Risk Management through Threat Modeling
Download
Report
Transcript Risk Management through Threat Modeling
Black Ops 2007:
Design Reviewing The Web
Dan Kaminsky
Director of Penetration Testing
IOActive, Inc.
copyright IOActive, Inc. 2006, all rights
reserved.
Introduction
• This is my seventh “Black Ops of TCP/IP” talk.
• Previous subjects have included:
– Everything over SSH
– Massive Speed Network Scanning
– Everything over DNS
– Pattern Analysis
– Neutrality Verification
• New Target: The World Wide Web
– Why?
That’s Not A Moon, That’s A Web
Browser
© LucasFilm
Mobile Too!
© LucasFilm
Where The Wild Things Are
• Rampant and persistent XSS/XSRF announcements
• Superbowl .WMF 0-day
– Two days before Superbowl, malicious image placed on
web page
– 1+M desktops compromised overnight
• DNS Rebinding Test By Dan Boneh’s Team at Stanford
– Test flash applet placed on an Ad network, distributed
across many web sites
– Applet acquired partial network connectivity to client LAN
– +100K networks exposed
These Are A Few Of My Favorite
Things
• DNS…? Tunneling…? Behind Firewalls…?
– “I try to get out, but they pull me back in!”
• DNS Rebinding is an old bug
– Dates back to 1996
– So old, people forgot about it, and started building
systems that didn’t defend against it
• Dan Boneh of Stanford University’s been driving the
most thorough research
– Attack dates back to 1996 (“Princeton Attack”)
– Martin Johns revived the attack in August 2006
– RSnake’s been pushing a lot of attention its way
• Effect: DNS Rebinding partially breaks the security
policy of the web.
How Does The Web Work?
• Web pages are pulled together in the browser,
from pieces that can come from all over the place
– You can even embed one web page inside
another one!
• This is an “IFrame”
– But what if someone embedded Hotmail, and
you were logged in? Would they be able to
read your mail?
The Same Origin Policy
• “Look but don’t touch”
– A web page can embed Hotmail, but it can’t “look inside”
to see what’s happening
– Access to “look inside” controlled by Same Origin Policy
– If foo.com has an iframe to foo.com, it can look inside.
– If foo.com has an iframe to bar.com, it can display
bar.com to the user, but it can’t peek inside and see what
the user sees.
• “If two things come from the same place, they must be
trusted the same”
– Same place = Same name, right?
The Bug
• Names don’t host anything.
• Everything comes from IP addresses
• We use DNS to translate between a name we trust and an IP
address we communicate with
– Foo.com -> 1.2.3.4
– Bar.com -> 3.4.5.6
• Assumption: The translations don’t change
– Reality: Both foo.com and bar.com can return any IP
address, at any time, whether they control that IP or not
• Bar.com can return an IP address of Foo.Com’s
Now What?
• One moment, bar.com could point to a server in Europe
• The next moment, bar.com could point to the printer down
the hall
• Suppose your browser loaded a page from each address
– The content from the European server would be from
bar.com
– The content from the printer down the hall would also be
from bar.com
– According to the Same Origin Policy, the server in
Europe can do whatever it wants to your printer!
• The server can’t get past your corporate firewall…
• …but it doesn’t need to. It’ll tell your browser what to
do, and your browser will report back with whatever
your printer is up to.
Why The Attack Works
• Browser doesn’t know bar.com from the external
IP is any different from bar.com from the internal
IP
– This is by design
– Major web sites have IP addresses spread
across the world, and resources acquired from
them need to be able to script against one
another
• Detecting that there’s a cross-IP scripting action
happening is only the beginning – what to do after
that is what people are trying to figure out.
What is the canonical attack here?
• Firewall Bypass
– Most corporate networks draw a significant
distinction between the external network and
the internal network
• Things inside can route out
• Things outside cannot route in
• By bouncing off a lured browser, an attacker
on the outside can access resources on the
inside
Levels of Exploitation
• Level 1: Browser-Only
– One IFrame is from Europe, the other is down the hall.
Same name, so they can script against eachother.
