Script Fragmentation - Stephan Chenette - OWASP/RSA 2008

Script Fragmentation AttacksOWASP November 2008Stephan Chenette, Security ResearcherWebsense Security Labs

Agenda What Web Developer 101 Web 1.0 versus Web 2.0 Malicious Web 1.0 Malicious Web 2.0 + Script Fragmentation Possible Solutions 2

What am I talking about todayThe success of any exploit depends on some basicassumptions:The vulnerable service or application is:1) Active2) AccessibleThe exploit is:1) Reliable2) Undetected 3

What am I talking about todayThis presentation will focus on: Evading detection of the exploitSpecifically: A new evasion technique to avoid detection of client-side web exploitation (Browser, ActiveX control, etc bugs) 4

Basic Web Developer 101 HTML Browser Document Object Model (DOM) JavaScript/JSON Remote Requests - XMLHTTPRequest (XHR) Cross-Domains Requests - XDomainRequest (XDR) Available in: – Internet Explorer, Firefox – Safari, Opera and Konqeror, etc. 5

Basic HTML document and DOM<html> <body> <div id=“target” /> HTML </body></html><html> <body> <div id=“target” /> DOM </body></html> 6

JavaScript can change DOM<script>var d = document.getElementById(“target”);var n = document.createElement(“script”);n.text = “alert(„test‟);”d.appendChild(n);</script> 7

New DOM<html> <body> <div id=“target”> <script> alert(‘test’); DOM </script> </div> </body></html> 8

Basic HTML document<html> <body> </body></html> 9

JavaScript can execute directlyvar text = “alert(„test‟);”eval(text); 10

DOM stays the same<html> <body> </body></html> 11

The power of scriptingvar text=“ale” + “rt(“ + “„te” + “st‟” + “);”eval(text); 12

JSON Basicsvar text = { "firstName" : "John", "lastName" : "Doe" };var JSONObj = eval(text);// Outputs Johndocument.writeln(JSONObj.firstName);// Outputs Doedocument.writeln(JSONObj.lastName); 13

XHR basicsvar client = new XMLHttpRequest();client.onreadystatechange = handler;client.open("GET", "test.cgi");client.send();var client = new XMLHttpRequest();client.open("POST", "/log");client.setRequestHeader("Content-Type", "text/plain;charset=UTF-8");client.send(message); 14

XDR requests (Cross-site requests)var xdr= new XDomainRequest();Xdr.onload= handler;xdr.open("GET",“http://test.com/test.cgi");xdr.send();var xdr= new XMLHTTPRequest();xdr.onload = handler;xdr.open("GET",“http://test.com/test.cgi");xdr.send(); 15

Web 1.0 client/server communication •GET / HTTP/1.1•Client Browser •Web Server 16

Web 2.0 WebsitesClient fetching content from multiple Servers+Servers receiving content from Client Benign JavaScript/HTTPXMLRequest technologies: – Gadgets – Widgets – Mashups Gmail, orkut, facebook, hi5.com, etc use JavaScript and XMLHTTPRequest. 17

Web 2.0 Websites•Client Browser •Web Server 18

Web attacks and defense Attack trends have shifted over the years. Intruders are focusing more prominently on the Web Most companies/users don‟t block HTTP at the firewall ALL Malicious client-side web attacks are assumed to be protected by desktop or gateway AV/IDS. 19

HTTP client/server communication •GET / HTTP/1.1•Client Browser •Web Server 20

Current desktop/gateway protection Looking at initial content 21

Current evasion techniques Obfuscated JS code 22

REGEX for Deobfuscation routinefor (fubatifi = 0; fubatifi < 1445; fubatifi++)fepab += String.fromCharCode(mosetib[fubatifi] ^ fedene);fors{0,5}(w{0,10}s{0,5}=s{0,5}0;s{0,5}w{0,10}s{0,5}<s{0,5}d{0,10};s{0,5}w{0,10}++)s{0,5}w{0,10}s{0,5}+=s{0,5}String.fromCharCode(w{0,10}[w{0,10}]s{0,2}^s{0,2}w{0,10}); 23

Successful Evasion… Passing malicious content over the network has a higher chance of evading detection the indistinguishable it is from benign traffic. A.K.A. Make malicious web 2.0 traffic look like good web 2.0 traffic. 24

Malicious Web 2.0/Script Fragmentation Script Active Content e.g. JavaScript, VBscript, etc. Fragmentation Little chunks of dataNote: The use of AJAX for malicious use was mentioned atToorcon 2007, but not in the detail I‟m about to go in… 25

Dynamic retrieval of data <script> xmlhttp.open(“GET”, “/index.php?q=2+2”, true); var response = xmlhttp.responseText; </script> •GET /index.php?q=2+2 “4”•Client Browser •Web Server 26

