Stephan Chenette – Script Fragmentation: Fear the new web attack vector
- Web exploit delivers
- Current detection bypass techniques
- Next generation exploit delivery
Exploit delivery is a large part of successful exploitation of a target. Without a suitable delivery method that avoids detection, an exploit will not be able to successfully attack the target. The goal is to make your attack look like normal traffic.
Various methods are currently in use at the content level (obfuscated code, polymorphic obfuscation, encryption) and at the network level (referrer checks, blacklisting known security companies, …).
Content in a web 1.0 world comes back in one lump – easy to detect malicious code at the gateway. Bypasses were developed to obfuscate the code (including polymorphic obfuscation) to avoid the filters and detection. Signature analysis is easy to bypass by changing the exploit code (changing variable names, removing whitespace, renaming functions, encoding values, …) and by including anti-debugging measures.
Is there more attackers can do to foil detection?
Malicious content can be split across several requests/responses – harder to check before the malicious code is complete and running. Multi-part attacks. Most checkers do not keep state and therefore can’t draw a correlation between the separate connections used to build an attack.
- Exploit UGC
- Exploit transitive trust
- Exploit free access/accounts
- No change in Exploit delivery
But is there even more that attackers can do?
Content in a web 2.0 is dynamic – Script fragmentation == Malicious AJAX
- TCP Fragmentation – Network Layer (RFCs and standard)
- Script Fragmentation – Application Layer (Custom apps, no standards here)
Script Fragmentation process (simplified)
- Stored malicious content on server
- SERVER: Serve client webpage with script fragmentation decoder routine
- CLIENT: Use the XMLHttpRequest object to request only a small chunk of the malicious content from the server
- SERVER: Responds with the requested chunk of malicious content
- CLIENT: Decode and run the malicious content on the client (using eval() or by creating a DOM element)
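The point made above, that stateless checkers cannot correlate the separate connections used to build an attack, is easiest to see by contrasting a per-response scan with one that keeps state per client. The following is an added example (not code from the talk or its demo) of the gateway side: it takes a constructed log of chunk responses as a proxy would see them, scans each response in isolation, then buffers the fragments per client session, orders them by requested offset (so a randomised request order does not matter) and scans the reassembled script. The "malicious" content is a placeholder marker string and the session ids are made up; the signature check is a plain substring match standing in for a real content filter.

```javascript
// Added example, not from the talk: stateless vs. stateful inspection of
// fragment responses at a gateway. All inputs below are constructed.

// Constructed gateway log: one record per chunk response.
// client = session/source id, offset = byte offset the XHR asked for, body = chunk returned.
const SAMPLE_RESPONSES = [
  { client: "10.0.0.5", offset: 12, body: "ARKER_TRIGGER" },       // arrives out of order
  { client: "10.0.0.9", offset: 0,  body: "var greeting = 'hi';" }, // unrelated benign session
  { client: "10.0.0.5", offset: 0,  body: "/* EXPLOIT_M" },
  { client: "10.0.0.5", offset: 25, body: " */ run();" },
];

// Placeholder signature a content filter would alert on once it sees the whole script.
const SIGNATURE = "EXPLOIT_MARKER_TRIGGER";

// Stateless gateway: each response is inspected on its own and then forgotten.
// No single chunk contains the signature, so nothing is flagged.
function statelessScan(responses, signature) {
  return responses.filter(r => r.body.includes(signature)).map(r => r.client);
}

// Stateful gateway: group chunks by client, sort by offset, join into one buffer per client.
function reassembleByClient(responses) {
  const perClient = new Map();
  for (const r of responses) {
    if (!perClient.has(r.client)) perClient.set(r.client, []);
    perClient.get(r.client).push(r);
  }
  const reassembled = new Map();
  for (const [client, chunks] of perClient) {
    chunks.sort((a, b) => a.offset - b.offset);
    reassembled.set(client, chunks.map(c => c.body).join(""));
  }
  return reassembled;
}

// Scan the reassembled per-client buffers; returns the clients whose script matched.
function statefulScan(responses, signature) {
  const hits = [];
  for (const [client, script] of reassembleByClient(responses)) {
    if (script.includes(signature)) hits.push(client);
  }
  return hits;
}

console.log("stateless:", statelessScan(SAMPLE_RESPONSES, SIGNATURE)); // []
console.log("stateful: ", statefulScan(SAMPLE_RESPONSES, SIGNATURE));  // [ '10.0.0.5' ]
```

The cost of the stateful approach is exactly the state: the gateway has to hold per-client buffers until it decides a script is complete, and the talk's "spread across multiple webservers" variant defeats correlation keyed on the server side, which is why keying on the client session, as here, is the more useful choice.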
Options for data transfer
- RAW (user-defined)
Beyond the basics
- Hide decoder in Flash/PDF files
- Randomise sequence of offsets
- xor/encrypt data
- Previous fragment contains decryption key for next fragment
- Spread data across multiple webservers (botnet, XDR,…)
The more you can spread and obfuscate the malicious content, the more chance there is of it succeeding and bypassing protections. 100 connections to different servers are hard to correlate.
DEMO ==> The MDAC exploit (design bug?) delivered using the script fragmentation method
Downsides of fragmenting the payload
- More data is transferred
- More packets are created
Running the payload through VirusTotal, the attack is detected without fragmentation, but it is not detected when fragmentation is in use.
AV won’t detect script fragmentation attacks – no substantial content in any one response to trigger an alert.
Be generic, use existing engines – the more custom code is used, the easier it is to detect and to create signatures for.
Future defenses:
- Gateway/Worker Gateway defense combination
- Gateway/Client defense combination
- Desktop AV has to inspect the DOM/JS Engine
- Browser vendors have to better expose DOM/Scripting functionality
- Whitelist active content (e.g. NoScript)