Malware Paradox
Persistent Cross Interface Attacks
Aditya K Sood, Richard J Enbody
Michigan State University
Soodadit [at] msu.edu | adi_ks [at] secniche.org
Disclaimer


Vulnerabilities and attacks discussed in this talk are a part of my PhD research. We follow a
responsible disclosure pattern in revealing vulnerabilities to vendors.

This is all for education purposes only.

A sincere thanks to my adviser Mr. Richard J Enbody for guiding me at every step.




About Me


• Founder, SECNICHE Security Labs (http://www.secniche.org)
• PhD Candidate at Michigan State University
• Worked previously for COSEINC as Senior Security Researcher and as Security Consultant for KPMG
• Author for HITB EZine, Hakin9, ELSEVIER, ISSA, ISACA, USENIX Journals
• Likes to do bug hunting and malware dissection
• Released advisories to forefront companies
• Active speaker at security conferences including RSA
• Blog: http://zeroknock.blogspot.com




Agenda


• Web 2.0 and Malware
• Malware through Network Devices with Web Interfaces
• Cross Interface Attack Details
• Released Vulnerability and Case Study
• Conclusion




Web 2.0 – The Real World




Malware Mess & Web Attacks




Generic – Web Malware Cycle !




© FireEye
World - Malware Lookup




© M86 Security Labs – (http://www.m86security.com/labs/malware-statistics.asp)
Malware Paradox – System & Web




© UCSB
Malware Trends


• Financial abuse and mass identity theft

• The mass destructor – botnet infection and zombie hosts

• Exploiting the link dependency – pay-per-click hijacking

• Traffic manipulation – open redirect vulnerabilities at large scale

• Spyware, cryptovirology, ransomware etc.

• Distributed Denial of Service – the service death game, extortion

• Industry change semantics – malware activation change line

• Infection through browsers and portable gadgets – the biggest step

• Exploiting anti-virus loopholes
Malware Contributing Issues

• Publicly available malware source code

• Unpatched vulnerabilities and loosely coupled patches

• Demand for underground services and self exposure

• Global surveillance mode and information stealing in the wild

• Software discrepancies and inherited design flaws, such as in browsers

• Exploitation at the web level is easy; it opens a door to system-level fallacies

• Inappropriate security solutions deployed and an irrelevant security paradigm

• Botnet infection – the easy way to launch diversified attacks



Security Solutions – Is this All ?




The Truth – Web Malware Die Hard




Breaking the Limits !




Websites are infected with malware, and so are web servers – right!

Is it possible to infect peripheral network devices?

(Firewalls, DiskStation Managers, storage devices, routers etc.)

Yes ! Network Devices are Prone to Malware


• Network devices having a web interface for administration

• Inappropriate web interface design

• Misconception! The web interface is just used for administration!

• Vulnerabilities in web administration panels

• Open FTP and Telnet login consoles

• Exploiting the default nature of protocols such as FTP and Telnet




Fundamental thinking


• Reflective attacks do not make much sense in network devices

• Persistent attacks are more intense

• Modus operandi plays a critical role

• Exploiting every element that is used for network device management




Application Bad Design


• Source of major vulnerabilities in the real-time world
   • Design issues are repetitive in nature.
   • Successful exploitation results in malware and code execution




Understanding – Cross Interface Attack




Cross Interface Attack - Base


• Is this a Cross Site Scripting attack?

• What exactly is a Cross Interface Attack?

• Cross Interface Attack
     • It uses backend login consoles to inject a payload into vulnerable websites.
     • Exploits the default nature of the FTP/Telnet protocol
     • Vulnerability in log storage modules
     • Attacks are persistent in nature
     • Payloads are designed using the same XSS injection

• Entry point for exploitation is different from XSS.
    XSS → Entry point is from web to web
    CIA → Entry point is from backend login console to website

Cross Interface Attack – Threat


• Remote Command Execution through CSRF: this type of vulnerability addresses
  the remote code execution behavior

• Malware infections – executing payloads to conduct drive-by download attacks

• Information stealing

• Turning the network device into an attack pot




Cross Interface Attack – (CIA)


• Hardware devices using admin interfaces.

• Admin interfaces: { Web, FTP, Telnet }

• Do we require all admin interfaces?
        • If web admin is allowed, what about backend consoles?
        • Is URL restriction a good practice?
        • Is it advantageous to have backend consoles?
        • Does access control serve well?

• CIA targets FTP/Telnet admin consoles.

• Step by step, developing an attack surface.

• Hardware devices – firewalls, disk stations, management systems etc.
Attack Launch Pad


• Attack base and considerations
       • Presence of an FTP/Telnet admin login console

       • Hardware appliances have a default error logging mechanism

       • Log interfaces are served in HTML without filtering

       • A bad design practice from a security point of view

       • The default nature of protocols such as FTP/Telnet helps in information
       gathering




Attack Launch Pad


• FTP protocol truth
       • Collective username and password authentication

       • Followed to avoid enumeration of user accounts

       • No check on login attempts. No check on characters.

       • Usually widely accessible.

       • Do you think access control is required?




Attack Launch Pad


• Attacking and testing
        • Gathering information about allowed characters
        • No aim to get authenticated
            • "FTP 530 Login incorrect" is what we require.
        • Malicious payloads are used as username and password
            • Injections / scripts / iframes / DOM calls / persistent payloads
            • Inject whatever you want!
            • Good point for triggering CSRF attacks
        • Of course, authentication fails. The error gets logged.
        • Payloads become persistent. They can also be reflective.
        • Bad design practice – unencoded / unfiltered HTML rendering
            • Inappropriate web logging mechanism
        • Voila! Something happens.
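The chain the last three slides describe (failed FTP login is logged verbatim, the log view is served as HTML without filtering) reduces to one output-encoding mistake. The following added example is not code from the talk or from any vendor; it is a minimal log viewer written for this page, with constructed log records and invented function names, shown in the vulnerable state beside the encoded one, plus a check that lists any tag in the output that the template itself never emitted.

```python
"""Added example, not code from the talk or from any vendor: a minimal
appliance log viewer in the two states the slides contrast. The log entries
and all names are constructed for this example."""
import html
import re

# Constructed connection-log records. The "user" field holds whatever the
# client sent as the FTP USER argument before the 530 was returned, verbatim.
LOG_ENTRIES = [
    {"time": "2010-05-11 14:22:01", "user": "backup",
     "status": "530 Login incorrect"},
    {"time": "2010-05-11 14:22:09", "user": "<script>alert(1)</script>",
     "status": "530 Login incorrect"},
    {"time": "2010-05-11 14:22:15",
     "user": 'x"><iframe src="http://example.invalid/"></iframe>',
     "status": "530 Login incorrect"},
]


def render_log_vulnerable(entries):
    """The design the talk calls bad: log fields are concatenated into the
    HTML page without encoding, so a stored username is parsed as markup
    by every administrator who opens the log view (persistent, not
    reflective)."""
    rows = "".join(
        f"<tr><td>{e['time']}</td><td>{e['user']}</td><td>{e['status']}</td></tr>"
        for e in entries
    )
    return f"<table>{rows}</table>"


def render_log_hardened(entries):
    """Same view with every field HTML-encoded at the output boundary.
    The stored text is displayed literally; '<', '>', '&' and quotes can
    no longer open a tag or break out of an attribute."""
    rows = "".join(
        "<tr><td>{}</td><td>{}</td><td>{}</td></tr>".format(
            html.escape(e["time"], quote=True),
            html.escape(e["user"], quote=True),
            html.escape(e["status"], quote=True),
        )
        for e in entries
    )
    return f"<table>{rows}</table>"


TAG_RE = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)")


def foreign_tags(rendered_html, template_tags=("table", "tr", "td")):
    """Review check: tag names present in the output that the template
    itself never emits. Anything listed here came from the log data."""
    found = {t.lower() for t in TAG_RE.findall(rendered_html)}
    return sorted(found - set(template_tags))


if __name__ == "__main__":
    print("vulnerable view leaks tags:",
          foreign_tags(render_log_vulnerable(LOG_ENTRIES)))
    print("hardened view leaks tags:",
          foreign_tags(render_log_hardened(LOG_ENTRIES)))
```

The fix is applied where the data leaves the application (the HTML response), not where it enters (the FTP daemon), because the log store legitimately has to keep the bytes it received; the check function is the kind of assertion a regression test for the log module would carry.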


Vulnerability Exploitation


Injecting payloads
            • Supplying payloads as credentials
            • Input points – {FTP_USER_NAME, FTP_PASS_WORD}




Other Possible Injections




Attack – Step 1


• Finding and detecting the vulnerable target




Attack – Step 2


• Testing the FTP login console
       • To determine the number of characters that are allowed
       • Supplying an excess buffer in the FTP_USER_NAME input
       • FTP_PASS_WORD reflects the allowed FTP_USER_NAME
       • Injection points – {FTP_USER_NAME, FTP_PASS_WORD}




Attack – Step 3


• Injecting payloads




CSRF Requests – Remote Command Exec


• Injecting payloads




GET /webman/modules/logman.cgi dc=1273595767787 &action=view&start=0&limit=50&logtype=connlog
&sort=time&dir=DESC HTTP/1.1

GET /webman/modules/logman.cgi dc=1273595786011 &action=view&start=0&limit=50&




Case Study




CVE-2010-3684: Synology Disk Station Manager

Persistent Cross Interface Attacks

Released collaboratively with the Check Point Vulnerability Discovery Team



MITRE & NIST – CVE Entry




Synology Disk Station – Web Interface




Synology Disk Station FTP Payload Injections




Malicious Link is Stored in Logs




Cookie Stealing – FTP Log Module




Malicious Iframe is Rendered




Malicious XLS File Downloading




Effective Steps


• The FTP login consoles or the user verification module should scrutinize the
  string parameter before verifying the user. A whitelist approach should be
  followed at the protocol level to reduce the impact of exploitation.

• The applied design principle should be simplicity, to avoid complexity that can
  obscure vulnerabilities. For example, FTP logs should be rendered in a more
  customized environment, considering the access by a number of clients.

• The content should be sniffed to avoid the usage of malicious input, thereby
  defining the Content-Type appropriately.
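The three steps above, carried out in code as an added example for this page (not the talk's code and not any vendor's): a whitelist on the FTP USER argument applied before the credential check so that rejected input never reaches the log, explicit response headers for the HTML log view, and a detection pass that flags failed-login log lines whose username carries markup. Function names, the syslog-style line format and the sample lines are all constructed here; the nosniff header goes one step beyond what the slide says and is marked as such in the code.

```python
"""Added example, not code from the talk or from any vendor: the three
"effective steps" applied at a hypothetical FTP login console, plus a
detector that flags the tell-tale markup in failed-login log lines.
Function names, the log format and the sample lines are constructed."""
import re

# Whitelist for the FTP USER argument: 1 to 32 characters from a fixed
# alphabet. The check runs before any credential lookup and before the
# value is written anywhere, so the log never holds attacker-chosen bytes.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,32}")


def accept_user_argument(raw):
    """Return (accepted, value_to_log).

    A whitelisted name is logged as sent. A rejected name is replaced by a
    fixed descriptor; even a log viewer that forgets to encode its output
    then has nothing attacker-controlled to render."""
    if USERNAME_RE.fullmatch(raw):
        return True, raw
    return False, "rejected-username(len=%d)" % len(raw)


def log_view_headers():
    """Response headers for the HTML log view: an explicit Content-Type with
    charset so the browser does not guess, and X-Content-Type-Options
    (a standard header; an addition beyond the talk) so it does not sniff."""
    return {
        "Content-Type": "text/html; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }


# Constructed syslog-style lines from an appliance FTP daemon. The user
# field carries whatever the client sent, the situation the talk describes
# on an unpatched device.
SAMPLE_LOG = """\
May 11 14:22:01 diskstation ftpd[1203]: FAIL LOGIN client=192.0.2.10 user="backup"
May 11 14:22:09 diskstation ftpd[1203]: FAIL LOGIN client=192.0.2.10 user="<script>alert(1)</script>"
May 11 14:22:15 diskstation ftpd[1203]: OK LOGIN client=192.0.2.44 user="admin"
May 11 14:22:18 diskstation ftpd[1203]: FAIL LOGIN client=198.51.100.7 user="x'><iframe src=//example.invalid></iframe>"
"""

FAIL_RE = re.compile(r'FAIL LOGIN client=(\S+) user="(.*)"$')
# Markup indicators that have no business in an account name.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-zA-Z]|javascript:|\bon[a-z]+\s*=", re.I)


def suspicious_auth_failures(log_text):
    """Detection pass for a SIEM rule or a cron job on the appliance: return
    the client addresses whose failed logins carried HTML or script in the
    username. Ordinary wrong-password failures are not reported."""
    hits = []
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m and MARKUP_RE.search(m.group(2)):
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    print(accept_user_argument("backup"))
    print(accept_user_argument("<script>alert(1)</script>"))
    print(log_view_headers())
    print(suspicious_auth_failures(SAMPLE_LOG))
```

The whitelist is the step the slide places "at the protocol level": it is independent of whatever the web log module later does with the record, so it protects every consumer of the log, including ones that do not exist yet. The detector is the defender's complement; a device that is still unpatched can at least be watched for the attempts.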




Questions and Queries ?




Thanks




AVAR 2010 (http://www.aavar.org/avar2010)
SecNiche Security (http://www.secniche.org)





13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) conference
