Tom Tervoort (Secura)

Tom Tervoort is a Principal Security Specialist for Secura, a security company based in the Netherlands. Tom regularly performs network pentests, web/mobile application assessments, as well as code, configuration and design reviews for large Dutch companies and institutions. Tom’s primary areas of interest include cryptographic protocols and cryptography engineering, advanced web attacks and Windows AD pentesting. Besides doing security assessments, Tom also develops and gives cryptography and secure programming courses to software developers. In December 2020, Tom won a Pwnie award for Best Cryptographic Attack, due to work on the Zerologon vulnerability. Tom also spoke about Zerologon at Black Hat USA 2021 and about Kerberos at Black Hat Europe 2022.


Sessions

02-11
11:00
60min
Breaking IBM WebSphere authentication: exploiting crypto bugs to impersonate anyone
Tom Tervoort (Secura)

Nowadays, web applications often rely on cryptographically protected tokens to facilitate single sign-on or maintain sessions across distributed servers. Such tokens contain expiration dates and the identity of the current user, and are stored in the user’s browser. It is essential that these users are not able to change the contents of these tokens, as that could allow, for instance, impersonation of other user, elevation of privileges or authentication bypasses. A crypto bug in a token implementation can lead to multiple forms of authentication vulnerabilities.

During my analysis of several token implementations, I found that the way that the application server IBM WebSphere Liberty had implementation flaws in its implementation of the Lightweight Third Party Authentication (LTPA) protocol, a cryptographic token scheme used by multiple IBM products. By combining this implementation bug with cryptographic weaknesses in the protocol itself, an attacker could to change their token into one belonging to any other user. While this attack involves a tricky adaptive chosen-ciphertext attack, it can be easily automated with a script that usually only takes a few seconds to execute. I also found a second (less severe) impersonation attack involving the injection of a delimiter character.

This talk will explain the LTPA protocol and its cryptographic flaws. I will show how these can be exploited by taking advantage of a parser implementation and an implementation bug, leading to a practical impersonation attack against applications using the WebSphere Liberty and Open Liberty web servers.

Talks
Leonardo Da Vinci