Cатсн²² (in)sесuяitу / ChrisJohnRiley » Security

{book review} The Tangled Web

ChrisJohnRiley — Fri, 03 Feb 2012 13:30:32 +0000

It’s been 6 years since Michal Zalewski’s “Silence on the wire” hit the shelves. Although “The Tangled Web” concentrates on a completely separate set of issues, you can’t fail but draw comparison between the two books. Zalewski’s unique style of writing brings both topics to life, not simply scratching the surface of a set topic, but diving headlong into the lowest levels to give the reader a true understanding of the reasons why, and the thought processes behind, any feature, bug, or technology discussed. The Tangled Web does for Web Applications what silence on the wire did for computers and networks.

The Tangled Web is split into 3 parts, starting off with a concise walk-through of the underlying technologies of the web. Unlike so many other books that take for granted that the reader is already up to par on the backstory, Zalewski takes the time to really dig deep into the tools, protocols and RFCs that run the modern web.

Part 1: Anatomy of the web

It starts with a URL
Hypertext Transfer Protocol
Hypertext Markup Language
Cascading Style Sheets
Browser Side Scripts
Non-HTML Document Types
Content Rendering with Browser plug-ins

This not always pretty romp through an alphabet soup of acronyms gives the reader the knowledge need to not only understand and appreciate the 2nd part of the book as it should be, but is in my mind the single best source for anybody looking to really understand the web as it works today. Not the way you think it works, the way it should work, or the way the RFCs say it needs to work, but the down and dirty truth behind the web. Nothing is what it seems, and when you place the safety of your computer in the hands of browser vendors, you’re not quite sure what you’re going to get it seems.

Part 2 of the book moves from understanding the web to understanding how browsers see and interpret the web, and how the browser security models really work. You’d think every browser would see things and handle things the same, but after even the first few pages you get the feeling that no 2 browsers are going to handle things the way you expect, or want!

Part 2: Browser Security Features

Content Isolation Logic
Origin Inheritance
Life Outside Same-Origin Rules
Other Security Boundaries
Content Recognition Mechanisms
Dealing With Rogue Scripts
Extrinsic Site Privileges

Zalewski covers the very fundamentals the current generation of browsers use to protect users in a way that just seems to make things click. Even when discussing things like same-origin policy and how the different browsers interpret the rules, the information just seems to make sense without needing to re-read sections over and over (an issue I had with some of the “silence on the wire” content at times). A common theme that comes up in part 2 of the book is the “sins of the old”, were browsers are suffering from security issues due to lack of foresight. As more and more bandaids are stuck into the browser security models, things become ever complex. It’s sad to see however that companies still aren’t learning from this lack of foresight as issues crop up again and again (for example ).

Those who cannot remember the past are condemned to repeat it. (George Santayana)

The chapter discussing “Content Recognition Mechanisms could easily be renamed to “101 reasons to always set a charset”. The sniffing logic of browsers is both scary and often abused. What struck me more than the scary quirks of certain browsers was that most people just aren’t aware of these issues… I know I wasn’t!

Moving into part 3 of the book, Zalewski talks about what’s to come in terms of browser advancements.

Part 3: A Glimpe Of Things To Come

New And Upcoming Security Features
Other Browser Mechanisms Of Note
Common Web Vulnerabilities

Despite what the first 2 chapters of the tangled web bring to light, it doesn’t seem that browser vendors have learnt the lesson from history. New features seem to once again be applied unevenly across browsers, with Microsoft going their own route with things like xDomainRequest. Not to be left out in the cold, Mozilla’s drive for CSP is discussed in-depth along with other restriction frameworks. There’s a lot of ideas in this space it seems, but little consensus on how or what to implement.

Conclusions

I love this book… there’s no other way to say it. Every once in a while you get a book that’s well written, contains good content and sparks those little ideas in the back of your brain. For me, the tangled web met all of these points and then some. A book that gives you so much background on the how and the why of things, that you come out the other end really feeling like you know the subject matter.

That said, I’m not 100% sure who this book is targeted at… the addition of the “security engineering cheat sheets” at the end of each chapter is a great idea, and for a defender it provides some really good information. How ever I’m not sure I know many defenders that would pick this book up and give it the time it really deserves. Maybe I’m wrong on this, and I hope I am.

