Injections!

Injections! Gavin Miller @gavingmiller gavinmiller.io

Cisco Advanced Malware Protection (AMP)

I am wary of software security advice that leads with
"don't trust user input", or revolves around "validate user input". That principle has been the core of software security strategy for going on 20 years, and has bought us very little. In the real world, we have to start by acknowledging that the verb "trust" is situational, and that in some circumstances virtually all user input is "trusted" somehow. You could phrase this less tactfully as "Validate user input? No shit? Now what?" - Thomas Ptacek Source: https://news.ycombinator.com/item?id=3940286

Goals •  Exploit Situational Trust •  Examine in-use injection attacks
•  Could we be breached like that?

Injection Attacks 1.  CSV Injection 2.  XML Injection (aka XXE)

CSV INJECTION

CSV Injection •  Occurs when untrusted input is embedded into
CSV files •  Then when a spreadsheet program like Excel, OpenOffice, or Google Spreadsheets opens the file, the payload executes •  First published discovery: – Jan 2013 •  Most recent work: – Oct 2017 Source: https://www.owasp.org/index.php/CSV_Injection

How To Perform •  =cmd|' /C calc'!A0 •  Launches Calc

Does Excel Warn the User?

Does Excel Warn the User? •  Yes

Doesn't Excel Warn the User?

Does Excel Warn the User? •  Yes

Does Excel Warn the User? •  Yes, but …

Habituation: a dramatic drop in the visual processing centers of
the brain after only the second exposure to a warning, with further decreases with subsequent exposures Source: https://neurosecurity.byu.edu/chi_fmri_habituation/

Does Excel Warn the User? •  Yes, but …

Impact •  Exploit vulnerability in the spreadsheet software. EG: CVE-2014-3524
•  Exfiltrating contents from the spreadsheet, or other open spreadsheets. •  Pop a Shell

"Not A Problem" ... Google thinks this isn't something we
are in the best position to fix or that would have sufficient impact on our users or products security Source: https://sites.google.com/site/bughunteruniversity/nonvuln/csv-excel-formula-injection

AlphaBay Disagrees Source: https://www.thedailybeast.com/this-is-how-cops-trick-dark-web-drug-dealers-into-unmasking-themselves

AlphaBay Disagrees <Relationship Id="rId5" Type="http:// schemas.openxmlformats.org/officeDocument/2006/relationships/ image" Target="http://217.182.159.33:9998/img/ xxxxxxxxxxxxxxxxxxxxxxxxxxxx/logo/logo.png" TargetMode="External"/>
Source: https://www.thedailybeast.com/this-is-how-cops-trick-dark-web-drug-dealers-into-unmasking-themselves

Mitigation Filter out "=" when exporting to CSV

Doesn't Excel Warn the User?

Filter Evasion =cmd|... =0-cmd|... =(cmd|...) "=cmd|..." ""=cmd|... -cmd|... +cmd|... @sum(cmd|...)
%0A-2+3+cmd| Sources: https://www.slideshare.net/exploresecurity/camsec-sept-2016-tricks-to-improve-web-app-excel-export-attacks https://bugzilla.mozilla.org/show_bug.cgi?id=1263581 https://bugzilla.mozilla.org/show_bug.cgi?id=1259881

CSV INJECTION DEMOS

Mitigation (for realz!) •  Blacklists are always changing (and usually
bypassable) – Create a strict whitelist •  Strip exports aggressively (whitelist) – Input validation blacklists may not be robust – Easier/Cheaper/Better to support bugs (legit use cases) than compromised users •  If you have to: ^\W.+\(.+\) Source: https://www.slideshare.net/exploresecurity/camsec-sept-2016-tricks-to-improve-web-app-excel-export-attacks

Further Reading/Research •  CSV –  https://www.slideshare.net/exploresecurity/camsec-sept-2016-tricks-to-improve-web-app-excel- export-attacks –  https://www.owasp.org/index.php/CSV_Injection – 
http://georgemauer.net/2017/10/07/csv-injection.html •  DDE –  System that allows CSV injection to work –  https://sensepost.com/blog/2016/powershell-c-sharp-and-dde-the-power-within/ –  https://msdn.microsoft.com/en-us/library/windows/desktop/ms648774(v=vs.85).aspx

XML INJECTION (XXE)

XXE •  An attack against XML parsers that attempts to
get the parser to execute a malicious payload resulting in information disclosure, or service disruption. Source: https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing

XXE •  The XML standard provides a means of removing
repetition via entities. – Basically variable interpolation with access to system functions

Entities •  Two types of entities: – General Entity – Parameter Entity

General Entity

Parameter Entity

Attacks – DoS via Recursion

Attacks – DoS via Large File

Attacks – DoS via Billion Laughs

Attacks – Server Owned

Server Owned •  Can be easy or really difficult • 
Trouble is exfiltrating (exfil) data

Exfil Nieve

Exfil via Error Response Source: https://blog.netspi.com/forcing-xxe-reflection-server-error-messages/

Exfil via PHP/base64 Source: http://www.informit.com/articles/article.aspx?p=24992&seqNum=5

Exfil via CDATA Source: https://web-in-security.blogspot.ca/2016/03/xxe-cheat-sheet.html

Exfil via FTP Source: https://gist.github.com/staaldraad/01415b990939494879b4

Exfil via DNS

In The Wild •  Paypal –  https://seanmelia.files.wordpress.com/2015/12/paypal-xxe-doc.pdf •  Twitter – 
https://hackerone.com/reports/248668 •  Uber –  https://hackerone.com/reports/154096 •  Google –  https://blog.detectify.com/2014/04/11/how-we-got-read-access-on-googles-production-servers/

Mitigations •  Disable: – Doctype Declarations – Loaded External DTD – External Generated
Entities – External Parameterized Entites •  Remove PHP (aka unneeded software) Source: https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet

XML INJECTION DEMOS

Further Reading/Research •  General Info: –  https://www.owasp.org/images/5/58/XML_Based_Attacks_-_OWASP.pdf –  https://www.vsecurity.com/download/papers/XMLDTDEntityAttacks.pdf • 
Payloads: –  https://web-in-security.blogspot.ca/2016/03/xxe-cheat-sheet.html –  https://gist.github.com/staaldraad/01415b990939494879b4 –  Google XXE Cheatsheet

Thanks :) Make good decisions @gavingmiller gavinmiller.io

Injections!

Injections!

More Decks by Gavin Miller

Other Decks in Programming

Featured

Transcript