Feeds

Worms 2.0!

The Metasploit menace inside your firewall

5 things you didn’t know about cloud backup

Interview Wade Alcorn recently published a paper explaining the technical details behind Inter-protocol Exploitation [PDF, 120kb].

In his research he focused on using a web browser as a beachhead to launch Metasploit-style attacks. What this means is that any Javascript enabled web browser might be used to launch an attack against a service, for example a VoIP server, and gain complete control of the box.

Generally exploits are executed inside a development framework such as Metasploit, or run directly from the code. But this time, the code would run inside the browser, using Javascript. And all of this takes palce without exploiting any bugs in the browser itself.

Your browser is now an active menace against the security of your internal network. However, the problem can't be easily fixed, because it is not based on a bug: it simply uses "Web 2.0" technologies against you.

Can you explain how this works, Wade?

Wade Alcorn: It is well known that an attacker can establish a control channel through a firewall/DMZ to a browser. The control channel usually maintains two-way communication through periodic command requests back to the attacker's web server. Using this control channel the attacker can send commands for the web browser to execute. The example most commonly demonstrated is the use of JavaScript code to display an alert dialog box.

My research has shown that the browser can be instructed to launch exploit code, encapsulated in HTTP, at machines on its internal network. Whilst my focus has been on HTTP as the carrier protocol, other protocols can also potentially encapsulate exploits. The examples in the paper employed JavaScript to construct the requests and generate the exploit payload.

Could you cite a real life example?

For successful Inter-protocol Exploitation there needs to be a method to encapsulate the exploit in the carrier protocol. Also, depending on the complexity of the communication flow which is a precursor to exploit delivery, a handshake may also be required. This is the case in the Asterisk manager interface vulnerability; it is exploitable only after authentication.

The Asterisk Inter-protocol Exploit example included in the paper illustrates the multiple requirements. Firstly the HTTP headers are simply interpreted as erroneous commands by the Asterisk server. Next, the encapsulated handshake is sent which, in this instance, is a valid set of authentication details. Now the server is in an exploitable state and the encapsulated exploit is interpreted by the asterisk server. The handshake and exploit use an HTTP multi-part POST request for encapsulation. In this instance the two protocols have communicated sufficiently to send exploit code from the web browser (via HTTP) to the Asterisk manager interface. The example starts a bindshell listening on port 4444.

How does this affect internal networks security?

Organisations commonly use a model that invests the majority of security resources into the external perimeter. This leaves the internal networks as a much softer target. The bug exposes a network's soft underbelly to Inter-protocol Exploitation.

Another danger is that web Inter-protocol Exploitation will be combined with cross-site scripting viruses. The infamous MySpace XSS virus payload was executed one million times. It is safe to presume that a subset of those infected browsers were likely to be connected to internal networks.

Significant damage could have been done if an Inter-protocol Exploit was used as the payload.

In short, an attacker can establish a control channel through a firewall/DMZ to a browser. From this position the browser can then be instructed to launch Metasploit style exploits at internal machines. This combined with non-hardened internal networks increases the risk of penetration by an attacker. In the future, the security of internal networks will need to increase to withstand attacks of this kind.

Is there any workaround that browsers could implement?

An option is to warn the user when a request is performed to ports other than 80 and 443 - like when an invalid HTTPS certificate is detected. This would give users a chance to prevent an Inter-protocol Exploit being launched from the browser.

You gave the example of Asterisk, that required authentication. I am wondering if this means that this could be used to launch password guessing attacks to ssh servers too.

It is unlikely because of the complexity of the SSH handshake. However, brute force attacks can be launched on other protocols eg. IMAP.

Since I don't think we can try to modify HTTP, I guess the best way is to improve the way network daemons handle "strange" garbage at the beginning of a connection. What is your suggestion for programmers of such software?

My suggestion is that network daemons drop the connection immediately after receiving an invalid command. This would reduce the error tolerance significantly and in turn reduce the likelihood of Inter-protocol Exploitation. If error tolerance is required for development or debugging purposes, it could be simply added as a configurable option.

What type of restriction is there in the exploit payload?

The main restriction is the control over the content. Further research is needed in employing different character sets. The method discussed in the paper can create the majority of the 256 bytes. However, there are some important bytes that it doesn't (ie, 0x00). My cursory look at different character sets suggests they can be used in a practical situation to achieve all the possible bytes.

The exploit will come from the machine of the web user, but how will the attacker be able to communicate with the target?

It may be possible to include all the commands in the payload. If it isn't possible or interactive communication is required, there are techniques to employ the browser as a middleman. Commands can be issued to the browser through an attacker control channel which then constructs Interprotocol Communication requests.

Secure remote control for conventional and virtual desktops

More from The Register

next story
One HUNDRED FAMOUS LADIES exposed NUDE online
Celebrity women victimised as Apple iCloud accounts reportedly popped
Rubbish WPS config sees WiFi router keys popped in seconds
Another day, another way in to your home router
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
NZ Justice Minister scalped as hacker leaks emails
Grab your popcorn: Subterfuge and slur disrupts election run up
HP: NORKS' cyber spying efforts actually a credible cyberthreat
'Sophisticated' spies, DIY tech and a TROLL ARMY – report
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
prev story

Whitepapers

Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Advanced data protection for your virtualized environments
Find a natural fit for optimizing protection for the often resource-constrained data protection process found in virtual environments.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.