1 / 23

Off-Path Attacking the Web

Yossi Gilad and Amir Herzberg Computer Science Department, Bar Ilan University. Off-Path Attacking the Web. Oscar: the Off-Path Attacker. Bob, I leave you! Alice. 4.4.4. Off-path Oscar 6.6.6.6. 1.1.1. 6.6.6. 3.3.3. Alice 2.2.2.5. 2.2.2. 5.5.5. Bob 3.3.3.7. Bob,

geri
Download Presentation

Off-Path Attacking the Web

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Yossi Gilad and Amir Herzberg Computer Science Department, Bar Ilan University Off-Path Attacking the Web

  2. Oscar: the Off-Path Attacker Bob, I leave you! Alice 4.4.4 Off-path Oscar 6.6.6.6 1.1.1 • 6.6.6 • 3.3.3 Alice 2.2.2.5 • 2.2.2 • 5.5.5 Bob 3.3.3.7 Bob, I love you! Alice

  3. Why Off-Path Attacks? • Why not MitM (Eavesdropper)? • Harder: physical access or control router • Can Oscar spoof IP packets? • Often not: most ISPs ingress-filter • But enough ISPs don’t (18%-22%) • What of challenge-response Defense? • Correct use of challenge-response suffices • But: Often, challenge-response used incorrectly • Since used for other purposes, e.g., in TCP for SEQ/ACK • This work: Off-Path TCP Injection • Allows XSS, phishing and more…

  4. Related Work • Predictable ISNs: Morris85, Mitnick95, Zalewski01,05 • Address-based client authentication vulnerable [Bellovin89] • `PoC’ for Windows clients: klm07 • We improve (FW, efficiency), extend to exploit • QianMao12, QMXie12: (limited) malware • QM12: Also assumes seq#-checking-fw • Does not work for Windows clients

  5. Attack Scenario and Goal • Alice surfs to Oscar’s site • Alice’s browser runs Oscar’s script (puppet) • Puppet sends HTTP requests to Bob • Oscar injects response into the connection between Alice and Bob (est. by the puppet) 3. Script opens (hidden) frame of Bob.com • Internet 1. Surf toOscar.com 4. Inject (e.g., script) as content from Bob 2. Send page with script

  6. Attack Goal and Scenario • Alice’s browser assigns Oscar’s spoofed response with context of `Bob’ • Can contain script: cross site scripting (XSS) • Request objects: cross site request forgery (CSRF) • Spoof a web-page, response may be cached

  7. What Do We Need? Grocery List • Task #1: identify the `victim-connection’ between Alice and Bob • Spoofed data needs to correspond with a real connection • Task #2: learn sequence numbers • TCP discards packets with invalid seq # • Task #3: exploit • Send (spoofed) data in correct HTTP context • Browser assigns data the credentials of server (Bob)

  8. Attack and Talk Overview • Learn connection identifiers (IPs:ports) • Learn server’s sequence number • Learn client’s sequence number • Exploit(s): • XSS • CSRF • Phishing • Conclusions

  9. Identify Victim-Connection • A TCP connection has four Identifiers: • <ServerIP:port, ClientIP:port> • Puppet opens connection to Bob (server) • ServerIP:port selected by puppet (attacker) • Client IP: known from client connection to Oscar • Client port: sequentially assigned… [Windows] • Not sequential? See [GH PETS’12]

  10. Finding Server Sequence Number • TCP sequence numbers are 32-bits • that’s too long to guess • Need to learn the sequence #. How? • Use TCP responses to probe packets • Empty-ACK packets provide useful response: • If seq# out of WIN: send ACK • to re-sync • If seq# is in WIN: no response • to avoid `ACK storm’

  11. Finding Server Sequence Number • How to detect if response is sent? • Use IP-ID side channel • IP-ID: 16 bit identifier in IP header • Used to correctly reconstruct packet from fragments • In Windows: implemented as a global-counter • One connection (to Oscar) leaks info about another! • Old trick: NMAP’s idle-scan, Bellovin machine-count,…

  12. Finding Server Sequence Number • Puppet opens connection to server • Oscar sends query-probe-query: • Query: unordered 1-byte packets  ACK (ipid) • Probe (srcIP = server): empty-ACK with seq# =i∙w • w is estimate of WIN size • Found  binary search finds exact seq#

  13. Attack and Talk Overview • Learn connection identifiers (IPs:ports) • Learn server’s sequence number • Learn client’s sequence number • Exploit(s): • XSS • CSRF • Phishing • Conclusions

  14. Finding Client Sequence Number • Already know server seq# (and IPs, ports) • This should have been enough to inject (according to TCP spec) • But Windows implementations (as of XP SP2) also validate the ack number of packets • The valid ack# is the client’s seq#

  15. Finding Client Sequence Number • To find client seq#: send pkt w/ data • With server’s IP:port, correct seq# • TCP’s handling depends on ack# • For Windows clients: • Silently discards pktwith `old` ack number • Otherwise: send ACK • Leaks: ack#>UNA • Binary search… Windows: silently discard RFC: Process (often, ack) UnAcked Process Next Discard and send duplicate Ack

  16. Attack and Talk Overview • Learn connection identifiers (IPs:ports) • Learn server’s sequence number • Learn client’s sequence number • Exploit(s): • XSS • CSRF • Phishing • Conclusions

  17. Exploiting Injections: XSS, CSRF • Cross Site Scripting (XSS): cause browser to run MalScript in context of victim.com • Typical XSS: exploit bug in site or browser • Off-path-injected XSS: no need for vulnerable site/browser! • Script can post fake HTTP requests (CSRF)

  18. Exploiting Injections: XSS, CSRF • Cross Site Scripting (XSS): cause browser to run MalScript in context of victim.com • Typical XSS: exploit bug in site or browser • Off-path-injected XSS: no need for vulnerable site/browser!

  19. XSS Exploit: Results • Top 1024 sites, 10Mb win clients, 1Mb Oscar • Average 32 pkts/s `noise` • Immune sites: mostly SSL or non-persistent

  20. Phishing by Injection • Off-path XSS, CSRF may fail: • To collect user-entered data, e.g., passwords • Esp. if site uses SSL for passwords • Alternative: phish / deface ! • Change contents: steal PWDs, push malware… • Cache spoofed page • at local browser or network proxy • User receives the spoofed page when he/she expects real page

  21. Phishing by Injection • Off-path XSS, CSRF may fail: • To collect user-entered data, e.g., passwords • Esp. if site uses SSL for passwords • Alternative: phish / deface ! • Change contents: steal PWDs, push malware…

  22. Conclusions • TCP may not be secure against off-path attackers! • Use `real’ security: SSL/TLS, IPsec, etc • Attacks may be improved, abused further…

  23. Thank You! • Special thank you to CPIIS for supporting my research • Questions?

More Related