Hiding in Plain Sight – The Danger of Known Vulnerabilities
Tal Be’ery, Web Security Research Team Leader
While a lot of attention is devoted to the mitigation of previously unknown attack methods ("0 days"), many of today's high-profile breaches are caused by "Known Vulnerabilities" in the application's components, also referred to as "vulnerabilities in third-party components." Attackers are quickly moving to exploit applications built with vulnerable components and are inflicting serious data loss and/or hijacking entire servers in the process. The rising popularity of third-party components in application development enables attackers to quickly and repeatedly locate and exploit vulnerabilities in application components - making these attacks widespread and extremely hazardous. This presentation will: (1) explore the recent growth of "Known Vulnerabilities" and examine the scope of the problem (2) examine how attackers are able to quickly "weaponize" these vulnerabilities for immediate profit (3) reveal techniques for limiting the damage resulting from "Known Vulnerabilities" exploitation.

Published in: Technology
Transcript of "Hiding in Plain Sight: The Danger of Known Vulnerabilities"

  1. Hiding in Plain Sight – The Danger of Known Vulnerabilities. Tal Be’ery, Web Security Research Team Leader. © 2013 Imperva, Inc. All rights reserved. Confidential
  2. Agenda
     § Introduction
       • Zero-days vs. known vulnerabilities
     § The anatomy of a known vulnerability web attack: attacking a specific victim
       • Theory
       • Test case analysis: a vulnerable ColdFusion application
     § The anatomy of a known vulnerability web attack: mass attacks
       • Theory
       • Test case analysis: abusing JBoss
     § Summary & conclusion
     § Q&A
  3. HII Reports
     § The Hacker Intelligence Initiative (HII) is focused on understanding how attackers operate in practice
       • A different approach from vulnerability research
     § Data set composition
       • ~60 real-world applications
       • Anonymous proxies
     § More than 24 months of data
     § Powerful analysis system
       • Combines analytic tools with drill-down capabilities
  4. Tal Be’ery, Web Research Team Leader
     § Web Security Research Team Leader at Imperva
     § Holds MSc & BSc degrees in CS/EE from TAU
     § 10+ years of experience in the IS domain
     § Facebook “white hat”
     § Speaker at RSA, BlackHat, AusCERT
     § Columnist for securityweek.com
     § CISSP
  5. Introduction
  6. The Known Knowns
     § There are known knowns; these are things we know that we know.
     § There are known unknowns; that is to say, there are things that we now know we don't know.
     § But there are also unknown unknowns – there are things we do not know we don't know.
     -- Donald Rumsfeld, U.S. Secretary of Defense, February 2002
  7. Security’s Knowns and Unknowns Defined
     § Unknown Unknowns: Zero-Days. A zero-day attack is an attack that exploits a previously unknown vulnerability in a computer application, meaning that the attack occurs on "day zero" of awareness of the vulnerability (Wikipedia, http://en.wikipedia.org/wiki/Zero-day_attack)
     § Known Knowns: Known vulnerabilities. Vulnerable components (e.g., framework libraries) can be identified and exploited (OWASP, https://www.owasp.org/index.php/Top_10_2013-A9Using_Components_with_Known_Vulnerabilities)
  8. CVE: Managing Known Vulnerabilities
     § Known vulnerabilities are assigned a CVE (Common Vulnerabilities and Exposures) ID
     § “CVE’s common identifiers make it easier to share data across separate network security databases and tools, and provide a baseline for evaluating the coverage of an organization’s security tools” (MITRE, http://cve.mitre.org/about/index.html)
  9. “Hollywood Style”: Web Site Hacking – Single Site Attack
     Hacking: 1. Identify Target 2. Research Vulnerability 3. Exploit
     (Image: https://depot.gdnet.org/cms/gallery//25-iStock_000004333554Medium.jpg)
  10. Reality Check: Research Does Not Scale! – Multiple Site Attacks
     The same sequence, Hacking: 1. Identify Target 2. Research Vulnerability 3. Exploit, is shown repeated in full for each of five sites.
  11. Reality Check: Known Exploits Scale! – Multiple Site Attacks
     The sequence Hacking: 1. Identify Infrastructure 2. Find Existing Exploit 3. Exploit is shown repeated for each of five sites, with the same existing exploit reused every time.
  12. Zero-Days vs. Known Vulnerabilities
     § Zero-days get all the glory
       • Technically interesting
       • Give rise to some interesting theoretical questions: how to defend the “unknown unknowns?”
     § But known vulnerabilities are doing a lot of the damage
       • Provide hackers with a very cost-effective method to exploit applications
     (Image: http://faildesk.net/wp-content/uploads/2012/02/movie-hacking-vs.-real-hacking.gif)
  13. Vulnerability Lifecycle in Reality
  14. Why Is Known Vulnerability Exploitation So Successful?
     § Applications are based mostly on 3rd-party code
     § Web applications are no different
       • HTTP server, application server, plugins, libraries, etc.
     § Code re-use equals vulnerability re-use
     § Exploit code is available for known vulnerabilities
  15. 3rd Party Code Provides a Rich Attack Surface
     According to Veracode:
       • Up to 70% of internally developed code originates outside of the development team
       • 28% of assessed applications are identified as created by a 3rd party
  16. Known Vulnerabilities Disclosure Increases
     § The CVE ID enumeration syntax was changed to track more than 10,000 vulnerabilities in a single year, starting in 2014.
  17. Exploits Are Publicly Available
     § Exploit-DB: http://www.exploit-db.com/
  18. OWASP Top 10 – 2013 Update
     New: A9 - Using Known Vulnerable Components
  19. The Anatomy of a Known Vulnerability Web Attack: Attacking a Specific Victim
  20. Attacking a Specific Application: Theory
     § Step 1: Fingerprint the victim application to discover third-party components and infrastructure
     § Step 2: For the discovered components, find known vulnerabilities and exploits that give the hacker the desired access level
     § Step 3: Apply the exploit to the victim’s application
  21. The Art of Fingerprinting
     Identify a fingerprint in the victim application. A fingerprint can be:
       • Image
       • URL
       • Content
       • Object reference
       • Response to a query
       • Etc.
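As an added illustration (not from the deck) of the fingerprint categories listed above, applied from the defender's side to inventory one's own applications: the script parses a captured HTTP response, runs URL-, content- and header-based fingerprint rules over it, and maps each identified component to the CVEs recorded for it, which is the inventory a team needs before it can patch or virtually patch. The rule set, the two sample responses and the CVE map are constructed for this example (the only CVE seeded is CVE-2013-0632, the ColdFusion case the deck discusses).

```python
import re

# Fingerprint rules modelled on the slide's categories (URL, content, response
# header). Constructed for this example; a real inventory would carry many more.
RULES = [
    ("url",     re.compile(r"\.cfm(?:\?|$)", re.I),    "ColdFusion"),
    ("url",     re.compile(r"/CFIDE/", re.I),          "ColdFusion"),
    ("content", re.compile(r"/CFIDE/scripts/", re.I),  "ColdFusion"),
    ("header",  re.compile(r"\bJBoss", re.I),          "JBoss"),
    ("header",  re.compile(r"\bJSESSIONID=", re.I),    "Java servlet container"),
]

# Seed CVE map: component -> known CVE IDs. Only the deck's ColdFusion CVE is
# filled in here; the rest would be fed from a CVE feed.
KNOWN_CVES = {"ColdFusion": ["CVE-2013-0632"]}

def parse_response(raw):
    """Split a raw HTTP/1.1 response into (headers dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def fingerprint(url, raw_response):
    """Return {component: sorted evidence strings} for one URL/response pair."""
    headers, body = parse_response(raw_response)
    header_blob = "\n".join(f"{k}: {v}" for k, v in headers.items())
    targets = {"url": url, "content": body, "header": header_blob}
    hits = {}
    for category, pattern, component in RULES:
        match = pattern.search(targets[category])
        if match:
            hits.setdefault(component, set()).add(f"{category}:{match.group(0)}")
    return {c: sorted(ev) for c, ev in hits.items()}

def known_cves(components):
    """Look up the recorded CVEs for each identified component."""
    return {c: KNOWN_CVES.get(c, []) for c in components}

# Constructed sample responses (not captured from any real site).
CF_RESPONSE = (
    "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n"
    "<html><head><script src=\"/CFIDE/scripts/cfform.js\"></script></head>"
    "<body><a href=\"/login.cfm\">Login</a></body></html>"
)
JBOSS_RESPONSE = (
    "HTTP/1.1 200 OK\r\nX-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/\r\n\r\n<html>Welcome</html>"
)

if __name__ == "__main__":
    for url, resp in [("https://app.example/index.cfm", CF_RESPONSE),
                      ("https://app.example/", JBOSS_RESPONSE)]:
        found = fingerprint(url, resp)
        print(url, found, known_cves(found))
```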
  22. Fingerprinting Example 1: Content Based
     The code will usually contain fingerprints of the infrastructure in use.
  23. Fingerprinting Example 2: URL Based
     An administrator interface may be front facing, allowing detection and login attempts.
  24. Test Case: corporatecaronline.com Hack
     http://krebsonsecurity.com/2013/11/hackers-take-limo-service-firm-for-a-ride/
  25. Fingerprinting corporatecaronline.com
     § The application is using CFM files
     § What’s a CFM file?
  26. Known Vulnerability for ColdFusion
     § CVE-2013-0632
     § Reported in January 2013
     § A “perfect 10” risk score
  27. Public Exploit for CVE-2013-0632
     http://downloads.securityfocus.com/vulnerabilities/exploits/57164.rb
  28. ColdFusion Attacks in the Wild
     § Data collected in October 2013
     § More than 4,000 attacks
     § Attacking various resources within the CFIDE directory
  29. The Anatomy of a Known Vulnerability Web Attack: Mass Hacking
  30. Mass Hacking: Theory
     § Step 1: Find a public exploit in an infrastructure
       • The infrastructure is relevant to many applications
       • The exploit is “powerful”: usually full server takeover
     § Step 2: Create a search query to identify vulnerable applications on the web
       • Often named “Google Dorks”
     § Step 3: Apply the exploit to all of the vulnerable applications
  31. Mass Hacking - Finding a Vulnerability
     Find a vulnerability in an infrastructure. Public vulnerability databases contain thousands of web-related exploits. (Source: www.exploit-db.com)
  32. Google Dork for the Masses
     § Query: inurl:(wp-config.conf | wp-config.txt) ext:(conf | txt | config)
     § Results: 144,000
  33. Test Case: JBoss Based Hack
     § An open source application server: http://www.jboss.org/jbossas
  34. Known Vulnerability for JBoss
     § Presented during the OWASP Bay Area Chapter Meeting in November 2011: http://www.matasano.com/research/OWASP3011_Luca.pdf
  35. Exploit for the Known Vulnerability
     § The exploit was publicly published in September 2013: http://www.exploit-db.com/exploits/28713/
  36. Google Dorking for Vulnerable JBoss
     § In 2011: 7,370 results
     § In 2013: 23,100 results
  37. Hackers Apply the Attack
     § Many websites report being hit by the attack, resulting in a “pwn.jsp” web shell deployed on the server
     § Allows the attacker to execute arbitrary OS commands
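An added detection example (not part of the deck) for the two in-the-wild indicators the ColdFusion and JBoss test cases above mention: requests to resources under the CFIDE directory and hits on a deployed pwn.jsp web shell. It parses combined-format web server access log lines, ignores CFIDE administrator traffic from an internal administration range so that legitimate console use does not alert, and reports the remaining hits per source address. The log lines and the internal range are constructed for this example.

```python
import re
import ipaddress
from collections import Counter

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Indicators from the deck. Administrator-interface traffic under /CFIDE/ is
# expected from the internal admin range only; a web shell hit is never expected.
WATCH = [
    ("cfide_probe",   re.compile(r"^/CFIDE/", re.I),         True),   # allowlist applies
    ("pwn_jsp_shell", re.compile(r"/pwn\.jsp(?:\?|$)", re.I), False),  # always alert
]
# Constructed: the range our administrators use to reach the CF admin console.
INTERNAL_ADMIN_NET = ipaddress.ip_network("10.0.0.0/8")

def parse_line(line):
    """Return the log fields as a dict, or None for a line that does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_internal(ip):
    try:
        return ipaddress.ip_address(ip) in INTERNAL_ADMIN_NET
    except ValueError:          # malformed address: treat as external
        return False

def scan(lines):
    """Return (alerts, per-source counter); each alert is (ip, kind, path, status)."""
    alerts, per_source = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                              # skip unparsable lines, don't crash
        path = rec["path"].split("?", 1)[0]       # match on the path, not the query
        for kind, pattern, honour_allowlist in WATCH:
            if not pattern.search(path):
                continue
            if honour_allowlist and is_internal(rec["ip"]):
                continue
            alerts.append((rec["ip"], kind, path, rec["status"]))
            per_source[rec["ip"]] += 1
    return alerts, per_source

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Oct/2013:10:01:22 +0000] "GET /CFIDE/administrator/enter.cfm HTTP/1.1" 200 512',
    '203.0.113.5 - - [14/Oct/2013:10:01:23 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 403 0',
    '10.0.0.7 - - [14/Oct/2013:10:05:00 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 8120',
    '198.51.100.9 - - [14/Oct/2013:11:30:00 +0000] "GET /index.cfm HTTP/1.1" 200 3044',
    '198.51.100.9 - - [14/Oct/2013:11:31:07 +0000] "GET /pwn.jsp HTTP/1.1" 200 121',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    found, counts = scan(SAMPLE_LOG)
    for alert in found:
        print(*alert)
    print(dict(counts))
```

A 200 on the web shell path after a run of CFIDE probes from external addresses is the sequence the deck describes, so the per-source counter is the first thing to pivot on during triage.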
  38. Summary & Conclusion
  39. Vendor’s Patches Are Not Enough (1)
     § Security does not necessarily know all components
     § Security does not necessarily know all vulnerabilities for components
       • Not everything is reported as a CVE
     § Vendor patches may not be available
       • System reached End of Support (EoS)
       • Open source product with no SLA
  40. Vendor’s Patches Are Not Enough (2)
     § Patch installation requires testing before deploying
       • Patch may be problematic
       • Patch may break custom functionality
  41. Recommendations
     When a company builds its security model it usually does not take into account elements that are not under its control, which creates the security hole. Companies should:
     § Implement policies on both the legal and technical aspects to control data access and data usage
     § Require third-party applications to accept your security policies and put proper controls in place
     § Monitor the enforcement of these policies
  42. Technical Recommendations
     § Assume third-party code – coming from partners, vendors, or mergers and acquisitions – contains serious vulnerabilities
     § Pen test before deployment to identify these issues
     § Deploy the application behind a WAF to
       • Virtually patch pen test findings
       • Mitigate new risks (unknown at pen test time)
       • Mitigate issues the pen tester missed
       • Use a cloud WAF for remotely hosted applications
     § Apply vendor patches, when possible
     § Virtually patch newly discovered CVEs
  43. Virtual Patching Check List
     § Virtually patch newly discovered CVEs
     § Requires a robust security update service
       • Timely: attackers are very quick to onboard newly discovered exploits into their hacking code
       • Coverage: cover all relevant vulnerabilities in the relevant domain
       • Accurate: tested for false positives
       • Secured by default:
         § Automatically loaded into the protecting system
         § No need to reboot
  44. www.imperva.com