Skip to content

Top Best Ask Show New Jobs

We abused Slack's TURN servers to gain access to internal services (opens in new tab)

(rtcsec.com)

381 pointsreader_10006y ago78 comments

78 comments

50 comments · 9 top-level

russellbeattie6y ago· 16 in thread

So Slack's VoIP uses WebRTC, which connects via UDP/TCP to always send SRTP packets through a TURN proxy (which extends STUN via ICE) to work around usual NAT problems. These guys scanned the TURN and found an SSRF which allowed them to connect to Slack's VPC on AWS using IAM temporary credentials. Interesting.

For fun, read that last paragraph out loud to a non-techy near by and watch their eyes...

tandr6y ago

This is a nice summary actually. (btw, you can read it to techy-but-not-in-the-field and still get the same look. I am not sure if I should be sad or proud from the fact that I understood 90% of what you have said without google-fu...)

anthk6y ago

If you are into SIP this is pretty well known.

I understood every word of that and my eyes still glazed over. :)

Could be a line on CSI: Los Angeles.

pottertheotter6y ago

Do you mean this paragraph?

"Our recommendation here is to make use of the latest coturn which by default, no longer allows peering with 127.0.0.1 or ::1. In some older versions, you might also want to use the no-loopback-peers."

topher2006y ago

I believe GP means this paragraph:

> So Slack's VoIP uses WebRTC, which connects via UDP/TCP to always send SRTP packets through a TURN proxy (which extends STUN via ICE) to work around usual NAT problems. These guys scanned the TURN and found an SSRF which allowed them to connect to Slack's VPC on AWS using IAM temporary credentials. Interesting.

OP means they paragraph they just wrote.

Hey I thought he was referring to the last paragraph in the article too…

weavie6y ago

Read it to myself and my eyes glaze over, and I've spent the past couple of weeks trying to decipher all the acronyms involved in WebRTC!

userbinator6y ago

I've worked with SIP and H323 but not WebRTC so I knew about STUN/TURN/ICE, but you're right about the acronym-soup, even to those who have networking experience --- VoIP is its own little niche. (Along the same lines, I've been a bystander to a group of GSM developers' meetings and it's just as incomprehensible.)

lwb6y ago

Even a techy who isn't familiar with networking protocols would start to glaze over!

ct5206y ago

Not so much networking protocols but WebRTC maybe? I did a hello world type of implementation of WEBRTC awhile back and it made perfect sense to me.

m4636y ago

I recall Elon Musk's Acronyms Seriously Suck memo

kalium_xyz6y ago

Heh, reminds me of neuromancer

saagarjha6y ago

I read your paragraph and almost didn’t read the actual article :(

ddrt6y ago

Acronym city right here.

jrockway6y ago· 9 in thread

Things like this are why mTLS internally are so important. If a hole is found in your firewall, services still don't trust each other until they have a valid TLS certificate.

freedomben6y ago

Totally agree. I've been rolling every service out with mTLS. It was a huge PITA tho without a service mesh (which we can't use for different reasons), so I built a drop-in solution for use with any Kubernetes.

I'm still developing on it a bit but my solution is open source [1]. If anybody want to use this I'm happy to provide answers to questions, and quick bug fixes (as this directly benefits my work right now). If you're using kubernetes this is a pretty easy drop in for your pod. It's part of our default setup now.

[1] https://github.com/FreedomBen/metals

ForHackernews6y ago

I think Istio gives you mTLS for free if you add it to your kubernetes cluster.

Any kind of inter-service authentication, really. And for lots of reasons, not just SSRF. But regardless: coherent inter-service authentication is not a norm.

If you're exclusively interested in mitigating SSRF, a more targeted solution is to run your connections (HTTP or TCP) through a proxy that enforces network-level rules. That seems like it would have worked here. For HTTP SSRF, Stripe has a good tool, Smokescreen.

I worked for a large tech company that was hacked by Russians at least twice, and they had a not only unencrypted, but unauthenticated sql front end and api to their inventory management system that listed every server on the network and every piece of software and version installed on it, as all the user accounts on it and privileges as well as sysadmin contact info and everything you’d need for social engineering. I realized how bad it was when I was using it to find all the servers at the company that needed to be patched for heartbleed. Anybody on any server in our network could get to it, or just someone who plugged a laptop in at the office or got in to our vpn, and you’d have the keys to the kingdom. I told the head of security and he said it would break too many things to put it behind authentication.