I also ~~don’t~~ didn’t see it being something the attacker types would be jumping all over themselves to read either. It’s not full of the usual hacking tips, tricks and tools you’ve come to expect from hacker books in the last few years. The information is more than that I find, but it needs to be applied to other ideas to be really useful. Still from a discussion with No Starch at Shmoocon, they sold out of the tangled web, so I hope I’m wrong on this too.

TL:DR; Read this book… give it your full attention, and come out the other end smarter for it!

Tagged: nostarch, tangled web, Zalewski

ShmooCon 2012: Raising The White Flag

ChrisJohnRiley — Sat, 28 Jan 2012 17:47:30 +0000

Raising The White Flag

:: Bypassing Application White Listing

– Curt Shaffer and Chris Cuevas

More and more people are seeing application whitelisting in their environments. Despite what marketing people say, these solutions don’t stop APT and other advanced threats. This talk is designed to shine a light on the issues with whitelisting.

Whitelisting is often touted as a replacement for AV. Despite the fact that something better than AV is needed, application whitelisting isn’t the solution. Their purpose seems good, for the execution is lacking. Things are headed in the right direction, but using simple bypass techniques it’s possible to bypass these whitelisting protections.

The following application whitelisting tools were tested.

Bit9 Parity 6.0.0
McAfee Application Protection
Microsoft Applocker

Methodology

Windows File Protection
File Naming Fun
Iexpress packagng
Java Exploits/Malware
Flash Exploits/Malware
Adobe Exploits/Malware
JavaScript
VBA
Raw Shellcode
Powershell

Some other things were excluded due to time constraints (including HTML5, CD-ROM ISO masquerading, Digitally Signed Malware).

Bypassing Techniques Attempted

ActiveX
PDF attacks
- Spawning shell
Office documents
- VBscript Macros
Shellcodexec
- Inject shellcode into memory
JAVA
- Applet
- Exploit
JavaScript
- BeEF hook
- Firefox Extension
Powershell
- Run script by piping into powershell.exe
- DLL Injection
- Shellcode injection
- Chrome Extension
Man-in-the-Middle
- Sniff, modify, replay

This is all know. We’ve been pissing on AV for a long time. Time to piss on whitelisting as well.

Results

McAfee

Most things worked, except Windows File Protection and Iexpress.

Bit9

Inconsistent results with Windows File Protection, and again Iexpress failed. However everything else works.

What Worked

JavaScript

Injecting BeEF into a browser process

Windows Help Files

Compiled HTML, but needs a degree of social engineering to get people to click

Can run cmd.exe and game over

Office Documents

Lots of work in this area by Didier Stevens

Powershell

Powershell code injection into any 32bit or 64 bit

Powershell syringe

Man-in-theMiddle

Get between the client and server

ARP spoof, iptables redirect

It’s HTTPS, but it doesn’t check the cert

Enables you to drop level from enforce blocks to only alert

Self protection

Abilty to inject code into the actual whitelisting exe (in this case parity.exe of Bit9)

Bit9 deny this is an issue.

[ demo of shellcode exection within the Bit9 Notifier process ]

Metasploit module for this will be released to demo this.

Stopping this attack

To protect this on Bit9, go to the admin control panel and add memory rules to protect the notifier.exe process. The memory protection menu is only available in versions above 6.0.1.

Links:

Talk abstract –> HERE

Tagged: Shmoocon, whitelisting

ShmooCon 2012: Java backdoors and Cross Framework Abuse

ChrisJohnRiley — Sat, 28 Jan 2012 16:42:13 +0000

Java backdoors and Cross Framework Abuse

– Nicholas (aricon) Berthaume

Adding backdoor(s)

Java has a number of different archive formats. This talk covers the J2SE / J2EE type archives. The goal here is to show how simple it is to add potentially malicious software to three of the most common format.

JAR – Java ARchive

Typical run in Java Virtual Machines on client system

ZIP files with manifests, metadata and Java byte-code

Can be digitally signed

WARs – Web application Archives

Typical run on Java application servers such as Tomcat

Run as the remote server user.

Can be digitally signed

EAR – Enterprise application ARchive

Very similar to WAR, but with extended enterprise features.

