Malware Paradox
Persistent Cross Interface Attacks
Aditya K Sood, Richard J Enbody
Michigan State University
Soodadit [at] msu.edu | adi_ks [at] secniche.org
Disclaimer
The vulnerabilities and attacks discussed in this talk are part of my PhD research. We follow a responsible disclosure pattern in revealing vulnerabilities to vendors.
This is all for education purposes only.
A sincere thanks to my adviser Mr. Richard J Enbody for guiding me at every step.
About Me
Founder, SECNICHE Security Labs (http://www.secniche.org). PhD Candidate at Michigan State University.
Worked previously for COSEINC as Senior Security Researcher and as Security Consultant for KPMG.
Author for HITB EZine, Hakin9, ELSEVIER, ISSA, ISACA, USENIX journals. Likes to do bug hunting and malware dissection. Released advisories to forefront companies. Active speaker at security conferences including RSA etc.
Blog: http://zeroknock.blogspot.com
Agenda
Web 2.0 and Malware
Malware through Network Devices with Web Interfaces
Cross Interface Attack Details
Release Vulnerability and Case Study
Conclusion
World – Malware Lookup
(Figure: world map of malware statistics, © M86 Security Labs – http://www.m86security.com/labs/malware-statistics.asp)
Malware Trends
Financial abuse and mass identity theft
The mass destructor – Botnet infection and zombie hosts
Exploiting the link dependency – pay-per-click hijacking
Traffic manipulation – Open redirect vulnerabilities at large scale
Spyware, cryptovirology, ransomware etc.
Distributed Denial of Service – The service death game , extortion
Industry change semantics – Malware activation change line
Infection through browsers and portable gadgets – the biggest step
Exploiting anti-virus loopholes
Malware Contributing Issues
Publicly available malware source code
Unpatched vulnerabilities and loosely coupled patches
Demand of underground services and self exposure
Global surveillance mode and information stealing in the wild
Software discrepancies and inherited design flaws, such as in browsers
Exploitation at the web level is easy; it opens a door to system-level fallacies
Inappropriate security solutions deployed and an irrelevant security paradigm
Botnet infection – the easy way to launch diversified attacks
Breaking the Limits!
Websites are infected with malware, and so are web servers – right?
Is it possible to infect peripheral network devices?
(Firewalls, DiskStation Managers, storage devices, routers etc.)
Yes! Network Devices are Prone to Malware
Network devices have a web interface for administration
Inappropriate web interface design
Misconception! The web interface is just used for administration!
Vulnerabilities in web administration panels
Open FTP and Telnet login consoles
Exploiting the default nature of protocols such as FTP and Telnet
Fundamental Thinking
Reflective attacks do not make much sense in network devices
Persistent attacks are more intense
Modus operandi plays a critical role
Exploiting every element that is used for network device management
Application Bad Design
• Source of major vulnerabilities in the real-time world
• Design issues are repetitive in nature
• Successful exploitation results in malware and code execution
Cross Interface Attack – Base
Is this a Cross Site Scripting attack?
What exactly is a Cross Interface Attack?
Cross Interface Attack
• It uses backend login consoles to inject payload into vulnerable websites
• Exploits the default nature of the FTP/Telnet protocol
• Vulnerability in log storage modules
• Attacks are persistent in nature
• Payloads are designed using the same XSS injection
Entry point for exploitation is different from XSS:
• XSS entry point is from web to web
• CIA entry point is from backend login console to website
Cross Interface Attack – Threat
Remote command execution through CSRF: this type of vulnerability addresses the remote code execution behavior
Malware infections – executing payloads to conduct drive-by download attacks
Information stealing
Turning a network device into an attack pot
Cross Interface Attack – (CIA)
Hardware devices using admin interfaces.
Admin interfaces: { Web, FTP, Telnet }
Do we require all admin interfaces?
• If web admin is allowed, what about backend consoles?
• Is URL restriction a good practice?
• Is it advantageous to have backend consoles?
• Does access control serve well?
CIA targets FTP/Telnet admin consoles.
Step by step, developing an attack surface.
Hardware devices – firewalls, disk stations, management systems etc.
Attack Launch Pad
Attack base and considerations
• Presence of FTP/Telnet admin login console
• Hardware appliances have a default error logging mechanism
• Log interfaces are served in HTML without filtering
• A bad design practice from a security point of view
• The default nature of protocols such as FTP/Telnet helps in information gathering
Attack Launch Pad
FTP Protocol Truth
• Collective username and password authentication
• Followed to avoid enumeration of user accounts
• No check on login attempts. No check on characters.
• Usually, accessible widely.
• Do you think access control is required?
Attack Launch Pad
Attacking and testing
• Gathering information about allowed characters
• No aim to get authenticated
• FTP 530 Login Incorrect is what we require. Malicious payloads are used as username and password
• Injections / Scripts / Iframes / DOM calls / Persistent payloads
• Inject whatever you want!
• Good point for triggering CSRF attacks
Of course, authentication failure. The error gets logged. Payloads become persistent. It can be reflective.
• Bad design practice – unencoded / unfiltered HTML rendering
• Inappropriate web logging mechanism
Voilà! Something happens.
Vulnerability Exploitation
Injecting payloads: supplying payloads as credentials
Input points – { FTP_USER_NAME, FTP_PASS_WORD }
Attack – Step 2
Testing the FTP Login Console
• To determine the number of characters that are allowed
• Supplying an excess of buffer in the FTP_USER_NAME input
• FTP_PASS_WORD reflects the allowed FTP_USER_NAME
• Injection points – { FTP_USER_NAME, FTP_PASS_WORD }
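The attack chain above leaves a recognizable trace on the device itself: a run of FTP 530 failures whose "username" is not a username at all but markup, an event handler, or an oversized string used to probe the allowed length. The following detection routine is an added example written for this page (not code from the talk or from any vendor); it runs over constructed ftpd-style log lines in a hypothetical format and the whitelist for account names is an assumption that should be aligned with the appliance's real policy.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample lines in a hypothetical ftpd auth-log format
# (not the real log format of any appliance, and not from the talk).
SAMPLE_LOG_LINES: List[str] = [
    '2010-05-11 14:36:07 ftpd[2231]: FAILED LOGIN from 192.0.2.10, user "alice"',
    '2010-05-11 14:36:09 ftpd[2231]: FAILED LOGIN from 192.0.2.10, user "bob.smith"',
    '2010-05-11 14:36:12 ftpd[2231]: FAILED LOGIN from 198.51.100.7, user "<script>alert(1)</script>"',
    '2010-05-11 14:36:13 ftpd[2231]: FAILED LOGIN from 198.51.100.7, user "<iframe src=//example.invalid>"',
    '2010-05-11 14:36:15 ftpd[2231]: FAILED LOGIN from 198.51.100.7, user "admin\' onload=x"',
    # Length probe: 200 characters in the FTP_USER_NAME field (constructed).
    '2010-05-11 14:36:20 ftpd[2231]: FAILED LOGIN from 198.51.100.7, user "' + "a" * 200 + '"',
]

LINE_RE = re.compile(
    r'FAILED LOGIN from (?P<src>\d{1,3}(?:\.\d{1,3}){3}), user "(?P<user>.*)"$'
)

# Assumed account-name policy: letters, digits, dot, underscore, hyphen, @,
# at most MAX_LEN characters. Adjust to the device's real policy.
MAX_LEN = 64
ALLOWED_USERNAME_RE = re.compile(r'[A-Za-z0-9._@-]{1,%d}' % MAX_LEN)

TAG_RE = re.compile(r'<\s*/?\s*[A-Za-z]')          # any HTML-looking tag
EVENT_HANDLER_RE = re.compile(r'\bon[A-Za-z]+\s*=') # onload=, onerror=, ...


def classify_username(user: str) -> List[str]:
    """Return the reasons a supplied login name looks like an injection attempt
    (empty list means it is consistent with a legitimate account name)."""
    reasons: List[str] = []
    if len(user) > MAX_LEN:
        reasons.append("oversized")            # buffer/length probing
    if ALLOWED_USERNAME_RE.fullmatch(user) is None:
        reasons.append("outside_whitelist")    # characters no account may contain
    if TAG_RE.search(user):
        reasons.append("html_tag")             # markup destined for the log viewer
    if EVENT_HANDLER_RE.search(user) or "javascript:" in user.lower():
        reasons.append("script_handler")       # inline script vectors
    return reasons


def find_injection_attempts(lines: List[str]) -> List[Dict[str, object]]:
    """Parse auth failures and keep only those whose username is suspicious."""
    findings = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not an auth-failure line in the expected format
        reasons = classify_username(m.group("user"))
        if reasons:
            findings.append({
                "src": m.group("src"),
                "user": m.group("user")[:80],  # truncate for reporting
                "reasons": reasons,
            })
    return findings


def summarize_by_source(findings: List[Dict[str, object]]) -> Counter:
    """Count suspicious failures per source address; a burst from one
    address is the pattern worth alerting on."""
    return Counter(f["src"] for f in findings)


if __name__ == "__main__":
    hits = find_injection_attempts(SAMPLE_LOG_LINES)
    for h in hits:
        print(h["src"], h["reasons"], repr(h["user"]))
    print(summarize_by_source(hits))
```

The whitelist check is deliberately the same rule the device should enforce at login time; if the two drift apart, the detector will either miss what the console accepts or flag what it rejects, so keep them in one place.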
CSRF Requests – Remote Command Exec
Injecting payloads
GET /webman/modules/logman.cgi?dc=1273595767787&action=view&start=0&limit=50&logtype=connlog&sort=time&dir=DESC HTTP/1.1
GET /webman/modules/logman.cgi?dc=1273595786011&action=view&start=0&limit=50&
Case Study
CVE-2010-3684 Synology Disk Station Manager
Persistent Cross Interface Attacks
Released collaboratively with Checkpoint Vulnerability Discovery Team
Effective Steps
The FTP login console or the user verification module should scrutinize the string parameter before verifying the user. A whitelist approach should be followed at the protocol level to reduce the impact of exploitation.
The applied design principle should be simplicity, to avoid complexity that can obscure vulnerabilities. For example, FTP logs should be rendered in a more customized environment, considering that a number of clients have access to them.
The content should be sniffed to avoid the usage of malicious input, thereby defining the Content-Type appropriately.
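The three steps above map onto three layers: a whitelist applied to the login name before the credential is checked, escaping applied when the log is rendered as HTML, and an explicit Content-Type on the viewer's response. The code below is an added example for this page, not the vendor's or the authors' code; the vulnerable renderer is the "unencoded / unfiltered HTML rendering" described earlier, shown beside the hardened one. The account-name policy, the log record layout and the INVALID(hex=...) marker are assumptions.

```python
import html
import re
from typing import Dict, List, Tuple

# Assumed account-name policy (hypothetical; align with the device's rules).
ALLOWED_USERNAME_RE = re.compile(r'[A-Za-z0-9._@-]{1,64}')

LogEntry = Tuple[str, str, str]  # (timestamp, source address, stored user field)


def validate_login_name(name: str) -> bool:
    """Step 1: whitelist the string before the user is even looked up."""
    return ALLOWED_USERNAME_RE.fullmatch(name) is not None


def safe_log_field(raw: str) -> str:
    """Decide what the log stores for a supplied login name.

    A whitelisted name is stored as-is. Anything else is stored hex-encoded
    behind a fixed marker, so the log keeps the evidence but never carries
    markup, quotes or oversized strings into a viewer."""
    if validate_login_name(raw):
        return raw
    return "INVALID(hex=%s)" % raw.encode("utf-8").hex()


def record_auth_failure(log: List[LogEntry], when: str, src: str, raw_user: str) -> None:
    """Append a scrutinized record for an FTP 530 Login Incorrect event."""
    log.append((when, src, safe_log_field(raw_user)))


def render_log_html_unsafe(log: List[LogEntry]) -> str:
    """The bad design: log fields dropped straight into the HTML table."""
    rows = "".join("<tr><td>%s</td><td>%s</td><td>%s</td></tr>" % e for e in log)
    return "<table>%s</table>" % rows


def render_log_html(log: List[LogEntry]) -> str:
    """Step 2: every cell is escaped at render time, independent of what the
    storage layer did, so a second line of defence remains if the whitelist
    is ever relaxed."""
    rows = "".join(
        "<tr>" + "".join("<td>%s</td>" % html.escape(cell, quote=True) for cell in e) + "</tr>"
        for e in log
    )
    return "<table>%s</table>" % rows


def log_view_headers() -> Dict[str, str]:
    """Step 3: an explicit Content-Type plus nosniff, so the browser renders
    the body as the declared type and does not reinterpret it."""
    return {
        "Content-Type": "text/html; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }


def render_for_comparison(raw_user: str) -> Dict[str, str]:
    """Render one constructed failure record three ways for side-by-side study."""
    when, src = "2010-05-11 14:36:12", "198.51.100.7"   # constructed sample
    raw_entry: LogEntry = (when, src, raw_user)
    scrutinized: List[LogEntry] = []
    record_auth_failure(scrutinized, when, src, raw_user)
    return {
        "vulnerable": render_log_html_unsafe([raw_entry]),
        "escaped_only": render_log_html([raw_entry]),
        "scrutinized_and_escaped": render_log_html(scrutinized),
    }


if __name__ == "__main__":
    for name, out in render_for_comparison("<script>alert(1)</script>").items():
        print(name, "->", out)
    print(log_view_headers())
```

Escaping alone already prevents the stored payload from executing in the log viewer; the whitelist in front of the verification module is what keeps the console from being usable as an injection channel in the first place, and the hex marker keeps the attempt visible to an operator reviewing the log.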
Thanks
AVAR 2010 (http://www.aavar.org/avar2010)
SecNiche Security (http://www.secniche.org)