My fight … with RubiCon

So it’s official: I’m a student at the Ruhr-Universität Bochum.

We got this fine piece of junk called RubiCon. No, not the river; no, not the music player either, but an e-campus application in the form of a smartcard, a smartcard reader and Windows software to use it.

So today I took the liberty of taking a look at the system. I searched for a way to use it with Linux and found this. It basically explains how to install pcscd and the ccid lib on Ubuntu and configure Firefox to use the RubiCon device.
I thought this was fine, but it wasn’t. Installing the device didn’t need a two-page explanation. How to use it after it was set up was the question (and still is).
After a few minutes of testing and searching for a login page I tried to google it. Surely someone had solved my problem. I found a forum thread where some guys were desperately trying to figure out how to run the Windows application, not knowing that wine hasn’t got USB support (yet); two links from rub.de: the FAQ, where they tell you that Mac and Linux are not supported, and the notwindows page, where they basically tell you that over 90% compatibility is enough for them. I also found a link to an Ubuntu forum, but I didn’t click on it as a matter of principle.
So I guessed I had no choice but to install Windows. I dug out my original Windows XP(tm) CD and installed it in a virtual machine (VMware, VirtualBox and qemu/kvm all have USB passthrough support).
So I installed the software and voilà, it was working: I could finally print the certificate of study I had longed for. But naturally this wasn’t enough; I wanted to know what the program does (I read about the security concept, but all they really said was that they check whether the user enters the correct PIN and then do some SSL magic).
So I took a look at the installation directory and saw this:
ca.pem
config.xml
fai_de.qm
fai_eng.qm
fai_it.qm
libltdl3.dll
libp11.dll
msvcp71.dll
msvcr70.dll
msvcr71.dll
opensc.dll
opensc-pkcs11.dll
pkcs15init.dll
qt-mt330.dll
RUBICon.exe
ssl.pem

So they used the OpenSC library for communication (just like me), had a config file, DLLs, 3 .qm files (whatever those are), 2 PEM files and the executable.
First the config 🙂

<!DOCTYPE config>
<config>
<common>
<terminalid>1</terminalid>
</common>
<browser>
<maxtabs>5</maxtabs>
<urls>
<loggedoff>cardidentified.html</loggedoff>
<loggedin/>
</urls>
</browser>
<card>
<readername>SCM Microsystems Inc. SCR33x USB Smart Card Reader 0</readername>
</card>
<server>
<portal>
<host/>
<port/>
<mode/>
</portal>
</server>
</config>

So somewhere there must be a cardidentified.html; maybe we’ll find that later on. I can apparently only open 5 tabs, and I see my smartcard reader, but I don’t see anything vital in it that could be of any help.
Next the PEM files:
ca.pem is a file with 3 certificates, and ssl.pem, who would have thought? RSA key + cert. Woohoo …
Moving on.
Now a short look at the executable. I did this early in the morning, so it’s only logical that I did nothing big to it, just a simple: strings RUBICon.exe|grep http
Let’s see what URLs are hidden in this stupid thing and … WTF?
Seems like someone had an HTTP server running on port 8000 and someone thought of a girl named Kerstin…
http://localhost:8000/rgne/flip.html?froep=daddel&huebi=Kerstin&hallo=welt.
Looks like fun … or unclean code. Whatever you want.
I also found https://web-rubicon.vspl.ruhr-uni-bochum.de/rubicon/3/
https://web-rubicon.vspl.ruhr-uni-bochum.de/rubicon/1/
https://web-rubicon.vspl.ruhr-uni-bochum.de/rubicon/wait/

But this wasn’t of any help either.
So the last step for today, I thought: actually capture traffic while running it and hope for the best.
It was all hellos and handshakes and SSL things I didn’t even want to look at.
(even though I did look at it and found http://crl.thawte.com/ThawtePremiumServerCA.crl)
Anyway, after opening the portal page of the app many times in IE and Firefox, I simply let netcat listen on some port and tried to access it through the RubiCon browser and WOOW:
GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: de
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)
Host: 10.0.2.2
Connection: Keep-Alive

It was what it looked like: a modified IE. (For comparison, the actual IE:)
GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: de
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)
Host: 10.0.2.2
Connection: Keep-Alive

So I could try as long as I wanted, because there was a header no browser has: “UA-CPU: x86”.
And I anticipated the worst. Maybe finding the cookies was meaningless, because they didn’t use cookies!
I started Wireshark again and opened the start page in the embedded browser; this time I edited https to http!!!!! AND IT HAPPENED:
GET /rubiks/rubicon_portal.startseite HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: de
X-RUBICon-Sessionid: A2FE33B94E5D747241FD376F49724DA0E43B2621E1608CDA1C838EAECF41599B
X-RUBICon-Userid: xxxxxxxxxxxx
X-RUBICon-Ticket: BF4CB1D477DE9A7BB2AD08682AA333D18E94D78EAD07B8979
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)
Host: ca.ruhr-uni-bochum.de
Connection: Keep-Alive...

So I knew they had modified the browser and extended the protocol.
The Sessionid is given when authenticating, the Userid is your user ID (found on your student card), and the Ticket is different for every HTML request and is defined before the actual request happens.
So now I need some sleep … understandably.
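As an added example (my own code, not part of the RubiCon software or of the original post), here is a small Python helper that plays the role of the netcat listener above and then parses a captured request so the X-RUBICon-* extension headers stand out. The sample request is the one quoted above, with the Userid masked as in the post; the listener port, the 204 reply it sends back and the `tls` flag passed to the checker are my assumptions. The point it makes is the defender’s one: once the URL is downgraded from https to http, the session id and the per-request ticket travel in the clear, which is exactly what a passive capture on the path would pick up.

```python
"""Hypothetical helpers (not RubiCon code): capture one raw HTTP request the way
'nc -l <port>' does, parse it, and report which RubiCon-specific headers it
carries and whether session credentials were sent without TLS."""
import socket
from dataclasses import dataclass, field

# Constructed sample: the request quoted in the post after editing https to
# http. The Userid is masked exactly as the post masks it.
SAMPLE_REQUEST = (
    "GET /rubiks/rubicon_portal.startseite HTTP/1.1\r\n"
    "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, "
    "application/x-shockwave-flash, */*\r\n"
    "Accept-Language: de\r\n"
    "X-RUBICon-Sessionid: A2FE33B94E5D747241FD376F49724DA0E43B2621E1608CDA1C838EAECF41599B\r\n"
    "X-RUBICon-Userid: xxxxxxxxxxxx\r\n"
    "X-RUBICon-Ticket: BF4CB1D477DE9A7BB2AD08682AA333D18E94D78EAD07B8979\r\n"
    "UA-CPU: x86\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)\r\n"
    "Host: ca.ruhr-uni-bochum.de\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)

# Headers that carry authentication state (names as seen in the capture).
CREDENTIAL_HEADERS = ("x-rubicon-sessionid", "x-rubicon-ticket")


@dataclass
class Request:
    method: str
    path: str
    version: str
    headers: dict = field(default_factory=dict)  # lower-cased header names


def capture_one_request(port: int, timeout: float = 30.0) -> str:
    """Python stand-in for 'nc -l <port>': accept a single connection, read the
    request head and return it as text (assumed port; nothing is rendered)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(1)
        srv.settimeout(timeout)
        conn, _peer = srv.accept()
        with conn:
            buf = b""
            while b"\r\n\r\n" not in buf:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                buf += chunk
            # Send a minimal reply so the client closes cleanly (assumed choice).
            conn.sendall(b"HTTP/1.1 204 No Content\r\nConnection: close\r\n\r\n")
    return buf.decode("latin-1")


def parse_request(raw: str) -> Request:
    """Split an HTTP/1.1 request head into request line and header map."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, path, version, headers)


def rubicon_headers(req: Request) -> dict:
    """Return only the X-RUBICon-* protocol extension headers."""
    return {n: v for n, v in req.headers.items() if n.startswith("x-rubicon-")}


def credentials_in_clear(req: Request, tls: bool) -> list:
    """Names of credential-bearing headers that were sent without TLS.
    `tls` is whether the capture came from an encrypted connection (assumed
    to be known from the capture context, e.g. the URL scheme used)."""
    if tls:
        return []
    return sorted(n for n in rubicon_headers(req) if n in CREDENTIAL_HEADERS)


if __name__ == "__main__":
    req = parse_request(SAMPLE_REQUEST)
    print(req.method, req.path, req.version)
    for name, value in rubicon_headers(req).items():
        print(f"  {name}: {value}")
    print("sent in the clear:", credentials_in_clear(req, tls=False))
```

Run it as a script to see the three extension headers pulled out of the quoted request; call `capture_one_request(8080)` (or any port you like) and point the embedded browser at `http://<your host>:<port>/` to reproduce the netcat step with the same parser applied to the live capture.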
