When Bears Attack: How a Clean Mobile Interface Could Save Your Life
Cross interface attack
26
CROSS INTERFACE ATTACK Piyush Mittal Security Compass
-
Upload
piyushml20 -
Category
Education
-
view
547 -
download
0
description
A new attack vector for Web attack whereby backend login console like FTP etc. is used to attack web interface
Transcript of Cross interface attack
CROSS INTERFACE ATTACK
Piyush MittalSecurity Compass
Introduction
When 1 interface is used to attack the other interface.
Different from XSS
XSS - Entry point is from web to web
CIA - Entry point is from backend login console to web interface
CIA Characteristics
• Exploits the default nature of FTP /Telnet Protocol• Admin interfaces : { Web, FTP, Telnet}• Logging module running as root• DOM and HTML rendered as dynamic content• Attacks are persistent in nature• Hardware devices – firewalls, disk stations,
management systems etc.
Truth About FTP
• The default design of FTP allows the acceptance of both username and password prior to the authentication process and complete verification.
• No check on no of login attempts.
• No check on type of characters.
Old Buffer Trick• root@redux$ ftp example.com• Connected to example.com.• 220 Disk Station FTP server at DiskStation ready.• User (example.com:(none)):• AAAAAAAAAAAAAAAAAAAAAAAAA• AAAAAAAAAAAAAAAAAAAAAAAAA• AAAAAAAAAAAAAAAAAAAAAAAAA• AAAAAAAAAAAAAAAAAAAAAAAAA• AAAAAAAAAAAAAAAAAAAAAAAAAA• AAAAAAAAAAAAAAAAAAAAAAAAAA• AAAAAAAAAAAAAAAAAAAAAAAAAAA• 331 Password required for• AAAAAAAAAAAAAAAAAAAAAAAAAA• AAAAAAAAAAAAAAAAAAAAAAAAAA• AAAAAAAAAAAAAAAAAAAAAAAAAA.• Password:• 530 Login incorrect.• Login failed.
Design of the Application
FTP LOGININTERFACE
I
Design of the Application
FTP LOGININTERFACE
I
Inject Payload
Design of the Application
FTP LOGININTERFACE
I
Inject Payload
FTPAuthenticationModule
Design of the Application
FTP LOGININTERFACE
I
Inject Payload
FTPAuthenticationModule
FTP Logging Module
Design of the Application
FTP LOGININTERFACE
I
Inject Payload
FTPAuthenticationModule
FTP Logging Module
FTP Logging module run as root or administrator
Design of the Application
FTP LOGININTERFACE
I
Inject Payload
FTPAuthenticationModule
FTP Logging Module
Web Interface
FTP Logging module run as root or administrator
Design of the Application
FTP LOGININTERFACE
I
Inject Payload
FTPAuthenticationModule
FTP Logging Module
Web Interface
Unencoded/Unfiltered HTML rendering
FTP Logging module run as root or administrator
THREATS
• Information Stealing
Sample code
THREATS
Cookie Stealing
THREATS
• Malware Infections - Executing payloads to conduct Drive by Download Attacks
Sample code
THREATS
Drive by Download Attack
THREATS
• CSRF
Sample code
• Tuning Network device into attack pot
Advanced Code Injections
• Active X code execution
var fso = new ActiveXObject(”Scripting.FileSystemObject”);
XFile = fso.GetFile(”c:/business/secret.txt”);stream = XFile.OpenAsTextStream(1, 0);var content = stream.ReadAll();
Advanced Code Injections
• VBScript code execution
<object classid=’clsid:72C24DD5-D70A-438B-8A42-98424B88AFB8’ id=’target’ ></object> <script language=’vbscript’>arg1=”c:/WINDOWS/system32/calc.exe”target.Exec arg1</script>
Advanced Code Injections
• Heap Spray code execution
var shellcode = unescape(””);var heap block=unescape(”%u0a0a%u0a0a”);var nop sled= unescape(”%u09090%u09090%u09090”)do {heap_block += heap_block;} while (heap_block.length < xxxx)var memory = new Array();for (ret=0; ret <100; ret++){ memory[ret] += heap_block+nop_sled+shellcode; }
Advanced Code Injections
• AJAX code execution
DEFENSE
• A whitelist approach should be followed at the protocol level to reduce the impact of exploitation.
• The error reporting mechanism should be used in conjunction with the FTP authentication module to restrict the acceptance of malicious input through login consoles.
• The logging process should not run as administrator or root user.
• The logs should be rendered in a customized format which does not allow DOM and HTML elements to get rendered as dynamic content.
• The content should be sniffed to avoid the usage of malicious input thereby defining the Content-Type appropriately.
???????
When In doubt, its better to ask
References• http://www.google.co.in/search?q=http%3A%2F%2Fmilw0rm.com
%2Fexploits%2F6476&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a#sclient=psy-ab&hl=en&client=firefox-a&rls=org.mozilla:en-US%3Aofficial&source=hp&q=cross+interface+attack&pbx=1&oq=cross+interface+attack&aq=f&aqi=&aql=&gs_sm=e&gs_upl=37279l38938l11l40023l2l2l0l0l0l0l268l492l2-2l2l0&bav=on.2,or.r_gc.r_pw.&fp=a0ba24de15e40bac&biw=1366&bih=558
• http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2453• http://www.securityfocus.com/archive/1/archive/1/513970/100/0/
threaded
THANKS
