Tuesday, August 14, 2007

Scanning with Flash

Thanks to Rsnake I learned of a proof of concept for Flash scanning.



I had to enable Javascript and have Adobe Flash installed. I used Firefox within Ubuntu 6.10. In the traffic you can see my host sending the following after finishing the three way handshake.

09:31:34.348028 IP 192.168.2.8.44235 > 10.1.13.4.21:
P 1:24(23) ack 1 win 1460
0x0000: 4500 004b 1f24 4000 4006 41d4 c0a8 0208 E..K.$@.@.A.....
0x0010: 0a01 0d04 accb 0015 f31e fbd2 a8ce 608e ..............`.
0x0020: 8018 05b4 df9f 0000 0101 080a 0018 e4f5 ................
0x0030: ea84 369b 3c70 6f6c 6963 792d 6669 6c65 ..6. 0x0040: 2d72 6571 7565 7374 2f3e 00 -request/>.

More to come, I'm sure.

On a related note, read Same-Origin Policy Part 1: Why we’re stuck with things like XSS and XSRF/CSRF by Justin Schuh and XSRF^2 by Dan Kaminsky.

12 comments:

Adam said...

Pretty cool. I see what you mean when you said the Web browser is the new operating system...

Tyop? said...

I prefer to play with DNS Spoofing...
(^-^)

Abounasr Imad said...

hi richard,

I use the link to see my opened port and I see that a lot of my ports are open.
I use a Netgear wifi Router. is that normal ?

Imad.

Steven Andrés said...

Also worth checking out is the draft paper from some smart guys at Stanford (http://crypto.stanford.edu/dns). To prevent abuse, they require that you apply for an account before using it. I applied and was granted one within 12 hours of my original request. May be interesting to check out, Richard.

dre said...

Network security is dead. Don't bother learning application security - just drop out of the industry please.

Case example: Dan Kaminsky talking about CSRF (it's CSRF not XSRF please - how else am I going to pronounce it `sea-surf'?).

He just doesn't get it. CSRF doesn't need a password. That's why we call it session riding. That's why Microsoft coined it as the one-click attack (with the zero-click attack variant). He doesn't even understand DNS rebinding.

Also there are plenty of ways of protecting against DNS rebinding, XSS, CSRF, and Ajax attacks that cross the same-origin policy.

Not surprisingly, TAOSSA also presented a unique solution the problem, but there is no working code for this (or content-restrictions) as of yet.

While LocalRodeo, NoScript, and forcing SSL are great ideas in theory - in practice there are still plenty of ways to get around these Firefox add-ons because Firefox does not pass the web application hacker sniff test. It probably never will. IE7, Opera, and Safari are no better (they're, in fact, usually quite worse).

My suggestion is to use a browser that does not support Javascript, Java, or Flash - and that has been through complex code review, Fagan inspection, and is well tested. Links or ELinks (Elinks has some Javascript support) are good candidates, as is the command line utility, curl. I trust Lynx or wget less than the above mentioned tools, although lynx's lack of Javascript does make it a safer browser than any of the very popular ones out there. Also - Links and ELinks can utilize images properly.

In this article from gnucitizen, Tim Brown mentions in the comments that signed code (Javascript and Java) appears to be a sufficeable long-term solution.

Richard Bejtlich said...

Dre,

"Network security is dead. Don't bother learning application security - just drop out of the industry please."

Who are you addressing?

dre said...

Richard -

Whoever has been contributing to the myth that firewalls and IPS devices (or NAC, UTM, scan and patch, etc) protect against adversaries.

I know it sounds like I may be trying to harsh on you or Kaminsky - and while there is some truth to that - I really do like you guys and what you have to say. It's just that well, you're both a little late to the game and I'm disappointed.

What I'm really talking about are the new trends in information security and how these apply to the "old guard".

Also see anything and everything ever written by Marcus Ranum.

Richard Bejtlich said...

Dre,

I hope you don't think I'm contributing to that myth. I just posted two stories from Black Hat on the same subject.

As far as being "late to the game," sorry I'm not 31337 enough for you. Maybe if you blogged a little more often I would learn something?

I try to share a few thoughts here, while doing full time work that is not "security research." It must be fun to be paid to break things and live on the public edge, but the majority of us are too busy protecting customer assets with whatever our "old guard" minds can manage.

If you're "disappointed" then you're free to read someone else's blog.

dre said...

@ Richard: Yes, you're right. I was being a jerk about it.

It's not you that I'm trying to attack; it's mostly the vendors - which you are not. Any "defense-in-depth mantra" network security professional trying to defend customer assets does need to learn that what the vendors sell are not security products, but instead ways of stealing money. You're being lied to and you don't know it.

The snake-oil that comes out of selling security as a product is a huge problem that we are facing. We all have to change our minds and attitudes. I'm not trying to say that I'm better than you because "I've figured some of this out". In fact, I see it as quite the opposite. I still see network security professionals, network security vendors, pen-testers, and AV vendors as thinking that they are the 31337. The attitude that I still get from these folks is that they are above developers - that they know security best - that they know more about security than anyone else.

Maybe "disappointed" was the wrong word. Maybe "jaded" is a better one?

Richard Bejtlich said...

Hi Dre,

Ok, that's cool. I agree with what you said just now. I'm serious about you blogging more though. :)

dre said...

@ Richard: Heh. Yeah I apologize for coming off as intentionally mean.

Isn't blogging just as much about blog comments as it is about the blog entries? So by that theory - I do blog a lot.

Unfortunately, Google Reader doesn't include comments in their scraping routines.

Tyop? said...

He can.
Comment's feed