[HN Gopher] Intercepting Zoom's encrypted data with BPF
       ___________________________________________________________________
        
       Intercepting Zoom's encrypted data with BPF
        
       Author : aaron-santos
       Score  : 153 points
       Date   : 2020-09-10 16:46 UTC (6 hours ago)
        
 (HTM) web link (confused.ai)
 (TXT) w3m dump (confused.ai)
        
       | arn7av wrote:
       | I have done exactly the same thing for Desktop/Android apps using
       | Frida (modified from https://github.com/google/ssl_logger). There
       | are modules out there that dump SSLKEYLOG too (that can be used
       | in Wireshark)
        
       | jackinloadup wrote:
       | This is very cool. I've always wanted to do something like this.
        | I hope to use snuffy in the future. Thanks for the great
        | walkthrough!
        
         | yconfiscator wrote:
         | Glad you liked it!
        
       | justicezyx wrote:
       | I am not sure how much of this technique can be used elsewhere
       | for legitimate purposes.
       | 
       | In this example, except for an administrator spying on other
       | users on a shared machine, which is kind of already an admitted
       | risk by users on a shared machine anyway.
        
         | matheusmoreira wrote:
         | Looking at the data our machines are sending over the network
         | is perfectly legitimate activity. Companies should not be able
         | to protect their software from us. We need to be able to see
         | everything they are doing.
        
         | rndgermandude wrote:
         | It's useful to a security researcher or privacy advocate
         | looking into what an application like zoom is actually sending
         | around.
         | 
         | It may be also helpful when reverse engineering "proprietary"
         | protocols, e.g. to create compatible clients.
         | 
         | It may be even easier to just "mitm" the traffic like this in
          | applications you develop yourself to find out what's going on
         | deeply buried in some third party library. Easier than
         | modifying the code or attaching a normal debugger.
         | 
         | There are plenty of legitimate uses.
        
         | yjftsjthsd-h wrote:
         | Right, just like there's no legitimate use for gdb or ghidra,
         | which only exist to crack software for piracy. /s
        
           | curiousgal wrote:
           | Funnily "ghidra" reads like Gdr@ in Arabic which means
           | "treachery".
        
         | mhh__ wrote:
         | Do you mean eBPF in general or the packet inspection parts
         | specifically?
        
         | nostoc wrote:
         | This is very much a research technique and not an operational
         | kind of thing.
        
           | outworlder wrote:
           | > This is very much a research technique and not an
           | operational kind of thing.
           | 
           | It's very much an operational kind of thing if you are trying
           | to troubleshoot a thorny issue with your app in production.
        
         | gravitas wrote:
         | > _I am not sure how much of this technique can be used
         | elsewhere for legitimate purposes_
         | 
         | ...as a Linux systems engineer, you are many times faced with
         | debugging a black box problem wrapped in SSL on both ends which
          | you need to peek into to understand what's going wrong; there
         | is nothing suspect about this technique in this environment,
         | it's what you're paid to do (solve problems). It's basically
         | like having the ability to elevate your NIC port to promiscuous
         | mode to debug an issue (tcpdump, e.g.) - it's a tool with no
         | opinion, the human operating it is the one to be worried about.
        
         | phs wrote:
         | Looks like nextgen ad blocking to me. If you can instrument TLS
         | connections on the client, you can identify ad content and
         | substitute blank video frames or just 404s.
        
           | userbinator wrote:
           | Proxomitron had that capability years ago - MITM proxy to
           | filter pages and block ads, among other things. I still use
           | it, it's very useful and continues to run fine on the newest
           | Windows.
        
           | yconfiscator wrote:
           | Writing a toy ad blocker is actually on my todo list :)
           | 
            | There are just so many things you can do. The original goal of
           | the post was to tamper with zoom's attention tracking for
           | example (which was a field in one of their protobuf
           | payloads).
        
       | sillysaurusx wrote:
       | _But how do we find the offsets? What values do we give to
       | ssl_read_offset and ssl_write_offset?
       | 
       | [ REDACTED ]
       | 
       | I had a nice little section on how to find the offsets here. When
       | I first wrote it I was convinced that publishing two addresses
       | couldn't possibly get me sued for reverse engineering. Some of
       | the people who read the draft of this post changed my mind about
       | it though, and it is 2020 after all so it is not a good time to
       | be optimistic._
       | 
       | So, how would you find these offsets? Anyone know?
       | 
       | It's probably the most interesting part of the post.
       | 
       | There's a "hypothetical" paragraph afterwards, but if anyone
       | wants to actually do this with Zoom and post the results, you'd
       | probably earn lots of cred.
       | 
       | In particular, the exact arguments to the objdump command would
       | help.
        
         | jdright wrote:
         | It is sad they felt the need to do this. This step is not hard,
          | but censoring it because of hypothetical legal issues speaks a
         | lot about the state of affairs on computing.
         | 
          | I miss the good old times where knowledge was freely published
         | without fear.
        
           | [deleted]
        
         | matheusmoreira wrote:
         | > Some of the people who read the draft of this post changed my
         | mind about it though
         | 
         | Details? Reverse engineering isn't even illegal.
        
           | yconfiscator wrote:
           | Since the Zoom TOS explicitly forbid reverse engineering,
           | sadly it isn't so easy.
        
             | user5994461 wrote:
              | TOS can't substitute for the law. Reverse engineering is
             | legal by law depending on the jurisdiction.
        
         | layoutIfNeeded wrote:
         | We know the exact version of openssl they're using, so we can
         | just build the same version ourselves, get the address of the
         | functions, and look for the same pattern of instructions in the
         | Zoom binary. Not sure if LTO could break this or not though.
        
           | kelnos wrote:
           | That seems pretty unreliable. The specific version of the
           | compiler used, as well as flags passed to the compiler, could
           | easily change the instructions used, no?
        
       | jeroenhd wrote:
       | I was surprised to see hooking code like this being written in
       | Rust. I've come to expect C sample code for purposes like these,
       | so it's nice to see that there are actually alternatives when it
       | comes to intercepting function calls and extracting data from a
       | process.
        
         | luizfelberti wrote:
         | The people from Cilium (the k8s service mesh) launched this
         | website[0] recently that lists a few tools from the landscape,
         | and I also had the same pleasant surprise to find these things
          | out this week.
         | 
         | I thought we were still tied to `bcc` and that python frontend
         | thingy, but I'm glad the ecosystem has evolved significantly
         | while I was not paying attention! It's kinda like finding a $20
         | in your back pocket that you didn't know was there when you put
         | your pants on...
         | 
         | [0] https://ebpf.io/
        
         | mhh__ wrote:
         | When you get past the layers of old and dead documentation
         | around it, the eBPF subsystem is fairly easy to target as long
         | as you can call C, topologically at least.
        
         | dharmab wrote:
         | Other options include bpftrace[1] or C, Python or Lua via
         | BCC[2]
         | 
         | 1: https://github.com/iovisor/bpftrace
         | 
         | 2: https://github.com/iovisor/bcc
        
           | yconfiscator wrote:
            | I think what makes redbpf stand out is that the other
           | libraries allow you to write the _user-space_ code in Python
           | or Lua etc, but then the _kernel_ code must still be written
           | in C and gets compiled with clang.
           | 
           | In redbpf we let you write the _kernel_ code in Rust as well,
           | and then we have our own LLVM based toolchain to compile that
           | to BPF bytecode.
           | 
           | bpftrace is similar to redbpf in approach, in that it lets
           | you use a DSL instead of C.
        
           | BobbyJo wrote:
           | Lua is the most common language I had never heard about
           | before dealing with BPF. It gets embedded in a surprising
           | array of technologies.
        
             | phs wrote:
             | That's most of what lua's purpose is: to be a reasonably
             | pleasant and featureful language that is dead easy to embed
             | in larger systems that want some kind of scripting or
             | macros.
        
       | setheron wrote:
        | Something like this needs to be included in tcpdump or Wireshark.
       | (tcpdump would be fitting; since it was the genesis for cBPF)
       | 
       | I remember patching Netty
       | https://github.com/netty/netty/pull/8653 just to get the master
       | key in order to decrypt sessions.
       | 
       | Having the ability to decrypt TLS sessions like this is way
       | simpler.
       | 
       | tl;dr; would love to see something like this for tshark / tcpdump
        
         | shawnz wrote:
         | Wireshark does support TLS decryption if you provide a "key log
         | file": https://wiki.wireshark.org/TLS#TLS_Decryption
         | 
         | Perhaps OP's technique could be used to generate such a file.
         | 
         | EDIT: I see you have already investigated such methods after
         | looking at your github link.
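        Added example (not code from the original post, from snuffy, or from
        any commenter above): arn7av mentions modules that dump SSLKEYLOG
        data and shawnz points at Wireshark's key log file support. Both
        rely on the NSS Key Log Format, and a key log that only half works
        in Wireshark is usually a malformed or incomplete file rather than
        a Wireshark problem. The Python below parses that format, rejects
        lines Wireshark could not use, and reports TLS 1.3 sessions whose
        four traffic secrets were not all captured (which is what you get
        when a hook only sees one direction). The sample key log inside it
        is constructed for illustration and contains no real secrets.

```python
"""Parse and sanity-check an NSS key log file: the format Wireshark's
"(Pre)-Master-Secret log filename" preference reads and SSLKEYLOGFILE-style
hooks write. Added example for this thread, not code from the original post
or from snuffy. SAMPLE_KEYLOG below is constructed, not captured secrets.
"""
from dataclasses import dataclass, field

# NSS Key Log Format labels and the expected secret length in bytes;
# None means it follows the cipher suite's hash (32 or 48 bytes).
KNOWN_LABELS = {
    "RSA": 48,                            # legacy: pre-master secret
    "CLIENT_RANDOM": 48,                  # TLS <= 1.2 master secret
    "CLIENT_EARLY_TRAFFIC_SECRET": None,  # TLS 1.3 secrets follow
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET": None,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET": None,
    "CLIENT_TRAFFIC_SECRET_0": None,
    "SERVER_TRAFFIC_SECRET_0": None,
    "EXPORTER_SECRET": None,
}

# The four TLS 1.3 secrets needed to decrypt both directions of a session.
TLS13_REQUIRED = (
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
)


@dataclass
class KeyLog:
    # session id (client random, or the 8-byte RSA prefix) -> label -> secret
    secrets: dict = field(default_factory=dict)
    # (line number, reason) for each line Wireshark would not be able to use
    errors: list = field(default_factory=list)


def parse_keylog(text):
    """Parse key log text, keeping well-formed entries and recording the rest."""
    log = KeyLog()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 3:
            log.errors.append((lineno, "expected 3 whitespace-separated fields"))
            continue
        label, id_hex, secret_hex = fields
        if label not in KNOWN_LABELS:
            log.errors.append((lineno, f"unknown label {label}"))
            continue
        try:
            session_id, secret = bytes.fromhex(id_hex), bytes.fromhex(secret_hex)
        except ValueError:
            log.errors.append((lineno, "fields are not valid hex"))
            continue
        id_len = 8 if label == "RSA" else 32
        if len(session_id) != id_len:
            log.errors.append((lineno, f"session id must be {id_len} bytes"))
            continue
        want = KNOWN_LABELS[label]
        if (want and len(secret) != want) or (not want and len(secret) not in (32, 48)):
            log.errors.append((lineno, f"secret length {len(secret)} wrong for {label}"))
            continue
        labels = log.secrets.setdefault(session_id, {})
        if labels.get(label, secret) != secret:
            log.errors.append((lineno, f"conflicting {label} for the same session"))
            continue
        labels[label] = secret
    return log


def lookup(log, client_random_hex):
    """Secrets recorded for one session, keyed by label (empty dict if none)."""
    return dict(log.secrets.get(bytes.fromhex(client_random_hex), {}))


def incomplete_tls13_sessions(log):
    """TLS 1.3 sessions lacking any of the four required secrets: a hook that
    saw only one direction produces exactly this kind of partial entry."""
    out = {}
    for session_id, labels in log.secrets.items():
        if not any(lab in labels for lab in TLS13_REQUIRED):
            continue  # TLS <= 1.2 or RSA entry: nothing to check here
        missing = [lab for lab in TLS13_REQUIRED if lab not in labels]
        if missing:
            out[session_id] = missing
    return out


# Constructed sample: two well-formed sessions plus three defective lines.
SAMPLE_KEYLOG = "\n".join([
    "# constructed sample; these are not secrets from any real session",
    "CLIENT_RANDOM " + "11" * 32 + " " + "22" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "33" * 32 + " " + "44" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "33" * 32 + " " + "55" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "33" * 32 + " " + "66" * 32,
    "CLIENT_RANDOM " + "77" * 32 + " " + "88" * 47,  # master secret too short
    "FOO_SECRET " + "99" * 32 + " " + "aa" * 32,     # label Wireshark ignores
    "CLIENT_RANDOM zz " + "bb" * 48,                 # client random not hex
])

if __name__ == "__main__":
    kl = parse_keylog(SAMPLE_KEYLOG)
    print(f"{len(kl.secrets)} usable sessions, {len(kl.errors)} rejected lines")
    print(incomplete_tls13_sessions(kl))
```

        Run against a real key log, the rejected-line list tells you whether
        the hook wrote bad hex or wrong lengths, and the incomplete-session
        report explains why one direction of a TLS 1.3 capture stays dark
        in Wireshark while the other decrypts.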
        
       ___________________________________________________________________
       (page generated 2020-09-10 23:00 UTC)