All three file formats when allowed to run can create sockets, interact with the filesystem outside of the respective virtual machines and execute commands there. This makes then perfectly suited for exploitation.

Run typical with full permissions of the user and display very few warnings. At most you receive a “run or don’t run” style prompt. Signing, even with a self-signed certificate, reduces these warnings.

AV engines rarely do effective heuristic analysis on known malicious code when it’s inserted into a Java Archive format.

JAR backdoor payloads

File droppers that execute arbitrary code.

WAR backdoor payloads

Completely malicious additions to existing WAR files content, JavaScript and so on.

All of the same features of JAR files, but run on the remote server.

EAR backdoor payloads

Similar abuse to WAR, but also allow for greater reuse of classes and scaling across multiple servers and additional security roles.

Adding content to WAR files is often as simple as editing the manifest and adding the required backdoor code. EAR is however a little more complex due to the additional features. However it’s possible to set the security context used to run your backdoor code.

JAR is more complex however. The process involves extracting a JAR to use as the host, add files into the correct paths and edit the MANIFEST as required.

Enter RAWJAR

Tool designed to automate this functionality. Written in Python.

When combined with the JDK, this tools will give you the ability to add arbitrary Java to existing files.

Currently tested with EAR, WAR, JAR files using the JAVA meterpreter as the standard backdoor. However other can be used with minor modifications.

Due to the way code is run, closing the browser after infection leaves the code active on the system.

Cross-framework Injection

In additions to pure Java there are a number of extension APIs that are either included or installable.

Java Native Access (JNA)

Open-source utility for calling native and managed libraries/assemblies on nearly every platform that the JVM runs on.

.NET from the JNA

By using assembled code in .NET (using jython) it was possible to implement simple calls outside the framework without needing to recompile the classes due to the reasonable support found in the JNA.

From here the goal is to inject processes, hopefully using standard injection techniques to inject into .NET or inject a DLL into memory.

Links:

Talk abstract –> HERE
RAWJAR project –> HERE

Tagged: frameworks, java, Shmoocon

SANS Germany 2012

ChrisJohnRiley — Tue, 24 Jan 2012 18:00:17 +0000

So a little birdie told me that the fine folks over at SANS are arranging a conference in Germany this year. Unfortunately I can’t get the time off to attend, but I managed to wrangle a discount code incase any of you fine reader types are thinking of attending…

SANS Germany 2012
SANS Germany 2012 is coming up soon on 5-10 March at the Arcotel Camino in Stuttgart. This will be the first SANS training conference in the country since 2008. SANS is bringing some of its biggest classes back to Europe by popular demand.

SEC504: Hacker Techniques, Exploits and Incident Handling
MGT512: SANS Security Leadership Essentials for Managers with Knowledge Compression
DEV522: Defending Web Applications Security Essentials

So if you’re thinking of attending, the discount code “SANS5DE12” should be good for 5% off the cost of the course. Enjoy!

Links:

SANS Germany 2012

Tagged: SANS

Eurotrashsec… the year that was!

ChrisJohnRiley — Thu, 19 Jan 2012 13:00:44 +0000

2011 was a good year for the Eurotrash Security Podcast. We did some new stuff (being a media sponsor for the FIRST conference, and being 50% of the FIRST Podcast with Martin McKeay from the Network Security podcast), and we kept to an almost monthly schedule… which is much harder than you think. We also brought Ben (AKA Wicked Clown, AKA Mr Inappropriate) into the fold, and immediately started to need to edit out offensive content more often. A coincidence I’m sure

In general 2011 was a big year for us… and 2012 could be even bigger. Eurotrashsec got nominated for a social security blogger awards in the best security podcast category! An honor to be sure… even if we don’t (and we won’t) win.

So what was up in 2011 for Eurotrashsec… well, the man behind the curtain, @xme, sent over some stats and a wicked mashup of episodes downloads overlayed on Google Maps… so let’s get to some stats.

