21 comments

[ 2.8 ms ] story [ 70.0 ms ] thread
Nice work!

I'm curious: did you consider hacking the Oculus binary to accept an SSL cert you made yourself, and MITM-ing it to see the traffic?

I'm sure they have it pinned and don't use the OS certs, but you could just overwrite the root cert that must exist in that binary somewhere with your own, right?

> but you could just overwrite the root cert that must exist in that binary somewhere with your own, right?

Unless they use certificate pinning, which is basically just verifying the CA's are not tampered with. Theoretically that could be attacked as well, but it prevents the "just replace the CA" case.

the attack here is to just invert the compares for all the checks, which means it'll accept any certificate thats not the original, then you can MitM all the traffic with only minor changes to the binary.
Finding the right branches to flip in the text seems a lot more time consuming than just replacing the cert data, which is probably in one place. Unless it's incredibly obfuscated or something...
(comment deleted)
In hindsight this is probably a lot easier.
If they don't pin it's trivial. But I strongly suspect they do.
> I'm curious: did you consider hacking the Oculus binary to accept an SSL cert you made yourself, and MITM-ing it to see the traffic?

Is that what he refers to when he says "I didn’t want to add extra root certificates and proxies to inspect all TLS traffic going on the machine", or are we talking about different things?

Maybe? I don't understand why "proxies" and "certificates" are plural, you would need exactly one of each.
Is there a similar tool that a non-security expert could use on the Mac?
Not sure about the non-security expert bit but I've done stuff[0] similar to this for iOS using Frida[1] which supports macOS too. For apps that use unpinned certificates and the builtin networking libraries(NSURLSession et.al.) you can directly use mimtproxy[2] or Charles[3]

0: https://hugotunius.se/2020/08/07/stealing-tls-sessions-keys-...

1: https://frida.re/

2: https://mitmproxy.org/

3: https://www.charlesproxy.com/

If the application isn't pinning certificates, you should be able to add your own root certificate to your machine and intercept all encrypted traffic. Same method used by corporations to monitor their own networks. I successfully used this method on a mobile game years ago.

Applications with pinned certificates don't use the system certificates at all which fixes the MITM vulnerability I described. You'd need to reverse engineer them in order to change the certificate to one under your control, difficulty can vary depending on how obfuscated the code is.

If your application can also use clear text TCP sockets, then stunnel becomes an option.
If OpenSSL was under LGPL you could relink the Oculus software with a version of OpenSSL that supports exporting the keys.
You can still do that, but maybe not publish your method.
What resources could I use to learn how to do this sort of work on my own initiative?