The discovery and execution of entirely new classes of Web attacks in order to meet your girlfriend.
[email protected] | http://samy.pl | Twitter: @SamyKamkar
Who is samy?
• "Narcissistic Vulnerability Pimp" (aka Security Researcher for fun)
• Creator of The MySpace Worm
• Author of Evercookies
• Co-Founder of Fonality, IP PBX company
• Lady Gaga aficionado
Cyber Warrior
• Raided
• Computer use lost (Hackers-style)
• 700 hours of community service
• Restitution
• Probation
Why the web?
• It's new, it's cool, it's exploitable!
• Gopher isn't used as much anymore
• The web is a code distribution channel
• Browsers can communicate in ways they don't know
• And much more!
My Homepage
Attack Indirectly
• Robert «Rsnake» Hansen
• Certified Information Security Specialist Professional
• Chief Executive Officer of SecTheory
• Co-Author of «XSS Exploits: Cross Site Scripting Attacks and Defense»
• Author of «Detecting Malice»
• Co-developer of Clickjacking with Jeremiah Grossman
• Runs ha.ckers.org and sla.ckers.org
• Certified ASS (Application Security Specialist)
Attack Indirectly
• How do we attack someone who secures himself well?
• Don't.
Attack Indirectly
• XSS? Probably won't fall for it.
• CSRF? Same.
PHP: Overview
• PHP: extremely common web language
• PHP sessions: extremely common default session management
• PHP sessions: used by default in most PHP frameworks (e.g., CakePHP)
• PHP sessions: either passed in URL or…
PHP Sessions: Overview
• session_start() – initialize PHP session
PHP Sessions: Entropy
• session_start()'s pseudo-random data:
  • IP address: 32 bits
  • Epoch: 32 bits
  • Microseconds: 32 bits
  • Random lcg_value() (PRNG): 64 bits
  • TOTAL: 160 bits
  • SHA1'd: 160 bits
• 160 bits = a lot = 1,461,501,637,330,902,918,203,684,832,716,283,019,655,932,542,976
How big is a bit? Some tricks
• For every 10 bits, add ~3 zeros
• 10 bits = 1,024 (thousand)
• 20 bits = 1,048,576 (mil)
• 30 bits = 1,073,741,824
• 25 bits = ~32,000,000
  bits:    0   1   2   3   4   5   6    7    8    9
  values:  1   2   4   8  16  32  64  128  256  512
• 160 bits = 2^160 = ~10^48
• 160 bits = 1,461,501,637,330,902,918,203,684,832,716,283,019,655,932,542,976
• At 100 trillion values per second, 160 bits would take…
• (2^160) / (10^14) / (3600 * 24 * 365 * 500000000) = 926,878,258,073,885,666 = 900 quadrillion eons
• 1 eon = 500 million years
It’s Just Math!
PHP Sessions: Entropy Redux
• Not so pseudo-random data:
  • IP address: 32 bits
  • Epoch: 32 bits
  • Microseconds: 32 bits
    – only 0–999,999… 20 bits = 1,048,576
    – <20 bits! (REDUCED) -12 bits
  • Random lcg_value() (PRNG): 64 bits
  • TOTAL: 148 bits (reduced by 12 bits)
  • SHA1'd: 160 bits
An Example: Facebook
PHP Sessions: Entropy Redux
• Not so pseudo-random data:
  • IP address: 32 bits
  • Epoch: 32 bits (ACQUIRED) -32 bits
  • Microseconds: 32 bits
    – only 0–999,999… 20 bits = 1,048,576
    – <20 bits! (REDUCED) -12 bits
  • Random lcg_value() (PRNG): 64 bits
  • TOTAL: 116 bits (reduced by 44 bits)
  • SHA1'd: 160 bits
An Example: Facebook
PHP Sessions: Entropy Redux
• Not so pseudo-random data:
  • IP address: 32 bits (ACQUIRED) -32 bits
  • Epoch: 32 bits (ACQUIRED) -32 bits
  • Microseconds: 32 bits
    – only 0–999,999… 20 bits = 1,048,576
    – <20 bits! (REDUCED) -12 bits
  • Random lcg_value() (PRNG): 64 bits
  • TOTAL: 84 bits (reduced by 76 bits)
  • SHA1'd: 160 bits
PHP LCG (PRNG): Randomness
• php_combined_lcg() / PHP func lcg_value()
PHP LCG (PRNG): Randomness
• S1 WAS 32 bits, NOW 20 bits
• SEED (s1 + s2): 64 bits – 12 bits = 52 bits
PHP LCG (PRNG): Randomness
• LCG(s2) = (long) getpid();
• S2 = 32 bits
• Linux only uses 15 bits for PIDs
• S2 = 32 bits – 17 bits = 15 bits
• SEED (s1 + s2) = 15 bits + 20 bits = 35 bits
• PHP function: getmypid()
• Linux command: ps
• Learn PID, reduce the other 15 bits!
• SEED (s1 + s2) = 0 bits + 20 bits = 20 bits
PHP Sessions: Entropy Redux
• Not so pseudo-random data:
  • IP address: 32 bits (ACQUIRED) -32 bits
  • Epoch: 32 bits (ACQUIRED) -32 bits
  • Microseconds: 32 bits
    – only 0–999,999… 20 bits = 1,048,576
    – <20 bits! (REDUCED) -12 bits
  • Random lcg_value() (REDUCED) -44 bits
  • TOTAL: 40 bits (reduced by 120 bits)
  • SHA1'd: 160 bits
PHP Sessions: Entropy Redux
• Microseconds: 32 bits down to 20 bits
• Random lcg_value down to 20 bits
• 40 bits? No! We can calc lcg_value() first!
• With a time-memory trade-off (4MB), we can learn the lcg_value original seed in a few seconds, REDUCING to 20 bits!
• 40 bits – 20 bits = 20 bits
• 20 bits = 1,048,576 cookies
GREAT SUCCESS!
• 500,000 requests on average!
• Can be completed in hours
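The arithmetic from the "How big is a bit?" slide and the step-by-step reductions of the "Entropy Redux" and LCG slides, carried through in Python as an added example (not code from the talk): it reproduces the 160-bit brute-force estimate and the 160 → 20 bit ledger, so a defender can check that SHA-1 hashing of low-entropy inputs never adds bits back. The bit counts, the 100-trillion-guesses-per-second rate and the eon definition are the slides' own figures.

```python
# Added example, not code from the talk: the deck's session-ID entropy
# arithmetic, so the 160-bit headline and the 20-bit reality can be checked.

GUESSES_PER_SECOND = 10**14                    # slide: 100 trillion values/sec
EON_SECONDS = 3600 * 24 * 365 * 500_000_000    # slide: 1 eon = 500 million years


def values_for_bits(bits: int) -> int:
    """Size of a bits-wide space (10 bits -> 1,024; 20 bits -> 1,048,576)."""
    return 2 ** bits


def brute_force_eons(bits: int, rate: int = GUESSES_PER_SECOND) -> int:
    """Whole eons needed to enumerate a bits-wide space at the given rate."""
    return values_for_bits(bits) // (rate * EON_SECONDS)


# Reductions in the order the slides apply them to the pre-5.3.2 inputs.
# Each entry: (why the attacker need not guess these bits, bits removed).
PRE_532_REDUCTIONS = [
    ("microseconds only span 0..999,999, i.e. under 2^20", 12),
    ("epoch seconds acquired from the server's own response", 32),
    ("client IP address acquired (HTTP_REMOTE_ADDR)", 32),
    ("lcg_value() seed: 15-bit PID learned, s1 cut to 20 bits", 44),
    ("remaining lcg_value() seed found by 4MB time-memory trade-off", 20),
]


def entropy_ledger(start_bits: int = 160, reductions=PRE_532_REDUCTIONS) -> list:
    """Running total of guessable bits after each reduction. The SHA-1 step
    is deliberately absent: hashing 20 bits of input still yields only 2^20
    distinct session IDs, so it can never appear as a plus in the ledger."""
    totals = [start_bits]
    for _reason, lost in reductions:
        totals.append(totals[-1] - lost)
    return totals


def expected_requests(bits: int) -> int:
    """Average guesses before one valid ID is hit: half the space."""
    return values_for_bits(bits) // 2


if __name__ == "__main__":
    print("160 bits at 10^14/s:", brute_force_eons(160), "eons")
    for bits, (reason, lost) in zip(entropy_ledger()[1:], PRE_532_REDUCTIONS):
        print(f"-{lost:>3} bits ({reason}) -> {bits} bits left")
    print("expected requests at 20 bits:", expected_requests(20))
```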
You down with entropy? Yeah you know me!
• PHP 5.3.2: a bit more entropy
• Create your own session values!
• Attack is difficult to execute!
• PS, Facebook is NOT vulnerable!
• <3 Facebook
• Please help my farmville
* Thanks to Arshan Dabirsiaghi and Amit Klein for pointing me in the right direction
GREAT SUCCESS!
• Using old victim's cookie, message our new victim with a malicious link!
This is your network.
This is your network on drugs.
A NAT
Cross-Protocol Scripting (XPS)
• HTTP servers can run on any port
• A hidden form can auto-submit data to any port via JS form.submit()
• HTTP is a newline-based protocol
• So are other protocols…. hmmmm
Cross-Protocol Scripting: Examples in the real world
• Let's write an IRC client in HTTP!
• This uses the CLIENT's computer to connect, thus using their IP address!
IRC Example
Hosting the XPS
NAT Pinning: cont.
HTTP POST w/ IRC content
NAT Pinning: XPS times OVER 9,000
• Sweet! So what is NAT Pinning?
• NAT Pinning confuses not only the browser, but also the ROUTER on the application layer
• E.g., when communicating with port 6667, browser thinks HTTP, router thinks IRC
• We can exploit this fact and use router conveniences to attack client
NAT Pinning: IRC DCC
• linux/net/netfilter/nf_conntrack_irc.c
• DCC chats/file sends occur on a separate port than chat
• Client sends: PRIVMSG samy :DCC CHAT samy IP port
• Router sees IP (determined from HTTP_REMOTE_ADDR) and port, then FORWARDS port to client!
• ANY PORT!
NAT Pinning: cont.
NAT Pinning: blocked ports
• If browser doesn't allow outbound connections on specific ports?
• TCP/UDP ports = 16 bits = 65536
• So overflow the port! 65536 + 6667
NAT Pinning: blocked ports
• 6667 + 65536 = 72203
• 6667  = 00001101000001011
• 72203 = 10001101000001011
• Some browsers check:
    if port == 6667 … but
    72203 != 6667
• Correct check: port % 2^16
* Webkit integer overflow discovered by Goatse Security
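An added example (not code from the talk) of the port check discussed on this slide, in Python: the raw-integer comparison the slide says some browsers used, the slide's "port % 2^16" canonicalisation, and a URL gate that refuses out-of-range ports outright rather than wrapping them. `BLOCKED_PORTS` holding only 6667 and the 192.0.2.1 address are constructed sample values.

```python
# Added example, not from the talk: a browser-style blocked-port check.
# The slide's point: 72203 == 65536 + 6667 reaches the wire as port 6667,
# so any block-list comparison has to look at the 16-bit value.
from urllib.parse import urlsplit

BLOCKED_PORTS = {6667}                    # constructed sample block-list (IRC)
DEFAULT_PORTS = {"http": 80, "https": 443}


def naive_is_blocked(port: int) -> bool:
    """The flawed check the slide describes: compares the raw integer."""
    return port in BLOCKED_PORTS


def canonical_port(port: int) -> int:
    """TCP/UDP ports are 16 bits; this is the slide's 'port % 2^16'."""
    return port % 2**16


def hardened_is_blocked(port: int) -> bool:
    """Compare the value that would actually be used on the wire."""
    return canonical_port(port) in BLOCKED_PORTS


def url_allowed(url: str) -> bool:
    """Gate for a request target (e.g. a form action): refuse out-of-range
    or malformed ports outright, then apply the block-list to the rest."""
    parts = urlsplit(url)
    try:
        port = parts.port             # ValueError for ':72203' or ':abc'
    except ValueError:
        return False
    if port is None:                  # no explicit port: use the scheme's
        port = DEFAULT_PORTS.get(parts.scheme)
        if port is None:
            return False
    return not hardened_is_blocked(port)


def as_17_bits(port: int) -> str:
    """Binary rendering from the slide, wide enough to show the overflow bit."""
    return format(port, "017b")
```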
NAT Pinning: prevention
• Strict firewall – don't allow unknown outbound connections
• Client side – run up to date browser
• Client side – use NoScript if using Firefox
• Client side – run local firewall or tool like Little Snitch to know if an application is accessing unknown ports
Penetration 2.0
TRIPLE X! SS!
Geolocation via XXXSS
• Anna visits malicious site
• XXXSS scans her local network for the type of router she uses
• If necessary, login with default credentials!
• XSS router to load remote malicious JS
• Remote JS uses AJAX to acquire MAC
Why MAC Address?
• Just Bing it!
• Type www.bing.com in your URL bar
• Type in "Google" in the search box
• Hit enter!
Geolocation via XXXSS
• Upon MAC acquisition, ask the Google
• See FF source for Location Services
Geolocation via XXXSS
latitude: 36.0920029 longitude: -123.3461946
PRIVACY IS DEAD!
Q&A
A gentleman never asks.
A lady never tells.
Fin
phpwn: samy.pl/phpwn
NAT Pinning: samy.pl/natpin
Geolocation via XSS: samy.pl/mapxss
Samy Kamkar
www.samy.pl
twitter.com/SamyKamkar
* No IRC channels were trolled in the making of this presentation.