General stats:

Total hits: 2.493.500
Total MP3 downloads: 103.346
Total unique IP’s: 56.152
Visits: 5.013
Unique visitors: 3.501

Nice to see that the podcast topped the 100,000 downloads in 2011. I’m sure Pauldotcom does that in a weekend, but we like to be niche… honest! It’s not to late to download the episodes you missed now you know –> XML

Top-5 countries:

I’m pretty sure that the French listeners will be dropping after the last podcast… still we like to try and be equal opportunity offenders (we like to offend everybody equally that is). So looks like we need to move up the list to our German listeners next

I threw together some nice graphs in Excel (@wimremes is probably turning in his grave right now) that show the most popular episodes of 2011 and the downloads (full show and microtrash episodes). I also made a screenshot of @xme’s wonderful map overlay –> full version HERE

Let 2012 begin!

Tagged: Eurotrashsec, podcast, stats

Unsung heros

ChrisJohnRiley — Fri, 13 Jan 2012 13:30:36 +0000

tl;dr : I’m searching for your suggestions for the unsung heroes of security tools (not the usual things we talk about every day). Please send your entries via the form HERE… there will be a random prize for people taking part.

Have you ever stumbled on a tool and wondered “Why didn’t I know this existed!” or “If only I’d had this last week on that test”… if you’re anything like me then it happens all to often. As an industry we have more ideas, methods and tiny tools/scripts than we know what to do with. Every time a conference rolls around (which is almost daily now it seems - Is the answer more InfoSec Conferences?) people are eager to pimp their wares (I’m no different), and sometimes it’s needed to show proof of concept, new technique or something else equally mind-blowing. Some (and only some) of those new techniques, methods, attacks, … will make the jump from niche tool into a framework (such as Metasploit or nmap). Some others will live on in individual tools/scripts. Projects like Backtrack Linux try to gather the most well-known of these tools into a central distribution, but inevitably there’s always the one or two real gems that fall between the gaps. You can’t cram everything into any single framework or distribution, otherwise it becomes unusable.

So where does that leave us? It’s leaves us with Google (or Bing, if you’re really hard up) as the only hope for finding those niche solutions for testing that funky web app that you didn’t even know would run on AIX 5.2.

Previously some very nice people have gone out of their way to document and bring these niche tools together, lest they be lost to the annuls of time. A few years back @mubix took the time to catalogue the tools released at just one conference. The Defcon Tools page shows the tools that could be catalogued after the Defcon 18 conference. That’s a lot of tools for a 3 day period! No wonder we skip over some of the ones we should be paying attention to… and there I finally get to the point of this blog post.

I’m attempting to (and I say attempting, as it relies on you the readers to help out) gather suggestions for your “unsung hero” of the tools world. As we work in Infosec I’m looking specifically to gather a list of tools that aren’t on ever penetration tester, or forensic investigators list, but that you have respect for. We all love Metasploit, nmap and the other popular tools voted for on the SecTool TOP 125 list. However I’m looking for something a bit different here, something off the beat and track.

So, if you’ve got a favourite tool (or 2) that you think are your unsung heroes, I want to hear about it. Don’t wait, don’t even think… you’ve got one in mind right now… just fill in that form and click submit!

Oh, did I forget to mention! I’ll be doing a random draw of 1 of the entries and sending you a book. Not sure what just yet, but I’m sure you’ll like it You’ve gotta be in it to win it!

[contact-form]

Please share this link with your friends, work colleagues, drinking buddies, or hobos… the more the merrier!

Short link –> http://c22.cc/heroes

* Why do I request your email address… simple, at some point (if this goes to plan) there will be a vote. I’m happy to email out links to the vote as and when… then again, if you don’t want to give me your email address, that’s fine too. Not like I’m gonna sell it

Tagged: forgotten, tools

The CSRF that almost was…

ChrisJohnRiley — Sun, 08 Jan 2012 17:07:38 +0000

It’s strange sometimes where your inspiration comes from, but regardless of where, it’s good to be back in the saddle when it comes to really enjoying some research. Some people close to me might already be aware, but I’ve not really been “into it” for a while now, as can be seen by the lack of blog posts or interesting content. Lets hope this is the light at the end of that tunnel (… and that it’s not a train, obviously ;)

So, back to the interesting idea. A lot of the research I did into the SAP Management Console was about what an attacker could do accessing it from the internet, or directly when on the local LAN segment. Although there’s probably a lot more attackers could do with this stuff, the protections that SAP have rolled out should be enough to deter most casual attackers. I’d also looked at what attackers could do to attack client-side, by sitting in the middle and providing a tainted JAVA applet when an administrator comes to load the SAP Management Console… or even forcing Basic Authentication at points before the application requires it. The thing I’d not really done was think about what an attacker could do from the internet without ever actually having access to the SAP Management Console.