– The Win: Arbitrary HTTP Sites
• Level 2: Web Plugins
– MSXML* / XmlHTTPRequest / Silverlight
– The Win: HTTP + Web Services + Semi-Arbitrary
Headers
• Level 3: Socket Plugins
– Flash / Java, though different resources available through
each
– The Win: Everything from L1+L2, plus various degrees
of TCP or UDP access
Java
• Original Target of 1996 Princeton Attack
– From Applet interface, can only get high-port
UDP and TCP to the actual calling app
• More widely deployed than I thought
• LiveConnect
– Ability for Javascript to call Sockets directly,
without going through Applet interface
– Totally rebindable – effect is high-port UDP and
TCP to anyone
– FireFox and Safari only though
Flash
• Has worked hardest to make arbitrary socket
connections work when they’re supposed to
– Most mature security model in the industry
– They don’t handle rebinding well though
• Breaks what is otherwise a lot of really good
work
• Effect: Arbitrary TCP, though you have to pull
some tricks to get TCP ports below 1024
Mechanisms for rebinding an
address
• Lots of ways to use a rebind, but how do you
achieve it in the first place?
– How do you cause the DNS infrastructure to
accept your change of address?
– The entire architecture is designed to cache
across hours to days, not to be swappable in
seconds
• Three mechanisms
– Temporal
– Spatial
– Ridiculous
Traditional Rebinding: Temporal
Modulation
• DNS records have a TTL field – lets you declare how long a
record should live in the infrastructure before a second query
causes a new request to the original server
– Declare a 0 TTL and records will supposedly not cache
– Now every time the browser has a slightly different DNS
request, you get an opportunity to provide a different
location
• Problem: Some networks won’t respect your low TTL.
Some networks brag about that ;)
– You could wait until the network-enforced minimum TTL
expires, but that takes time
Another Rebinding Mechanism:
Spatial Modulation
• DNS responses can contain multiple addresses
• When bar.com is asked for its IP address, it
returns both its address and the address of the
printer
– This can have a infinite TTL
• Problem: Which record will the browser choose?
– Totally random.
• Solution: Try again
– Seriously.
Spatial Error Resolution
• Case 1: Browser wants external, gets internal
– Fix 1: External resource is hosted on an unusual port, so
the internal connection will fail and thus retry to external.
This has problems with outbound firewalls, though.
– Fix 2: Immediately after connecting, look for evidence in
the connected session that we’ve actually reached the
correct server. If not, destroy the object that did the
incorrect retrieve and keep trying until success.
• The trick: Retrieve the content with XMLHttpRequest
so that you can actually destroy the object that
guessed incorrectly.
• Case 2: Flash/Java wants internal, gets external
– Fix: Look for magic token on incoming session. If magic
token is returned, destroy the object and try again. If no
token, retry the applet a couple times just in case there’s
a extrusion firewall in the way.
Ridiculous?
• People are trying to use DNS TTLs as a security
technology
• DNS TTL’s are not a security technology
– Finally, something less a security technology
than Virtual Machines
• Overriding a TTL, if you control the record, turns
out to be very easy, and this is by design
– When something wasn’t designed to be a
security technology, don’t be surprised when it
isn’t one
CNiping
• CNAME Records: DNS Aliases
– Instead of returning an address, return what the
“Canonical”, or Official Name was, and then the
address of that Canonical Name
– If you are allowed to be the resolver for that
canonical name, your additional record
overrides whatever’s already in the cache, even
if the TTL hasn’t expired yet
• It’s not a bug.
• Works against most, but not actually all
name servers
CNiping Demo[0]
• dig 1.foo.notmallory.com
;; ANSWER SECTION:
1.foo.notmallory.com.
120
CNAME
bar.foo.notmallory.com
bar.foo.notmallory.com. 120
A
10.0.0.0
• dig bar.foo.notmallory.com
bar.foo.notmallory.com. 111
A
10.0.0.0
IN
IN
IN
CNiping Demo[1]
• dig 2.foo.notmallory.com
2.foo.notmallory.com.
120
IN
CNAME
bar.foo.notmallory.com.
bar.foo.notmallory.com. 120
IN
A
10.0.0.1
• dig bar.foo.notmallory.com
bar.foo.notmallory.com. 118
IN
A
10.0.0.1
Review
• By swapping addresses out from
underneath a web browser, we can get
arbitrary TCP (and sometimes UDP)
access to hosts reachable by the client.
