SSRF DoS Relaying and a bit more...

Similar documents
FTP e TFTP. File transfer protocols PSA1

SSRF pwns: new techniques and stories

Directory and File Transfer Services. Chapter 7

TOE2-IP FTP Server Demo Reference Design Manual Rev1.0 9-Jan-15

Internet Security [1] VU Engin Kirda

FILE TRANSFER PROTOCOL INTRODUCTION TO FTP, THE INTERNET'S STANDARD FILE TRANSFER PROTOCOL

TELE 301 Network Management. Lecture 17: File Transfer & Web Caching

Attacks and Defense. Phase 1: Reconnaissance

My FreeScan Vulnerabilities Report

Introduction on Low level Network tools

CS5008: Internet Computing

Solution of Exercise Sheet 5

1 hours, 30 minutes, 38 seconds Heavy scan. All scanned network resources. Copyright 2001, FTP access obtained

Firewalls. configuring a sophisticated GNU/Linux firewall involves understanding

Wharf T&T Limited DDoS Mitigation Service Customer Portal User Guide

Implementing Secure Converged Wide Area Networks (ISCW)

Abstract. Introduction. Section I. What is Denial of Service Attack?

TCP/IP Security Problems. History that still teaches

Networks and Security Lab. Network Forensics

This sequence diagram was generated with EventStudio System Designer (

Port Scanning and Vulnerability Assessment. ECE4893 Internetwork Security Georgia Institute of Technology

Lab 1: Packet Sniffing and Wireshark

During your session you will have access to the following lab configuration. CLIENT1 (Windows XP Workstation) /24

SY system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.

Denial of Service Attacks

Network Security - ISA 656 Firewalls & NATs

If you examine a typical data exchange on the command connection between an FTP client and server, it would probably look something like this:

Secure Software Programming and Vulnerability Analysis

MONITORING OF TRAFFIC OVER THE VICTIM UNDER TCP SYN FLOOD IN A LAN

WWA FTP/SFTP CONNECTION GUIDE KNOW HOW TO CONNECT TO WWA USING FTP/SFTP

Step-by-Step Configuration

How To Prevent DoS and DDoS Attacks using Cyberoam

Payment Card Industry (PCI) Executive Report 08/04/2014

Preventing credit card numbers from escaping your network

Payment Card Industry (PCI) Executive Report 10/27/2015

Networks & Security Course. Web of Trust and Network Forensics

File Transfer: FTP and TFTP

Configuring Security for FTP Traffic

BASIC ANALYSIS OF TCP/IP NETWORKS

CS 640 Introduction to Computer Networks. Network security (continued) Key Distribution a first step. Lecture24

Denial Of Service. Types of attacks

Professional Penetration Testing Techniques and Vulnerability Assessment ...

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

File Transfer Protocol (FTP) Chuan-Ming Liu Computer Science and Information Engineering National Taipei University of Technology Fall 2007, TAIWAN

Course Content: Session 1. Ethics & Hacking

SAFE-T RSACCESS REPLACEMENT FOR MICROSOFT FOREFRONT UNIFIED ACCESS GATEWAY (UAG)

Hands-on Network Traffic Analysis Cyber Defense Boot Camp

SNI Vulnerability Assessment Report

Firewalls and Software Updates

PCI Vulnerability Validation Report

2010 Carnegie Mellon University. Malware and Malicious Traffic

STATE OF WASHINGTON DEPARTMENT OF SOCIAL AND HEALTH SERVICES P.O. Box 45810, Olympia, Washington October 21, 2013

Payment Card Industry (PCI) Executive Report. Pukka Software

Introduction to Computer Security Benoit Donnet Academic Year

1. Firewall Configuration

Penetration Testing. What Is a Penetration Testing?

Chapter 4 Firewall Protection and Content Filtering

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Getting started with OWASP WebGoat 4.0 and SOAPUI.

Exercise 7 Network Forensics

Vulnerability Assessment and Penetration Testing

P and FTP Proxy caching Using a Cisco Cache Engine 550 an

Proxies. Chapter 4. Network & Security Gildas Avoine

Network and Services Discovery

Project Overview and Setup. CS155: Computer and Network Security. Project Overview. Goals of the assignment. Setup (2) Setup

Advanced Higher Computing. Computer Networks. Homework Sheets

Job Reference Guide. SLAMD Distributed Load Generation Engine. Version 1.8.2

Security Threat Kill Chain What log data would you need to identify an APT and perform forensic analysis?

Vulnerability Scan. January 6, 2015


Denial of Service Attacks. Notes derived from Michael R. Grimaila s originals

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 4 Finding Network Vulnerabilities

PTSv2 in pills: The Best First for Beginners who want to become Penetration Testers. Self-paced, online, flexible access

CMPT 471 Networking II

Frequent Denial of Service Attacks

E-BUSINESS THREATS AND SOLUTIONS

Firewall Defaults, Public Server Rule, and Secondary WAN IP Address

Steps for Basic Configuration

Transport Layer Protocols

TFTP TRIVIAL FILE TRANSFER PROTOCOL OVERVIEW OF TFTP, A VERY SIMPLE FILE TRANSFER PROTOCOL FOR SIMPLE AND CONSTRAINED DEVICES

Development of a Network Intrusion Detection System

Network Traffic Analysis

A Layperson s Guide To DoS Attacks

Web Application Security

Ethical Hacking as a Professional Penetration Testing Technique

Discovering passwords in the memory

Summary of the SEED Labs For Authors and Publishers

Web App Security Audit Services

April 11, (Revision 2)

File Transfer And Access (FTP, TFTP, NFS) Chapter 25 By: Sang Oh Spencer Kam Atsuya Takagi

ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD SEGURIDAD EN REDES. NIVEL I. VERSION 2.0

COMP 3331/9331: Computer Networks and Applications. Lab Exercise 3: TCP and UDP (Solutions)

Device Log Export ENGLISH

Topics in Network Security

EXTENDED FILE SYSTEM FOR F-SERIES PLC

Transcription:

Alexander Bolshev @dark k3y 15th DefCon Russia meeting March 27, 2013

; cat /dev/user Alexander Bolshev aka @dark k3y IS auditor @ Digital Security Ph.D. just another man with somecolorhat

Back to 199x: SYN- and connect- DoS attacks Half-opened DoS SYN Attacker Victim Full-opened DoS SYN Attacker Victim SYN + ACK SYN + ACK ACK more SYNs TCP only resources exhaustion, easy to defend...data... ACK TCP and service resource exhaustion, much harder to defend

Full-opened connection DoS Full-opened connection DoS is much more effective against target....but! Full-opened connection DoS with data exchange requires much more resources on attacker host. Full-opened connection DoS cannot be spoofed (in general case).

All you know what is SSRF(hopefully). Vulnerable Server SSRF Attacker Internal Target Classic SSRF attack scheme

Idea! We can relay connections with SSRF We can relay full-opened DoS with it!

But you can t just simply relay it... 1 2 You can t just simply DoS with pure SSRF. 1 [ ], but I couldn t resist to place this pic 2 sometime$ you can...

You can t just simply relay it... Why? Full-opened DoS attack with pure SSRF will be ineffective cos of: You should hold opened connection with the relay, while relay holds connection with the victim. Most protocols drops connection when you re using invalid format (HTTP && others). You re dependant on your host capacity, not on relay host capacity.

But we have FTP! Almost all SSRF-enabled technologies support FTP URI scheme. The FTP for relaying is interesting cos of: FTP has two connections between client and server: control and data. While control connection may be closed, data connection will exists till the end of transaction or timeout. FTP passive mode allow to exact specific remote port(!) and host (!!) for data connection.

FTP passive connection scheme FTP Client SYN, port 21 SYN + ACK FTP Server ACK protocol commands... PASV Passive mode (h,o,s,t,50,2) SYN, port 12802

Difference between PASV and EPSV PASV: EPSV: old version of FTP, allows to establish control connection to any host/port. modern versions of FTP, allows to establish control connection only to specific FTP server port. So we can t use PASV anymore?

We just can say that we didn t support it! 220 i58 FTP server ready. USER anonymous 331 Guest login ok, send your email address as password. PASS Java1.6.0_01@ 230 Guest login ok, access restrictions apply. TYPE I 200 Type set to I. EPSV ALL 500 Command not implemented, superfluous at this site. PASV 227 Entering Passive Mode (vic,tim,server,ip,0,80). RETR doc 150 Opening BINARY mode data connection for doc (99999 bytes).

Attack scheme Fake FTP Attacker (0) FTP PASV (2) 227 Entering Passive Mode (victimhost,victimservice) (3) SSRF (1) ftp://fakeftp/file FTP Data Conn (4) Victim Vulnerable Server

Attack inside wireshark Attacking HTTP server on remote host (46.4.x.x) with 192.168.200.138 relay using Fake FTP on 192.168.200.128.

Knowing technology features makes you stronger Technology Ability to relay DoS with FTP PHP Yes 1 curl Yes LWP Yes 1 Java 1.6.x Yes 1 Java 1.7.x Partially 1 2 ASP.Net No 3 Python Yes 1 DoS with FTP control connection available 2 only supports data connections to localhost and FTP server address. 3 but as always has a killer feature...

Java trying to defend: Fail! In Java 1.7.x devlopers tried to mitigate this feature by disabling data connections to any other hosts except FTP server. But they forgot to disable data connections to localhost!

ASP.Net: Much More FAIL. ASP.Net don t support PASV command. Only EPSV...but..!... when an XXE injection is executed, control FTP connection to the remote host is established in any case. This connection is sustained after the termination of the SSRF attack connection.

Possible mitigations On administrators side: Disable ALL non-established outgoing TCP packets from host (on ALL ports, even on TCP). Hard to do, more problems, much pain. On developers side: Don t make mistakes that lead to SSRF. (cap is laughing here) On vendors side: Disable PASV command at all (because there are no more FTP servers that don t support EPSV). But to it in another way than Oracle and Microsoft.

Back to 199x again: other funny stuff (not mine) There re more techniques that exploits the client side of SSRF: libcurl SASL buffer overflow vulnerability (by Volema, see CVE-2013-0249) 1 port scanning like FTP BOUNCE (hello, Fydor!) but with SSRF (several whitepapers on the internet) and more (google for Vladimir Vorontsov SSRF Bible cheatsheet ) 1 http://curl.haxx.se/docs/adv_20130206.html

More fun some bombs and ldap freeze Another cool stuff to do: gzip bombs in PHP and LWP (PHP didn t support gzip-compression in HTTP, but... FAIL! compress.zlib://http:// and zlib://http:// are your friends). Have you ever tried to search the base DN with a filter of userid=* (or similar) with a SORT on userid on LDAP server with 10k users? DoS on client side and freeze on server side: double strike!

; lookman SSRF DoS Relaying article: http://habrahabr.ru/company/dsec/blog/171549/ [RUS]

; thanksgiving Thanks to: Alexander Polyakov aka @sh2kerr for the idea Vladimir Vorontsov aka @d0znpp for the SSRF Bible cheatsheet Fedor Savelyev aka alouette for some good thoughts about PHP defcon 7812 :)

Q & A Questions?

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information