Looking back at history a bit, I re-read some posts on using CSRF attacks to change settings on local ADSL routers. The attack isn’t new, and there’s more than a few resources discussing it. However I was interested to see if this sort of attack could be used to perform remote code execution on the SAP Management Console using the OSExecute method. Normally this is an authenticated method, so an attacker would need a username / password, but by using CSRF, this seemed like it could be bypassed if certain conditions were met (i.e. an administrator can be lured to the CSRF page, and they are logged into the SAP MC, or have clicked the “save password” prompt to save time on future logons).

Starting off I needed to find a solution to force a user to perform a POST request, as the SOAP message can’t be sent over GET unfortunately. After a bit or playing and research I stumbled on a post by pentest monkey detailing some work he’d done on the same issue. Using an HTML form containing the contents of the POST request as the name field, it was possible to send the desired request. By adding a JavaScript trigger it was also possible to send the form (and thus the POST request) without user actions. So, all well and good.

The above FORM includes a complete SOAP request (using the OSExecute method) within the first input name field. In the case of the POC script, the servername is set using a variable passed to the page forming the POST message. The name of the SAP system internally can easily be found using one of the SAP Management Console modules that are now in Metasploit.

To get the form to automatically submit without user interaction, I added the following JavaScript… (tested in Chrome, IE and Firefox)

function myfunc () {
var frm = document.getElementById("sap");
frm.submit();
}
window.onload = myfunc;

The result is a page that forms a valid POST request to the SAP Management Console inside the targets network.

POST / HTTP/1.1
Host: server.example.com:50013
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:6.0.1) Gecko/20100101 Firefox/6.0.1
Referer: http://www.catch22insecurity.com/POC/soap_post.php?servername=server.example.com
Content-Type: text/plain
Content-Length: 575

truecmd /c echo "wimming" > c:\temp\proof.txt0=

Despite the additional “=” sign being tagged onto the end (as a result of the HTML FORM), the request is valid and will be honored by the SAP Management Console if valid credentials are already saved in the browser being used, or a valid Basic Auth header is present… and THIS is where the “almost was” comes into play.

When testing it became evident that browsers (IE and Firefox at the very least) don’t automate the response of valid credentials when they’re stored in the browsers password store. When the SAP Management Console responds to the target asking for credentials, even if they’re stored in the browser, the user is prompted to click OK on the already filled out username/password box.

Well that’s a pity! … and no change when serving it up over SSL either.

So where does this work?

So as to not totally come out of this a looser, where does (or could) this attack work. Sticking with SAP Management Console there are a few places it could still work well.

The obvious –> Admins that click-through anything. If the user accepts (or enters) valid credentials, then the OSExecute will be successful.
SAP MC Methods that are not protected –> Anything where a blind request can be sent and an action is performed without requesting credentials. This is limited in SAP, and as no response can be received by the attacker, the scope is limited.
Attacks against specific SSO implementations –> Not naming names, but there are more than a few Single Sign On solutions out there that take the place of browser passwords stores (and other password stores). These solutions may act differently when saving a password… I’ve seen implementations that fill in the credentials and submit them without user action.
Situations where an SAP Administrator has already performed direct actions against the SAP Management Console through the browser, thus setting a valid Basic Auth token –> Few and far between, as the interaction is mostly through MMC of JAVA applets that do not need to use the browser.
Exploit delivery –> There are, and will probably be in the future, valid one request exploits against SAP Management Console. This attack vector would allow these exploits to be delivered as long as no credentials or other user input is required.

Well there it is… The time invested was minimal and as with everything, you learn as you fail… Feel free to take a look at the POC I put up on my site if you want to try it out for yourself. Please don’t abuse it though!

