13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) conference
1. Malware Paradox – Persistent Cross Interface Attacks
   Aditya K Sood, Richard J Enbody
   Michigan State University
   Soodadit [at] msu.edu | adi_ks [at] secniche.org

2. Disclaimer
   The vulnerabilities and attacks discussed in this talk are part of my PhD research. We follow a responsible disclosure pattern in revealing vulnerabilities to vendors. This is all for education purposes only. A sincere thanks to my adviser Mr. Richard J Enbody for guiding me at every step.

3. About Me
   • Founder, SECNICHE Security Labs (http://www.secniche.org)
   • PhD Candidate at Michigan State University.
   • Worked previously for COSEINC as Senior Security Researcher and as Security Consultant for KPMG.
   • Author for HITB EZine, Hakin9, ELSEVIER, ISSA, ISACA and USENIX journals.
   • Likes to do bug hunting and malware dissection.
   • Released advisories to forefront companies.
   • Active speaker at security conferences including RSA.
   • Blog: http://zeroknock.blogspot.com

4. Agenda
   • Web 2.0 and Malware
   • Malware through Network Devices with Web Interfaces
   • Cross Interface Attack Details
   • Released Vulnerability and Case Study
   • Conclusion

5. Web 2.0 – The Real World
   (figure slide)

6. Malware Mess & Web Attacks
   (figure slide)

7. Generic – Web Malware Cycle!
   (figure slide, © FireEye)

8. World – Malware Lookup
   (figure slide, © M86 Security Labs – http://www.m86security.com/labs/malware-statistics.asp)

9. Malware Paradox – System & Web
   (figure slide, © UCSB)

10. Malware Trends
   • Financial abuse and mass identity theft
   • The mass destructor – botnet infection and zombie hosts
   • Exploiting the link dependency – pay-per-click hijacking
   • Traffic manipulation – open redirect vulnerabilities at large scale
   • Spyware, cryptovirology, ransomware etc.
   • Distributed Denial of Service – the service death game, extortion
   • Industry change semantics – malware activation change line
   • Infection through browsers and portable gadgets – the biggest step
   • Exploiting anti-virus loopholes

11. Malware Contributing Issues
   • Publicly available malware source code
   • Unpatched vulnerabilities and loosely coupled patches
   • Demand for underground services and self exposure
   • Global surveillance mode and information stealing in the wild
   • Software discrepancies and inherited design flaws, such as in browsers.
   • Exploitation at the web level is easy. It opens a door to system-level fallacies.
   • Inappropriate security solutions deployed and an irrelevant security paradigm
   • Botnet infection – the easy way to launch diversified attacks

12. Security Solutions – Is this All?
   (figure slide)

13. The Truth – Web Malware Die Hard
   (figure slide)

14. Breaking the Limits!
   Websites are infected with malware, and so are web servers – right! Is it possible to infect peripheral network devices? (Firewalls, DiskStation managers, storage devices, routers etc.)

15. Yes! Network Devices are Prone to Malware
   • Network devices having a web interface for administration
   • Inappropriate web interface design
   • Misconception! The web interface is just used for administration!
   • Vulnerabilities in web administration panels
   • Open FTP and Telnet login consoles
   • Exploiting the default nature of protocols such as FTP and Telnet

16. Fundamental Thinking
   • Reflective attacks do not make much sense in network devices
   • Persistent attacks are more intense
   • Modus operandi plays a critical role
   • Exploiting every element that is used for network device management

17. Application Bad Design
   • Source of major vulnerabilities in the real world
     - Design issues are repetitive in nature.
     - Successful exploitation results in malware and code execution

18. Understanding – Cross Interface Attack
   (figure slide)

19. Cross Interface Attack – Base
   • Is this a Cross Site Scripting attack?
   • What exactly is a Cross Interface Attack?
   • Cross Interface Attack
     - It uses backend login consoles to inject payloads into vulnerable websites.
     - Exploits the default nature of the FTP/Telnet protocols
     - Vulnerability in log storage modules
     - Attacks are persistent in nature
     - Payloads are designed using the same XSS injection techniques
   • The entry point for exploitation is different from XSS:
     - XSS – the entry point is from web to web
     - CIA – the entry point is from a backend login console to the website

20. Cross Interface Attack – Threat
   • Remote command execution through CSRF: this type of vulnerability addresses the remote code execution behavior
   • Malware infections – executing payloads to conduct drive-by download attacks
   • Information stealing
   • Turning the network device into an attack pot

21. Cross Interface Attack – (CIA)
   • Hardware devices using admin interfaces.
   • Admin interfaces: {Web, FTP, Telnet}
   • Do we require all admin interfaces?
     - If web admin is allowed, what about backend consoles?
     - Is URL restriction a good practice?
     - Is it advantageous to have backend consoles?
     - Does access control serve well?
   • CIA targets FTP/Telnet admin consoles.
   • Step by step, developing an attack surface.
   • Hardware devices – firewalls, disk stations, management systems etc.

22. Attack Launch Pad
   • Attack base and considerations
     - Presence of an FTP/Telnet admin login console
     - Hardware appliances have a default error logging mechanism
     - Log interfaces are served in HTML without filtering
     - A bad design practice from a security point of view
     - The default nature of protocols such as FTP/Telnet helps in information gathering

23. Attack Launch Pad
   • FTP protocol truth
     - Collective username and password authentication
     - Followed to avoid enumeration of user accounts
     - No check on login attempts. No check on characters.
     - Usually widely accessible.
     - Do you think access control is required?

24. Attack Launch Pad
   • Attacking and testing
   • Gathering information about allowed characters
   • No aim to get authenticated
     - FTP 530 Login Incorrect is what we require.
   • Malicious payloads are used as username and password
     - Injections / scripts / iframes / DOM calls / persistent payloads
     - Inject whatever you want!
     - Good point for triggering CSRF attacks
   • Of course, authentication fails. The error gets logged.
   • Payloads become persistent. They can also be reflective.
   • Bad design practice – unencoded / unfiltered HTML rendering
     - Inappropriate web logging mechanism
   • Voilà! Something happens.

25. Vulnerability Exploitation
   • Injecting payloads
     - Supplying payloads as credentials
     - Input points – {FTP_USER_NAME, FTP_PASS_WORD}

26. Other Possible Injections
   (figure slide)

27. Attack – Step 1
   • Finding and detecting the vulnerable target

28. Attack – Step 2
   • Testing the FTP login console
     - To determine the number of characters that are allowed
     - Supplying an excess of buffer in the FTP_USER_NAME input
     - FTP_PASS_WORD reflects the allowed FTP_USER_NAME
     - Injection points – {FTP_USER_NAME, FTP_PASS_WORD}

29. Attack – Step 3
   • Injecting payloads

30. CSRF Requests – Remote Command Exec
   • Injecting payloads
     GET /webman/modules/logman.cgi?dc=1273595767787&action=view&start=0&limit=50&logtype=connlog&sort=time&dir=DESC HTTP/1.1
     GET /webman/modules/logman.cgi?dc=1273595786011&action=view&start=0&limit=50&

31. Case Study
   CVE-2010-3684 Synology Disk Station Manager – Persistent Cross Interface Attacks
   Released collaboratively with the Checkpoint Vulnerability Discovery Team

32. MITRE & NIST – CVE Entry
   (figure slide)

33. Synology Disk Station – Web Interface
   (figure slide)

34. Synology Disk Station FTP Payload Injections
   (figure slide)

35. Malicious Link is Stored in Logs
   (figure slide)

36. Cookie Stealing – FTP Log Module
   (figure slide)

37. Malicious Iframe is Rendered
   (figure slide)

38. Malicious XLS File Downloading
   (figure slide)

39. Effective Steps
   • The FTP login consoles or the user verification module should scrutinize the string parameter before verifying the user. A whitelist approach should be followed at the protocol level to reduce the impact of exploitation.
   • The applied design principle should be simplicity, to avoid complexity that can obscure vulnerabilities. For example, FTP logs should be rendered in a more customized environment, considering the access by a number of clients.
   • The content should be sniffed to avoid the usage of malicious input, thereby defining the Content-Type appropriately.
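As an added illustration (not code from the talk or from Synology's DSM), the bad design of slides 22 and 24 beside the fix slide 39 asks for: a log viewer that drops the FTP user name straight into HTML, the same viewer with every field escaped so a stored payload is displayed as text, and a protocol-level whitelist check on the user name before the failed attempt is logged. The log line format, the whitelist regex and the sample entries are constructed for the example.

```python
import html
import re
from dataclasses import dataclass

# Assumed protocol-level whitelist for FTP user names (letters, digits, . _ @ -, max 32);
# this is the example's own policy, not Synology's actual rule.
FTP_USER_RE = re.compile(r"[A-Za-z0-9._@-]{1,32}")

@dataclass
class FtpLogEntry:
    time: str
    client_ip: str
    user: str
    result: str  # e.g. "530 Login incorrect"

def parse_ftp_log(text):
    """Parse the constructed 'time|ip|user|result' format into entries."""
    entries = []
    for line in text.splitlines():
        if line.strip():
            time, ip, user, result = line.split("|", 3)
            entries.append(FtpLogEntry(time, ip, user, result))
    return entries

def render_log_vulnerable(entries):
    """The bad design from the slides: log fields dropped into HTML unencoded."""
    rows = "".join(
        f"<tr><td>{e.time}</td><td>{e.client_ip}</td><td>{e.user}</td><td>{e.result}</td></tr>"
        for e in entries)
    return f"<table>{rows}</table>"

def render_log_hardened(entries):
    """Same view with every field HTML-escaped: a stored payload is shown, not rendered."""
    rows = []
    for e in entries:
        cells = "".join(f"<td>{html.escape(v, quote=True)}</td>"
                        for v in (e.time, e.client_ip, e.user, e.result))
        rows.append(f"<tr>{cells}</tr>")
    return f"<table>{''.join(rows)}</table>"

def ftp_user_allowed(user):
    """Whitelist check to run on the user name before the failed attempt is logged."""
    return FTP_USER_RE.fullmatch(user) is not None

# Constructed sample log: one normal login and one failed login carrying a markup payload.
SAMPLE_LOG = (
    "2010-05-11 10:36:07|192.0.2.10|alice|230 Login successful\n"
    '2010-05-11 10:36:26|192.0.2.77|<iframe src="http://example.invalid/"></iframe>|530 Login incorrect\n'
)
```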
40. Questions and Queries?

41. Thanks
   AVAR 2010 (http://www.aavar.org/avar2010)
   SecNiche Security (http://www.secniche.org)