1. Malware Paradox
Persistent Cross Interface Attacks
Aditya K Sood, Richard J Enbody
Michigan State University
1
Soodadit [at] msu.edu | adi_ks [at] secniche.org

2. Disclaimer
Vulnerabilities and attacks discussed in this talk is a part of my PhD research. We follow a
responsible disclosure pattern in revealing vulnerabilities to vendors.
This is all for education purposes only.
A sincere thanks to my adviser Mr. Richard J Enbody for guiding me at every step.
2

3. About Me
 Founder , SECNICHE Security Labs.
 http://www.secniche.org
 PhD Candidate at Michigan State University.
 Worked previously for COSEINC as Senior Security Researcher and Security
Consultant for KPMG
 Author for HITB EZine, Hakin9 ,ELSEVIER, ISSA, ISACA, USENIX Journals.
 Likes to do Bug Hunting and Malware dissection.
 Released Advisories to Forefront Companies.
 Active Speaker at Security Conferences including RSA etc.
 Blog: http://zeroknock.blogspot.com
3

4. Agenda
 Web 2.0 and Malware
 Malware through Network Devices with Web Interfaces
 Cross Interface Attack Details
 Release Vulnerability and Case Study
 Conclusion
4

5. Web 2.0 – The Real World
5

6. Malware Mess & Web Attacks
6

7. Generic – Web Malware Cycle !
© FireEye 7

8. World - Malware Lookup
© M86 Security Labs – (http://www.m86security.com/labs/malware-statistics.asp) 8

9. Malware Paradox – System & Web
© UCSB 9

10. Malware Trends
Financial abuse and mass identity theft
 The mass destructor – Botnet infection and zombie hosts
 Exploiting the link dependency – Pay Per click hijacking
 Traffic manipulation – Open redirect vulnerabilities at large scale
 Spywares , crypto virology , ransom ware etc
 Distributed Denial of Service – The service death game , extortion
 Industry change semantics – Malware activation change line
 Infection through browsers and portable gadgets – the biggest step
 Exploiting anti virus loopholes
10

11. Malware Contributing Issues
Publicly available malware source code
 Unpatched vulnerabilities and loosely coupled patches
 Demand of underground services and self exposure
 Global surveillance mode and information stealing in the wild
 Software discrepancies and inherited design flaws such as Browsers.
 Exploitation at web level is easy. It opens a door to System Level Fallacies.
 Inappropriate security solutions deployed and irrelevant security paradigm
 Botnet Infection – The easy way to launch diversified attack
11

12. Security Solutions – Is this All ?
12

13. The Truth – Web Malware Die Hard
13

14. Breaking the Limits !
Websites are Infected with Malware so as Web Servers – Right !
Is it possible to Infect Peripheral Network Devices !
(Firewalls, DiskStation Managers, Storage Devices, Routers etc)
14

15. Yes ! Network Devices are Prone to Malware
 Network devices having web interface for administration
 Inappropriate Web Interface design
 Misconception ! Web Interface is just used for administration !
 Vulnerability in Web adminisatrion panels
 Open FTP and Telnet Login Consoles
 Exploiting the default nature of protocol such as FTP and Telnet
15

16. Fundamental thinking
 Reflective Attacks does not make much sense in Network Devices
 Persistent attacks are more intense
 Modus Operandi plays a critical role
 Exploiting the every element that is used for network device management
16

17. Application Bad Design
 Source of major Vulnerabilities in real time world
• Design issues are repetitive in nature.
• Successful exploitation results in malware and code execution
17

18. Understanding – Cross Interface Attack
18

19. Cross Interface Attack - Base
 Is this a Cross Site Scripting Attack ?
 What exactly is Cross Interface Attack ?
 Cross Interface Attack
• It uses backend login consoles to inject payload in vulnerable websites.
• Exploits the default nature of FTP /Telnet Protocol
• Vulnerability in log storage modules
• Attacks are persistent in nature
• Payloads are designed using same XSS injection
 Entry point for exploitation is different from XSS.
XSS  Entry point is from web to web
CIA  Entry point is from backend login console to website
19

