Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

[BruCON] Script Fragmentation

Stephan Chenette – Script Fragmentation: Fear the new web attack vector

  • Web exploit delivers
  • Current detection bypass techniques
  • Next generation exploit delivery

Exploit delivery is a large part of successful exploitation of a target. Without a suitable delivery method that avoids detection, the exploit will never get to run against the target. The goal is to make the attack look like normal traffic.

Various methods are currently in use at the content level (obfuscated code, polymorphic obfuscation, encryption) and at the network level (referral checks, blacklisting known security companies, …).

Content in a web 1.0 world comes back in one lump, so malicious code is easy to detect at the gateway. Bypasses were developed to obfuscate the code (including polymorphic obfuscation) to avoid the filters and detection. Signature analysis is easy to bypass by changing the exploit code (changing variables, removing whitespace, renaming functions, encoding values, …) and by including anti-debugging measures.

The AV vendors began to integrate JavaScript engines into their products to defeat the obfuscation. These engines are usually simplistic and easily bypassed.

Is there more attackers can do to foil detection?

Malicious content can be split across several requests/responses, which makes it harder to check before the malicious code is complete and running (multi-part attacks). Most checkers do not keep state and therefore can't correlate the separate connections used to build an attack.

  • Exploit UGC
  • Exploit transitive trust
  • Exploit free access/accounts
  • No change in Exploit delivery

But is there even more that attackers can do?

Content in a web 2.0 world is dynamic – Script fragmentation == Malicious AJAX

  • TCP Fragmentation – Network Layer (RFCs and standard)
  • Script Fragmentation – Application Layer (Custom apps, no standards here)

Browsers allow an unknown entity to execute arbitrary code (JavaScript) on the client's machine once it arrives – This is by design.

Discussion of XDR (XML Domain Request Object) as well as examples of standard JavaScript attacks on the DOM.

Script Fragmentation process (simplified)

  • Store the malicious content on the server
  • SERVER: Serve the client a webpage containing the script fragmentation decoder routine
  • CLIENT: Use the XMLHttpRequest object to request only a small chunk of the malicious content from the server
  • SERVER: Respond with the requested chunk of malicious content
  • CLIENT: Save the chunk of malicious code in JavaScript variables and repeat the request process to the SERVER until the content is complete
  • CLIENT: Decode and run the malicious content on the client (using eval or by creating a DOM element)
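To show why the process above defeats a stateless checker and what a gateway that keeps per-client state can do about it, here is an added defender-side example (written for these notes, not code from the talk). It reassembles constructed sample responses (JSON chunks served out of order from several assumed hosts, plus unrelated traffic) per client and scans the joined script, so a signature that misses every individual chunk matches the whole.

```python
import json
from collections import defaultdict

# Constructed sample: client 10.0.0.5 pulls a script in 7-byte JSON chunks
# from three hosts with the offsets served out of sequence; client 10.0.0.9
# fetches ordinary, non-fragment responses.  The payload is harmless alert(1).
PAYLOAD = 'eval(unescape("%61%6c%65%72%74%28%31%29"))'
CHUNK = 7
ORDER = [35, 0, 21, 7, 28, 14]            # randomised offset sequence
HOSTS = ["a.example", "b.example", "c.example"]
RESPONSES = [
    {"client": "10.0.0.5", "host": HOSTS[i % len(HOSTS)], "path": f"/f?o={o}",
     "body": json.dumps({"o": o, "d": PAYLOAD[o:o + CHUNK]})}
    for i, o in enumerate(ORDER)
] + [
    {"client": "10.0.0.9", "host": "a.example", "path": "/api", "body": '{"ok": true}'},
    {"client": "10.0.0.9", "host": "a.example", "path": "/", "body": "<html>hi</html>"},
]

SIGNATURES = ["eval(unescape("]          # deliberately simple gateway signature


def stateless_scan(responses):
    """Per-response check, as a gateway without session state does it."""
    return [r["path"] for r in responses
            if any(sig in r["body"] for sig in SIGNATURES)]


def reassemble(responses):
    """Group JSON fragments per client across all hosts, order by offset, join."""
    per_client = defaultdict(list)
    for r in responses:
        try:
            frag = json.loads(r["body"])
            item = (int(frag["o"]), str(frag["d"]))
        except (ValueError, KeyError, TypeError):
            continue                      # not a fragment carrier; skip it
        per_client[r["client"]].append(item)
    return {c: "".join(d for _, d in sorted(parts))
            for c, parts in per_client.items()}


def stateful_scan(responses):
    """Scan each client's reassembled script instead of individual chunks."""
    return [c for c, script in reassemble(responses).items()
            if any(sig in script for sig in SIGNATURES)]


if __name__ == "__main__":
    print("stateless hits:", stateless_scan(RESPONSES))   # []
    print("stateful hits: ", stateful_scan(RESPONSES))    # ['10.0.0.5']
```

Spreading the chunks across more hosts does not change the result here because the state is keyed on the client, not the server; the cost is keeping that per-client buffer at the gateway.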

Options for data transfer

  • RAW (user-defined)
  • XML
  • JSON
  • Etc…

Beyond the basics

  • Hide decoder in Flash/PDF files
  • Randomise sequence of offsets
  • xor/encrypt data
  • Previous fragment contains decryption key for next fragment
  • Spread data across multiple webservers (botnet, XDR,…)

The more you can spread and obfuscate the malicious content, the better the chance of it succeeding and bypassing protections. 100 connections to different servers are hard to correlate.

DEMO ==> Using the MDAC exploit (design bug?) delivered via the script fragmentation method

Downsides of fragmenting the payload

  • More data is transferred
  • More packets are created

Running the payload through VirusTotal, the attack is detected without fragmentation but is not detected when fragmentation is in use.

AV won't detect script fragmentation attacks – no substantial content to trigger an alert.

Be generic, use existing engines – the more custom code used, the easier it is to detect and create signatures for.

Future defenses:

  • Better JavaScript emulation
  • Gateway/Worker Gateway defense combination
  • Gateway/Client defense combination
  • Desktop AV has to inspect the DOM/JS Engine
  • Browser vendors have to better expose DOM/Scripting functionality
  • Whitelist active content (eg. NoScript)
