The Metasploit menace inside your firewall
Interview Wade Alcorn recently published a paper explaining the technical details behind Inter-protocol Exploitation [PDF, 120kb].
Your browser is now an active menace against the security of your internal network. However, the problem can't be easily fixed, because it is not based on a bug: it simply uses "Web 2.0" technologies against you.
Can you explain how this works, Wade?
Could you cite a real life example?
For successful Inter-protocol Exploitation there needs to be a method to encapsulate the exploit in the carrier protocol. Also, depending on the complexity of the communication flow which is a precursor to exploit delivery, a handshake may also be required. This is the case in the Asterisk manager interface vulnerability; it is exploitable only after authentication.
The Asterisk Inter-protocol Exploit example included in the paper illustrates the multiple requirements. Firstly the HTTP headers are simply interpreted as erroneous commands by the Asterisk server. Next, the encapsulated handshake is sent which, in this instance, is a valid set of authentication details. Now the server is in an exploitable state and the encapsulated exploit is interpreted by the asterisk server. The handshake and exploit use an HTTP multi-part POST request for encapsulation. In this instance the two protocols have communicated sufficiently to send exploit code from the web browser (via HTTP) to the Asterisk manager interface. The example starts a bindshell listening on port 4444.
How does this affect internal networks security?
Organisations commonly use a model that invests the majority of security resources into the external perimeter. This leaves the internal networks as a much softer target. The bug exposes a network's soft underbelly to Inter-protocol Exploitation.
Another danger is that web Inter-protocol Exploitation will be combined with cross-site scripting viruses. The infamous MySpace XSS virus payload was executed one million times. It is safe to presume that a subset of those infected browsers were likely to be connected to internal networks.
Significant damage could have been done if an Inter-protocol Exploit was used as the payload.
In short, an attacker can establish a control channel through a firewall/DMZ to a browser. From this position the browser can then be instructed to launch Metasploit style exploits at internal machines. This combined with non-hardened internal networks increases the risk of penetration by an attacker. In the future, the security of internal networks will need to increase to withstand attacks of this kind.
Is there any workaround that browsers could implement?
An option is to warn the user when a request is performed to ports other than 80 and 443 - like when an invalid HTTPS certificate is detected. This would give users a chance to prevent an Inter-protocol Exploit being launched from the browser.
You gave the example of Asterisk, that required authentication. I am wondering if this means that this could be used to launch password guessing attacks to ssh servers too.
It is unlikely because of the complexity of the SSH handshake. However, brute force attacks can be launched on other protocols eg. IMAP.
Since I don't think we can try to modify HTTP, I guess the best way is to improve the way network daemons handle "strange" garbage at the beginning of a connection. What is your suggestion for programmers of such software?
My suggestion is that network daemons drop the connection immediately after receiving an invalid command. This would reduce the error tolerance significantly and in turn reduce the likelihood of Inter-protocol Exploitation. If error tolerance is required for development or debugging purposes, it could be simply added as a configurable option.
What type of restriction is there in the exploit payload?
The main restriction is the control over the content. Further research is needed in employing different character sets. The method discussed in the paper can create the majority of the 256 bytes. However, there are some important bytes that it doesn't (ie, 0x00). My cursory look at different character sets suggests they can be used in a practical situation to achieve all the possible bytes.
The exploit will come from the machine of the web user, but how will the attacker be able to communicate with the target?
It may be possible to include all the commands in the payload. If it isn't possible or interactive communication is required, there are techniques to employ the browser as a middleman. Commands can be issued to the browser through an attacker control channel which then constructs Interprotocol Communication requests.