I wish there was an easy way to do mutual TLS auth with pre-shared keys that can be stored and copy/pasted just like normal passwords or API keys without having to maintain a CA and handle certificate issuing & renewal (sure, technically forever-lived certificates aren't as secure, but even those would already be a major upgrade compared to the status quo).

I personally use cert-manager to run the CA, then create a cert for each app and have k8s inject it. It is more manual than a service mesh, but many applications support this strategy out of the box. (I will say that creating a certificate resource is a lot easier than the old days of some directory of shell scripts acting as your CA, though. And the same code manages my letsencrypt certs.)

For example, I have Grafana backed by Postgres, and they both understand this authentication scheme out of the box. Postgres is happy to be provided with a cert to present to connecting applications, and is happy to check the cert that applications present against the CA cert.

The main problem with my setup is that I use a ClusterIssuer CA, so really anyone in the cluster can get a valid certificate. This is not amazingly secure and things like Istio do a bit more provenance checking of the application before issuing a cert, which I like. But this is simple, and does protect against the attack this article covers -- as long as you don't go out of your way to present the application's cert when proxying a connection. (Which is probably an easy mistake to make, so be careful.)

freedomben6y ago

Shameless plug (I really did not intend to promote this yet but it can help so figured I'd mention it in case you are interested), but if you are using Kubernetes you could get pretty darn close with MeTaLS[1]. Generate self-signed certs that last for 10 or more years and copy/paste them into environment variables for your service, and you've got it. Of course I don't recommend that as it's not as secure as doing things "the right" way but it's definitely better than no mTLS at all (as you pointed out).

MeTaLS won't provide you with client-related stuff, but most clients and client libs make it easy to set a certificate/key with a request.

[1]: https://github.com/FreedomBen/metals

namibj6y ago

Huh? TLS has PSK ciphers. They're popular in low-power IoT devices, because even ecc crypto is rather expensive, compared to e.g. AES.

I'm not sure if any of the PSK modes manage to work with perfect forward secrecy though. Otherwise, leaking the PSK would also allow decrypting any previously-sniffed traffic.

paxys6y ago

Funny enough Slack itself recently open-sourced https://github.com/slackhq/nebula which does exactly that.

wrkronmiller6y ago· 8 in thread

As a complete novice in this area, I don't understand the advantage of using a proxy-like service such as TURN.

What is the advantage over simply routing the media streams through application servers (i.e. user A connects to server which links to user B) which can then perform application-specific authentication, enforce restrictions on payloads, etc... Performance?

gfodor6y ago

If you have a centralized server, you have a SFU. SFUs typically expose a range of UDP (and/or TCP) ports for communication. Peer connections are allocated on a port basis. So if a user is connected to your SFU, they take up a port, and need to be able to egress over a large UDP/TCP port range to connect, since the port is assigned randomly.

However, many firewalls block port ranges, or even UDP entirely. What you really want is a way to let people speak WebRTC over a common port (443 TCP is almost never blocked.) TURN facilitates this. Sometimes it's built into SFUs, sometimes not, and requires coturn in front of it. In Slack's case (and the project I work on as well) they are running Janus, which does not have TURN built in, and hence, run coturn to facilitate TURN.

Slacks's approach is particularly interesting because they always push people through TURN, instead of allowing direct connectivity to their SFU. Hard to say why exactly, but probably it's a mix of locking down SFU onto the private network for some reasons, being able to push TURN to edge but keep SFU on private LAN, etc. Typically you don't do this I don't think, you run TURN and SFU both with public IPs, and the client connects to one or the other depending on what ICE candidates win (which is a function of their firewall rules: your browser tries to pick the 'best' candidate it can get to, ideally one over UDP without a TURN hop.)

There is no reason an SFU couldn't run everything over one port though! Then you can just use the 3-tuple to route stuff to the proper connection.

Someone is doing this right now for Pion, really excited to see it. I am especially excited to see what it means for deploys, right now asking people to expose port ranges adds so much overhead vs 1 UDP and 1 TCP for media.

e12e6y ago

SFU?

annoyingnoob6y ago

Pushing everything through a proxy does not seem ideal. Seems kind of like the easy road to adding VoIP to everywhere that slack already works.

aclavelle6y ago

My knowledge is about 2 years old on this but I can try to explain: TURN/STUN are to facilitate users communicating behind NAT and firewalls. TURN routes all traffic through a central server and pushes it to clients which it has an established connection with, thus getting around NAT/Firewall. STUN is a bit more lightweight in that it really just helps users to negotiate a normal P2P connection and then they send messages directly to eachother.

wrkronmiller6y ago

Thanks! That's in-line with what I thought was going on. It sounds like TURN is very close to being an open proxy.