Steps for script fragmentation attack 1. Store malicious content on server 2. SERVER: Serve client webpage with script fragmentation decoder routine. 3. CLIENT: Use XMLHTTPRequest object to request only small chunk of malicious content from server 4. SERVER: respond with requested chunk of malicious content 5. CLIENT: Use JavaScript variable to save chunks of data and continue to use JavaScript and XMLHTTPRequest object to request new chunk of data until there is no more data 6. CLIENT: Execute resulting code once all data is received 27

Steps in action Step 1) Store malicious content on server •Web Server 28

Steps in action Step 1) Store malicious content on server •Web Server 29

Steps in action  Step 2) SERVER: Serve client webpage with script fragmentation decoder routine. •<DECODER>•Client Browser •Web Server 30

Script Fragmentation decoder routine 31

Steps in action  Step 2) CLIENT: use XMLHTTPRequest object to request only small chunk of malicious content from server •GET /index.cgi?o=0&rl=3•Client Browser •Web Server 32

Steps in action  Step 3) SERVER: respond with requested chunk of malicious content •“var”•Client Browser •Web Server 33

Steps in action  Step 4) CLIENT: store chunk and continually request more chunks until there is no more data. •GET /index.cgi?o=3&rl=3 •“ he”•Client Browser •Web Server•var text = “var he”; 34

Steps in action  Step 4) CLIENT: store chunk and continually request more chunks until there is no more data. •GET /index.cgi?o=6&rl=3 •“apS”•Client Browser •Web Server•var text = “var heapS”; 35

Steps in action  Step 4) CLIENT: store chunk and continually request more chunks until there is no more data. •GET /index.cgi?o=9&rl=3 •“pra”•Client Browser •Web Server•var text = “var heapSpra”; 36

Steps in action  Step 4) CLIENT: store chunk and continually request more chunks until there is no more data. •GET /index.cgi?o=12&rl=3 •“yTo ”•Client Browser •Web Server•var text = “var heapSprayTo”; 37

Steps in action  Step 5) CLIENT: execute resulting code once all data is received. •Client Browser•// Method 1 •// Method 2•eval(text); •var div = GetElementById(„target‟); var n = document.CreateElement(“script”); n.text = text; div.appendChild(n); 38

The possibilitiesBeyond the basic script fragmentation attacks: Randomize sequence of offsets xor/encrypt data Spread data across multiple web servers (botnet) (XDR) In memory keep string encrypted until the last minute 39

Options for data transferXMLHttpRequest is the object to make dynamic remoteHTTP request, but there are multiple data formats that maybe used for data transfer: RAW XML JSON etc.… 40

RAW data format •GET /index.cgi?o=0&rl=3&u=guid•Client Browser “var” •Web Server 41

XML data format •GET /index.cgi?o=0&rl=3•Client Browser “<Data eof=“0” text=“var” />” •Web Server 42

JSON data format •GET /index.cgi?o=0&rl=3 “{•Client Browser •Web Server eof : “0”,// S = server resp. text : “var”var data = eval(S); }”var text = data.text; 43

Flawlessly works on all major browsers Proof of concept (POC) exploited within 10-20s 44

AV won’t detect Script Fragmentations Initial page will hold decoder routine in script tag and then blank body. The file on disk will never change DOM in memory will never change NO SUBSTANTIAL CONTENT TO SCAN AS MALICIOUS! 45

HTML file on disk File on disk is the same before and after C:Documents and Settings<USER>Local SettingsTemporary Internet Files 46

Victory! Script Fragmentation is a very successful evasion attack that current desktop and gateway AV do not detect. 47

Ending remarks Reality: This attack is still a few years away We haven‟t seen this in the wild Possible Reasons: Dealing with scripting and obfuscation are still the biggest problems 48

Possible solutions Detecting the decoder routine Detecting network anomalies Using a “feedback loop” and executing in remote location. Dis-allow execution of content that comes from XMLHTTPRequest, hard to implement and would break functionality – so no go. Post-detection Hooking Browser internals Install security add-ons – NoScript, Flashblock, SafeHistory, Adblock Plus, LocalRodeo, CustomizeGoogle, etc. 49

Thank you. Any questions?Stephan Chenette, Websense Security Labsschenette@websense.com Check out our website and blogs http://securitylabs.websense.com/content/blogs.aspx http://securitylabs.websense.com/ 50

Script Fragmentation - Stephan Chenette - OWASP/RSA 2008

by Stephan Chenette on Aug 06, 2012

Accessibility

Upload Details

Usage Rights

1 Embed 1

Statistics

Script Fragmentation - Stephan Chenette - OWASP/RSA 2008 Presentation Transcript