[HN Gopher] Intercepting Zoom's encrypted data with BPF
___________________________________________________________________
Intercepting Zoom's encrypted data with BPF
Author : aaron-santos
Score : 153 points
Date : 2020-09-10 16:46 UTC (6 hours ago)
(HTM) web link (confused.ai)
(TXT) w3m dump (confused.ai)
| arn7av wrote:
| I have done exactly the same thing for Desktop/Android apps using Frida (modified from https://github.com/google/ssl_logger). There are modules out there that dump SSLKEYLOG too (that can be used in Wireshark).
| jackinloadup wrote:
| This is very cool. I've always wanted to do something like this. I hope to use snuffy in the future. Thanks for the great walkthrough!
| yconfiscator wrote:
| Glad you liked it!
| justicezyx wrote:
| I am not sure how much of this technique can be used elsewhere for legitimate purposes.
|
| In this example, except for an administrator spying on other users on a shared machine, which is kind of already an admitted risk by users on a shared machine anyway.
| matheusmoreira wrote:
| Looking at the data our machines are sending over the network is perfectly legitimate activity. Companies should not be able to protect their software from us. We need to be able to see everything they are doing.
| rndgermandude wrote:
| It's useful to a security researcher or privacy advocate looking into what an application like zoom is actually sending around.
|
| It may be also helpful when reverse engineering "proprietary" protocols, e.g. to create compatible clients.
|
| It may be even easier to just "mitm" the traffic like this in applications you develop yourself to find out what's going on deeply buried in some third party library. Easier than modifying the code or attaching a normal debugger.
|
| There are plenty of legitimate uses.
| yjftsjthsd-h wrote:
| Right, just like there's no legitimate use for gdb or ghidra, which only exist to crack software for piracy.
| /s
| curiousgal wrote:
| Funnily "ghidra" reads like Gdr@ in Arabic which means "treachery".
| mhh__ wrote:
| Do you mean eBPF in general or the packet inspection parts specifically?
| nostoc wrote:
| This is very much a research technique and not an operational kind of thing.
| outworlder wrote:
| > This is very much a research technique and not an operational kind of thing.
|
| It's very much an operational kind of thing if you are trying to troubleshoot a thorny issue with your app in production.
| gravitas wrote:
| > _I am not sure how much of this technique can be used elsewhere for legitimate purposes_
|
| ...as a Linux systems engineer, you are many times faced with debugging a black box problem wrapped in SSL on both ends which you need to peek into to understand what's going wrong; there is nothing suspect about this technique in this environment, it's what you're paid to do (solve problems). It's basically like having the ability to elevate your NIC port to promiscuous mode to debug an issue (tcpdump, e.g.) - it's a tool with no opinion, the human operating it is the one to be worried about.
| phs wrote:
| Looks like nextgen ad blocking to me. If you can instrument TLS connections on the client, you can identify ad content and substitute blank video frames or just 404s.
| userbinator wrote:
| Proxomitron had that capability years ago - MITM proxy to filter pages and block ads, among other things. I still use it, it's very useful and continues to run fine on the newest Windows.
| yconfiscator wrote:
| Writing a toy ad blocker is actually on my todo list :)
|
| There are just so many things you can do. The original goal of the post was to tamper with zoom's attention tracking for example (which was a field in one of their protobuf payloads).
| sillysaurusx wrote:
| _But how do we find the offsets? What values do we give to ssl_read_offset and ssl_write_offset?
|
| [ REDACTED ]
|
| I had a nice little section on how to find the offsets here. When I first wrote it I was convinced that publishing two addresses couldn't possibly get me sued for reverse engineering. Some of the people who read the draft of this post changed my mind about it though, and it is 2020 after all so it is not a good time to be optimistic._
|
| So, how would you find these offsets? Anyone know?
|
| It's probably the most interesting part of the post.
|
| There's a "hypothetical" paragraph afterwards, but if anyone wants to actually do this with Zoom and post the results, you'd probably earn lots of cred.
|
| In particular, the exact arguments to the objdump command would help.
| jdright wrote:
| It is sad they felt the need to do this. This step is not hard, but censoring it because of hypothetical legal issues speaks a lot about the state of affairs in computing.
|
| I miss the good old times when knowledge was freely published without fear.
| [deleted]
| matheusmoreira wrote:
| > Some of the people who read the draft of this post changed my mind about it though
|
| Details? Reverse engineering isn't even illegal.
| yconfiscator wrote:
| Since the Zoom TOS explicitly forbid reverse engineering, sadly it isn't so easy.
| user5994461 wrote:
| TOS can't substitute for the law. Reverse engineering is legal by law depending on the jurisdiction.
| layoutIfNeeded wrote:
| We know the exact version of openssl they're using, so we can just build the same version ourselves, get the address of the functions, and look for the same pattern of instructions in the Zoom binary. Not sure if LTO could break this or not though.
| kelnos wrote:
| That seems pretty unreliable. The specific version of the compiler used, as well as flags passed to the compiler, could easily change the instructions used, no?
| jeroenhd wrote:
| I was surprised to see hooking code like this being written in Rust.
| I've come to expect C sample code for purposes like these, so it's nice to see that there are actually alternatives when it comes to intercepting function calls and extracting data from a process.
| luizfelberti wrote:
| The people from Cilium (the k8s service mesh) launched this website[0] recently that lists a few tools from the landscape, and I also had the same pleasant surprise to find these things out this week.
|
| I thought we were still tied to `bcc` and that python frontend thingy, but I'm glad the ecosystem has evolved significantly while I was not paying attention! It's kinda like finding a $20 in your back pocket that you didn't know was there when you put your pants on...
|
| [0] https://ebpf.io/
| mhh__ wrote:
| When you get past the layers of old and dead documentation around it, the eBPF subsystem is fairly easy to target as long as you can call C, topologically at least.
| dharmab wrote:
| Other options include bpftrace[1] or C, Python or Lua via BCC[2]
|
| 1: https://github.com/iovisor/bpftrace
|
| 2: https://github.com/iovisor/bcc
| yconfiscator wrote:
| I think what makes redbpf stand out is that the other libraries allow you to write the _user-space_ code in Python or Lua etc, but then the _kernel_ code must still be written in C and gets compiled with clang.
|
| In redbpf we let you write the _kernel_ code in Rust as well, and then we have our own LLVM based toolchain to compile that to BPF bytecode.
|
| bpftrace is similar to redbpf in approach, in that it lets you use a DSL instead of C.
| BobbyJo wrote:
| Lua is the most common language I had never heard about before dealing with BPF. It gets embedded in a surprising array of technologies.
| phs wrote:
| That's most of what lua's purpose is: to be a reasonably pleasant and featureful language that is dead easy to embed in larger systems that want some kind of scripting or macros.
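sillysaurusx's question earlier in the thread (what values go into ssl_read_offset and ssl_write_offset) and layoutIfNeeded's suggestion (build the same OpenSSL version locally, take the instruction pattern of SSL_read/SSL_write, search for it in the Zoom binary) both end in the same step: turning an address into the number a uprobe accepts. The Python below is an added example, not code from the post or from redbpf. Using only the standard library it parses an ELF64 image, resolves SSL_read/SSL_write by symbol when a .symtab or .dynsym is present and by byte-signature search when the binary is stripped, and converts the resulting virtual address into the file offset that the kernel's uprobe interface (tracefs uprobe_events, perf_event_open, and the libraries layered on them) expects. The ELF image, the addresses and the prologue bytes are constructed sample values so the script runs offline; against a real binary you would pass the file's bytes and a signature lifted from your own build.

```python
# Added example, not code from the post or from redbpf: turn "where is SSL_read" into
# the file offset a uprobe needs. The ELF image, addresses and prologue bytes are constructed.
import struct

PT_LOAD, PF_X = 1, 0x1
SHT_PROGBITS, SHT_SYMTAB, SHT_STRTAB, SHT_DYNSYM = 1, 2, 3, 11
# Hypothetical prologue bytes standing in for a signature lifted from a local build of the same OpenSSL.
READ_SIG = b"\x55\x48\x89\xe5\x41\x57\x41\x56"   # push rbp; mov rbp,rsp; push r15; push r14
WRITE_SIG = b"\x55\x48\x89\xe5\x41\x54\x53"      # push rbp; mov rbp,rsp; push r12; push rbx

def build_sample_elf(stripped=False):
    """Constructed ELF64 x86-64 image: one R+X PT_LOAD mapping file 0x1000 at vaddr
    0x401000, SSL_read at +0x20, SSL_write at +0x50; stripped=True omits .symtab/.strtab."""
    text_off, text_vaddr = 0x1000, 0x401000
    text = bytearray(b"\xcc" * 0x80)
    text[0x20:0x20 + len(READ_SIG)] = READ_SIG
    text[0x50:0x50 + len(WRITE_SIG)] = WRITE_SIG
    strtab = b"\x00SSL_read\x00SSL_write\x00"
    sym = lambda name, value: struct.pack("<IBBHQQ", name, 0x12, 0, 1, value, 0x30)  # GLOBAL FUNC in .text
    symtab = bytes(24) + sym(1, text_vaddr + 0x20) + sym(10, text_vaddr + 0x50)
    shstrtab = b"\x00.text\x00.symtab\x00.strtab\x00.shstrtab\x00"
    img = bytearray(text_off) + text                # zeroed headers, then .text at 0x1000
    symtab_off, strtab_off = len(img), len(img) + len(symtab)
    if not stripped:
        img += symtab + strtab
    shstrtab_off = len(img)
    img += shstrtab + bytes(-(len(img) + len(shstrtab)) % 8)
    shoff = len(img)

    def shdr(name, typ, flags, addr, off, size, link=0, info=0, align=1, entsize=0):
        return struct.pack("<IIQQQQIIQQ", name, typ, flags, addr, off, size, link, info, align, entsize)
    sections = [shdr(0, 0, 0, 0, 0, 0),
                shdr(1, SHT_PROGBITS, 0x6, text_vaddr, text_off, len(text), align=16)]
    if not stripped:
        sections += [shdr(7, SHT_SYMTAB, 0, 0, symtab_off, len(symtab), link=3, info=1, align=8, entsize=24),
                     shdr(15, SHT_STRTAB, 0, 0, strtab_off, len(strtab))]
    sections.append(shdr(23, SHT_STRTAB, 0, 0, shstrtab_off, len(shstrtab)))
    img += b"".join(sections)
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELFCLASS64, LSB, EV_CURRENT, SYSV
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, text_vaddr + 0x20, 64, shoff, 0,
                        64, 56, 1, 64, len(sections), len(sections) - 1)
    img[0:64] = ehdr
    img[64:120] = struct.pack("<IIQQQQQQ", PT_LOAD, PF_X | 0x4, text_off, text_vaddr,
                              text_vaddr, len(text), len(text), 0x1000)
    return bytes(img)

def _headers(elf):
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("only little-endian ELF64 images are handled here")
    phoff, shoff, _, _, phentsize, phnum, shentsize, shnum, _ = struct.unpack_from("<QQIHHHHHH", elf, 32)
    phdrs = [struct.unpack_from("<IIQQQQQQ", elf, phoff + i * phentsize) for i in range(phnum)]
    shdrs = [struct.unpack_from("<IIQQQQIIQQ", elf, shoff + i * shentsize) for i in range(shnum)]
    return phdrs, shdrs

def symbol_vaddr(elf, name):
    """Address of `name` from .symtab/.dynsym, or None when the binary is stripped or
    merely imports it (st_value 0 means it lives in a shared library: hook that instead)."""
    _, shdrs = _headers(elf)
    for sh in shdrs:
        if sh[1] not in (SHT_SYMTAB, SHT_DYNSYM):
            continue
        str_off = shdrs[sh[6]][4]                      # sh_link -> the matching string table
        for off in range(sh[4], sh[4] + sh[5], sh[9] or 24):
            st_name, _, _, _, st_value, _ = struct.unpack_from("<IBBHQQ", elf, off)
            if st_value and elf[str_off + st_name:elf.index(b"\0", str_off + st_name)] == name.encode():
                return st_value
    return None

def vaddr_to_file_offset(elf, vaddr):
    """Uprobes take a FILE offset, not the virtual address objdump or a disassembler shows."""
    for p_type, _, p_offset, p_vaddr, _, p_filesz, _, _ in _headers(elf)[0]:
        if p_type == PT_LOAD and p_vaddr <= vaddr < p_vaddr + p_filesz:
            return vaddr - p_vaddr + p_offset
    raise ValueError(f"0x{vaddr:x} is not backed by file bytes in any PT_LOAD segment")

def find_signature(elf, signature):
    """Stripped binary: vaddr of every match of `signature` inside executable segments."""
    hits = []
    for p_type, p_flags, p_offset, p_vaddr, _, p_filesz, _, _ in _headers(elf)[0]:
        if p_type != PT_LOAD or not p_flags & PF_X:
            continue
        seg = elf[p_offset:p_offset + p_filesz]
        i = seg.find(signature)
        while i != -1:
            hits.append(p_vaddr + i)
            i = seg.find(signature, i + 1)
    return hits

def uprobe_offset(elf, name, signature=None):
    """File offset to plant a uprobe for `name`: by symbol if present, otherwise by a
    unique byte signature; refuses ambiguous matches rather than guessing."""
    vaddr = symbol_vaddr(elf, name)
    if vaddr is None:
        hits = find_signature(elf, signature) if signature else []
        if len(hits) != 1:
            raise LookupError(f"{name}: no symbol and {len(hits)} signature hit(s)")
        vaddr = hits[0]
    return vaddr_to_file_offset(elf, vaddr)
```

On the sample image `uprobe_offset(build_sample_elf(), "SSL_read")` returns 0x1020, and `uprobe_offset(build_sample_elf(stripped=True), "SSL_read", READ_SIG)` reaches the same number through the signature path. Two caveats the thread brushes against: objdump prints virtual addresses, and whenever a segment's p_vaddr differs from its p_offset (every PIE, for a start) the raw objdump number is not what the uprobe wants, so a probe planted at it lands on the wrong instruction or is rejected; and an SSL_read that appears in .dynsym with st_value 0 is an import, so the probe belongs on libssl.so rather than on the executable. kelnos's objection also stands: the signature route only works when your build reproduces the same instruction bytes, which is why the helper insists on exactly one hit. With a real offset in hand, `echo 'p:ssl_read /path/to/binary:0x1020' > /sys/kernel/tracing/uprobe_events` (or the same path under /sys/kernel/debug/tracing, root required) is the bare-kernel way to plant the probe; redbpf, bcc and bpftrace do the equivalent for you.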
| setheron wrote:
| Something like this needs to be included in tcpdump or Wireshark. (tcpdump would be fitting; since it was the genesis for cBPF)
|
| I remember patching Netty https://github.com/netty/netty/pull/8653 just to get the master key in order to decrypt sessions.
|
| Having the ability to decrypt TLS sessions like this is way simpler.
|
| tl;dr: would love to see something like this for tshark / tcpdump
| shawnz wrote:
| Wireshark does support TLS decryption if you provide a "key log file": https://wiki.wireshark.org/TLS#TLS_Decryption
|
| Perhaps OP's technique could be used to generate such a file.
|
| EDIT: I see you have already investigated such methods after looking at your github link.
___________________________________________________________________
(page generated 2020-09-10 23:00 UTC)