What can we do with this?
– Can we VPN into corporate networks
with nothing but a lured web browser?
• Sure! It’s easy!*
* Actually a pain in the ass, but heh
Concentration
• Three actors in this little dance
– The Browser, which has access to internal
resources
– The Attacker, which wants access to those
internal resources
– The Proxy, which sends code to the Browser to
copy messages from the Attacker
• We will start with the Proxy, running software of
my design. This software is called Slirpie.
Slirpie, The Proxy
• Multiprotocol Server, Built using POE
– Accepts TCP streams for Browser delivery, containing
routing data
– Accepts HTTP requests for those routable streams
– Accepts DNS requests to direct routing
– Accepts XMLSocket requests to determine routing policy
• For Flash
• The basic theme is – Attacker connects to Proxy, which
manages the appropriate resources in Browser to
service the Attacker’s connections.
A Bucket of Suckets
• Browser connects, establishes an IFrame called a
“Bucket”
– A bucket is a collection of connection managers
– The bucket polls for new connections to establish
• Attacker connects to Proxy and requests a socket to
10.0.0.1, port 80.
• Browser Bucket retrieves list of new connections,
compares against the previous list, notices one new
demand for 10.0.0.1:80.
– Bucket opens up a 2nd level IFrame for this new IP
address.
• The IFRAME SRC attribute for the 2nd level IFrame
is set to 10.0.0.1.foo.proxydomain.com. For now, it
still resolves to the Proxy’s address.
– This 2nd level IFrame is called a “Sucket”.
Demo JSON (Looks Like TCP!)
• {
•
"10.0.0.1" : {
•
"3" : {
•
"from_browser_seq" : -1,
•
"server_state" :
"CONNECTED",
•
"from_browser_ack" : -1,
•
"to_browser" : {
•
"1" : "YQo=",
•
"0" : "Zm9vCg==",
•
"3" : "Ywo=",
•
"2" : "Ygo="
•
},
•
•
•
"dport" : 80,
"dproto" : 6,
"browser_state" :
"CONNECTING",
•
"to_browser_seq" : 3,
•
"to_browser_ack" : -1,
•
"from_browser" : {
•
•
}
•
}
•
}
• }
How many DNS requests does it take to get
to the center of your corporate network?
• Javascript alone will not open this Socket. Flash is
necessary.
– HaXe, a metalanguage, is used to compile both a Flash
object and a Javascript interface to it.
– The Flash object is loaded, and directed to create a
connection to 10.0.0.1:80
• QUERY ONE: Load the movie from
10.0.0.1.foo.proxyhost.com (actually Proxy’s IP)
• QUERY TWO: Load the security policy controlling <1024
port access from 10.0.0.1.foo.proxyhost.com (still Proxy’s IP)
• ARM THE REBIND: Tell the Proxy to return a different
address with the next query, using a special HTTP query.
• QUERY THREE: Connect to 10.0.0.1.foo.proxyhost.com:80
(now finally returning 10.0.0.1).
– Connection is in the applet loaded by the proxy, using the
Managing Dataflows
• 1) Data is received by Flash – sent down into the
Sucket’s DOM for eventual collection.
• 2) Bucket prepares to send an update to the
Proxy. It visits each Sucket, and retrieves the
latest list of updates.
• 3) Proxy received the update, acknowledges
reception, and sends any replies in the update
response.
• 4) Bucket receives the response, and tells each
Sucket to parse their replies and send() them up
through Flash.
But What Of Domains?
• Each of those IFrames inside the bucket is in a
different domain than the bucket itself.
– Why can they push stuff up, or pull stuff down?
• Same Origin Policy allows two subdomains from
the same domain to explicitly claim support for one
another
– So we do that.
– Thanks Same Origin Policy!
And that’s it!
• OK, a little bit of housekeeping for opening
and closing sockets, and eventually entire
suckets.
– Yeah, it’s a reimplementation of TCP in
Javascript. Who else was going to write
it?
• …but what about the attacker? How does
he open sockets?
Does anyone remember this?
•
Back In The Day, When I Was Young
I’m Not Runnin’ 95 Anymore
• SLiRP
– 1995 era tool that turned shell connections (text only) into
PPP connections (pretty pretty pictures)
– Was old school when I used it in my talk back in 2001
– What SLiRP actually does: Given a stream of packets,
create sockets and send the data in the packets into the
sockets
• SLiRP was Userspace NAT
– Where to find SLiRP: Recent versions … uh …
disappeared.
• Found in my “ancient cool stuff” archive
SLIRP and PPTP
• PoPToP: Linux PPTP Daemon
– PPTP: Horrifyingly hideous VPN protocol, ultimately
uses a PPP encapsulated stream of packets
– PoPToP can hand this PPP stream to SLiRP for
termination
• Makes setting up a VPN link much easier
• Makes VPN’ing into a web browser possible.
• Normally, SLiRP would now handle sockets directly
– What if, instead, it gave the socket requests to Slirpie?
The General Idea
•
•
•
•
The Attacker runs applications that use sockets.
The sockets get their traffic sent over PPTP to SLIRP.
SLIRP provides a set of streams to the Proxy.
The Proxy tells the Browser’s bucket to open
appropriate suckets.
• The Browser opens suckets, which themselves provide
sockets.
• The Proxy mediates traffic between the Attacker’s
sockets and the Browser’s sockets.
• And it all just works.
– Nessus over IE: Nessie!
– WoW over IE: Wowie!
– Any TCP-based protocol should work.
Impacts
• 1) Corporate firewalls are bypassable via lured
browsers
– Special case: Home router management
interfaces are now fully exposed to every web
page
• 2) Every browser is a proxy
– No botnet necessary – just view this ad
– Every browser can send SPAM
• SMTP
• HTTP
• IM
– Every browser can proxy Click Fraud
This is expensive ($1B to Google)
Other Attacks
• “Stealth Tor”
– Nothing wrong with Tor, but consent is a good thing
– People can be forced to be exit nodes for proxy networks
• Protect Network Neutrality
• P2P Networking
– Java gives us UDP
– UDP sockets are simultaneously clients and servers
– May be able to repurpose rebindable UDP sockets for
P2P in stock browser
• There’s more…
IP OVER SPAM
• Defcon 14, TCP/IP Drinking Game
– “How would you get around the great firewall of
China?”
• “Correct Answer”: Drop all RST packets,
ignore the firewall trying to shut you down
• My Answer: Encapsulate data in SPAM.
• We have IP (or at least TCP) inbound
• We have SPAM outbound
• Uh…
– You know, I was originally joking…
Fixing This: Possible?
• Flash: They’ll be able to fix their arbitrary TCP/UDP.
• Java: Unknown, but doesn’t work in IE
• Browsers Themselves: Possibly broken forever
– Have to detect that there’s a cross IP script
– Have to do something about it
• What can you do? People are using cross-IP
scripting (one host, multiple IP’s – Google, Yahoo,
etc)
• Need those using cross-IP scripts, to securely opt
their addresses into a shared domain
• When can we enforce this? Some point in the long
and distant future?
Mitigations [0]
• HOST Header Checking
– Same Origin Policy was broken from the start.
– Coincidentally, legitimate web browsers send a HOST
header containing the domain the client thinks its talking
to
• Used for virtual hosting
• “Lets make a security technology out of it!”
• Idea: Servers that don’t want to get DNS rebound,
can see that the client is sending it the wrong HOST
header
– Can’t work for devices, as devices don’t know their own
name
– Does sort of handle click fraud
Mitigations [1]
• External to Internal Routing Checks
– Stop sites on the Internet from routing to targets
on the Intranet
– Handles internal devices…sorta
• You have to know what “internal” means
• So, we can sorta fix some servers, and sorta
protect some devices
– Browser as router will probably live forever.
– *sighs*
Oh, People Are Interested In This
Whole Network Neutrality Thing?
• I…was unaware this was such a hot button subject when I
started developing tools to detect problems with it
– First of all, we need to start using the correct language:
We wish to detect Provider Hostility
• If you’re sniffing my traffic, you’re hostile.
• If you’re altering my traffic, you’re hostile.
