HTTP smuggling & splitting attacks

Discussion in 'privacy problems' started by pandlouk, Jun 18, 2009.

Thread Status:
Not open for further replies.
  1. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,566
    I opened this new thread to answer some of the questions raised here.
For preventing some of the consequences of those attacks, take a look here.

    And I agree with LowWaterMark.
    The other thread reminded me of Matrix (the films). :p

    Panagiotis
     
  2. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,566
Microsoft Debugging Tools for Windows will do the job fine.

Your RAM problems are a BIOS configuration issue or a hardware issue with the RAM.
    I had some problems with XP SP3 and hardware DEP enabled. "ntoskrnl.exe" buffer overflows caused BSODs.

No, they do not "jump" unless they are intentionally made for causing buffer overflows or are badly written. In both cases they will lead to system instabilities, crashes, BSODs. Do not worry about this.

    Panagiotis
     
  3. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,566
1. As I said earlier, it is very, very difficult to identify and prevent. Snort or other IDS can help (a little).

2. You should not worry much about these attacks. You should worry most about the redirections, which can compromise your sensitive data. Clearing your browser cache and cookies and closing your browser before important activities nullifies the danger.
    They can become more of a danger in the future with cloud OSes, programs, etc.

A layer 7 DPI hardware firewall helps, but only a little. Anyway, if you are interested take a look at cfosspeed. It plays well with every other firewall and adds an extra layer of security (it has an inbound firewall only), and recently they added an ipfilter/ipblocker. And it is a lifetime license (I have 2 licenses from 2005).
    It will prevent the drive by downloads. Not the overflows or the redirections.

    Panagiotis
     
  4. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    My Windows system was infected with a few things. I wiped. I've been spinning a Live CD until I decide what I want to install.
    Something kept loading into RAM. Turns out it was coming from/through the router.
    There were sites I couldn't visit.
    Seems to be clear after router reset and reconfigure, 24hrs now.

    For Linux, P-town's CITP has Memory imaging tools.
    http://citp.princeton.edu/memory/code/

    http://www.owasp.org/index.php/Testing_for_HTTP_Exploit

    If these attacks target Web Servers how is Average Joe Surfer at risk?

    Do these attacks depend on what type of web server is running?
IIS; Apache; Lighttpd
     
  5. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
  6. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Here is a list of some vulnerable applications.
    http://www.securityfocus.com/bid/13873

    Are there any other lists of vulnerable applications?

Securiteam info is very similar to OWASP in my link.
    I also perused the document about how an attacker can get feedback while executing the attack. Normally there is no feedback.

    It is all very interesting.
     
  7. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Attn. Searching etc.

    Found these the other day which you and others might find useful. If anybody uses them please let us know your impressions.

    http://win32dd.msuiche.net/

    MDD is a physical memory acquisition tool for imaging Windows based computers created by the innovative minds at ManTech International Corporation. MDD is capable of acquiring memory images from Win2000, XP, Vista and Windows Server.

    http://www.mantech.com/msma/mdd.asp
     
    Last edited by a moderator: Jun 20, 2009
  8. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
HIPS can prevent or mitigate further intrusions put forth by buffer overflows, and you can couple that with other buffer overflow protections. The HIPS chosen should hook deep enough into the kernel and not just userland, should have wider coverage, and hopefully should record command-line parameters. In short, it should not be bypassable.

    see posts by Rmus on this thread: link... https://www.wilderssecurity.com/showthread.php?t=210430&highlight=buffer overflow
     
    Last edited: Jun 19, 2009
  9. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
Interesting, but I disagree with the buffer overflows though. There are a few good HIPS around which monitor memory and every app's individual memory space, protecting every running app from buffer overflow and remote code.


You say to nullify the danger of redirection to clear cookies and cache and to restart the browser. But what about if cache and cookies are disabled, like in my setup? Would this nullify and stop the attack in the first place?


Also, an interesting statement from this site:
    http://www.owasp.org/index.php/Testing_for_HTTP_Exploit

    Quote
    A successful exploitation of HTTP Splitting is greatly helped by knowing some details of the web application and of the attack target.

The admuncher proxy has the ability to change/hide the user agent. When I surf websites they think I am using opera.exe, when in fact I use Firefox. I wonder how much protection this would give??
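The OWASP quote above concerns HTTP response splitting, which comes down to a server copying attacker-controlled text containing a CR/LF sequence into a response header. The following is an added example, not code from any poster in this thread and not from the OWASP page, written from the server-side defender's view: it shows how a redirect built by naive string concatenation is parsed by a client as two headers, and how a validation step refuses such a value. All function names and the constructed sample URLs are assumptions for illustration.

```python
import re
from urllib.parse import quote

# Constructed sample inputs (not taken from the thread): a benign redirect
# target and one that carries a CR/LF sequence followed by a second header.
BENIGN_TARGET = "https://example.com/account"
CRLF_TARGET = "https://example.com/\r\nSet-Cookie: session=injected"

# CR, LF and NUL must never appear inside a single header value.
_CTL = re.compile(r"[\r\n\x00]")


def validate_header_value(value: str) -> str:
    """Reject any header value containing CR, LF or NUL.

    Rejecting is preferable to silently stripping: a stripped value may still
    point somewhere the application never intended to send the user.
    """
    if _CTL.search(value):
        raise ValueError("control character in header value")
    return value


def build_redirect(target: str, strict: bool = True) -> bytes:
    """Build a minimal 302 response whose Location comes from `target`.

    strict=False reproduces the unsafe pattern (raw concatenation of an
    unvalidated value); strict=True validates and percent-encodes it first.
    Modern HTTP libraries perform the same refusal, but application code that
    writes raw headers itself has to do it explicitly.
    """
    if strict:
        target = quote(validate_header_value(target), safe=":/?&=#%")
    lines = [
        "HTTP/1.1 302 Found",
        f"Location: {target}",
        "Content-Length: 0",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("latin-1")


def parse_headers(raw: bytes) -> dict:
    """Parse the header block the way a simple client would: one header per CRLF line."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


if __name__ == "__main__":
    # Unsafe path: the injected CRLF yields an extra Set-Cookie header.
    print(parse_headers(build_redirect(CRLF_TARGET, strict=False)))
    # Hardened path: the same input is refused before any bytes are written.
    try:
        build_redirect(CRLF_TARGET)
    except ValueError as exc:
        print("rejected:", exc)
    print(parse_headers(build_redirect(BENIGN_TARGET)))
```

The parser is deliberately simple so the effect is visible: with `strict=False` the client-side dictionary gains a `set-cookie` entry the application never set, which is the whole point of the OWASP warning; with `strict=True` the request is refused before a response is written.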
     
  10. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,566
    @trismegistos & arran
HIPS cannot prevent buffer overflows. Yes, they can help in blocking some actions caused by them, like drive-by downloads, etc.; and so can software restriction policies.

For the moment the best protection against buffer overflows is address space layout randomization (ASLR). Executable space protection (for example DEP) can help further.
    All of these make the exploitations caused by buffer overflows more difficult to trigger, but they cannot prevent the memory overflows.

    Commonly speaking they cure some of the symptoms but not the disease.

    Panagiotis
     
  11. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
Exactly; that's why what I said was that HIPS can prevent further intrusions put forth by buffer overflows, and I failed to add the phrase "doesn't prevent buffer overflows".

Buffer overflows are just the first step in a typical attack to gain remote access to a system. Once remote access is gained, attackers usually clean the logs, trojan the system and install rootkits. The latter steps are the further intrusions prevented by HIPS.

    Regarding DPI... another point of view: http://www.securityfocus.com/infocus/1817

    Thanks for the input, by the way.
     
    Last edited: Jun 20, 2009
  12. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
What I don't understand is that it is recommended to use https whenever possible. So what do you do? Just add the "s" manually? (I'm sure that sounds like a silly question to most here, but I truly do not know.) And just so I am clear, https is creating an encrypted connection between you and the website? Is this correct?
     
  13. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,566
    -Actually, adding the "s" manually is one way to do it. :)
    (not all sites support https)
    -Correct.

    Panagiotis
     
  14. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
Pandlouk, you say to nullify the danger of redirection to clear cookies and cache and to restart the browser. This indicates that for the attack to succeed it requires cache and cookies.

But what about if cache and cookies are disabled, like in my setup? Would this nullify and stop the attack in the first place?
     
  15. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,566
I already said that I do not have very good knowledge of these attacks, so I cannot really answer your question. :doubt:

    Panagiotis
     
  16. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    [joke]
    I don't think this will work, but OK.

    Desperately seeking l337 h4x0r
    For long term friendship
    Must be willing to hand hold and spoonfeed.
    I enjoy staring at a computer screen and the occasional infection.
    [/joke]

    Thanks for the links they have all been very informative. This is an amazing time for vulnerabilities.

    I wonder if this is along the lines of what Manuel Caballero discussed in "A Resident in My Domain". Also featured on sirdarckcat's blog in the article "Browser's Ghost Busters".
     
  17. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    wtf are you on about??
     
  18. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
Those cross-browser exploits and vulnerabilities are no different from "Clickjacking" using iframes and JavaScript, or just iframes only.
    http://www.gnucitizen.org/blog/ghost-busters/
    http://hackademix.net/2008/09/27/clickjacking-and-noscript/

NoScript or a NoScript alternative like Kye U's Andrew's Security filters for Proxomitron, which works on non-Firefox browsers as well, can protect you from those.

While for buffer overflow vulnerabilities from targeted attacks as well as from most malware, a strong HIPS can mitigate further advances and intrusions. Though HIPS can't prevent the initial actual buffer overflow used to gain remote access to your system, the next steps, like cleaning the logs, trojanning the system and the installation of rootkits, can be prevented.

So even an unpatched OS, completely free from the update vicious cycle, can be malware- and attack-free by using buffer overflow protections, a stateful firewall, good browser security and privacy measures and HIPS.
     
  19. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Depending on the particular exploit, a HIPS may well prevent gaining access where a malware executable is involved.

    In the recent PDF exploits, buffer overflow vulnerabilities in the Acrobat Reader were used by specially crafted PDF files to trigger the download of the malware. Here is one:

    The trojan load.exe would be blocked by a HIPS or similar:

[image not available]



    ----
    rich
     
  20. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
It's funny you say that, because one day I will be going to Russia and I intend on doing just that; first I will be challenging them to hack into my PC on the net.

Where would you get hold of Kye U's Andrew's Security filters??
     
  21. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    [joke]
    On an AMD 64x2 Turion processor with 2 gigs of RAM.
    Why do you ask? :D
    [/joke]

Caballero's talk was not released, and sirdarckcat surmised what the talk was about for his exploits.
    But if you say it is clickjacking I will say OK.
     
  22. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,794
    Location:
    Texas
  23. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365