13th Symposium of the Association of Anti Virus Asia Researchers (AVAR 2010) Conference


Upload: aditya-k-sood

Post on 15-Jul-2015


Malware Paradox

Persistent Cross Interface Attacks

Aditya K Sood, Richard J Enbody

Michigan State University

Soodadit [at] msu.edu | adi_ks [at] secniche.org

Disclaimer

The vulnerabilities and attacks discussed in this talk are part of my PhD research. We follow a responsible disclosure pattern in revealing vulnerabilities to vendors.

This is all for educational purposes only.

A sincere thanks to my adviser, Mr. Richard J Enbody, for guiding me at every step.

About Me

Founder, SecNiche Security Labs (http://www.secniche.org). PhD candidate at Michigan State University.

Previously worked for COSEINC as a Senior Security Researcher and for KPMG as a Security Consultant

Author for HITB eZine, Hakin9, Elsevier, ISSA, ISACA and USENIX journals. Likes bug hunting and malware dissection. Released advisories to forefront companies. Active speaker at security conferences, including RSA.

Blog: http://zeroknock.blogspot.com

Agenda

Web 2.0 and Malware
Malware through Network Devices with Web Interfaces
Cross Interface Attack Details
Released Vulnerability and Case Study
Conclusion

Web 2.0 – The Real World


Malware Mess & Web Attacks


Generic Web Malware Cycle!

© FireEye

World - Malware Lookup

© M86 Security Labs (http://www.m86security.com/labs/malware-statistics.asp)

Malware Paradox – System & Web

© UCSB

Malware Trends

Financial abuse and mass identity theft

The mass destructor – Botnet infection and zombie hosts

Exploiting the link dependency – pay-per-click hijacking

Traffic manipulation – open redirect vulnerabilities at large scale

Spyware, cryptovirology, ransomware, etc.

Distributed Denial of Service – the service death game, extortion

Industry change semantics – malware activation change line

Infection through browsers and portable gadgets – the biggest step

Exploiting anti-virus loopholes

Malware Contributing Issues

Publicly available malware source code

Unpatched vulnerabilities and loosely coupled patches

Demand for underground services and self-exposure

Global surveillance mode and information stealing in the wild

Software discrepancies and inherited design flaws, e.g. in browsers

Exploitation at the web level is easy, and it opens a door to system-level failures

Inappropriate security solutions deployed and an irrelevant security paradigm

Botnet infection – the easy way to launch diversified attacks

Security Solutions – Is This All?

The Truth – Web Malware Die Hard


Websites are infected with malware, and so are web servers – right!

Is it possible to infect peripheral network devices?

(Firewalls, DiskStation Managers, storage devices, routers, etc.)

Breaking the limits!

Yes ! Network Devices are Prone to Malware

Network devices have web interfaces for administration

Inappropriate web interface design

Misconception! The web interface is just used for administration!

Vulnerabilities in web administration panels

Open FTP and Telnet login consoles

Exploiting the default nature of protocols such as FTP and Telnet

Fundamental thinking

Reflective attacks do not make much sense against network devices

Persistent attacks are more intense

Modus operandi plays a critical role

Exploiting every element that is used for network device management

Application Bad Design

Source of major vulnerabilities in the real world
• Design issues are repetitive in nature
• Successful exploitation results in malware and code execution

Understanding – Cross Interface Attack


Cross Interface Attack - Base

Is this a Cross Site Scripting attack?

What exactly is a Cross Interface Attack?

Cross Interface Attack
• It uses backend login consoles to inject payloads into vulnerable websites
• Exploits the default nature of the FTP/Telnet protocols
• Vulnerability in the log storage modules
• Attacks are persistent in nature
• Payloads are designed using the same XSS injection techniques

The entry point for exploitation is different from XSS:
XSS entry point – from web to web
CIA entry point – from backend login console to website

Cross Interface Attack – Threat

Remote command execution through CSRF: the injected payload makes the administrator's authenticated browser issue requests to the device's own management interface

Malware infections – executing payloads to conduct drive-by download attacks

Information stealing

Turning the network device into an attack platform

Cross Interface Attack – (CIA)

Hardware devices using admin interfaces.

Admin interfaces : { Web, FTP, Telnet}

Do we require all admin interfaces?
• If web admin is allowed, what about the backend consoles?
• Is URL restriction a good practice?
• Is it advantageous to have backend consoles?
• Does access control serve well?

CIA targets FTP/Telnet admin consoles.

Building the attack surface step by step.

Hardware devices – firewalls, disk stations, management systems, etc.

Attack Launch Pad

Attack base and considerations
• Presence of an FTP/Telnet admin login console
• Hardware appliances have a default error-logging mechanism
• Log interfaces are served as HTML without filtering
• A bad design practice from a security point of view
• The default nature of protocols such as FTP/Telnet helps with information gathering

Attack Launch Pad

FTP protocol truth
• Username and password are authenticated together
• Done to avoid enumeration of user accounts
• No check on login attempts. No check on characters.
• Usually widely accessible.
• Do you think access control is required?

Attack Launch Pad

Attacking and testing
• Gathering information about allowed characters
• No aim to get authenticated
• FTP "530 Login incorrect" is what we require. Malicious payloads are used as the username and password
• Injections / scripts / iframes / DOM calls / persistent payloads
• Inject whatever you want!
• Good point for triggering CSRF attacks

Of course, authentication fails. The error gets logged. Payloads become persistent (they can also be reflected). Bad design practice: unencoded / unfiltered HTML rendering
• Inappropriate web logging mechanism. Voilà! Something happens.

Vulnerability Exploitation

Injecting payloads
Supplying payloads as credentials
Input points – {FTP_USER_NAME, FTP_PASS_WORD}

Other Possible Injections


Attack – Step 1

Finding and Detecting the vulnerable target


Attack – Step 2

Testing the FTP login console
• To determine the number of characters that are allowed
• Supplying an excess of buffer in the FTP_USER_NAME input
• FTP_PASS_WORD reflects the allowed FTP_USER_NAME
• Injection points – {FTP_USER_NAME, FTP_PASS_WORD}

Attack – Step 3

Injecting Payloads


CSRF Requests – Remote Command Exec

Injecting Payloads

GET /webman/modules/logman.cgi?dc=1273595767787&action=view&start=0&limit=50&logtype=connlog&sort=time&dir=DESC HTTP/1.1

GET /webman/modules/logman.cgi?dc=1273595786011&action=view&start=0&limit=50&

Case Study: CVE-2010-3684 – Synology Disk Station Manager

Persistent Cross Interface Attacks

Released collaboratively with the Check Point Vulnerability Discovery Team

MITRE & NIST – CVE Entry


Synology Disk Station – Web Interface


Synology Disk Station FTP Payload Injections


Malicious Link is Stored in Logs


Cookie Stealing – FTP Log Module


Malicious Iframe is Rendered


Malicious XLS File Downloading


Effective Steps

The FTP login console, or the user-verification module, should scrutinize the string parameters before verifying the user. A whitelist approach should be followed at the protocol level to reduce the impact of exploitation.

The applied design principle should be simplicity, to avoid complexity that can obscure vulnerabilities. For example, FTP logs should be rendered in a dedicated, controlled view, with output encoding, that takes into account the number of clients that will access them.

The content returned by the log module should be checked and its Content-Type defined explicitly, so that malicious logged input is never interpreted by the browser as a different content type.
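The three effective steps above, applied to a toy FTP-log viewer, as an added example. This is code written for this page, not the original deck's and not Synology's; the whitelist policy (ASCII letters, digits, `._@-`, at most 32 characters), the decision to never log passwords, the sample attempts and the hand-built HTTP response are all assumptions made for the demonstration. Standard library only.

```python
"""Added example (not from the original slides or any vendor): the hardened
path for failed FTP logins. Credentials are whitelisted before they reach
storage, the renderer output-encodes every field, and the response declares
its type and forbids MIME sniffing."""
import html
import re

# Step 1: whitelist the credential *before* verification or logging.
# Assumed policy: ASCII letters, digits and a few separators, 1 to 32 chars.
USERNAME_RE = re.compile(r"[A-Za-z0-9._@-]{1,32}")


def username_is_acceptable(user):
    return USERNAME_RE.fullmatch(user) is not None


def record_failed_login(log, client_ip, user):
    """Log a failed login. A rejected name is replaced by a fixed marker so the
    raw string never reaches storage; the password is never logged at all."""
    if username_is_acceptable(user):
        log.append((client_ip, user, "ok"))
    else:
        log.append((client_ip, "[rejected %d-char user name]" % len(user), "rejected"))


# Step 2: keep the renderer simple and output-encode every field for HTML,
# even names that passed the whitelist (defense in depth).
def render_connlog(log):
    def cells(row):
        return "".join("<td>%s</td>" % html.escape(v, quote=True) for v in row)

    rows = "".join("<tr>%s</tr>" % cells(row) for row in log)
    return ("<!DOCTYPE html><html><body><table>"
            "<tr><th>client</th><th>user</th><th>status</th></tr>%s"
            "</table></body></html>" % rows)


# Step 3: declare the content type and charset; forbid sniffing.
def http_response(body):
    payload = body.encode("utf-8")
    headers = [
        "HTTP/1.1 200 OK",
        "Content-Type: text/html; charset=utf-8",
        "X-Content-Type-Options: nosniff",
        "Content-Length: %d" % len(payload),
    ]
    return "\r\n".join(headers) + "\r\n\r\n" + body


# Constructed failed-login attempts: a benign typo, an injection attempt, an
# oversized length probe, and a legitimate-looking name.
SAMPLE_ATTEMPTS = [
    ("10.0.0.5", "admin"),
    ("198.51.100.7", '<img src=x onerror=alert(1)>'),
    ("198.51.100.7", "A" * 200),
    ("10.0.0.9", "bob@example.org"),
]


def process(attempts):
    """Run the attempts through the hardened path; return the log and the page."""
    log = []
    for client_ip, user in attempts:
        record_failed_login(log, client_ip, user)
    return log, http_response(render_connlog(log))


if __name__ == "__main__":
    _, response = process(SAMPLE_ATTEMPTS)
    print(response)
```

The whitelist is what keeps the payload out of the log in the first place; the encoding in the renderer is what would have saved the original viewer even without it, and the headers stop a browser from second-guessing the type of whatever it is served. None of the three steps is sufficient on its own, which is why the slide lists all three.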

Questions and Queries ?


Thanks

AVAR 2010 (http://www.aavar.org/avar2010) | SecNiche Security (http://www.secniche.org)