web application security lab

Inter Protocol Exploitation

Wade sent me a link to a paper he’d written on Inter Protocol Exploitation. If that sounds vaguely familiar, it’s because it is. We have been talking about the idea on and off for a while now, specifically the JavaScript spam technique and the IMAP3 XSS. This time he does a good job of explaining not just how to get a service to execute a function or error out, but specifically how to run buffer overflows against servers using XSS. Yes, you heard me.

In the paper he first walks through a theoretical buffer overflow against a tiny C program listening on an open socket. Interesting, but still theoretical. Then he whips out a working buffer overflow for an Asterisk (VoIP) server. Wow! So add buffer overflows to the list of things we can now do against servers with XSS and intranet hacking. It’s the first time MetaSploit and XSS have really met on the same proving grounds. This gives credence to something Jeremiah’s been saying for a while: JavaScript is the new shellcode. Well, maybe not the new shellcode, but definitely the transmission mechanism for the shellcode! Very cool paper, and I highly recommend the read.
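As an added defender-side illustration (not code from the post or from Wade’s paper): whichever browser trick carries it, a browser-delivered payload always arrives at the non-HTTP service wrapped in an HTTP request, so the receiving service is where such traffic can be refused. The C below, with assumed names and constructed samples (SIP-style VoIP signalling is the assumed legitimate traffic), shows a bounded first-line reader for a text-based listener that rejects HTTP-framed input and never copies past its buffer.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define LINE_CAP 256   /* hard bound on one protocol line; the unsafe pattern has no such check */
enum verdict { INPUT_OK = 0, INPUT_HTTP = 1, INPUT_TOO_LONG = 2 };
/* Copy the first line of 'in' (inlen bytes, not necessarily NUL-terminated) into 'out'
 * (capacity outcap) without overrunning it, then report whether it is an HTTP request line. */
enum verdict check_first_line(const unsigned char *in, size_t inlen, char *out, size_t outcap)
{
    size_t n = 0;
    while (n < inlen && in[n] != '\r' && in[n] != '\n')  /* find end of line, trusting nothing */
        n++;
    if (n >= outcap) {                                    /* would have overflowed a fixed buffer */
        out[0] = '\0';
        return INPUT_TOO_LONG;
    }
    memcpy(out, in, n);
    out[n] = '\0';
    /* HTTP request lines end in "HTTP/1.0" or "HTTP/1.1"; SIP lines end in "SIP/2.0", so
     * matching the method name alone (POST, INVITE, ...) would misfire on VoIP traffic. */
    const char *sp = strrchr(out, ' ');
    if (sp && strncmp(sp + 1, "HTTP/1.", 7) == 0 && isdigit((unsigned char)sp[8]))
        return INPUT_HTTP;
    return INPUT_OK;
}

enum verdict classify(const char *msg)   /* wrapper for NUL-terminated samples */
{
    char line[LINE_CAP];
    return check_first_line((const unsigned char *)msg, strlen(msg), line, sizeof line);
}

enum verdict classify_run(char c, size_t len)   /* a line of 'len' copies of 'c': shows the bound */
{
    char buf[LINE_CAP * 2], line[LINE_CAP];
    memset(buf, c, len = len > sizeof buf ? sizeof buf : len);
    return check_first_line((const unsigned char *)buf, len, line, sizeof line);
}

/* Constructed samples (not captured traffic): a browser form post as it arrives at a
 * non-HTTP listener, and a SIP request of the kind a VoIP server expects. */
static const char browser_post[] = "POST / HTTP/1.1\r\nHost: 10.0.0.5:5060\r\nContent-Type: multipart/form-data\r\n\r\n";
static const char sip_invite[] = "INVITE sip:100@10.0.0.5 SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.0.9\r\n";

int main(void)
{
    printf("browser post -> %d, SIP INVITE -> %d, 300 x 'A' -> %d\n", classify(browser_post), classify(sip_invite), classify_run('A', 300));
}
```

Verdicts 1 and 2 are the two things a listener should log and drop; only 0 reaches the protocol parser.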

12 Responses to “Inter Protocol Exploitation”

  1. Wladimir Palant Says:

    Are you sure this is theoretical? See http://www.microsoft.com/technet/security/bulletin/ms07-019.mspx - not sure whether you can send this special HTTP request with a browser however.

  2. beNi Says:

    Evil.. Waaaah! XSS is getting worse, and the bad thing is: Web2.0 is pretty pretty insecure as you all know.

  3. /nul Says:

    JS as shellcode? Maybe… in any case, JS for sure helps create reliable heap overflows in Windows. Just look at Heap Spraying and Heap Feng Shui.

    http://www.determina.com/security.research/presentations/bh-eu07/bh-eu07-sotirov-paper.html
    http://sf-freedom.blogspot.com/2006/06/heap-spraying-introduction.html

  4. hackathology Says:

    This article is absolutely amazing and I never thought it was possible to do it. Now my whole point of view of XSS has changed.

  5. zeno Says:

    Um, ever heard of MX Injection?

    http://www.webappsec.org/projects/articles/121106.shtml

  6. Jungsonn Says:

    Well, I don’t want to burst a bubble here, but it has actually existed for quite some time now, not in the way it is written but rather much easier. And it can even be done with plain HTML. The step of using shellcode in this manner depends on the port that is used, and JavaScript can be a carrier in this case, but it could be PHP, or plain HTML also.

    Just like the old case of posting a simple HTML form to port 7 on a Debian server (which is the echo port).

  7. Jungsonn Says:

    I wrote a quick blog item about it, thought it would be a nice addition to it:
    http://www.jungsonnstudios.com/blog/?i=228&bin=11100100

  8. secian Says:

    You are missing the point. The paper is demonstrating exploitation not communication. AFAIK, MetaSploit style exploitation hasn’t been done like this before.

  9. RSnake Says:

    Jungsonn - that was already discussed in the JavaScript Spam post I linked to. Also, this couldn’t be done with PHP on the Internet because PHP on a remote server only has access to other Internet sites, not Intranet sites. HTML wouldn’t work unless you could trick someone into clicking on a form button. This is a pretty specific use case that nothing else really does.

  10. Jungsonn Says:

    Ah ok, this is different. I think I’m missing the point on missing the other guy’s point missing my point. That’s a lot of points missed.

    I didn’t say PHP on intranets, I said remote servers, which is another ballpark and far more dangerous. Because if you already have access to an intranet, why the hassle of probing ports? Get root while you’re at it and install some other stuff like rootkits and loggers.

    And it is different from the JavaScript mail thing, that’s only for spam. The thing with the echo port is that you are able to steal someone’s session just by letting him submit to port 7. Oh yes, through a button, but how hard is that to accomplish? Pretty darn easy if you ask me.

    But when I said it’s already being done I meant: the method isn’t new, doesn’t matter if you talk about intras or whatever, clearly here it can be done with JavaScript, but that doesn’t mean it’s a ‘new thing’.

    But, and I guess most sysadmins know about this echo port, chances are very rare that such ports are open. Still, it’s a nice exploit and could be used for CSRF and XSS, like the given article but far easier and remotely triggerable. :D

  11. secian Says:

    Jungsonn, this attack doesn’t rely on “you already hav[ing] access to an intranet”. The intranet (in this case a VoIP server on the intranet) can be attacked by a user browsing through a DMZ to a dangerous site. Only after/during the attack can the attacker “install some other stuff like rootkits and loggers”.

    It is true that because something is “done with JavaScript, [it] doesn’t mean it’s a ‘new thing’.” The paper “has demonstrated the practicality of encapsulating an exploit within one protocol to exploit an application using a different protocol.” Can you provide a link to another MetaSploit style (buffer overflow) exploit that is launched from a browser? I couldn’t find one.

  12. Jeremiah Blatz Says:

    It’s worth noting that gopher:// style URLs are still supposedly supported by Mozilla and IE in some configurations (according to Wikipedia; I tried a trivial test in Mozilla just now and it didn’t work, so who knows). gopher://foo:bar/baz should open a connection to host foo at port bar, and send ASCII data baz, followed by CRLF. This should allow much more precise exploitation than using a form, and also allow much easier exploitation (0wn3d by loading an image). The downsides are the practical length limitation imposed by browsers on URL strings, and the fact that you have a limited charset to work with.