20. Cross Interface Attack – Threat
 Remote Command Execution through CSRF: This type of vulnerability addresses
the remote code execution behavior
 Malware Infections – Executing payloads to conduct Drive by Download Attacks
 Information Stealing
 Tuning Network device into attack pot
20

21. Cross Interface Attack – (CIA)
 Hardware devices using admin interfaces.
 Admin interfaces : { Web, FTP, Telnet}
 Do we require all admin interfaces ?
• If web admin is allowed, so what about backend consoles!
• Is URL restriction a good practice?
• Is it advantageous to have backend consoles?
• Does access control serves well?
 CIA targets FTP/Telnet admin consoles.
 Step by step developing an attack surface.
 Hardware devices – firewalls, disk stations, management systems etc
21

22. Attack Launch Pad
 Attack base and considerations
• Presence of FTP/Telnet admin login console
• Hardware appliances have default error logging mechanism
• Log interfaces are served in HTML without filtering
• A bad design practice from security point of view
• Protocol such as FTP/Telnet default nature helps in information
gathering
22

23. Attack Launch Pad
 FTP Protocol Truth
• Collective username and password authentication
• Followed to avoid enumeration of user accounts
• No check on login attempts. No check on characters.
• Usually, accessible widely.
• Do you think access control is required?
23

24. Attack Launch Pad
 Attacking and testing
 Gathering information about allowed characters
 No aim to get authenticated
• FTP 530 Login Incorrect is what we require.
 Malicious payloads are used as username and password
• Injections / Scripts / Iframes / DOM Calls / Persistent Payloads
• Inject what ever you want !
• Good point for triggering CSRF attacks
 Of-course , Authentication failure. Error gets logged.
 Payloads become persistent. It can be reflective.
 Bad design practice – Unencoded / Unfiltered HTML rendering
• Inappropriate web logging mechanism
 Viola ! Something happens.
24

25. Vulnerability Exploitation
Injecting payloads
 Supplying payloads as credentials
 Input points – {FTP_USER_NAME , FTP_PASS_WORD}
25

26. Other Possible Injections
26

27. Attack – Step 1
 Finding and Detecting the vulnerable target
27

28. Attack – Step 2
 Testing the FTP Login Console
• To determine the number of characters that are allowed
• Supplying excess of buffer in FTP_USER_NAME input
• FTP_PASS_WORD reflects the allowed FTP_USER_NAME
• Injection points – {FTP_USER_NAME , FTP_PASS_WORD}
28

29. Attack – Step 3
 Injecting Payloads
29

30. CSRF Requests – Remote Command Exec
 Injecting Payloads
GET /webman/modules/logman.cgi dc=1273595767787 &action=view&start=0&limit=50&logtype=connlog
&sort=time&dir=DESC HTTP/1.1
GET /webman/modules/logman.cgi dc=1273595786011 &action=view&start=0&limit=50&
30

31. Case Study
CVE 2010 -3684 Synology Disk Station Manager
Persistent Cross Interface Attacks
Released collaboratively with Checkpoint Vulnerability Discovery Team
31

32. MITRE & NIST – CVE Entry
32

33. Synology Disk Station – Web Interface
33

34. Synology Disk Station FTP Payload Injections
34

35. Malicious Link is Stored in Logs
35

36. Cookie Stealing – FTP Log Module
36

37. Malicious Iframe is Rendered
37

38. Malicious XLS File Downloading
38

39. Effective Steps
 The FTP login consoles or the user verification module should scrutinize the
string parameter before verifying the user. A whitelist approach should be
followed at the protocol level to reduce the impact of exploitation.
 The applied design principle should be simplicity to avoid complexity that can
obscure vulnerabilities. For example, FTP logs should be rendered in a more
customized environment considering the access to a number of clients.
 The content should be sniffed to avoid the usage of malicious input thereby
defining the Content-Type appropriately.
39

40. Questions and Queries ?
40

41. Thanks
AVAR 2010 (http://www.aavar.org/avar2010 )
SecNiche Security (http://www.secniche.org )
41