Tuesday 29 January 2013

Cell Injection

Attacking the end user through the application.

[Introduction]
At 7 Elements, our approach to application security testing blends the identification of technical exposure with business logic flaws that could lead to a breach in security. By taking this approach, and by understanding the business context and envisaged use, it is possible to provide a deeper level of assurance. We have used this approach to identify a novel attack that we have called cell injection.


[What is Cell Injection?]
Cell injection occurs where a user is able to inject valid spreadsheet function calls or valid delimited values into a spreadsheet via a web front end, resulting in unintended consequences. A number of attacks exist, from simple data pollution to more harmful calls to external sources.


[Basic injection technique]
At a simple level we can look to inject values that we expect to be interpreted as valid Comma-Separated Values (CSV). Despite being a widely used format, CSV still has no formal specification, which according to RFC 4180 "allows for a wide variety of interpretations of CSV files". As such, we should look to inject common values such as the semicolon, comma or tab, as well as other characters such as "|", "+" and "^".


If these values are interpreted by the spreadsheet, then you can expect data pollution to occur through the shifting of cells from their expected location. The following example shows the "|" character being used to insert additional cells within a spreadsheet. This was done by inserting four "|" values within the 'Amount' field, which results in the values expected within D4 and E4 appearing in H4 and I4 instead:
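As an illustration only (the field names and column layout below are invented for this sketch, not taken from the original example), a naive export that joins user-supplied fields with the '|' delimiter behaves like this:

# Hypothetical back-office export joining fields with '|' as the delimiter.
# The 'Amount' value carries four injected '|' characters.
fields = ["2013-01-29", "ACC-001", "100|X|X|X|X", "GBP", "Payment ref"]

print("|".join(fields))
# Output: 2013-01-29|ACC-001|100|X|X|X|X|GBP|Payment ref
# The spreadsheet now parses nine cells instead of five, so the values that
# belonged in columns D and E are shifted along to columns H and I.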



Where it is possible to insert the "=" sign, we can then attempt to use function calls within the spreadsheet. 

Microsoft lists all possible functions; however, the one we are interested in for the purpose of this attack is the HYPERLINK function, which has the following syntax:

HYPERLINK(link_location,friendly_name)
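
For example, a cell containing the following (the URL here is a placeholder rather than the address used in our testing) renders as a clickable link labelled 'Click Here':

=HYPERLINK("http://www.example.com","Click Here")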

What can you do with it? Firstly, we need to change the injected string to point to an external site under our control. For this example we will use our web site by submitting the following string:


If the friendly_name specified is created within the spreadsheet then we have successfully injected our data:




Within Microsoft Excel, a user clicking on this link will not be prompted for any confirmation that they are about to visit an external link. A single click is enough to launch a browser and load the destination address. Using this approach, an attacker could configure the URL to point to a malicious site containing browser-based malware, in an attempt to compromise the client browser and gain access to the underlying operating system.



[Advanced Injection]
The basic HYPERLINK attack requires that you can inject double quotation marks around the link_location and friendly_name values. As double quotes are commonly filtered out of user input, the basic attack may fail. To bypass this restriction, it is possible to use a more advanced technique to generate a valid HYPERLINK function. This approach uses references to other cells within the spreadsheet and therefore removes the requirement to supply double quotes. To use this approach you will need to set one cell as the friendly_name and a second cell as the link_location. Lastly, you will need to inject the HYPERLINK function itself, referencing the locations of these cells. The following string shows such an attack:
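As an illustration (which referenced cell holds the link and which holds the label is an assumption here), the injected string takes a form along these lines, with no double quotes required:

=HYPERLINK(F4,E4)

Here the URL has previously been injected into one referenced cell and the 'Click Here' text into the other.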



As part of this proof of concept we have hard-coded the cell references E4 and F4, but we believe it should be possible to derive these dynamically using the ROW() and COLUMN() functions. Using this approach we can then create the 'Click Here' cell without the need for double quotes:



During our tests we have also identified other attack vectors, such as updating fields or using cell value lookup functions against content that we do not have direct access to from the web application. This could be used to overwrite data for our own gain, or to populate a cell that is later used to echo data out to a client with a value taken from a normally hidden cell.



[Mitigation]
As this attack is focused on the end user of the spreadsheet, mitigation is best placed at the point the data is first input. As such, we would recommend that user input is validated against what is actually required. The best method of doing this is 'white-listing': wherever possible, all characters that have a valid meaning within the destination spreadsheet should be excluded from your white-list of valid characters. We would also recommend that, where possible, you do not permit the equals sign as the first character in a field.
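As a minimal sketch of that recommendation (the field definitions and character sets below are assumptions for illustration, not a complete scheme), server-side validation might look like this:

import re

# Hypothetical white-lists: only the characters each field legitimately needs.
# Spreadsheet-significant characters such as '|', '^', '=', tab and comma are
# simply absent from the patterns, so they are rejected on input.
AMOUNT_PATTERN = re.compile(r"^[0-9]{1,10}(\.[0-9]{1,2})?$")
REFERENCE_PATTERN = re.compile(r"^[A-Za-z0-9 ]{1,64}$")

def validate(value, pattern):
    if not pattern.fullmatch(value):
        raise ValueError("input contains characters outside the white-list")
    if value.startswith("="):
        # Defence in depth: never allow a value the spreadsheet could parse as a formula.
        raise ValueError("leading '=' is not permitted")
    return value

validate("125.50", AMOUNT_PATTERN)               # accepted
try:
    validate("100|X|X|X|X", AMOUNT_PATTERN)      # rejected: '|' is not in the white-list
except ValueError as err:
    print(err)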


Time for a working example and exploit:


[Setting the scene]

To illustrate this attack and to provide context, we will use a scenario that we often come across during our engagements, based on the use of third-party provisioned services to deliver transactional functionality. With this type of service we often find that back-end data management and record retention is achieved through the use of spreadsheets. To provide a working example, we have developed a dummy transactional website. This site has two main functions: the end-user facing application and an admin section. Users access the application over the internet to transfer funds electronically. The end organisation uses the admin functionality to manage the site, and via the application they can view transactions. They are also provided with the ability to download transactional data for internal processing and data retention. At a high level it would look like this:



[Attack Surface]
The main input fields that an attacker can interact with are as follows:



The application has been designed to provide defence against the OWASP Top 10. Specifically, the application has been coded to defend against common input validation attacks such as SQL Injection and Cross Site Scripting, as well as correctly validating all output that is displayed within the application. 

Given this scenario, the attack options are limited to attacking the 'Back Office' component of this application. Robust security measures, as already discussed, have mitigated attacks against end users of the application, and direct attacks against the application and database have also been mitigated. On further inspection, and through a manual testing approach that looks at the end-to-end business process involved, it becomes apparent that the 'Back Office' function of this application relies on the download and use of spreadsheet data:



The data is lifted directly from the database and, on download, the spreadsheet opens on the 'Back Office' computer screen:



Let's now use cell injection to compromise the integrity of the data stored within the spreadsheet and gain remote access to the 'Back Office' computer.


[Exploit]
The following video shows how an attacker can use cell injection via the client-facing front end of the application to compromise an internal host. The attack requires the end user to place trust in the data, but then who doesn't trust content that they have decided to download?


Blogger video is a little limited, so for those who want to see all the detail, we have hosted the video here.

[Conclusion]
By taking the time to understand how data is input into the system and, more importantly, where the data is then output to an end user, we were able to develop a specific attack approach to directly target end users of the data and gain unauthorised access to systems and data.

In this example, correct encoding of user-supplied data in the context of its use had not been fully implemented, yet without this level of testing the application would have appeared to be protected against input/output validation based attacks. This could lead to a false sense of security. Further to this, being able to attack internal hosts directly changes the assumed threat surface and therefore raises issues around browser patch management and the lack of egress filtering in place.

As we have seen from this blog, testing should be more than just the OWASP Top 10. We need to think about the overall context of the application, the business logic in use and, ultimately, where and how our input is used and how it manifests as output. This provides a further example of the need to take a layered approach to security and to accept that you cannot achieve 100% protection. This highlights the need to implement a resilient approach, building upon a robust defensive posture, that takes into account the need to detect, react to and recover from a breach.

Monday 21 January 2013

Vacancy: Security Tester






Just a quick reminder that our current vacancy for an experienced security tester closes on the 1st February 2013.

More information can be found here and here.


Wednesday 16 January 2013

Symposium on Information Security Part Two


Following on from the morning overview, Marek now takes a look at the afternoon sessions.

Alex Stobart from Mydex presented Citizen-centred personal data stores. Mydex has been chosen as one of 9 Digital Public Services. Mydex will provide identity assurance that empowers individuals to manage their personal data and acquire proof of claim and verification about any aspect of their life and identity. Citizens can create a Secure Personal Data Unit, which allows them to collect information and, within the control layer, decide which party to share certain types of information with. The difference with Mydex is that individuals drive the personal data unit themselves, rather than it being controlled by an organisation.

How does information security impact innovation and collaboration? This topic was presented by Richard Higgs from Brightsolid. The presenter used real client experiences to describe how the company can manage an innovative, collaborative space within the cloud and still assure a level of security. Nowadays a lot of companies are moving most, or at least parts, of their business to the cloud and are facing issues relating to how co-workers collaborate on new projects. In moving infrastructure to the cloud, companies also need to increase security awareness amongst their employees. Brightsolid showed how their company achieves that.

David Stubley presented Resilient Information Security: A New Approach to Assurance. Many organisations now see computer networks and applications as the backbone of their business and as a result focus on the implementation of defences and the prevention of attacks. This approach has directly influenced compliance and assurance activities, such as vulnerability scanning and penetration testing. However, we cannot achieve 100% security while still allowing the business to run flawlessly, and this trade-off is becoming unacceptable for many businesses. David presented a new approach to assurance that would not only test the defences of an organisation but also test its resilience to attack.
The example shown in the presentation was a Java zero-day that had been publicly announced just a day before. At the time of the talk the zero-day was being publicly discussed and had been marked as high risk by Oracle, with countermeasures available. The question is: how long had this zero-day been available beforehand? This new approach to assurance would allow resilience to be built into the management of information security and would enable organisations to deliver a balance between security and operational requirements.

As a result of this idea, the Open Source Security Resilience Assurance Methodology (OSSRAM) was created. OSSRAM is an open source community looking at how to define this new approach to resilience testing and assurance. The community is welcome to access the website and express their opinions.

Part of the symposium was the announcement of the Cyber Security Student of the Year 2013. The three finalists were Charley Celice, Gordon Grey and Hector Grebbell. Congratulations to all participants and winners.

Gordon Mullin from Memex presented Big Data, Analytics and Information Security. Gordon outlined the issues related to Big Data: how a company can take advantage of it, what models to use for sharing such volumes of data, and how to effectively implement enforcement solutions using this data. Some of the examples showed how Big Data analysis can help the police effectively reduce violence during events. The Memex solution allows analysis of Big Data and provides relevant information to the right people.


Paul Thomas and Phil Strading from Microsoft presented Human Trust in Digital Life. This talk returned to the e-Health topic and the potential role of e-Health in meeting the increasing demand for health and care services. These services, which are controlled by the public sector, are moving towards a sector consisting of family, individuals and the commercial sector. The talk outlined the new technologies, processes and governance which need to be in place in order to provide trust over the internet between individuals, the third sector and statutory services. The programme will help the UK to deliver a service for assisted living and manage the care system.

The last speaker was Don Smith from Dell SecureWorks, who presented Governance, don't forget to lock your doors… Don outlined the problems that lie within the industry using live scenarios. One of their clients had come under attack for some time from an unknown type of attack focused on Java. The Java exploit had been out for several months before it was disclosed, and once disclosed it also became available to the public. There was still a time gap before the relevant vendors released a patch to eliminate it. A further question raised is, once a patch is available, how long does it take for organisations to deploy it to their environments? This scenario showed how vulnerable our data can be: it can be accessed maliciously using zero-day attacks, and even once these are disclosed and patches made available, many companies remain vulnerable.

Don, like David before him, mentioned the new Java zero-day disclosed by Alien Vault on 10 January.
David raised the question of how long this zero-day had been in the wild on the Internet before the relevant organisations noticed.

Bill Buchanan closed the day by thanking both the speakers and the audience. I would like to say thank you for the opportunity to attend the Symposium and listen to professionals present their visions for the future. Marek.

Friday 11 January 2013

Symposium on Information Security


Symposium on Information Security:
Governance, Sharing and Risk in a Digital Age.

For those who are not from Edinburgh or did not have a chance to attend the Symposium on Information Security, this blog will provide some basic information on what the symposium was about.
David and I managed to attend the symposium; David in particular needed to, as he was one of the speakers.

In general the Symposium was well organised, with some delays to the actual start of the presentations, but you would expect that. As the name suggests, a lot of the presentations were about sharing data, mostly with a focus on e-Health systems. Prof Bill Buchanan from Edinburgh Napier University, the person behind the conference, opened the day and handed over to Prof George Crooks and his talk about NHS Scotland Telehealth and Telecare. The talk set out the vision for NHS Scotland: how and what they are proposing and working on, especially in terms of creating and delivering an e-Health system for patients using modern technologies. The NHS already has a pilot programme called DALLAS, where they can test the system before it is widely deployed. The system centralises the e-Health record for patients, and any NHS doctor who has been granted permission to see the file can access it.

The next speaker, Ted Boyle, presented how an e-Health system can be similar to a banking system. Scotland is ahead of the rest of the UK in the sharing of medical data and, as such, implementing a full e-Health system would be easier in Scotland than elsewhere in the UK. The proposed system would allow sharing of medical information with the Police, Local Authorities, Government and the third sector (voluntary). There are factors which still need to be defined: how to share the data between all of the parties mentioned above, how to ensure that parties who have access to the record follow the Data Protection Act and, above all, how to secure all of this data. Establishing this type of system would require the creation of one ID per person, which would be used to store all of this information. Doing so would bring further problems, one of them being the financial requirements needed to consolidate all of the data from different parties under one ID, not to mention deciding who is responsible for which part of the data and who can access, delete or amend it. The people using this system need to be educated, and support needs to be available for them, to allow such a system to work properly.
These are the issues with implementing a centralised system which need to be resolved.

David Livingston presented the Economic Opportunity in Cyber Security. The changes within cyberspace allow businesses to create new ways to approach clients, bring financial savings and provide the ability to reach clients globally. These changes also bring new risks, as organised crime moves from traditional approaches into cyberspace, alongside hacktivism, espionage and terrorism. These risks carry a significant potential for financial loss, loss of intellectual property, compromise of identity and compromise of infrastructure.

The UK Cyber Security Strategy's vision is to create a more secure place to do business, to be more resilient to cyber attacks and to help shape an open cyberspace.

The key pillars of Cyber Security are: critical infrastructure, e-Crime, Information Assurance, Digital Participation and Enterprise. The approach to delivering this is to:

  • Focus on organisational concepts and rely less on technology.
  • Develop a risk-based approach.
  • Increase knowledge of cyberspace.
  • Develop skills and support innovation.
  • Improve communications.
Government will set the direction, but experts will make it happen. This is already under way: David Stubley, our director, is a Cyber Security Strategy Adviser on the Resilience Advisory Board for Scotland (RABS).

Andrew Wadsworth from Amor Group talked about Critical National Infrastructure and process control. There are many process control systems which do not provide as high a level of security as they should. It is not just computer systems which are targeted, but also the control systems themselves. Some of the examples presented showed how easy it can be to fail on a large scale, e.g. Stuxnet (which we heard and read about a lot last year); a further example was around medical devices which are controlled wirelessly but do not provide any form of authentication or encryption. The problems with Critical Infrastructure are: old systems running old software, no authentication, no encryption, and poor or no network segregation. Some of the facts relating to process control systems were shocking: the average time for a successful attack to be detected is 18 months, anti-virus software is out of date, 75% of oil and gas installations have viruses, and the patching life cycle is 24 months. These are the issues which need to be resolved to ensure better protection of Critical Infrastructure.

This brings us up to lunch. Over the lunch break we had time to catch up with the rest of the audience and share our opinions on the industry and the talks so far. In part two of my blog we will look at the afternoon sessions.

Marek.


Wednesday 9 January 2013

Port Scanning the World


Or just “large sized networks”


Intro


In his spare time Tiago leads a Portuguese-based research team. Recently they have undertaken a research project to port scan the world. In this blog post Tiago takes a look at how they approached this and the key lessons learnt so far.

The overall aim of the project is to have an automated system that scans the entire world, with a super fast querying system that delivers a real-time dashboard of incoming scans.

The key difference between our project and previous attempts to scan the world lies in the collection, storage and interrogation of the data in conjunction with known exploits.

By combining the output with collected vulnerability data we can then deliver the following:
  • A list of vulnerable machines that we report to the different CERT teams / responsible parties.
  • A list of machines that have been compromised and have backdoors on them.
  • Statistical data on the countries with most vulnerable machines.
  • Statistical data on the services that are running out there.


Scope

The initial proof of concept and design used the IP range assigned to Portugal. This provided a discrete scope that was not too small, yet still manageable at around 5.8 million IP addresses.

Approach

To deliver this initial proof of concept we first had to identify the test population and then configure a suitable scan. Once we had the data, we then had to determine how best to analyse it. The following section outlines how we achieved this.

Information Acquisition and Service Decisions

Initially the team obtained all the CIDRs for Portugal. Acquiring this information was relatively easy, as the assigned range data can be obtained from RIPE's FTP server. We then converted these ranges into CIDRs using a set of scripts that will be published soon on the 7E github page.
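For illustration, a minimal sketch of that conversion (this is not the team's script; it assumes the standard delegated statistics file published on RIPE's FTP server, where each IPv4 record gives a start address and a count of addresses) could look like this:

import ipaddress

def delegated_to_cidrs(path, country="PT"):
    """Turn IPv4 allocations from an RIR delegated-stats file into CIDR blocks."""
    cidrs = []
    with open(path) as handle:
        for line in handle:
            if line.startswith("#"):
                continue
            fields = line.strip().split("|")
            if len(fields) < 5 or fields[1] != country or fields[2] != "ipv4":
                continue
            start = ipaddress.IPv4Address(fields[3])
            count = int(fields[4])                  # number of addresses in the allocation
            last = start + count - 1
            cidrs.extend(ipaddress.summarize_address_range(start, last))
    return cidrs

for network in delegated_to_cidrs("delegated-ripencc-latest"):
    print(network)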

We then determined which set of services we wanted to scan for. The services to be scanned were chosen by identifying the most common services where vulnerabilities are found, and ports that are frequently found open during security testing engagements.

The following table shows the ports and protocols that we decided to scan for.

ID   Port Number   TCP/UDP   Service
1    80            TCP       http
2    443           TCP       https
3    8080          TCP       http alternative
4    21            TCP       FTP
5    22            TCP       SSH
6    23            TCP       Telnet
7    53            UDP       DNS
8    445           TCP       Samba
9    139           TCP       Samba
10   161           UDP       SNMP
11   1900          UDP       UPNP
12   2869          TCP       UPNP
13   5353          UDP       MDNS
14   137           TCP       Netbios
15   25            TCP       SMTP
16   110           TCP       POP3
17   143           TCP       IMAP
18   3306          TCP       Mysql
19   5900          TCP       VNC Server
20   17185         UDP       VoIP
21   3389          TCP       Rdesktop
22   8082          TCP       TR 069


Scanning 

We then used Nmap to scan for the services and finally produced a SYN scan of Portugal. For the full trials and tribulations of making this happen, see Tiago's personal blog.


As you can see from the following screenshots, there was a huge amount of data created.






This provided us with more data than we could handle, so we needed to find a way to interrogate it. For this we built a web application that would let us query the data. After several iterations we finally settled on the following approach and used MongoDB rather than MySQL.
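As a hedged aside, the kind of query a document store makes easy looks like this with pymongo. The collection name and document shape below are invented for illustration, not the project's actual schema:

from pymongo import MongoClient

# Hypothetical schema: one document per scanned host, with an array of ports.
client = MongoClient("mongodb://localhost:27017")
hosts = client["portscan"]["hosts"]

# All hosts with port 21 open, most recently scanned first.
cursor = hosts.find({"ports": {"$elemMatch": {"port": 21, "state": "open"}}}).sort("scanned_at", -1)
for host in cursor.limit(10):
    print(host["ip"], [p["port"] for p in host["ports"]])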





Improvements

Analysing the Nmap scans, we noticed that the -sS scan was fast; however, -sV and DNS resolution were really slowing things down. So we decided to create a methodology for our port scans.
This was based on splitting the scan: first we completed a FAST scan against the IP range, then extracted the hosts that had ports open, and finally ran the SLOW part of the scan only against those open ports.

Phase 1
nmap -v --randomize-hosts -sS -iL CIDRS-PORTUGAL.txt -p 21 --open -n -PN -T5 --host-timeout 3000ms --min-hostgroup 400 --min-parallelism 100 --disable-arp-ping -oA PORT21-OPEN-TOBEFILTERED

Phase 1.1 – Filter IP addresses with open ports
cat PORT21-OPEN-TOBEFILTERED.gnmap | grep -w "21/open" | awk '{print $2}' > PORT21-OPEN

Phase 2
nmap -vvv -d -sV -p 21 -iL PORT21-OPEN -Pn -n --host-timeout 30s --disable-arp-ping --min-parallelism 100



Things worked much better with this process and scans were coming in fast and with consistent results. We then started importing more and more sources of information into our database, including vulnerabilities, exploits and some cuckoo sandbox results.

Next on the list for improvements was UDP scanning.

Nmap has a UDP scan mode. However, when we attempted to scan anything with it, it would run for weeks and weeks and never finish. UDP is picky: there are plenty of issues when scanning UDP, and plenty of references that explain why.


So we went back to our labs and started experimenting with other options, including Scapy. The following table shows the tests we did. These tests were for 1 IP and 1 port only.

Test            Lab time results   Internet time results
Nmap UDP mode   25s 506ms          41s 050ms
Scapy v.1       2s 702ms           2s 522ms


The script we wrote for Scapy was far faster and worked well. With this success we then proceeded to mass tests (1 port against 5.8M IP addresses) and these were the results:

Test        Time results   Notes
Nmap        4+ weeks       Never finished
Scapy v.1   1 week         Python+Scapy only
Scapy v.2   3 days         Python+Scapy+multithreading

We were very happy with these results, but it still wasn't at a point we were satisfied with, and we had reached the limit of our knowledge at the time when it came to mass UDP scanning. So we asked for some help on the twitterverse, and in came HD Moore to give us a hand. He sent us some of his code and explained how his UDP scanner worked. Using the same test approach, his scanner finished in 4 minutes and 45 seconds. However, this approach requires the tool to be preconfigured with sample UDP packets for each port to be scanned, whereas Scapy v.2 was capable of scanning all ports (more slowly, but still faster than Nmap!).
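For readers unfamiliar with the approach, the following is a minimal sketch of a single-host, single-port UDP probe in Scapy. It is illustrative only: it is neither the team's script nor HD Moore's scanner, and the choice of a DNS payload is simply one way to coax an answer out of a UDP service.

from scapy.all import IP, UDP, DNS, DNSQR, ICMP, sr1

def udp_probe(target, port=53, timeout=2):
    # Send a DNS query so the service has something to answer; an empty UDP
    # datagram is often silently dropped, which is one reason UDP scanning is slow.
    packet = IP(dst=target) / UDP(dport=port) / DNS(rd=1, qd=DNSQR(qname="example.com"))
    reply = sr1(packet, timeout=timeout, verbose=0)
    if reply is None:
        return "open|filtered"       # no answer: could be open or filtered
    if reply.haslayer(ICMP) and reply[ICMP].type == 3 and reply[ICMP].code == 3:
        return "closed"              # ICMP port unreachable
    return "open"                    # a UDP or application-layer reply came back

print(udp_probe("192.0.2.1"))        # 192.0.2.1 is a documentation address; replace as needed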

Key Points:

One of the key points we have taken from this is that tools are good, but you have to invest time and effort to tailor them to deliver the results you need. So next time you grab your security tool of choice, don’t just accept the way it works. Get coding and make it do what you need.

This is a brief overview of PTcoreSec's project and we have only covered a few of the key points in the process. As with any large project covering a new topic, it did not run as smoothly as this summary might suggest. To find out about the problems the team faced and how they overcame them, visit Tiago's blog.



Part Two:

Watch out for part two of this blog, in which we will analyse and explain all the different components of the scanning system. We will take a look at the different technologies used, how they work and how they come together into an automated system. This will enable you to conduct large-scale scans, store the data and, most importantly, query the data fast, and maybe just do this: