Cross Interface Attacks
Cross Interface Attacks by Piyush Mittal @ null Pune Meet, September 2011

Cross Interface Attacks Presentation Transcript

  • CROSS INTERFACE ATTACK
    Piyush Mittal
    Security Compass
  • Introduction
    When 1 interface is used to attack the other interface.
  • Different from XSS
    XSS - Entry point is from web to web
    CIA - Entry point is from backend login console to web interface
  • CIA Characteristics
    Exploits the default nature of the FTP/Telnet protocol
    Admin interfaces : { Web, FTP, Telnet}
    Logging module running as root
    DOM and HTML rendered as dynamic content
    Attacks are persistent in nature
    Hardware devices – firewalls, disk stations, management systems etc.
  • Truth About FTP
    The default design of FTP allows the acceptance of both username and password prior to the authentication process and complete verification.
    No check on the number of login attempts.
    No check on the type of characters.
  • Old Buffer Trick
    root@redux$ ftp example.com
    Connected to example.com.
    220 Disk Station FTP server at DiskStation ready.
    User (example.com:(none)):
    AAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAA
    331 Password required for
    AAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAA.
    Password:
    530 Login incorrect.
    Login failed.
  • Design of the Application
    (Diagram, built up over seven slides. Components in the order they are added:)
    FTP login interface
    Inject payload
    FTP authentication module
    FTP logging module
    FTP logging module runs as root or administrator
    Web interface
    Unencoded/unfiltered HTML rendering
  • THREATS
    Information Stealing
    Sample code
  • THREATS
    Cookie Stealing
  • THREATS
    Malware Infections - Executing payloads to conduct Drive by Download Attacks
    Sample code
  • THREATS
    Drive by Download Attack
  • THREATS
    CSRF
    Sample code
    Turning network device into attack pot
  • Advanced Code Injections
    Active X code execution
    var fso = new ActiveXObject("Scripting.FileSystemObject");
    XFile = fso.GetFile("c:/business/secret.txt");
    stream = XFile.OpenAsTextStream(1, 0);
    var content = stream.ReadAll();
  • Advanced Code Injections
    VBScript code execution
    <object classid='clsid:72C24DD5-D70A-438B-8A42-98424B88AFB8' id='target'>
    </object>
    <script language='vbscript'>
    arg1="c:/WINDOWS/system32/calc.exe"
    target.Exec arg1
    </script>
  • Advanced Code Injections
    Heap Spray code execution
    var shellcode = unescape("");
    var heap_block = unescape("%u0a0a%u0a0a");
    var nop_sled = unescape("%u09090%u09090%u09090")
    do {
    heap_block += heap_block;
    } while (heap_block.length < xxxx)
    var memory = new Array();
    for (ret=0; ret <100; ret++)
    { memory[ret] += heap_block+nop_sled+shellcode; }
  • Advanced Code Injections
    AJAX code execution
  • DEFENSE
    A whitelist approach should be followed at the protocol level to reduce the impact of exploitation.
    The error reporting mechanism should be used in conjunction with the FTP authentication module to restrict the acceptance of malicious input through login consoles.
    The logging process should not run as administrator or root user.
    The logs should be rendered in a customized format which does not allow DOM and HTML elements to get rendered as dynamic content.
    The content should be sniffed to avoid the usage of malicious input thereby defining the Content-Type appropriately.
  • ???????
    When in doubt, it's better to ask
  • References
    http://www.google.co.in/search?q=http%3A%2F%2Fmilw0rm.com%2Fexploits%2F6476&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a#sclient=psy-ab&hl=en&client=firefox-a&rls=org.mozilla:en-US%3Aofficial&source=hp&q=cross+interface+attack&pbx=1&oq=cross+interface+attack&aq=f&aqi=&aql=&gs_sm=e&gs_upl=37279l38938l11l40023l2l2l0l0l0l0l268l492l2-2l2l0&bav=on.2,or.r_gc.r_pw.&fp=a0ba24de15e40bac&biw=1366&bih=558
    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2453
    http://www.securityfocus.com/archive/1/archive/1/513970/100/0/threaded
  • THANKS
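
The whitelist, error-reporting and log-rendering measures from the DEFENSE slide, sketched as an added example (not code from the presentation or from any product it mentions). The username policy, function names, reply texts and sample log records are assumptions constructed for illustration.

```python
import html
import re

# Assumed policy, not from the slides: 1-32 characters from a small safe set.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,32}")

def handle_user_command(raw_username):
    """Protocol-level whitelist for the FTP USER argument.

    Returns (reply_to_client, name_to_log). Rejected input is never echoed
    in the reply and never written to the log; only its size is recorded.
    """
    if USERNAME_RE.fullmatch(raw_username):
        return "331 Password required.", raw_username
    size = len(raw_username.encode("utf-8", "replace"))
    return "501 Invalid user name.", "[rejected, %d bytes]" % size

def log_line(timestamp, client_ip, name_to_log, event):
    """One tab-separated record; the whitelist keeps tabs and newlines out."""
    return "\t".join([timestamp, client_ip, name_to_log, event])

def render_log_html(lines):
    """Web interface side: escape every field, so entries written before the
    whitelist existed are shown as text instead of being parsed as markup."""
    rows = []
    for line in lines:
        cells = "".join("<td>%s</td>" % html.escape(field, quote=True)
                        for field in line.split("\t"))
        rows.append("<tr>%s</tr>" % cells)
    return "<table>%s</table>" % "".join(rows)

# Headers for the log page: explicit type, and no browser-side type guessing.
LOG_PAGE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Content-Type-Options": "nosniff",
}

def demo():
    # Constructed sample input: one ordinary name, one name carrying markup.
    probe = "<script>alert(1)</script>"
    _, ok_name = handle_user_command("backup_admin")
    _, bad_name = handle_user_command(probe)
    lines = [
        log_line("2011-09-01 10:00:00", "192.0.2.10", ok_name, "login failed"),
        log_line("2011-09-01 10:00:05", "192.0.2.10", bad_name, "user rejected"),
        # Legacy record, as an unfiltered logger would have stored it.
        "2011-08-30 09:12:44\t192.0.2.10\t" + probe + "\tlogin failed",
    ]
    return render_log_html(lines)

if __name__ == "__main__":
    print(demo())
```

Running the logger under an unprivileged account, the remaining item on the slide, is a deployment setting and is not shown here.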