Tag: kerberos

The History of Orpheus’ Lyre: A tale as old as time, a vuln as old as Windows

The world of cyber security and ancient Greece are colliding. We are speaking, of course, about the Orpheus’ Lyre security hole making the rounds in security news. We’re sounding the Gjallarhorn in hopes that you’ll join us down in the infosec underworld as we discover what three-headed dogs, Thrace, and the granddaddy of the modern guitar have in common with your network.

Setting the Stage – the Classical Age

Orpheus – First mentioned by a sixth-century BC lyric poet named Ibycus and later made famous by the Theban lyric poet Pindar, Orpheus is an epic hero popular in ancient Greek myth. Orpheus is known as a legendary musician with the ability to trick, persuade, and charm his way around obstacles thanks to his supernatural lyre playing. The lyre, which is how the ancient Romans played Wonderwall at insulae parties, is a predecessor of the guitar often mistaken for a harp.

The most famous story of Orpheus is that of rescuing his wife, Eurydice, from the underworld. When Eurydice is attacked by a satyr (mischievous goat-man played by Danny DeVito in Disney’s “Hercules”), she falls into a pit of vipers, is bitten on the heel, and succumbs to their venom. Stricken with grief, Orpheus plays a song so mournful that the gods themselves are moved to tears. They offer him advice: descend into the underworld yourself and strike a deal to get Eurydice back. Orpheus descends into the underworld, soon finding himself face-to-face with the ferocious Cerberus, guardian of the gates of the underworld. Orpheus tames Cerberus with some hot lyre riffs and snags an appointment with Hades, lord of the underworld, to successfully negotiate the return of Eurydice to the world of the living. Unfortunately, the tale takes a turn for the worse from there, with Orpheus falling for the classic religious no-no of “looking behind you” while fleeing. Because he peeks back over his shoulder during their exit from the underworld despite a clear warning from Hades, Eurydice vanishes forever. Orpheus is later torn apart by a wandering band of vicious feral women upset by Orpheus snubbing their favored rock ’n’ roll god.

Cerberus – The hound of hell, three-headed guardian of the underworld, son of Tartarus-bound Typhon and Echidna. Cerberus has made cameos in “Harry Potter & the Philosopher’s Stone”, several Disney movies, and almost every RPG with a summoning system. This tri-skulled canine is among the most prominent icons for gatekeeping and security around. In the legends of Orpheus, Cerberus succumbs to the honey-sweet grooves of a lyre and allows the legendary musician to pass where countless others had failed.

Heimdallr – Heimdallr and his namesake are only peripheral references in our story, so let’s make this quick. Heimdallr is a Norse god that carries a giant horn, Gjallarhorn, and is said to be an ever-vigilant sentry watching for the inevitable approach of Ragnarok, which is like a Rammstein music video version of the apocalypse.

Setting the Stage – The Information Age

Orpheus’ Lyre – Orpheus’ Lyre is the name given to a vulnerability in the way some Kerberos client implementations, notably Heimdal and Microsoft’s own, check the reply they get back from the Kerberos server. It is a bug in the clients, not in the servers. A fix for the Windows side was published with the July 2017 Windows security patches.

Kerberos – Kerberos is an authentication protocol that dates to the 1980s and has been the default way Windows domains authenticate since Windows 2000. Kerberos is a ticket-based system. Rather than authenticating separately to each of the several servers you may want to reach, you authenticate once to a central authority, the Key Distribution Center (KDC), which hands out “service tickets”: encrypted blobs stating which server the ticket is for, how long it is valid, the session key to use with that server, and more. The ticket itself is encrypted with a key only the KDC and the target server know, so your machine carries it around without being able to read it; the KDC tells your machine what is inside in a separate part of the reply encrypted just for you. Think of Kerberos as the guy whose only job is to tear your ticket stub off at the movie theater. You can go buy your movie tickets at the will-call desk, on Fandango, or from the sketchy guy out front who for some reason has 60 extra tickets to “The Emoji Movie.” But if you want into a screening room (server), you must stop at the kiosk in the lobby and have your ticket checked.

Heimdal – Heimdal is one of the three widely used Kerberos implementations. The others are MIT Kerberos, developed at the Massachusetts Institute of Technology and common on Linux, and Microsoft’s own implementation built into Windows (Windows does not use MIT code). Orpheus’ Lyre affected Heimdal and the Windows implementation; MIT Kerberos was never affected. Microsoft’s July 2017 patch fixed Windows, and Heimdal 7.4 carries the Heimdal fix, but Heimdal is embedded in other products, macOS among them, so each of those needs its own vendor update. Keep an eye out for Apple’s.

How does it work?

Great, so some researchers came up with a clever pet name for their finding. What does this thing actually do?

Keep in mind the analogy above: the Kerberos code on your machine is the ticket-checker for the tickets the KDC hands back. Since a ticket is encrypted data, let’s say it travels in a sealed envelope your machine cannot open; only the server it is meant for can. Alongside the envelope, the KDC sends your machine a note, encrypted just for you, saying which server the ticket is for, which session key to use, and how long it lasts. However, there’s a bit of a catch. Some of that same information, seemingly innocuous stuff like which server the ticket is for, is also written on the outside of the envelope in plain text, where anyone who handles it along the way can change it.
So what if someone who could intercept that reply changed the label on the outside, and your ticket-checker believed the label instead of the encrypted note? That is Orpheus’ Lyre: your machine files the ticket away under the wrong server name and will happily present it, along with the session key that goes with it, to whoever answers at that address. An attacker who arranged for the envelope to really belong to a server they control can open it, impersonate the server you thought you were talking to, and, if your machine forwards your credentials to servers it trusts, walk off with those as well. And you know what happens when someone figures out how to sneak something past gateway security!

When Kerberos was designed long ago, some fields, the server name and realm among them, ended up written both inside the encrypted part of the reply and in plain text on the outside of the ticket. The protocol meant clients to trust only the encrypted copy. The vulnerable client code in Heimdal and Windows read the plain text copy instead, which anyone on the network path can modify, while the encrypted copy cannot be modified without the key. In short, Orpheus’ Lyre takes advantage of a client that, offered two copies of the same data, picks the one the attacker is able to change.

So the attacker buys a movie ticket for “The Emoji Movie” at 8:00 pm. He grabs an eraser, rubs out the label on the envelope, and writes “Dunkirk” at 8:30. He slips it to you on your way in, and your ticket-checker reads the outside of the envelope, believes it, and files it as your Dunkirk ticket without ever reading the stub inside. When you walk up to the Dunkirk door, the attacker is the one standing there to take your ticket and anything else you hand over with it, because the stub inside was his all along.

Or, to carry the theme of Greek mythology, Orpheus descends into the underworld and charms Cerberus, the hell hound, with his magical lyre and is free to traipse around the land of the dead at his leisure.
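To make the two copies concrete, here is an added Python model of the situation described above. It is not code from the original post, nor Heimdal’s or Microsoft’s code. The “encryption” is a JSON-plus-HMAC stand-in that only provides the integrity property that matters here, the principal names, keys and session key are constructed, and `vulnerable_client` and `fixed_client` are hypothetical names for the two behaviours. It shows a KDC reply in which the service name appears both on the plaintext ticket header and inside the part sealed for the client, an intercepted reply whose plaintext label has been rewritten (the Emoji-Movie-to-Dunkirk move), and a client that believes the outside of the envelope versus one that believes the inside.

```python
import hashlib
import hmac
import json

# Toy stand-in for Kerberos encryption: JSON body + HMAC-SHA256 tag. Anyone
# without the key can read it but cannot alter it unnoticed, which is the
# property the discussion relies on. This is NOT real Kerberos cryptography.
TAG_LEN = 32


def seal(key: bytes, fields: dict) -> bytes:
    body = json.dumps(fields, sort_keys=True).encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed")
    return json.loads(body)


# Constructed keys and principal names (not from any real realm).
CLIENT_KEY = b"victim-client-key"
SERVICE_KEYS = {
    "cifs/fileserver.corp.example": b"fileserver-long-term-key",
    "host/attacker-box.corp.example": b"attacker-long-term-key",  # attacker holds this key
}


def kdc_issue(sname: str, session_key: str) -> dict:
    """Honest KDC reply for sname. As in RFC 4120, the service name appears twice:
    once on the plaintext Ticket header, once in the part sealed for the client."""
    ticket = {
        "sname": sname,  # plaintext, unauthenticated label on the envelope
        "enc_part": seal(SERVICE_KEYS[sname], {"sname": sname, "session_key": session_key}),
    }
    enc_kdc_rep_part = seal(CLIENT_KEY, {"sname": sname, "session_key": session_key})
    return {"ticket": ticket, "enc_part": enc_kdc_rep_part}


def vulnerable_client(rep: dict) -> dict:
    """Pre-fix behaviour: open the client's sealed part for the session key,
    but take the service name from the plaintext ticket header."""
    enc = unseal(CLIENT_KEY, rep["enc_part"])
    return {"sname": rep["ticket"]["sname"], "session_key": enc["session_key"]}


def fixed_client(rep: dict) -> dict:
    """Fixed behaviour: take the service name only from the authenticated copy."""
    enc = unseal(CLIENT_KEY, rep["enc_part"])
    return {"sname": enc["sname"], "session_key": enc["session_key"]}


def header_mismatch(rep: dict) -> bool:
    """Detection hook: on an honest reply the two copies always agree."""
    return rep["ticket"]["sname"] != unseal(CLIENT_KEY, rep["enc_part"])["sname"]


def mitm_relabel(rep: dict, wanted_sname: str) -> dict:
    """The rewrite from the analogy: leave both sealed parts untouched and
    change only the plaintext label on the ticket header."""
    forged = {"ticket": dict(rep["ticket"]), "enc_part": rep["enc_part"]}
    forged["ticket"]["sname"] = wanted_sname
    return forged


def demo() -> dict:
    target = "cifs/fileserver.corp.example"
    decoy = "host/attacker-box.corp.example"
    # The KDC honestly issued a ticket for the attacker-controlled service;
    # the attacker relabels the plaintext header so it reads as the target.
    rep = mitm_relabel(kdc_issue(decoy, "sess-1234"), target)
    victim = vulnerable_client(rep)
    safe = fixed_client(rep)
    # The ticket was really sealed for the decoy, whose key the attacker has,
    # so the session key the victim will authenticate with is readable to them.
    attacker_view = unseal(SERVICE_KEYS[decoy], rep["ticket"]["enc_part"])
    return {
        "vulnerable_thinks": victim["sname"],
        "fixed_thinks": safe["sname"],
        "mismatch_detected": header_mismatch(rep),
        "attacker_knows_session_key": attacker_view["session_key"] == victim["session_key"],
    }


if __name__ == "__main__":
    print(demo())
```

The point of `header_mismatch` is that the fix is not only to read the right copy: a client can also refuse or log a reply whose plaintext label disagrees with the sealed one, since an honest KDC never produces that.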

How do we keep Orpheus and his Lyre out?

Luckily, Microsoft has done most of the leg work for you. The Windows July 2017 security updates fix Orpheus’ Lyre in the Windows Kerberos client (the vulnerability is tracked as CVE-2017-8495). MIT Kerberos was never affected, so there is nothing to do there. If you run macOS or anything else built on Heimdal (Heimdal’s own fix shipped in Heimdal 7.4, tracked as CVE-2017-11103), keep an eye peeled for the patch coming down the pipe from your vendor. As long as you are a good cyber security warrior and keep your security patches updated, you should be fine!


Looking for a hell-hound of your own to guard your network?