infiltrate and gather
intelligence on computer systems being used by Foreign entities (-:

~~~Elliptic TAO Team~~~ has discovered several critical vulnerabilities
affecting the overly hyped software.
The first vulnerability we are releasing today seems to be a BACKDOOR
PURPOSEDLY (?) INSTALLED BY THE CORE DEV TEAM and present in EVERY INSTALLATION 
of the SecureDrop whistleblowing software which allows ARBITRARY ACCESS, DATA
DOWNLOAD, USER CREDENTIALS COMPROMISE, IMPERSONATION OF JOURNALISTS on the platform.

The backdoor was inserted by the Freedom of the Press Foundation to pose a
threat to every company, organization, private party using the platform
and to allow a Foreign Force to persistently and programmatically monitor
communications, download content, impersonate administrators.

SecureDrop is an open-source software platform for secure communication between
journalists and sources (whistleblowers). It was originally designed and 
developed by Aaron Swartz and Kevin Poulsen under the name DeadDrop.
After Aaron Swartz's death, the first instance of the platform
was launched under the name Strongbox by staff at The New Yorker on 15 May
2013. The Freedom of the Press Foundation took over development of DeadDrop
under the name SecureDrop, and has since assisted with its installation (and
backdooring) at several news organizations, including ProPublica, The
Intercept, The Guardian, and The Washington Post.

The Freedom of the Press Foundation (FPF) has subsequently willingly modified the
original secure source code to include a software backdoor that allows any user
in possession of the following information to exploit it and gain ADMINISTRATIVE
POWER on every installation deployed right now on the internet.
It is a travesty that the code of the deceased Aaron Swartz has been meddled with
in such a way.

The FPF has so far successfully infiltrated a variety of different media agencies
both in the country of the United States and abroad. They have managed to do so
by exploiting the trustworthiness of PsyOP Agent Snowden (POPAS) to convince
grassroots organisations and media entities alike that they should use SecureDrop.

POPAS has exposed to the world the supposed wrongdoings of the US government agency NSA,
but it is quite likely that this is a Psychological Operation led by the United States
to instill fear and distrust in citizens, leading them to ask for greater security.
This fear and distrust is used to steer the public towards software solutions that often
do little to improve their actual security and, in this particular case, in fact
compromise it.

This is just another clue that leads us to believe that the activities of POPAS and FPF
are in reality guided by handlers inside of the US government.

With this backdoor FPF and their possible co-conspirators can:

 * log in, create users, access confidential information
 * disable other administrators
 * change password of other journalists
 * log in as other journalists and see if they received something
 * see how many communications journalists are receiving and when
 * download their data
 * write answers to whistleblowers on behalf of their colleagues
 * delete material of journalists

The timing in which the backdoor was included into the software was also interesting.
It was committed to the source code just after a "security review" from a team of
researchers from the University of Washington.
This also coincided with summer vacations, hence probably not many people were looking
at the commits during that time.
If we were to suggest a better time to commit a backdoor to a piece of software we
would not have advised any differently.

If you still have some questions about the willingness to backdoor the software,
please take a look at the Software Repository: after backdooring the 0.3
version other versions previously available have been removed from the download
pool to offer only the backdoored one:

<https://apt.pressfreedomfoundation.org/pool/main/s/securedrop/>

~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#
                 WEBSITES EXPLOITABLE BY THE BACKDOOR
~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#

These major sites have been confirmed to be exploitable:

* Forbes                 https://safesource.forbes.com
* The Guardian           https://securedrop.theguardian.com
* The Intercept          https://firstlook.org/theintercept/securedrop
* The New Yorker         https://projects.newyorker.com/strongbox
* The Washington Post    https://ssl.washingtonpost.com/securedrop
* Wired's Kevin Poulsen  poulsensqiv6ocq4.onion
* Greenpeace             https://www.safesource.org.nz
* ProPublica             https://securedrop.propublica.org
* BayLeaks               https://bayleaks.com

Many more are potentially vulnerable such as ExposeFacts, NRKbeta, Project On
Gov't Oversight (POGO), Radio24syv, BalkanLeaks and any other installations
running 0.3.

~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#
                           AFFECTED VERSIONS
~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#

Affected versions:
 - develop branch since Jul 29, 2014
 - all versions present on their debian package repository:
   https://apt.pressfreedomfoundation.org/pool/main/s/securedrop/
   - securedrop-app-code-0.3-amd64.deb
   - securedrop-app-code-0.3.1-amd64.deb

(interesting to note they had also released versions 0.3.2 and 0.3.3, both
vulnerable, but they have been recently removed from the repository)

User privileges needed in order to exploit the vulnerability: unauthenticated user

~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#
            AUTHOR OF THE BACKDOOR AND OFFENDING COMMIT
~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#

The backdoor was added in the following commit:

<https://github.com/freedomofpress/securedrop/commit/98a99a19d3c7d56a20f6e842d7c6aabd3ca8c75d>

~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#
                      VULNERABILITY EVIDENCE
~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#
File /securedrop/journalist.py, lines 125-128, missing @admin_required
decorator:

125 @app.route('/admin/add', methods=('GET', 'POST'))
126 def admin_add_user():
127     # TODO: process form submission
128     return render_template("admin_add_user.html")
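The defect above is a route under /admin/ whose view function carries no
authorization decorator, so the page is served to anyone who requests it. The
following is an added illustration, not SecureDrop's code: MiniApp is a
stand-in for a Flask app's route registry (so the block runs without Flask),
admin_required is an assumed decorator that rejects non-admin sessions and
marks the view function it wraps, and audit_admin_routes is an assumed check
that lists every /admin/ route lacking that marker, which is the kind of test a
code reviewer could have run against the commit in question.

```python
import functools


class MiniApp:
    """Constructed stand-in for Flask's route registry: rule -> view function."""

    def __init__(self):
        self.view_functions = {}

    def route(self, rule, methods=("GET",)):
        def register(view):
            self.view_functions[rule] = view
            return view
        return register


class Forbidden(Exception):
    """Raised when a non-admin session reaches an admin-only view."""


def admin_required(view):
    """Reject sessions without is_admin and mark the view for the audit below."""
    @functools.wraps(view)
    def wrapper(session, *args, **kwargs):
        if not session.get("is_admin"):
            raise Forbidden(view.__name__)
        return view(session, *args, **kwargs)
    wrapper._admin_required = True  # marker inspected by audit_admin_routes
    return wrapper


app = MiniApp()


@app.route('/admin/add', methods=('GET', 'POST'))
def admin_add_user_unprotected(session):
    # Same shape as the page's lines 125-128: no decorator, reachable by anyone.
    return "admin_add_user.html"


@app.route('/admin/add_fixed', methods=('GET', 'POST'))
@admin_required
def admin_add_user_protected(session):
    # Hardened form: the decorator runs before the view body.
    return "admin_add_user.html"


@app.route('/admin/login', methods=('GET', 'POST'))
def admin_login(session):
    # Legitimately unauthenticated; listed in the audit's exempt set.
    return "login.html"


def audit_admin_routes(app, prefix="/admin/", exempt=("/admin/login",)):
    """Return rules under prefix whose view lacks the admin_required marker."""
    return sorted(
        rule for rule, view in app.view_functions.items()
        if rule.startswith(prefix)
        and rule not in exempt
        and not getattr(view, "_admin_required", False)
    )


def render(app, rule, session):
    """Dispatch a request for rule with the given session dict."""
    return app.view_functions[rule](session)


def is_reachable(app, rule, session):
    """True if the session can reach the view without being refused."""
    try:
        render(app, rule, session)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    print("unprotected admin routes:", audit_admin_routes(app))
    print("anonymous reaches /admin/add:", is_reachable(app, "/admin/add", {}))
    print("anonymous reaches /admin/add_fixed:",
          is_reachable(app, "/admin/add_fixed", {}))
```

The audit only proves a decorator is present, not that it is correct; it is
cheap enough to run in a test suite on every commit so that a route added or
renamed under /admin/ without the decorator fails the build rather than
shipping. The exempt set is the place where an unauthenticated login page is
consciously allowed, which keeps that decision visible in review.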

~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#
                       STEPS TO REPLICATE
~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#

Steps needed in order to reproduce and exploit the backdoor:

Install the development environment: 
(https://www.vagrantup.com/download-archive/v1.6.5.html)
 
 sudo dpkg -i vagrant.deb
 sudo dpkg-reconfigure virtualbox-dkms
 sudo apt-get install ansible/trusty-backport
 sudo apt-get install ansible
 git clone git@xxxxxxxxxx:freedomofpress/securedrop.git
 cd securedrop
 vagrant up
 vagrant ssh
 cd /vagrant/securedrop
 python journalist.sh

Exploit the vulnerability to add new admin user:

 open firefox at /admin/add
 type a new user:
     username: th3g4rd1n0fth3guardian
     password: 12345
     mark i'm using a yubikey
     insert the secret: 3132333435363738393031323334353637383930
 press: add user

 Login with the new admin user
     open firefox at /admin/login
     type the login info:
         username: th3g4rd1n0fth3guardian
         password: 12345
         token: 755224
     press: log in

 where 755224 is the first token of the HOTP series associated with the
chosen secret.
 Just for reference, this is the example data from RFC 4226:
 <https://tools.ietf.org/html/rfc4226>
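The secret and token quoted above are exactly the RFC 4226 Appendix D test
vector (secret "12345678901234567890", counter 0). The following is an added
example, not code from the advisory or from SecureDrop: hotp implements the
RFC 4226 algorithm with the standard library, and verify_hotp is an assumed
server-side check that shows what a correct verifier does with a counter
(only counters after the last accepted one, within a small look-ahead window,
are accepted, so a replayed token is refused).

```python
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test secret, as quoted in the advisory (hex of the
# ASCII string "12345678901234567890").
RFC4226_SECRET_HEX = "3132333435363738393031323334353637383930"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_hotp(secret: bytes, candidate: str, last_counter: int,
                look_ahead: int = 5):
    """Assumed verifier logic: accept `candidate` only if it matches a counter
    strictly after `last_counter` and within `look_ahead` steps. Returns the
    new counter to persist, or None if the token is rejected (including any
    token whose counter was already used, which blocks replay)."""
    for counter in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(secret, counter), candidate):
            return counter
    return None


def rfc4226_vectors(secret: bytes, count: int = 10):
    """First `count` HOTP values for the secret; for the RFC test secret these
    are the Appendix D values (755224, 287082, 359152, ...)."""
    return [hotp(secret, c) for c in range(count)]


if __name__ == "__main__":
    secret = bytes.fromhex(RFC4226_SECRET_HEX)
    print("first tokens:", rfc4226_vectors(secret, 3))
    print("accept counter 1 after 0:", verify_hotp(secret, "287082", 0))
    print("replay of counter 0 after 0:", verify_hotp(secret, "755224", 0))
```

Two points for operators follow from this. A token that equals the RFC test
vector is a sign that a published secret was enrolled, which any attacker can
derive; an enrolment flow can reject that secret outright. And a verifier that
does not persist and enforce the counter accepts the same token repeatedly,
so the counter update in verify_hotp is the part that must never be skipped.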

~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#
                            BACKDOOR POWERS
~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#

Enjoy the admin power!
 * log in, create users, access confidential information
 * disable other admins
 * change password of other journalists
 * log in as other journalists and see if they have received something
 * see how many communications journalists are receiving and when
 * download journalists' data
 * write answers to whistleblowers on behalf of journalists
 * delete material of journalists
 
The backdoor can be used for:
 * eavesdropping on every piece of information submitted to a SecureDrop site
 * proactive monitoring and OSINT info gathering
 * MITM in communication between journalists and whistleblowers
 * erasing evidence and communication (silence whistleblowers)
 * gathering content programmatically from every SecureDrop installation

~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#
                          REMEDIATIONS
~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#

The Freedom of the Press Foundation has willingly removed from download the secure
previous versions, so the only remediation can be:

1. Uninstall and block access on EVERY installation.
2. Execute a complete and meticulous log analysis to spot backdoor access.
3. Avoid SecureDrop in any critical installation until further tests.
4. Be VERY SUSPICIOUS OF EVERYTHING COMING FROM FPF.
5. Be paranoid. Very paranoid.


12Fsd2VkX1/hlaz3V9/IyX1ftxssdaoEDqJGxJElZzxsgwV7C6H1HXgtu0ddtaAi+
fdfye6jOwdluXjkgWuuJqsYDyO1ergeKlywi2Oh6Lc=
