Cross Interface Attacks
 


Cross Interface Attacks by Piyush Mittal @ null Pune Meet, September 2011

    Cross Interface Attacks: Presentation Transcript

    • CROSS INTERFACE ATTACK
      Piyush Mittal
      Security Compass
    • Introduction
      When one interface is used to attack another interface.
    • Different from XSS
      XSS - Entry point is from web to web
      CIA - Entry point is from backend login console to web interface
    • CIA Characteristics
      Exploits the default nature of the FTP/Telnet protocol
      Admin interfaces : { Web, FTP, Telnet}
      Logging module running as root
      DOM and HTML rendered as dynamic content
      Attacks are persistent in nature
      Hardware devices – firewalls, disk stations, management systems etc.
    • Truth About FTP
      The default design of FTP allows the acceptance of both username and password prior to the authentication process and complete verification.
      No check on the number of login attempts.
      No check on type of characters.
    • Old Buffer Trick
      root@redux$ ftp example.com
      Connected to example.com.
      220 Disk Station FTP server at DiskStation ready.
      User (example.com:(none)):
      AAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAA
      331 Password required for
      AAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAA.
      Password:
      530 Login incorrect.
      Login failed.
    • Design of the Application
      [Diagram built up over seven slides; labels in order of appearance]
      FTP Login Interface
      Inject Payload
      FTP Authentication Module
      FTP Logging Module
      FTP Logging module run as root or administrator
      Web Interface
      Unencoded/Unfiltered HTML rendering
    • THREATS
      Information Stealing
      Sample code
    • THREATS
      Cookie Stealing
    • THREATS
      Malware Infections - Executing payloads to conduct Drive by Download Attacks
      Sample code
    • THREATS
      Drive by Download Attack
    • THREATS
      CSRF
      Sample code
      Turning network device into attack pot
    • Advanced Code Injections
      Active X code execution
      var fso = new ActiveXObject("Scripting.FileSystemObject");
      XFile = fso.GetFile("c:/business/secret.txt");
      stream = XFile.OpenAsTextStream(1, 0);
      var content = stream.ReadAll();
    • Advanced Code Injections
      VBScript code execution
      <object classid='clsid:72C24DD5-D70A-438B-8A42-98424B88AFB8' id='target'>
      </object>
      <script language='vbscript'>
      arg1="c:/WINDOWS/system32/calc.exe"
      target.Exec arg1
      </script>
    • Advanced Code Injections
      Heap Spray code execution
      var shellcode = unescape("");
      var heap_block = unescape("%u0a0a%u0a0a");
      var nop_sled = unescape("%u09090%u09090%u09090");
      do {
        heap_block += heap_block;
      } while (heap_block.length < xxxx)
      var memory = new Array();
      for (ret=0; ret <100; ret++)
      { memory[ret] += heap_block+nop_sled+shellcode; }
    • Advanced Code Injections
      AJAX code execution
    • DEFENSE
      A whitelist approach should be followed at the protocol level to reduce the impact of exploitation.
      The error reporting mechanism should be used in conjunction with the FTP authentication module to restrict the acceptance of malicious input through login consoles.
      The logging process should not run as administrator or root user.
      The logs should be rendered in a customized format which does not allow DOM and HTML elements to get rendered as dynamic content.
      The content should be sniffed to avoid the usage of malicious input thereby defining the Content-Type appropriately.
    • ???????
      When in doubt, it's better to ask
    • References
      http://www.google.co.in/search?q=http%3A%2F%2Fmilw0rm.com%2Fexploits%2F6476&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a#sclient=psy-ab&hl=en&client=firefox-a&rls=org.mozilla:en-US%3Aofficial&source=hp&q=cross+interface+attack&pbx=1&oq=cross+interface+attack&aq=f&aqi=&aql=&gs_sm=e&gs_upl=37279l38938l11l40023l2l2l0l0l0l0l268l492l2-2l2l0&bav=on.2,or.r_gc.r_pw.&fp=a0ba24de15e40bac&biw=1366&bih=558
      http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2453
      http://www.securityfocus.com/archive/1/archive/1/513970/100/0/threaded
    • THANKS
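
The DEFENSE slide's first, second and fourth points (protocol-level whitelist, rejecting bad input at the login console, and rendering logs so HTML stays inert) can be sketched as follows. This is an added example, not code from the presentation; the username policy, function names, log format and the documentation-range IP address are assumptions.

```python
import html
import re

# Assumed policy (not from the slides): 1-32 characters from this alphabet.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,32}")


def handle_user_command(arg, peer):
    """Return (FTP reply, log line) for a USER command.

    Rejected input is never echoed back to the client or written to the
    log verbatim; only its length is recorded.
    """
    if USERNAME_RE.fullmatch(arg):
        # Fixed reply text: the username is not reflected in the 331 line.
        return "331 Password required.", f"{peer} USER {arg}"
    return (
        "501 Syntax error in parameters or arguments.",
        f"{peer} USER rejected (invalid characters or length, {len(arg)} chars)",
    )


def render_log_page(log_lines):
    """Render log lines for the web admin interface as inert text.

    Every line is HTML-encoded at output time, so entries written before
    the whitelist existed are also displayed as text, not markup.
    """
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    rows = "\n".join(f"<li>{html.escape(line, quote=True)}</li>" for line in log_lines)
    return headers, f"<!doctype html>\n<ul>\n{rows}\n</ul>"


# Constructed sample input: a normal login, markup in the username field,
# and an over-long username like the one in the "Old Buffer Trick" slide.
SAMPLE_USERS = ["admin", "<script>alert(1)</script>", "A" * 180]

if __name__ == "__main__":
    logs = []
    for user in SAMPLE_USERS:
        reply, line = handle_user_command(user, "192.0.2.10")
        print(reply)
        logs.append(line)
    # Constructed legacy entry that was logged raw before validation was added.
    logs.append("192.0.2.10 USER <img src=x onerror=alert(1)>")
    print(render_log_page(logs)[1])
```

The two layers are independent: validation keeps markup out of new log entries, and output encoding covers anything already stored.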