POC .:

HTTP –> http://www.catch22insecurity.com/POC/soap_post.php?servername=server.example.com
HTTPS –>https://www.catch22insecurity.com/POC/soap_post_ssl.php?servername=server.example.com
- Self signed certificates on HTTPS may cause issues in your testing. YMMV

Tagged: CSRF, sap, So Close, SOAP

Some stuff about SVN

ChrisJohnRiley — Sat, 31 Dec 2011 17:00:47 +0000

As I mentioned in my earlier post, the automated Metasploit Modules posts are going the way of the dodo. Still, there are a few things from my automated posts that I didn’t want to just disappear, mainly because I’m sure I’ll forget them if I don’t post about them. Ignoring all the issues with setting up mutt to email a file at a set time, and getting WordPress to correctly format an emailed HTML file, the main thing I wanted to note was some SVN tricks I picked up while writing my automated shell script. I’m not sure how well-known or useful these tips are, but here that are anyway, for those that are interested.

svn diff

There are various uses for the svn diff command. However for the purposes of automating a list of new modules added to Metasploit I used the diff command to summarize changes to the TRUNK itself.

Example:

svn diff https://metasploit.com/svn/framework3/trunk –summarize -r 14450:HEAD –non-interactive

….

M https://metasploit.com/svn/framework3/trunk/lib/msf/core/rpc/v10/client.rb
M https://metasploit.com/svn/framework3/trunk/lib/msf/core/model/workspace.rb
A https://metasploit.com/svn/framework3/trunk/lib/msf/core/post/windows/shadowcopy.rb
M https://metasploit.com/svn/framework3/trunk/lib/msf/core/auxiliary/report.rb
....

This example will output all changes (Additions, Deletions, Modifications) to the files in the TRUNK between revision 14450 and HEAD (a shortcut for the current revision). This is great, but not everybody happens to remember the revision numbers used on a set date, and although it was useful for automated scripts (simply save the HEAD revision number for use as a starting point in the next script) it doesn’t lend itself to easily seeing what’s been changed in the last week/month/year.

So what can we do to get just the last weeks changes… the -r in the above example can be altered to include a set date as either the start of end point. By putting a date inside {} brackets you can see exactly what was changed in the last week.

Example:

svn diff https://metasploit.com/svn/framework3/trunk –summarize -r {2011-12-24}:{2011-12-31} –non-interactive

We can obviously take this a step further and begin filtering the output for only the newly added scripts using simple regex. I implemented this in a shell script by piping the output to ”grep ‘^A’ | cut -b 8-” to select only the Additions and remove the preamble from the output.

svn info

As an aside, the following command will give you the current revision as well as further information

svn info https://metasploit.com/svn/framework3/trunk

….

Path: trunk
URL: https://metasploit.com/svn/framework3/trunk
Repository Root: https://metasploit.com/svn
Repository UUID: 4d416f70-5f16-0410-b530-b9f4589650da
Revision: 14492
Node Kind: directory
Last Changed Author: rapid7
Last Changed Rev: 14492
Last Changed Date: 2011-12-30 23:04:03 +0000 (Fri, 30 Dec 2011)

of course, if you just want the Last Changed Rev number, then piping this into “grep ‘^Revision:’ | cut -b 11-” will give you just the reference number itself.

Well there it is, I hope some of you find it a little useful.

Here’s to 2012! See you on the other side…

Tagged: Metasploit, svn, tricks, updates

Metasploit Modules: A Year in Review

ChrisJohnRiley — Sat, 31 Dec 2011 15:15:39 +0000

A month of so back now I started automating some posts on the new Metasploit modules released. As luck would have it, about the same time, the guys over at Rapid7 started to churn out more regular blog post themselves, giving details of the key modules and changes. Although the posts were interesting to a select few, I never saw them as a long-term thing and as the year ticks over to 2012 it’s time to put them to bed. After all, the people at R7 are bound to have a better overview of Metasploit than I am.

Before it goes though, I took time to output newly added modules between 2011-01-01 and now (2011-12-31)… just to show what’s been accomplished in 2011. I’m sure the fine folks at R7 will be putting out a more detailed review together with pretty charts, and maybe even an Infographic or two. Still, I hope this proves useful for some as we wave goodbye to the automated weekly posts.

Note: These are only the modules marked as Additions within the modules / tools or scripts directories. Some modules may be excluded and others may appear if they were Deleted and reAdded at some point in the year. I’ll be posting up something about how the lists were created in a separate post soon.

The following modules have been added to the Metasploit SVN between 2011-01-01 and 2011-12-31

Tagged: additions, Metasploit, svn, year in review