Feeds

Worms 2.0!

The Metasploit menace inside your firewall

Beginner's guide to SSL certificates

Interview Wade Alcorn recently published a paper explaining the technical details behind Inter-protocol Exploitation [PDF, 120kb].

In his research he focused on using a web browser as a beachhead to launch Metasploit-style attacks. What this means is that any Javascript enabled web browser might be used to launch an attack against a service, for example a VoIP server, and gain complete control of the box.

Generally exploits are executed inside a development framework such as Metasploit, or run directly from the code. But this time, the code would run inside the browser, using Javascript. And all of this takes palce without exploiting any bugs in the browser itself.

Your browser is now an active menace against the security of your internal network. However, the problem can't be easily fixed, because it is not based on a bug: it simply uses "Web 2.0" technologies against you.

Can you explain how this works, Wade?

Wade Alcorn: It is well known that an attacker can establish a control channel through a firewall/DMZ to a browser. The control channel usually maintains two-way communication through periodic command requests back to the attacker's web server. Using this control channel the attacker can send commands for the web browser to execute. The example most commonly demonstrated is the use of JavaScript code to display an alert dialog box.

My research has shown that the browser can be instructed to launch exploit code, encapsulated in HTTP, at machines on its internal network. Whilst my focus has been on HTTP as the carrier protocol, other protocols can also potentially encapsulate exploits. The examples in the paper employed JavaScript to construct the requests and generate the exploit payload.

Could you cite a real life example?

For successful Inter-protocol Exploitation there needs to be a method to encapsulate the exploit in the carrier protocol. Also, depending on the complexity of the communication flow which is a precursor to exploit delivery, a handshake may also be required. This is the case in the Asterisk manager interface vulnerability; it is exploitable only after authentication.

The Asterisk Inter-protocol Exploit example included in the paper illustrates the multiple requirements. Firstly the HTTP headers are simply interpreted as erroneous commands by the Asterisk server. Next, the encapsulated handshake is sent which, in this instance, is a valid set of authentication details. Now the server is in an exploitable state and the encapsulated exploit is interpreted by the asterisk server. The handshake and exploit use an HTTP multi-part POST request for encapsulation. In this instance the two protocols have communicated sufficiently to send exploit code from the web browser (via HTTP) to the Asterisk manager interface. The example starts a bindshell listening on port 4444.

How does this affect internal networks security?

Organisations commonly use a model that invests the majority of security resources into the external perimeter. This leaves the internal networks as a much softer target. The bug exposes a network's soft underbelly to Inter-protocol Exploitation.

Another danger is that web Inter-protocol Exploitation will be combined with cross-site scripting viruses. The infamous MySpace XSS virus payload was executed one million times. It is safe to presume that a subset of those infected browsers were likely to be connected to internal networks.

Significant damage could have been done if an Inter-protocol Exploit was used as the payload.

In short, an attacker can establish a control channel through a firewall/DMZ to a browser. From this position the browser can then be instructed to launch Metasploit style exploits at internal machines. This combined with non-hardened internal networks increases the risk of penetration by an attacker. In the future, the security of internal networks will need to increase to withstand attacks of this kind.

Is there any workaround that browsers could implement?

An option is to warn the user when a request is performed to ports other than 80 and 443 - like when an invalid HTTPS certificate is detected. This would give users a chance to prevent an Inter-protocol Exploit being launched from the browser.

You gave the example of Asterisk, that required authentication. I am wondering if this means that this could be used to launch password guessing attacks to ssh servers too.

It is unlikely because of the complexity of the SSH handshake. However, brute force attacks can be launched on other protocols eg. IMAP.

Since I don't think we can try to modify HTTP, I guess the best way is to improve the way network daemons handle "strange" garbage at the beginning of a connection. What is your suggestion for programmers of such software?

My suggestion is that network daemons drop the connection immediately after receiving an invalid command. This would reduce the error tolerance significantly and in turn reduce the likelihood of Inter-protocol Exploitation. If error tolerance is required for development or debugging purposes, it could be simply added as a configurable option.

What type of restriction is there in the exploit payload?

The main restriction is the control over the content. Further research is needed in employing different character sets. The method discussed in the paper can create the majority of the 256 bytes. However, there are some important bytes that it doesn't (ie, 0x00). My cursory look at different character sets suggests they can be used in a practical situation to achieve all the possible bytes.

The exploit will come from the machine of the web user, but how will the attacker be able to communicate with the target?

It may be possible to include all the commands in the payload. If it isn't possible or interactive communication is required, there are techniques to employ the browser as a middleman. Commands can be issued to the browser through an attacker control channel which then constructs Interprotocol Communication requests.

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Jihadi terrorists DIDN'T encrypt their comms 'cos of Snowden leaks
Intel bods' analysis concludes 'no significant change' after whistle was blown
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
China hacked US Army transport orgs TWENTY TIMES in ONE YEAR
FBI et al knew of nine hacks - but didn't tell TRANSCOM
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.