A compromised computer has no secrets to an attacker

Dec 3, 2014 19:47 GMT

Under certain conditions, an attacker could obtain the LastPass master password of a victim by tricking them into running a malicious payload that could go undetected by some antivirus products.

During the DefCamp 2014 security conference in Bucharest, Romania, over the weekend, security enthusiast Alex Balan showed how a clever combination of security tools could offer an attacker a way into the computer of a victim, despite the watchful eye of a fully updated antivirus solution.

Clever planting of the malicious payload

He used Ettercap, Burp, the Backdoor Factory (BDF) and Metasploit to prepare the malicious file, drop it on the target system and extract the sensitive information.

After hijacking the connection of the victim machine, Balan noticed the update queries from Samsung Kies, an application used for synchronizing smartphones with the PC.

The interesting part was that the query was sent in plain text, which allowed the information to be manipulated through a man-in-the-middle attack, and there was no validation mechanism, so the update file could be served from any machine.

Using Burp, the researcher managed to replace server replies with a message of his own, informing the client that a new update was available from a local machine.

Preparing the malicious update carrying a Metasploit payload was done using BDF. The researcher injected the payload in a legitimate Kies update binary, in empty areas called “code caves.”

The hardest part of the experiment, called "Owning the Girl Next Door," consisted of finding the right place to inject the rogue code so that an antivirus would not easily detect it; some products were able to identify the tampered Kies update as a potential threat.

Most of the downloads happen over HTTP

The result was a maliciously crafted Kies update that would install without triggering the up-to-date antivirus on the target machine. The installation of the update proceeds normally and the user can benefit from the software version pushed by the attacker.

However, the payload is also executed, and the attacker gains access to the computer and to the plain-text sensitive data stored by the LastPass browser plug-in.

It is important to note that the Metasploit module used only works if the “store my password” option is enabled.

LastPass relies on encryption to protect its data, and the same goes for the master password stored locally. However, the authors of the Metasploit module discovered that the process relied on weak encryption (AES 256 in CBC or ECB mode); next, they determined how it worked and created a script to reverse it.

The whole purpose of a password manager is for the user to remember one string of characters that would allow access to the usernames and passwords for other online services.

After discovering the issue, the authors of the module (Martin Vigo, Alberto Garcia Illera and Jon Hart) contacted LastPass privately, and the user is now warned, upon enabling the option, that storing the password locally is not a safe choice.

Samsung Kies was selected for the purpose of the experiment because it was easiest to hack, but there are numerous other applications that can be used.

Balan said that more than 90% of downloads occur over an insecure connection, and in many cases there is no validation of the file or its origin; in other cases the validation checks are themselves sent in plain text and can be spoofed by an attacker.

Someone determined to compromise a computer could analyze the traffic from the target and devise a trick for delivering a malicious payload.
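The three weaknesses the article describes in the Kies update path are the absence of an authenticated manifest, the absence of an origin check, and integrity values that travel in the same plain-text channel an attacker already controls. The following Python is an added example (not Samsung's, LastPass's or the researcher's code) of an update client that performs all three checks, and it replays each of the article's tampering scenarios against it. The vendor host, key and manifest values are constructed for the demo; an HMAC with a pinned key stands in for the vendor's public-key signature so the script runs with the standard library alone, whereas a real client would pin a public key and hold no secret.

```python
"""Update-manifest verification: the checks whose absence the Kies attack exploited.

Added example, not code from the article or from any vendor.  Values are constructed.
"""
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Constructed vendor host for the demo (hypothetical).
VENDOR_HOSTS = {"updates.vendor.example"}
# HMAC with a pinned key stands in for an asymmetric vendor signature so the demo
# needs no third-party library; a real client pins a public key and holds no secret.
PINNED_VERIFY_KEY = b"demo-vendor-key-not-a-real-secret"


def canonical(manifest: dict) -> bytes:
    """Stable serialisation so signer and verifier hash identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes = PINNED_VERIFY_KEY) -> str:
    """Vendor side: authenticate the manifest (URL, version and payload digest together)."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_update(manifest: dict, signature: str, payload: bytes) -> tuple[bool, str]:
    """Client side: return (ok, reason).  Every check must pass before the payload runs."""
    # 1. Origin check: only the vendor's hosts, and only over TLS.  A plain-text
    #    query that can be rewritten to point at "a local machine" fails here.
    url = urlparse(manifest.get("url", ""))
    if url.scheme != "https" or url.hostname not in VENDOR_HOSTS:
        return False, f"untrusted update origin {manifest.get('url')!r}"
    # 2. Authenticate the manifest; otherwise a MITM rewrites URL and digest together.
    if not hmac.compare_digest(sign_manifest(manifest), signature):
        return False, "manifest signature invalid"
    # 3. Integrity check: the bytes actually downloaded must match the signed digest.
    digest = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(digest, manifest.get("sha256", "")):
        return False, "payload digest mismatch"
    return True, "update verified"


def run_scenarios() -> dict:
    """Replay the article's tampering steps against the hardened client (constructed data)."""
    genuine = b"GENUINE-UPDATE-BINARY (constructed stand-in for the real installer)"
    trojaned = b"TROJANED-UPDATE-BINARY (constructed stand-in for a BDF-modified file)"
    manifest = {
        "product": "DemoSync",
        "version": "3.1.0",
        "url": "https://updates.vendor.example/DemoSync-3.1.0.exe",
        "sha256": hashlib.sha256(genuine).hexdigest(),
    }
    signature = sign_manifest(manifest)

    # MITM rewrites the reply to point at the attacker's machine, reusing the old signature.
    rewritten_origin = dict(manifest, url="http://10.0.0.5/DemoSync-3.1.0.exe",
                            sha256=hashlib.sha256(trojaned).hexdigest())
    # MITM keeps the vendor URL but spoofs the plain-text digest to match the trojaned file.
    spoofed_digest = dict(manifest, sha256=hashlib.sha256(trojaned).hexdigest())

    return {
        "legitimate": verify_update(manifest, signature, genuine),
        "rewritten_origin": verify_update(rewritten_origin, signature, trojaned),
        "spoofed_digest": verify_update(spoofed_digest, signature, trojaned),
        # Manifest untouched, only the downloaded bytes swapped in transit.
        "swapped_payload": verify_update(manifest, signature, trojaned),
    }


if __name__ == "__main__":
    for name, (ok, reason) in run_scenarios().items():
        print(f"{name:18} {'ACCEPT' if ok else 'REJECT'}: {reason}")
```

Ordering the origin check first means a response redirected to an arbitrary host is rejected before any key material is touched; the signature then binds the digest to the manifest so an attacker who controls the plain-text channel cannot simply rewrite both the file and its checksum, which is the spoofing the article says defeats many existing validation schemes.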

Image captions: Alex Balan at DefCamp 2014. The researcher showed that the malicious update installed without a glitch. Samsung Kies was just an example; updates for multiple other apps can be injected, too.