
Intercepting Zoom's encrypted data with BPF - aaron-santos
https://confused.ai/posts/intercepting-zoom-tls-encryption-bpf-uprobes
======
sillysaurusx
_But how do we find the offsets? What values do we give to ssl_read_offset and
ssl_write_offset?

[ REDACTED ]

I had a nice little section on how to find the offsets here. When I first
wrote it I was convinced that publishing two addresses couldn't possibly get
me sued for reverse engineering. Some of the people who read the draft of this
post changed my mind about it though, and it is 2020 after all so it is not a
good time to be optimistic._

So, how would you find these offsets? Anyone know?

It's probably the most interesting part of the post.

There's a "hypothetical" paragraph afterwards, but if anyone wants to actually
do this with Zoom and post the results, you'd probably earn lots of cred.

In particular, the exact arguments to the objdump command would help.

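Since the redacted step is "turn a function's address into something a uprobe can use", here is an added example, not code from the post or from snuffy, of the arithmetic involved: uprobes are attached by file offset, not virtual address, so a symbol's st_value has to be mapped through the PT_LOAD segment that contains it (offset = st_value - p_vaddr + p_offset). The script parses a little-endian ELF64 with nothing but `struct`, looks the name up in .symtab/.dynsym, and returns that file offset. The ELF it runs against is constructed inline (a skeleton with one segment and three symbols; addresses are made up for the example), so it works offline; `find_symbol`, `uprobe_offset` and the rest are names chosen here, not an API of any real tool.

```python
import struct

EH_FMT, PH_FMT = '<16sHHIQQQIHHHHHH', '<IIQQQQQQ'   # Elf64_Ehdr, Elf64_Phdr
SH_FMT, SYM_FMT = '<IIQQQQIIQQ', '<IBBHQQ'          # Elf64_Shdr, Elf64_Sym
PT_LOAD, SHT_SYMTAB, SHT_DYNSYM, SHN_UNDEF = 1, 2, 11, 0


def _cstr(blob, off):
    return blob[off:blob.index(b'\x00', off)].decode()


def _ehdr(data):
    if data[:4] != b'\x7fELF' or data[4] != 2 or data[5] != 1:
        raise ValueError('only little-endian ELF64 is handled here')
    return struct.unpack_from(EH_FMT, data, 0)


def elf_symbols(data):
    """Yield (name, st_value, st_shndx) from every .symtab/.dynsym section."""
    hdr = _ehdr(data)
    shoff, shentsize, shnum = hdr[6], hdr[11], hdr[12]
    shdrs = [struct.unpack_from(SH_FMT, data, shoff + i * shentsize) for i in range(shnum)]
    for sh in shdrs:
        sh_type, sh_offset, sh_size, sh_link, sh_entsize = sh[1], sh[4], sh[5], sh[6], sh[9]
        if sh_type not in (SHT_SYMTAB, SHT_DYNSYM):
            continue
        strtab = shdrs[sh_link]                       # sh_link names the string table section
        strs = data[strtab[4]:strtab[4] + strtab[5]]
        for j in range(sh_size // sh_entsize):
            st_name, _, _, st_shndx, st_value, _ = struct.unpack_from(SYM_FMT, data, sh_offset + j * sh_entsize)
            if st_name:                               # entry 0 is the mandatory null symbol
                yield _cstr(strs, st_name), st_value, st_shndx


def find_symbol(data, name):
    """Return (st_value, st_shndx) of the first symbol called `name`, or None if stripped/absent."""
    for sym_name, value, shndx in elf_symbols(data):
        if sym_name == name:
            return value, shndx
    return None


def vaddr_to_file_offset(data, vaddr):
    """Map a virtual address to the file offset uprobes expect, via the PT_LOAD segments."""
    hdr = _ehdr(data)
    phoff, phentsize, phnum = hdr[5], hdr[9], hdr[10]
    for i in range(phnum):
        p_type, _, p_offset, p_vaddr, _, p_filesz, _, _ = struct.unpack_from(PH_FMT, data, phoff + i * phentsize)
        if p_type == PT_LOAD and p_vaddr <= vaddr < p_vaddr + p_filesz:
            return vaddr - p_vaddr + p_offset
    return None


def uprobe_offset(data, name):
    """File offset for `name`, or None. None also covers the SHN_UNDEF trap: the symbol is
    only imported (resolved from a shared library at run time), so the probe belongs on
    that library, not on this executable."""
    sym = find_symbol(data, name)
    if sym is None or sym[1] == SHN_UNDEF:
        return None
    return vaddr_to_file_offset(data, sym[0])


def build_sample_elf():
    """Constructed sample: a skeleton ELF64 (no code bytes) whose one PT_LOAD maps file
    offset 0 to 0x400000, with SSL_read/SSL_write defined and BIO_read imported."""
    names = ['SSL_read', 'SSL_write', 'BIO_read', '.symtab', '.strtab']
    strtab, name_off = b'\x00', {}
    for n in names:
        name_off[n] = len(strtab)
        strtab += n.encode() + b'\x00'
    strtab += b'\x00' * (-len(strtab) % 8)            # keep .symtab 8-byte aligned
    eh, ph, sh, sym = 64, 56, 64, 24
    ph_off = eh
    strtab_off = ph_off + ph
    symtab_off = strtab_off + len(strtab)
    symtab = bytes(sym)                               # null symbol
    for n, addr, shndx in [('SSL_read', 0x401130, 1), ('SSL_write', 0x401180, 1), ('BIO_read', 0, SHN_UNDEF)]:
        symtab += struct.pack(SYM_FMT, name_off[n], 0x12, 0, shndx, addr, 0x40)  # STB_GLOBAL|STT_FUNC
    sh_off = symtab_off + len(symtab)
    ehdr = struct.pack(EH_FMT, b'\x7fELF\x02\x01\x01' + bytes(9), 2, 62, 1, 0x401130,
                       ph_off, sh_off, 0, eh, ph, 1, sh, 3, 2)
    phdr = struct.pack(PH_FMT, PT_LOAD, 5, 0, 0x400000, 0x400000, 0x2000, 0x2000, 0x1000)
    shdrs = bytes(sh)                                 # null section header
    shdrs += struct.pack(SH_FMT, name_off['.symtab'], SHT_SYMTAB, 0, 0, symtab_off, len(symtab), 2, 1, 8, sym)
    shdrs += struct.pack(SH_FMT, name_off['.strtab'], 3, 0, 0, strtab_off, len(strtab), 0, 0, 1, 0)
    return ehdr + phdr + strtab + symtab + shdrs


if __name__ == '__main__':
    data = build_sample_elf()
    for name in ('SSL_read', 'SSL_write', 'BIO_read', 'SSL_shutdown'):
        print(name, find_symbol(data, name), hex(uprobe_offset(data, name) or 0))
```

On the sample, `SSL_read` resolves to file offset 0x1130, which is the form the kernel's uprobe tracer takes (`p:ssl/read /path/to/binary:0x1130` written to `uprobe_events`); `BIO_read` is present but undefined, so the function refuses to give an offset for it, and for a stripped, statically linked binary like the one the post targets `find_symbol` simply returns None and the virtual address has to come from disassembly, after which `vaddr_to_file_offset` still does the last step.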
~~~
jdright
It is sad they felt the need to do this. This step is not hard, but censoring
it because of hypothetical legal issues speaks a lot about the state of
affairs in computing.

I miss the good old times when knowledge was freely published without fear.

~~~
saagarjha
Do note that this is generally not something that would be a legal issue.

------
jeroenhd
I was surprised to see hooking code like this being written in Rust. I've come
to expect C sample code for purposes like these, so it's nice to see that
there are actually alternatives when it comes to intercepting function calls
and extracting data from a process.

~~~
dharmab
Other options include bpftrace[1] or C, Python or Lua via BCC[2]

1: [https://github.com/iovisor/bpftrace](https://github.com/iovisor/bpftrace)

2: [https://github.com/iovisor/bcc](https://github.com/iovisor/bcc)

~~~
BobbyJo
Lua is the most common language I had never heard about before dealing with
BPF. It gets embedded in a surprising array of technologies.

~~~
phs
That's most of what lua's purpose is: to be a reasonably pleasant and
featureful language that is dead easy to embed in larger systems that want
some kind of scripting or macros.

------
arn7av
I have done exactly the same thing for Desktop/Android apps using Frida
(modified from
[https://github.com/google/ssl_logger](https://github.com/google/ssl_logger)).
There are modules out there that dump SSLKEYLOG too (that can be used in
Wireshark)

~~~
benmmurphy
With iOS I've used the keylog strategy and it is very effective. iOS uses
BoringSSL and the library calls a function to log the secret but this function
never does anything normally. However, you can either trampoline this function
to log the secret or modify the ssl context to add your own logger function.
This is all public knowledge and you can find Frida scripts that will dump the
TLS secrets.

~~~
heyoni
And this can be used to defeat certificate pinning?

~~~
heyoni
I just realized you would just be sniffing the data unencrypted rather than
setting up any proxy or root cert, so this question doesn't make sense.

------
jackinloadup
This is very cool. I've always wanted to do something like this. I hope to use
snuffy in the future. Thanks for the great walk through!

~~~
yconfiscator
Glad you liked it!

------
procombo
Awesome post Alessandro! Well written and in tutorial format. Much respect! I
know what I'll be playing around with this weekend.

I will be looking forward to more blog posts of yours in the future.

~~~
yconfiscator
Thank you! Mind, I only tested on latest Ubuntu and Fedora, so feel free to DM
me on Twitter if you run into issues.

------
setheron
Something like this needs to be included in tcpdump or Wireshark. (tcpdump
would be fitting, since it was the genesis for cBPF.)

I remember patching Netty
[https://github.com/netty/netty/pull/8653](https://github.com/netty/netty/pull/8653)
just to get the master key in order to decrypt sessions.

Having the ability to decrypt TLS sessions like this is way simpler.

tl;dr: would love to see something like this for tshark / tcpdump

~~~
shawnz
Wireshark does support TLS decryption if you provide a "key log file":
[https://wiki.wireshark.org/TLS#TLS_Decryption](https://wiki.wireshark.org/TLS#TLS_Decryption)

Perhaps OP's technique could be used to generate such a file.

EDIT: I see you have already investigated such methods after looking at your
github link.

------
justicezyx
I am not sure how much of this technique can be used elsewhere for legitimate
purposes.

In this example, except for an administrator spying on other users on a shared
machine, which is kind of already an admitted risk by users on a shared
machine anyway.

~~~
phs
Looks like nextgen ad blocking to me. If you can instrument TLS connections on
the client, you can identify ad content and substitute blank video frames or
just 404s.

~~~
yconfiscator
Writing a toy ad blocker is actually on my todo list :)

There are just so many things you can do. The original goal of the post was to
tamper with Zoom's attention tracking, for example (which was a field in one of
their protobuf payloads).