• If you’re censoring my traffic, you’re hostile.
• If you’re selling my traffic, you’re very very hostile.
• Would the military bomb you for doing it to them?
You’re hostile. Deal.
– RST injection, Comcast
What Do We Need To Detect
Provider Hostility?
• Downloading data from two separate sites, at two
separate speeds, unfortunately doesn’t tell us
much
– Too many factors are conflated to determine
what one thing is causing the problem
• What we want: “Given identical network paths for
two web sites, is the last mile provider hostile to
content from one site vs. another?”
– Detect differential speeds
– Correct content injection
SOMEBODY is buying this stuff
• Everyone who knows anyone who makes routers
knows that carriers are desperately trying to buy
routers that support hostility.
• There are repeated news articles about ISPs
replacing ads and companies setting themselves
up as ad replacers
• Can we monitor the spread of this problem?
– Can we defend Online Advertising against
the Times Square effect?
The Times Square Effect
• Movies that show Times Square replace all the ads.
– No contractual obligation not to
– No real expectation from the viewer that this is reality –
it’s a movie
• Carriers are under no contractual obligation to host the web
sites they say they are
– “Provider In The Middle” attacks might very well be
profitable!
• Web sites and ads
– Users tolerate them
– Businesses would pay dearly to be top ranked on Google
– Google Times Squared would not be…good.
The Transparent Proxy Gem
• Some consumer networks have transparent proxies
– These take all traffic outbound on Port 80 and coalesce
onto a single proxy instance that uses the Host: header
to route requests to the correct destination
– Arbitrary TCP = Arbitrary Headers
– So an attacker can go back to the IP address that
provided the applet, and ask for Host: www.fark.com – it’ll
get routed to Fark instead of to the original host
• What this means
– Since the same infrastructure ultimately hosts all
web content, all sites (once they’re cached in proxy)
come from the same host
– A speed test against this “transparent” (easily detectable)
proxy for various sites will directly yield information about
hostility
The Silent Censor Detector
• Even if there’s no transparent proxy, a filter box
can still limit traffic for web requests with nonpreferred Host: headers.
• Using Flash, we can impersonate being a Host: for
any site on the Internet when we provide a speed
check.
– The thinking is that the attacker/provider won’t
monitor the IP address used to contact Host:
www.whatever.com, and will thus equally rate
limit traffic with that Host: no matter what
provider.
The Detectability Problem
• In every major networking company, I
assume there is a protocol guy as ornery
as I am
– “Oh yeah, well I’ll just detect him doing
that…this way!”
• Is it possible to build a hostility detection
system that uses traffic indistinguishable
from real world traffic?
Well…
• We want to spoof sites on the Internet.
• We want to know what these sites would see.
• We want to be able to respond as if we were these
sites.
• We don’t want the real sites to interfere with our
interference.
• Good luck! That would require…sequence
numbers.
– We’d have to know where in the TCP stream an
attacker was, and that’s clearly not possible…
OMG ACTIVEX FTW
PACKET CLAUS IS COMING TO
TOWN
Introducing: INSPECTOR PAKKET
• What normally stops Mallory from pretending to be a random
site on the Internet?
– Mallory doesn’t know sequence numbers client will
accept
– Mallory has to compete with real server for the sending of
data
• What do we have?
– A sniffer that will leak sequence numbers to Mallory
• What can Mallory now do?
– Send data to the client that it’ll accept
– Send a RST to the server so it’ll shut down the
session it has with the client
Go Pakket Go!
• About that RST…
– RST is a TCP Reset message – it shuts down a socket
rather unceremoniously
• Requires correct SEQ#, but don’t worry, we have that
• When Mallory spoofs Bob to Alice, Alice is going to ACK to
Bob
– Normally, Bob will send RSTs back to Alice, since there’s
no associated session
– Thankfully, Bob is usually running a firewall that long
since shut down its connection for Alice…and so drops
all of Alice’s ACKs that have been stimulated by Mallory’s
traffic!
• And just to be clear, how is Mallory getting those ACKs?