Rather than falling back from p2p to STUN to TURN, why not replace TURN with something more application/protocol-specific?

Perhaps a webrtc-only proxy that performs authentication and can perform authorization along the lines of: user A is (only) allowed to connect to user B using protocol WebRTC.

detaro6y ago

Edit: nvm, confused STUN and TURN

wrkronmiller6y ago

It sounds like the TURN server is effectively acting like an (open) proxy. Wouldn't that mean the operator still has to have the infrastructure to handle the connections + traffic?

I'm assuming, perhaps incorrectly, that most of these RTC connections are happening over NAT and therefore usually go over TURN rather than by connecting directly. Even if that's not the case, why not try direct p2p connection first then fall back to routing through an application-specific proxy, which can have tighter controls on who connects to who and what payloads they send?

gfodor6y ago· 3 in thread

Huh, I happen to be knee-deep in this stuff right now. This article noted that Slack seemed to be running an old TURN server (pre-coturn):

https://webrtchacks.com/slack-webrtc-slacking/

Given that the latest coturn has this vulnerability mitigated by default, perhaps all this boils down to is "Slack runs outdated software, we exploited it."?

jackewiehose6y ago

It's not really a bug in old coturn, just a feature in the protocol. According to the article newer versions just disable routing to 127.0.0.1 by default but there are still other network addresses you might have to consider (see article for a recommended list of "denied-peer-ips").

jerf6y ago

You may already know this, but it's worth getting the word out. Do not just deny routing to 127.0.0.1. 127.0.0.1 is merely the conventional "localhost" address; however, ALL 127.x.x.x is "localhost". You can check this now on your local command line with "ping 127.1.2.3".

(This just seems to be one of those bugs that every proxy goes through at some point, just like pretty much any attempt to write a web server that serves files off disk will have at least one directory traversal bug.)

gfodor6y ago

Yup, sorry if my phrasing implied it's a bug. It's just better defaults, and there's evidence to support the idea slack was just running the software with the old defaults.

realchucknorris6y ago· 2 in thread

am i wrong or security researchers aren't paid well. i mean not sure how much this bug is wort but def. $3500 looks like a small number.

anotheraccountf6y ago

Yeah, I had the same thought. For something as big as this? Should be at least 2 more zeros imo.

imtringued6y ago

I don't understand what's so big about this. It's akin to telling someone that they forgot to use passwords on their mongodb database. Does that really deserve $350k compensation?

kylek6y ago· 2 in thread

tldr-

November 2017: added TURN abuse to our stunner toolset

December 2017: discovered and reported TURN vulnerability in private customer of Enable Security

February 2018: briefly tested Slack and discovered the vulnerability

April 2018: submitted our report to Slack, helped them reproduce and address the issue through various rounds of testing

May 2018: Slack pushed patch to live servers which was retested by Enable Security

January 2020: asked to publish report

February 2020: disclosure delayed by HackerOne/Slack

March 2020: report published

lonelappde6y ago

Don't use indentation for formatting linebreaks. It beaks HN layout.

Just add extra linebreaks

dang6y ago

I've fixed the formatting now.

ChrisArchitect6y ago· 1 in thread

kind of important almost title-edit-worthy to note this is an exploit and research that went on late-2017 until about mid-2018 no? Not that this is some current thing

jackewiehose6y ago

Published March 2020. It's not about some Slack issue that is irrelevant now. It's about misconfigured TURN-servers and at least for me it's a current thing ;-)

BoorishBears6y ago

Timeline—

November 2017: added TURN abuse to our stunner toolset

December 2017: discovered and reported TURN vulnerability in private customer of Enable Security

February 2018: briefly tested Slack and discovered the vulnerability

April 2018: submitted our report to Slack, helped them reproduce and address the issue through various rounds of testing

May 2018: Slack pushed patch to live servers which was retested by Enable Security

January 2020: asked to publish report

February 2020: disclosure delayed by HackerOne/Slack

March 2020: report published

Instead of sending traffic anywhere, why don't they have the destination address first send a (slack-authenticated) request to the TURN server saying "I'm happy to receive traffic from [SOURCE]" and then a temporary window is opened for [SOURCE] to open a connection to that specific destination.

j / k navigate · click thread line to collapse