Art of InfoJacking Detecting/Testing Web Network Devices – Hidden Patterns

Source Security Conference 15th-16th June 2011, Seattle Aditya K Sood

Software Confidence. Achieved.

Security Researcher adi_ks [at] secniche.org | [email protected]

Sunday, April 01, 2012

1

About Me

Aditya K Sood
─ Founder, SecNiche Security (Research Arena)
● Independent Security Consultant, Researcher and Practitioner
● Worked previously for Armorize, Coseinc and KPMG
● Active speaker at security conferences
● Written content for ISSA / ISACA / Virus Bulletin / CrossTalk / HITB / Hakin9 / Elsevier NESE|CFS
● LinkedIn: http://www.linkedin.com/in/adityaks
● Website: http://www.secniche.org | Blog: http://secniche.blogspot.com
─ PhD Candidate at Michigan State University

© 2011 Cigital Inc.


Words Disclaimer

All vulnerabilities and attacks presented in this presentation were discovered during my professional avocation with web application penetration testing and research. This research is different from my ongoing routine work. All contents of this presentation represent my own beliefs and views and do not, unless explicitly stated otherwise, represent the beliefs of my current or any of my previous employers. All for education and development purposes.

Sincere Thanks

● Joel Scambray (Managing Principal, Cigital)
● Richard J Enbody (A. Professor, Michigan State University)


Agenda

 Information Gathering Facets
 Information Truth
 Web Network Devices
  – HTTP Cloaking
  – Inside Layer 7 (HTTP) Policy Metrics
  – Custom HTTP Response Headers
  – Cookie and IP Session Management
 Proxy Protocols
  – Web Proxy Auto Detection (WPAD)
  – Proxy Auto Configuration (PAC)
 Anonymous Services
 Art of Information Gathering
 Vulnerable and Bad Design Practices in Network Devices
 Conclusion


Information Gathering – Perspectives !


Information Gathering – Truth !


Web Network Devices

Pictures Courtesy – Google Search

HTTP Cloaking

 Inside Server Cloaking
─ Bait and switch paradigm
─ General working
  – To serve different pages to search engines and generic requests
  – Web server is scripted to return original pages to search engines by fingerprinting search spider requests
  – Basically, a stealth process of hiding the reality of web servers
  – Thought: cloaking is necessary to protect the metadata. Is it ethical?
─ Is it true that the server cloaking technique is used by web based security devices?
  – Yes, Web Application Firewalls (WAFs) use this technique effectively
  – Zero visibility into:
    » Internal web servers
    » Internal application servers
    » Operating systems in use
    » Applied patch levels
  – Target – to conceal all sensitive information that may result in a potential attack

HTTP Cloaking (Cont..)

 Considered an implicit technique to thwart web attacks
  – Combining HTTP Cloaking with web network security devices provides an additional layer of security
  – It is required to protect the URL space of the internal web servers
  – Looks quite robust from a security point of view
─ Applied Techniques
  ● HTTP response header manipulation and rewriting
    – Rewriting the sensitive data information from the headers
    – Manipulating the layout of HTTP response headers
    – Adding custom headers for traffic management based on user information
  ● URL translations
    – Web Address Translation (WAT) proposed in 2007 by NetContinuum
    – URL address translation from exterior to interior networks
    – Typically based on DNS namespaces and implicit mapping
    – Internal application changes do not impact the external URL scheme
    – Web administrators have full access to the user requests and the resultant URLs

Facets of HTTP Cloaking

Pictures Courtesy – Google Search

Layer 7 – HTTP Policy Designing

 Layer 7 Policy Differentiators
  Defining the depth of HTTP request parsing
  – Forcing the device to read the number of bytes in the HTTP request
  POST classification input handling
  – Forcing the device to scrutinize the HTTP header or HTTP body or both
  Persistent switching mode
  – Defines behavior with multiple client requests over the same TCP connection
  – First request / complete and overwrite / complete and maintain
  HTTP request normalization
  – Enables or disables normalization of URLs in HTTP requests, before parsing the HTTP request itself
  Explicit farm naming
  – Explicitly configure the name of the farm with the load that must be taken into consideration during the DNS resolve phase
  Backend port encryption

Layer 7 Content Switching

 Effective process of switching traffic
  – Heavily used by web based network security devices
  – Content is switched based on the URL header information
  – Sometimes used collaboratively with the WAFs
 Content Switching – How?
  ● URL header matching criteria
    – HTTP response header
    – HTTP status codes
    – Client IP address
    – HTTP versions (HTTP/1.0 / HTTP/1.1)
    – HTTP methods
    – URL and URI pathinfo
    – Header value
  ● Load balancing
    – Appropriate HTTP handling and redirection
    – Algorithms (Round Robin / Weighted Round Robin / Least Requested)
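The switching and balancing steps listed on this slide, written out as a small working model. This is an added example, not code from the deck or from any vendor's device: the farm names, rules, backends and the request dictionary shape are constructed to show how ordered matching criteria select a farm and how the three named algorithms then select a backend inside it.

```python
"""A minimal Layer 7 content switch: a request is matched against ordered
rules (path prefix, method, client IP prefix, HTTP version) to choose a farm,
then a backend in that farm is chosen by round robin, weighted round robin or
least requested. Constructed illustration of the slide's bullet points."""
from dataclasses import dataclass
from itertools import cycle


@dataclass
class Backend:
    name: str
    weight: int = 1
    active: int = 0  # requests handed to this backend so far


class Farm:
    def __init__(self, name: str, algorithm: str, backends: list):
        self.name, self.algorithm, self.backends = name, algorithm, backends
        if algorithm == "weighted_round_robin":
            order = [b for b in backends for _ in range(b.weight)]  # a1,a1,a2,...
        elif algorithm in ("round_robin", "least_requested"):
            order = list(backends)
        else:
            raise ValueError(f"unknown algorithm {algorithm}")
        self._ring = cycle(order)

    def pick(self) -> Backend:
        if self.algorithm == "least_requested":
            chosen = min(self.backends, key=lambda b: b.active)  # ties: first listed
        else:
            chosen = next(self._ring)
        chosen.active += 1
        return chosen


@dataclass
class Rule:
    farm: str
    path_prefix: str = "/"
    methods: tuple = ()
    client_prefix: str = ""
    versions: tuple = ()

    def matches(self, req: dict) -> bool:
        return (req["path"].startswith(self.path_prefix)
                and (not self.methods or req["method"] in self.methods)
                and (not self.client_prefix or req["client_ip"].startswith(self.client_prefix))
                and (not self.versions or req["version"] in self.versions))


def select_farm(req: dict, rules: list, default: str) -> str:
    """First matching rule wins; rules are evaluated in configured order."""
    for rule in rules:
        if rule.matches(req):
            return rule.farm
    return default


def build_farms() -> dict:
    """Constructed farms, one per algorithm from the slide."""
    return {
        "static": Farm("static", "round_robin", [Backend("s1"), Backend("s2")]),
        "app": Farm("app", "weighted_round_robin", [Backend("a1", weight=2), Backend("a2", weight=1)]),
        "api": Farm("api", "least_requested", [Backend("api1"), Backend("api2")]),
        "internal": Farm("internal", "round_robin", [Backend("int1")]),
    }


RULES = [
    Rule("internal", client_prefix="10."),                          # client IP criterion
    Rule("static", path_prefix="/images/"),                         # URL path criterion
    Rule("api", path_prefix="/api/", methods=("GET", "POST")),      # path + method criterion
]


def make_request(path, method="GET", client_ip="203.0.113.5", version="HTTP/1.1") -> dict:
    return {"path": path, "method": method, "client_ip": client_ip, "version": version}


def route(req: dict, farms: dict, rules=RULES, default="app") -> tuple:
    """Return (farm name, backend name) for one request."""
    farm = farms[select_farm(req, rules, default)]
    return farm.name, farm.pick().name


if __name__ == "__main__":
    farms = build_farms()
    for path in ("/images/a.png", "/images/b.png", "/", "/", "/", "/api/x", "/api/x"):
        print(path, "->", route(make_request(path), farms))
```

Note that rule order is a security setting as much as a routing one: the `internal` rule matches on client prefix before any path rule is consulted, so a later, broader path rule can never override it.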


HTTP Request Normalization

 Security Devices and Normalization
  – WAFs and IDS/IPS have to perform normalization on incoming HTTP requests
  – Normalization is required to manage the detection/prevention control mechanism
  – Depends on web server compliance with the HTTP RFC
 Productivity
  ● HTTP Request Fuzzing
    – Analyzing HTTP responses by sending invalid HTTP verbs
    – Return status code provides a lot of information
    – Also depends on the configuration of the web server that allows HTTP methods
    – WAFs and IDS/IPS – fuzzing may result in bypass and helps in designing bypasses
    – Examples
      – Invalid verbs (POSTTT, GETTT, ROGUE, \r\n\r\n\r\n etc.)
      – Using encoded separators instead of whitespace characters (%20 → \t)
      – Encoding (Unicode, double encoding, %, //, %00, etc.)
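What "normalization before parsing" has to cover, shown as code. This is an added example and not part of the deck or of any product: it canonicalizes a request line so that the encoding variants listed above (invalid verbs, an encoded separator in place of a space, double encoding, `//`, `%00`) either collapse to the form a rule can match or are rejected outright. The verb allow-list and the bound on decode rounds are constructed values, not any device's defaults.

```python
"""Request-line normalization of the kind a WAF or IDS/IPS must apply before
rule matching. Added illustration; the allow-list and limits are constructed."""
import re
from urllib.parse import unquote

ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}  # constructed allow-list
MAX_DECODE_ROUNDS = 3  # bounds repeated percent-decoding (double/triple encoding)


class NormalizationError(ValueError):
    """Raised when the request cannot be brought to a canonical form."""


def decode_fully(path: str) -> str:
    """Percent-decode until the value stops changing, so %252e and %2e end up
    matching the same rule. NUL bytes are rejected at every stage."""
    for _ in range(MAX_DECODE_ROUNDS):
        try:
            decoded = unquote(path, errors="strict")
        except UnicodeDecodeError as exc:
            raise NormalizationError("invalid UTF-8 in percent encoding") from exc
        if "\x00" in decoded:
            raise NormalizationError("NUL byte in path")
        if decoded == path:
            return path
        path = decoded
    raise NormalizationError("path still changing after max decode rounds")


def normalize_path(raw_target: str) -> str:
    """Canonical path: decoded, backslashes to /, // collapsed, . and .. resolved."""
    path = decode_fully(raw_target).split("?", 1)[0]
    path = re.sub(r"/{2,}", "/", path.replace("\\", "/"))
    parts = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts)


def inspect_request_line(line: str) -> tuple:
    """('ACCEPT', method, canonical path) or ('REJECT', reason).
    Space and tab both count as separators, because many servers accept a tab;
    an encoded separator such as GET%20/ is not split and fails the 3-token check."""
    tokens = re.split(r"[ \t]+", line.strip())
    if len(tokens) != 3:
        return ("REJECT", "malformed request line")
    method, target, version = tokens
    if method not in ALLOWED_METHODS:
        return ("REJECT", f"invalid verb {method}")
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        return ("REJECT", f"unsupported version {version}")
    try:
        return ("ACCEPT", method, normalize_path(target))
    except NormalizationError as exc:
        return ("REJECT", str(exc))


if __name__ == "__main__":
    for probe in ("GET /index.html HTTP/1.1", "POSTTT /x HTTP/1.1",
                  "GET%20/index.html HTTP/1.1", "GET /a//%252e%252e/b/./c HTTP/1.1",
                  "GET /%00 HTTP/1.1"):
        print(repr(probe), "->", inspect_request_line(probe))
```

The reason the slide ties normalization to web server compliance is visible in `inspect_request_line`: whether a tab is a separator, or how many decode rounds the server itself performs, is a property of the server behind the device, and a rule set that normalizes differently from that server is what fuzzing finds.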


HTTP Cloaking (Example 1)

Response Check 1 – Citrix NetScaler (WAF + Load Balancer)

    HTTP/1.1 200 OK\r\n
    Date: Tue, 05 Jul 2007 17:05:18 GMT\r\n
    Server: Server\r\n
    Vary: Accept-Encoding,User-Agent\r\n
    Content-Type: text/html; charset=ISO-8859-1\r\n
    nnCoection: close\r\n
    Transfer-Encoding: chunked\r\n

Response Check 2

    send: 'GET /?Action=DescribeImages&AWSAccessKeyId=0CZQCKRS3J69PZ6QQQR2&Owner.1=084307701560&SignatureVersion=1&Version=2007-01-03&Signature= HTTP/1.1\r\nHost: ec2.amazonaws.com:443\r\nAccept-Encoding: identity\r\n\r\n'
    reply: 'HTTP/1.1 200 OK\r\n'
    header: Server: Apache-Coyote/1.1
    header: Transfer-Encoding: chunked
    header: Date: Thu, 15 Feb 2007 17:30:13 GMT

    send: 'GET /?Action=ModifyImageAttribute&Attribute=launchPermission&AWSAccessKeyId=0CZQCKRS3J69PZ6QQQR2&ImageId=ami-00b95c69&OperationType=add&SignatureVersion=1&Timestamp=2007-02-15T17%3A30%3A14&UserGroup.1=all&Signature= HTTP/1.1\r\nHost: ec2.amazonaws.com:443\r\nAccept-Encoding: identity\r\n\r\n'
    reply: 'HTTP/1.1 400 Bad Request\r\n'
    header: Server: Apache-Coyote/1.1
    header: Transfer-Encoding: chunked
    header: Date: Thu, 15 Feb 2007 17:30:14 GMT
    header: nnCoection: close

HTTP Cloaking (Example 2)

Request / Response Check – Citrix NetScaler (WAF + Load Balancer)

    GET / HTTP/1.1
    Host: example.com
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Keep-Alive: 115
    Connection: keep-alive

    (Status-Line) HTTP/1.1 301 Moved Permanently
    Date: Mon, 08 Nov 2010 19:49:23 GMT
    Cneonction: close
    Content-Type: httpd/unix-directory
    Set-Cookie: uu=9mjpm8rn90Duu4CQwFOZbQPyOCTl4V6yoHENgcCxLaHVsZ3h5dQ99JSlTTGlpO4Tw/IehNChDcKgwZ4SkLD98SNSnGEggS3RM4FdkEVkaDIDUknUIRRI9fOEyYXz10uCA9bKIgdm+sIHNgpXl6YLh+ChPhIREU2wQKD9obDCvgGQ0Y3BwNGN8eNSvhGz0h6ypaRIUuPyHvWQ8paioPEtkaDRnSGAwr4RsLFNwcDRnSGDwr4Rs9IesqPUWCLgwh6yoME9ocDRnSGT4r4Rs9IesqPyHvLjom6Co=;expires=Thu, 30 Dec 2037 00:00:00 GMT;path=/;domain=.imdb.com
    Set-Cookie: session-id=284-9245763-9527093;path=/;domain=.imdb.com
    Set-Cookie: session-id-time=1289332163;path=/;domain=.imdb.com
    Vary: Accept-Encoding,User-Agent
    Content-Encoding: gzip
    P3P: policyref="http://i.imdb.com/images/p3p.xml",CP="CAO DSP LAW CUR ADM IVAo IVDo CONo OTPo OUR DELi PUBi OTRi BUS PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA HEA PRE LOC GOV OTC "
    Content-Length: 20

HTTP Cloaking (Example 3)

Response Check 1 – Citrix NetScaler (WAF + Load Balancer)

    HTTP/1.0 404 Not Found\r\n
    Xontent-Length: \r\n
    Server: thttpd/2.25b 29dec2003\r\n
    Content-Type: text/html; charset=iso-8859-1\r\n
    Last-Modified: Tue, 05 Jul 2010 17:01:12 GMT\r\n
    Accept-Ranges: bytes\r\n
    Cache-Control: no-cache, no-store\r\n
    Date: Tue, 05 Jun 2010 17:01:12 GMT\r\n
    Content-Length: 329\r\n
    Connection: close\r\n

Response Check 2

    HTTP/1.0 302 Moved Temporarily
    Age: 0
    Date: Thu, 11 Mar 2010 12:01:55 GMT
    Xontent-Length:
    Connection: Close
    Via: NS-CACHE-7.0: 11
    ETag: "KXIPDABNAPPNNTZS"
    Server: Microsoft-IIS/6.0
    X-Powered-By: ASP.NET
    X-Powered-By: PHP/5.1.6
    Location: http://216.99.132.20/smb/index.php
    Content-type: text/html
    Xontent-Length:

Custom HTTP Response Headers

 Custom HTTP Response Headers
─ Web security devices add their own custom response headers
─ General working
  – WAFs usually add HTTP response headers
  – All the HTTP traffic is routed through the intermediate security device
  – Basically, Via: and Cache: response headers are added
  – Primarily, there is no need to request the web server every time if an updated copy of the web site is present in the cache
  – The Via: header supports the fact that traffic is handled by another device in the network which can make changes in the inbound and outbound HTTP traffic

Custom HRH (Example)

Response Headers – BinarySec Device

    HTTP/1.0 200 OK
    Date: Wed, 25 Aug 2010 08:45:45 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Last-Modified: Wed, 25 Aug 2010 08:45:46 GMT
    X-BinarySEC-Via: frontal2.re.saas.example.com

    HTTP/1.0 301 Moved Permanently
    Content-length: 0
    Content-language: fr
    X-binarysec-cache: saas.example.com
    Connection: keep-alive
    Location: http://www.binarysec.fr/cms/index.html
    Date: Tue, 24 Nov 2009 22:49:01 GMT
    Content-type: text/html

Cookie and IP Session Management

 Custom HTTP Response Header (Set-Cookie)
─ Web security devices add their own Set-Cookie response header
  – Adding security to the existing (web server) cookie
  – HTTP web security devices manage sessions using self driven cookies
  – Effective way to manage sessions with an intermediate layer of working
  – Use internal IP addresses to generate sessions (BIG IP devices)
─ WAFs. Do they play around with cookies?
  ● Cookie Encryption (configuration specific)
    – Encrypting cookies before sending them to the client. Hard to interpret.
    – Possibly protecting the integrity of the cookies
  ● Cookie Signing (configuration specific)
    – Adding a digital signature as a second line of defense to the existing cookie
    – If tampered with, the digital signature won't verify
    – Simple and direct detection mechanism
    – Example: Barracuda Web Application Firewalls do this
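The cookie-signing behaviour described above, as an added example rather than the deck's or any vendor's code: the device keeps the web server's Set-Cookie value, appends a keyed HMAC on the way out, and on the way in drops any cookie whose signature is missing or does not verify. The key, the `.` separator between value and signature, and the ASP session cookie value are constructed for illustration.

```python
"""Cookie signing at an intermediate device: sign outbound Set-Cookie values,
verify inbound Cookie values, drop what does not verify. Constructed example."""
import base64
import hashlib
import hmac

DEVICE_KEY = b"constructed-device-key-replace-in-real-use"  # constructed; a device keeps this in its config


def _signature(name: str, value: str, key: bytes) -> str:
    """HMAC-SHA256 over name=value, so a signed value cannot be moved to another cookie."""
    mac = hmac.new(key, f"{name}={value}".encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def sign_cookie(name: str, value: str, key: bytes = DEVICE_KEY) -> str:
    return f"{value}.{_signature(name, value, key)}"


def verify_cookie(name: str, signed: str, key: bytes = DEVICE_KEY):
    """Original value if the signature checks out (constant-time compare), else None."""
    value, sep, sig = signed.rpartition(".")  # the base64url signature never contains '.'
    if not sep or not hmac.compare_digest(sig, _signature(name, value, key)):
        return None
    return value


def rewrite_set_cookie(header_value: str, key: bytes = DEVICE_KEY) -> str:
    """Outbound Set-Cookie from the server: sign name=value, keep the attributes."""
    first, *attrs = [p.strip() for p in header_value.split(";")]
    name, _, value = first.partition("=")
    return "; ".join([f"{name}={sign_cookie(name, value, key)}", *attrs])


def filter_cookie_header(cookie_header: str, key: bytes = DEVICE_KEY) -> dict:
    """Inbound Cookie header: {name: original value} for cookies that verify;
    unsigned or tampered cookies are dropped before the request goes upstream."""
    verified = {}
    for part in cookie_header.split(";"):
        name, _, signed = part.strip().partition("=")
        value = verify_cookie(name, signed, key)
        if value is not None:
            verified[name] = value
    return verified


if __name__ == "__main__":
    out = rewrite_set_cookie("ASPSESSIONIDCCCCSBAA=AHLDLDDANEKJOOPHGOHAAKBA; path=/")
    signed = out.split(";")[0].split("=", 1)[1]
    print(out)
    print(filter_cookie_header(f"ASPSESSIONIDCCCCSBAA={signed}"))          # verifies
    print(filter_cookie_header(f"ASPSESSIONIDCCCCSBAA={signed[:-1]}x"))   # tampered: dropped
```

Signing protects integrity only; the value itself still travels in clear, which is why the slide lists encryption as a separate, configuration-specific option.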


CSM (Example 1)

Response Check – Barracuda WAF (it uses Set-Cookie with a "Barracuda" name parameter)

    HTTP/1.0 500 Internal Server Error
    Date: Thu, 11 Nov 2010 05:52:54 GMT
    Server: Microsoft-IIS/6.0
    X-Powered-By: ASP.NET
    X-AspNet-Version: 2.0.50727
    Cache-Control: private
    Content-Type: text/html; charset=utf-8
    Content-Length: 5145
    Set-Cookie: BNI__BARRACUDA_LB_COOKIE=df0fa8c000005000; Path=/; Max-age=1020

    HTTP/1.0 400 Bad Request
    Content-Type: text/html
    Date: Thu, 11 Nov 2010 05:02:23 GMT
    Connection: close
    Content-Length: 39
    Set-Cookie: BARRACUDA_LB_COOKIE=192.168.155.11_80; path=/

    HTTP/1.0 200 OK
    Date: Thu, 11 Nov 2010 10:29:51 GMT
    Server: BarracudaServer.com (Windows)
    Connection: Keep-Alive
    Content-Type: text/html
    Cache-Control: No-Cache
    Transfer-Encoding: chunked
    Set-Cookie: BarracudaDrive=3.2.1; expires=Wed, 07 Sep 2011 10:29:51 GMT

CSM (Example 2)

Request / Response (GEO Location Based Session Management) – Juniper Sec Device

    (Request-Line) GET / HTTP/1.1
    Host: www.example.net
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 115
    Connection: keep-alive

    (Status-Line) HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Type: text/html; charset=UTF-8
    Date: Mon, 08 Nov 2010 18:48:02 GMT
    Connection: keep-alive
    Set-Cookie: rl-sticky-key=b159fd3052f1f60eea47e0dc56d57d62; path=/; expires=Mon, 08 Nov 2010 19:35:22 GMT
    Set-Cookie: CT_Akamai=georegion=264,country_code=US,region_code=MI,city=EASTLANSING,dma=551,msa=4040,areacode=517,county=INGHAM,fips=26065,lat=42.7369,long=-84.4838,timezone=EST,zip=4882348826,continent=NA,throughput=vhigh,bw=1000,asnum=237,location_id=0; path=/; domain=example.net

CSM and IPSM (Example 3)

Request / Response – Big IP Sec Device

    E:\audit>nc example.com 80
    GET / HTTP/1.1
    HOST:example.com

    HTTP/1.1 302 Object moved
    Server: Microsoft-IIS/5.0
    Date: Mon, 08 Nov 2010 17:41:56 GMT
    X-Powered-By: ASP.NET
    Location: http://www.example.com/us/index.asp
    Content-Length: 159
    Content-Type: text/html
    Set-Cookie: ASPSESSIONIDCCCCSBAA=AHLDLDDANEKJOOPHGOHAAKBA; path=/
    Cache-control: private
    Set-Cookie: http.pool=167880896.20480.0000; path=/

    Object moved
    Object Moved
    This object may be found here.
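A single check that pulls together the artifacts shown in the cloaking examples, the custom-header example and the cookie examples above: misspelt header names, vendor Via/cache headers and persistence cookie names. This is an added example, not code from the deck; its signature table contains only markers that appear on these slides, the device labels are the ones the slides use, and the sample responses are constructed from the captures (shortened). Run against your own edge it answers the defender's version of the question: which device do the headers still identify, and through which header.

```python
"""Identify a perimeter device from the artifacts it leaves in an HTTP
response. Signature table and samples are constructed from the slides."""
import re

# (device label as on the slides, what to match, pattern)
SIGNATURES = [
    ("Citrix NetScaler", "header-name", re.compile(r"^(nnCoection|Cneonction|Xontent-Length)$", re.I)),
    ("BinarySec", "header-name", re.compile(r"^X-BinarySEC-", re.I)),
    ("Barracuda", "cookie-name", re.compile(r"^(BNI__)?BARRACUDA_LB_COOKIE$|^BarracudaDrive$")),
    ("Barracuda", "server", re.compile(r"^BarracudaServer\.com", re.I)),
    ("Juniper", "cookie-name", re.compile(r"^rl-sticky-key$")),
    ("BIG-IP", "cookie-name", re.compile(r"^http\.pool$")),
]


def parse_response(raw: str):
    """Return (status line, [(name, value), ...]). Header names are kept exactly
    as received because the misspellings are the evidence."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    lines = re.split(r"\r?\n", head.strip())
    headers = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip(), value.strip()))
    return lines[0], headers


def cookie_names(headers) -> list:
    return [v.split("=", 1)[0].strip() for n, v in headers if n.lower() == "set-cookie"]


def fingerprint(raw: str) -> dict:
    """{'devices': [...], 'evidence': {device: [what matched]}, 'via': [...]}"""
    _, headers = parse_response(raw)
    evidence = {}
    for device, kind, pattern in SIGNATURES:
        if kind == "header-name":
            found = [f"header {n}" for n, _ in headers if pattern.search(n)]
        elif kind == "server":
            found = [f"Server: {v}" for n, v in headers if n.lower() == "server" and pattern.search(v)]
        else:
            found = [f"cookie {c}" for c in cookie_names(headers) if pattern.search(c)]
        if found:
            evidence.setdefault(device, []).extend(found)
    # A Via: header alone says only that some intermediary touched the response.
    via = [v for n, v in headers if n.lower() == "via"]
    return {"devices": sorted(evidence), "evidence": evidence, "via": via}


# Constructed samples modelled on the slides' captures.
SAMPLE_NETSCALER = (
    "HTTP/1.1 200 OK\r\nServer: Server\r\nVary: Accept-Encoding,User-Agent\r\n"
    "nnCoection: close\r\nTransfer-Encoding: chunked\r\n\r\n<html>"
)
SAMPLE_BIGIP = (
    "HTTP/1.1 302 Object moved\r\nServer: Microsoft-IIS/5.0\r\n"
    "Set-Cookie: ASPSESSIONIDCCCCSBAA=AHLDLDDANEKJOOPHGOHAAKBA; path=/\r\n"
    "Set-Cookie: http.pool=167880896.20480.0000; path=/\r\n\r\n"
)
SAMPLE_BARRACUDA = (
    "HTTP/1.0 400 Bad Request\r\nContent-Type: text/html\r\n"
    "Set-Cookie: BARRACUDA_LB_COOKIE=192.168.155.11_80; path=/\r\n\r\n"
)
SAMPLE_PLAIN = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    for sample in (SAMPLE_NETSCALER, SAMPLE_BIGIP, SAMPLE_BARRACUDA, SAMPLE_PLAIN):
        print(fingerprint(sample))
```

The `evidence` list is the actionable part: each entry names the header or cookie that leaks, so the cloaking or cookie-encryption setting that removes it can be tested one artifact at a time.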


CSM and IPSM (Example 3 Cont…..)

Request / Response – Big IP Sec Device

    E:\audit>nc example.com 80
    GET / HTTP/1.1
    HOST:example.com

    HTTP/1.1 302 Object moved
    Set-Cookie: http.pool=167880896.20480.0000; path=/

Converting the first cookie field (167880896) to binary:

    00001010000000011010100011000000

Splitting into four 8-bit blocks:

    00001010 00000001 10101000 11000000
    00001010 → 10
    00000001 → 1
    10101000 → 168
    11000000 → 192

Reading the octets in reverse order gives the backend address: 192.168.1.10
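The walk-through above done in general form. This is an added example, not the deck's code: the cookie name and value are the ones on the slide, the function names are mine. It reproduces the slide's four-block split, and generalises it by treating both numbers as little-endian fields, which is why the octets come out reversed (192.168.1.10) and why the second field 20480 (0x5000) byte-swaps to port 80. The 16-hex-digit form seen in the Barracuda example earlier (df0fa8c000005000) is decoded on the assumption that it is the same two little-endian fields written in hex; that assumption is mine and is not stated on the slides.

```python
"""Decode persistence cookies of the shapes shown on the slides into the
backend IP and port they expose. Constructed illustration, not vendor code."""
import ipaddress
import struct


def octets_as_binary(ip_int: int) -> list:
    """The slide's intermediate step: 32 bits split into four 8-bit blocks."""
    bits = format(ip_int, "032b")
    return [bits[i:i + 8] for i in range(0, 32, 8)]


def decode_fields(ip_int: int, port_int: int) -> tuple:
    """Little-endian IPv4 integer and byte-swapped port -> ('a.b.c.d', port)."""
    ip = ".".join(str(b) for b in struct.pack("<I", ip_int))   # octets come out reversed
    (port,) = struct.unpack("<H", struct.pack(">H", port_int))  # 20480 (0x5000) -> 80
    return ip, port


def decode_pool_cookie(value: str) -> tuple:
    """'167880896.20480.0000' (ipint.portint.route) as in the http.pool cookie."""
    ip_int, port_int, _route = value.split(".")
    return decode_fields(int(ip_int), int(port_int))


def decode_hex_cookie(value: str) -> tuple:
    """'df0fa8c000005000': 8 hex digits of IP, 8 of port. Assumed layout,
    inferred from the Barracuda sample, not documented on the slides."""
    if len(value) != 16:
        raise ValueError("expected 16 hex digits")
    return decode_fields(int(value[:8], 16), int(value[8:], 16))


DECODERS = {"http.pool": decode_pool_cookie, "BNI__BARRACUDA_LB_COOKIE": decode_hex_cookie}


def audit_set_cookie(header_value: str):
    """For one Set-Cookie header value, report what a persistence cookie
    discloses about the backend, or None if it is not one of the known shapes."""
    name, _, value = header_value.split(";", 1)[0].strip().partition("=")
    decoder = DECODERS.get(name)
    if decoder is None:
        return None
    ip, port = decoder(value)
    return {"cookie": name, "backend_ip": ip, "backend_port": port,
            "internal_address": ipaddress.ip_address(ip).is_private}


if __name__ == "__main__":
    print(octets_as_binary(167880896))
    print(audit_set_cookie("http.pool=167880896.20480.0000; path=/"))
    print(audit_set_cookie("BNI__BARRACUDA_LB_COOKIE=df0fa8c000005000; Path=/; Max-age=1020"))
```

When `internal_address` is true the cookie is handing out RFC 1918 topology to every client; the cookie-encryption option listed on the session management slide is the device-side setting that closes that.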


Web Proxy Auto Detection Protocol (WPAD)

 Inside WPAD
  – To detect the network proxy automatically
  – Protocol based on DHCPINFORM query. DHCP based, no DNS.
  – Query is sent through URL
  – Configuration entries are present in the wpad.dat file
  – FindProxyForURL() function is used

Web Proxy Auto Detection Protocol (WPAD)

 Information Driven
  – Access to wpad.dat reveals a lot of critical information
  – Becomes easy to map proxy servers and the internal network

Web Proxy Auto Detection Protocol (WPAD)

 Information Driven
  – Beneficial in penetration testing

Proxy Auto Config (PAC)

 Inside PAC
  – Instructs the browser how to find a proxy (manual implementation)
  – FindProxyForURL() function is used
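What a readable wpad.dat or PAC file gives away, for both the WPAD and the PAC slides above. `FindProxyForURL()` is plain JavaScript, so a text scan is enough to list every proxy host, internal DNS suffix, address range and URL pattern it names. This is an added example, not from the deck: `SAMPLE_PAC` is a constructed file using reserved `.test` names, and the report and finding wording are mine. Run against your own PAC file it shows exactly what an unauthenticated fetch of it would hand out.

```python
"""List what a PAC / wpad.dat file discloses. Constructed example."""
import ipaddress
import re

SAMPLE_PAC = r"""
function FindProxyForURL(url, host) {
    if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example.test"))
        return "DIRECT";
    if (isInNet(myIpAddress(), "10.20.0.0", "255.255.0.0"))
        return "PROXY proxy-a.corp.example.test:8080; PROXY 10.20.1.5:8080";
    if (shExpMatch(url, "https://intranet.corp.example.test/*"))
        return "DIRECT";
    return "PROXY proxy-b.corp.example.test:3128; DIRECT";
}
"""

# Return-value syntax of FindProxyForURL: "PROXY host:port" (also SOCKS/HTTPS).
PROXY_RE = re.compile(r"\b(PROXY|SOCKS5?|HTTPS)\s+([A-Za-z0-9.\-]+):(\d{1,5})")
DOMAIN_RE = re.compile(r"dnsDomainIs\s*\(\s*\w+\s*,\s*\"([^\"]+)\"\s*\)")
NET_RE = re.compile(r"isInNet\s*\([^,]+,\s*\"([\d.]+)\"\s*,\s*\"([\d.]+)\"\s*\)")
URL_RE = re.compile(r"shExpMatch\s*\(\s*\w+\s*,\s*\"([^\"]+)\"\s*\)")


def audit_pac(text: str) -> dict:
    """Everything the file discloses, grouped by the PAC helper that used it."""
    return {
        "proxies": sorted({f"{host}:{port}" for _, host, port in PROXY_RE.findall(text)}),
        "internal_domains": sorted(set(DOMAIN_RE.findall(text))),
        "internal_networks": sorted({f"{net} mask {mask}" for net, mask in NET_RE.findall(text)}),
        "url_patterns": sorted(set(URL_RE.findall(text))),
    }


def findings(report: dict) -> list:
    """Turn the report into the points a reviewer would raise."""
    out = []
    for entry in report["proxies"]:
        host = entry.rsplit(":", 1)[0]
        try:
            if ipaddress.ip_address(host).is_private:
                out.append(f"private proxy address disclosed: {entry}")
        except ValueError:
            pass  # hostname, not a literal address
    if report["internal_networks"]:
        out.append(f"{len(report['internal_networks'])} internal address range(s) disclosed")
    if report["internal_domains"]:
        out.append("internal DNS suffix(es) disclosed: " + ", ".join(report["internal_domains"]))
    return out


if __name__ == "__main__":
    report = audit_pac(SAMPLE_PAC)
    for key, values in report.items():
        print(key, values)
    for line in findings(report):
        print("-", line)
```

A regex scan covers the common helpers; a PAC file that builds strings dynamically would need a JavaScript engine to evaluate, which is the same reason a browser has to run it rather than parse it.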


Proxy Auto Config (PAC)

 Information Driven

Anonymous Access and Exploitation

 Anonymous Access
─ General working
  – Some network based security devices allow anonymous access
  – To what extent can we exploit the scenario?
  – Tactical exploitation and robust techniques are required
  – A typical protocol that falls under this is FTP, as an example

Anonymous Access and Exploitation

 Is that all?

Anonymous Access and Exploitation

 Is that all? NO!

Case Study – Synology Diskstation Manager

 Is that all? NO!
 FTP Console – Default Buffer Tactic
  – Determining the number of characters that are acceptable
 FTP Protocol
  – Username – another generic input point
  – Password – another input point

Case Study – Synology Diskstation Manager

 Is that all? So what!
 FTP Console – Using it as an entry point to conduct XSS
  – Exploiting the vulnerable log module at the backend
  – Remote code execution using a CSRF payload injected through the FTP console

Advisory: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3684

Case Study – Synology Diskstation Manager

 Pwned!

Advisory: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3684

HTTP Web Server – Network Devices

 HTTP Web Server Types and Usage
  – Listed web servers are used effectively in network based devices
  – Comparative study of the acceptable HTTP verbs

The Culprit – CGI Implementation

 Implementation of CGI enabled interfaces
─ Web security devices use CGI interfaces for HTTP functionality
─ Point of command injection. Hidden services execution
─ Unauthorized access and implicit restriction bypasses
─ Examples (never ending ………)
  – /cgi-bin/filemanager/filemanager.cgi?folder=/home/httpd/cgibin/filemanager/share&lang=eng [NAS Device]
  – /cgi-bin/password.cgi
  – /cgi/maker/unittest.cgi?action=
  – /cgi/maker/tools.cgi?command=
  – /control/click.cgi?list | /img/image.cgi?next_file=main_fs.htm
  – /control/rotorcgi?help
  – /en/help.cgi?ID=25 | /main_activex.cgi
  – /cgi-bin/wg_login-act.cgi
  – /CgiStart?page=Login&Language=0
  – /cgi/b/users/usrpage/?nm=1
  – /cgi-bin/csi_login-act.cgi

Bad Design or Ignorance !!


Binary Controls and Decompilation

 Binary Authentication Controls
─ Bad practice in the authentication process
─ Usage of [0|1] and [Yes|No] in the authentication modules
─ Verifying authentication information in URLs
─ http://www.example.com/auth.php?authenticated=YES|NO
 Decompiling Java Applets (JAR Files)
─ Very effective process in detecting and finding information
─ Devices using Java applets must be decompiled
─ Reveals a lot of information
─ Hard coded passwords; reflected information about sessions
─ Understanding of the login algorithm and specific details

Encryption Issues in Binary Data


Information Patterns – Never Ending


Conclusion


Questions and Gratitude