– AJAcks: TCP Acks over AJAX
Go Go Pakket Pwn
• ‘The goal is to identify the applications being used on the
network, but some of these devices can go much further;
those from a company like Narus, for instance, can look
inside all traffic from a specific IP address, pick out the HTTP
traffic, then drill even further down to capture only traffic
headed to and from Gmail, and can even reassemble emails
as they are typed out by the user.’
– How creepy is that?
• Against this, given a colluding client, I can:
• Impersonate anyone who doesn’t ACK my traffic
• Generate arbitrary traffic that is completely
indistinguishable from theirs
• Provide deep packet inspectors with a whole new
realm of content to inspect.
• I recommend inspecting this information. Deeply.
Conclusions
• DNS Rebinding threatens the boundaries of your network
– There are multiple rebinding mechanisms and many
major use cases for each of them; this will not be an easy
problem to fix.
– The web could use some real work on its underlying
security models
• We may need to consider applying integrity, and perhaps
encryption to all web traffic due to provider hostility
• There are mechanisms for detecting such hostility that
should be deployable shortly.
[extra slides]
My Process
•
•
•
•
•
Sit down
Relax
Put some music on
Start writing code
Get totally distracted
– Write something completely different
than intended
– Find out later why
A Fun Little Distraction
• “Dotplots??? WTF!”
– Best feedback I’ve ever gotten
• Dotplots are a mechanism for visually analyzing similarity
across a dataset
– See last year’s talk for details
• So I decided to port last year’s talk to WinAMP.
– I’m listening to music
– I like pretty pictures
– I should like listening to music that generates pretty
pictures!
• Be nice to code something that I’d never show at a security
con!
The Chemical Brothers,
“Where Do I Begin”
+30% vs. -30% tempo
LudiVu: Realtime Audio Visualizer
• Images are based directly on spectral similarity
– “How similar is what I’m hearing now, to what I’ve heard
for the last n seconds?”
• Bass = Red
• Midrange = Green
• Treble = Blue
– Our auditory system almost certainly does this too
• Always good to match what the ear is up to
– Our auditory system almost certain does this better
• Amazingly apocalyptically naïve similarity metric!
What We See
• “Visual Hash” of auditory segments, based on mutual
similarity/dissimilarity across frequencies
– Reflects overall timbre of what we’re hearing
• Vertical lines representing repeated structures in the music
– Lines close = Fast Tempo
– Lines far away = Slow Tempo
• Tradeoff between visual hash and structure detection
– Blur less, get better visual hashing
– Blur more, get better structure detection
So Why Is This Here?
• I’m doing web research!
• One of my friends, Zane Lackey, knows
AJAX quite well and is in town
– We go out for beers.
– Me: “So I’m working on this really cool
thing, it makes pictures from sound!”
– Zane: “What, for Audio CAPTCHAs?”
– Me: “…”
Whatsa CAPTCHA?
• CAPTCHA: “Completely Automated Public Turing test to tell
Computers and Humans Apart”
• Used to bind access to a resource to the presence of a
human
– Web sites use them to suppress bots
• So I get this email, in response to me breaking CAPTCHAs...
– “CAPTCHA is quite annoying. I use a few programs to
send "auto-messages" and to "steal friends" from others'
pages. They had a way around the CAPTCHA system for
a while, but not anymore. Check out www.xxx.com and
www.yyy.com. I dunno, I have 5 different accounts, and I
add 300 people a day on each one, so imagine - I'm
typing 250+ CAPTCHA codes a day on this damn thing.
;)”
AmIHumanOrNot
• The general idea is to use a human’s superior
ability at figure/ground separation to differentiate
human/machine
• Image Captchas: Text, distorted and overlaid with
lines and other non-text shapes
– Problem: Blind people can’t get in
• Audio Captchas: Speech, distorted and overlaid
with quieter speech
– Humans get a 10db boost in perception simply
by paying conscious attention
– Problem: Audio is actually easier to hack.
Detecting “8”…
…and “9”
Tips For Building Better Audio
CAPTCHAs
• Don’t actually make your speech much louder than
your noise
– Easy to sync on regions of high volume
• Expand your vocabulary
– Use a sentence, rather than words in isolation,
as we’re much better at parsing them
• Ask a question, perhaps?
– “My name is Bob. How many letters are in my
name?”