240 likes | 420 Views
Yossi Gilad and Amir Herzberg Computer Science Department, Bar Ilan University. Off-Path Attacking the Web. Oscar: the Off-Path Attacker. Bob, I leave you! Alice. 4.4.4. Off-path Oscar 6.6.6.6. 1.1.1. 6.6.6. 3.3.3. Alice 2.2.2.5. 2.2.2. 5.5.5. Bob 3.3.3.7. Bob,
E N D
Yossi Gilad and Amir Herzberg Computer Science Department, Bar Ilan University Off-Path Attacking the Web
Oscar: the Off-Path Attacker Bob, I leave you! Alice 4.4.4 Off-path Oscar 6.6.6.6 1.1.1 • 6.6.6 • 3.3.3 Alice 2.2.2.5 • 2.2.2 • 5.5.5 Bob 3.3.3.7 Bob, I love you! Alice
Why Off-Path Attacks? • Why not MitM (Eavesdropper)? • Harder: physical access or control router • Can Oscar spoof IP packets? • Often not: most ISPs ingress-filter • But enough ISPs don’t (18%-22%) • What of challenge-response Defense? • Correct use of challenge-response suffices • But: Often, challenge-response used incorrectly • Since used for other purposes, e.g., in TCP for SEQ/ACK • This work: Off-Path TCP Injection • Allows XSS, phishing and more…
Related Work • Predictable ISNs: Morris85, Mitnick95, Zalewski01,05 • Address-based client authentication vulnerable [Bellovin89] • `PoC’ for Windows clients: klm07 • We improve (FW, efficiency), extend to exploit • QianMao12, QMXie12: (limited) malware • QM12: Also assumes seq#-checking-fw • Does not work for Windows clients
Attack Scenario and Goal • Alice surfs to Oscar’s site • Alice’s browser runs Oscar’s script (puppet) • Puppet sends HTTP requests to Bob • Oscar injects response into the connection between Alice and Bob (est. by the puppet) 3. Script opens (hidden) frame of Bob.com • Internet 1. Surf toOscar.com 4. Inject (e.g., script) as content from Bob 2. Send page with script
Attack Goal and Scenario • Alice’s browser assigns Oscar’s spoofed response with context of `Bob’ • Can contain script: cross site scripting (XSS) • Request objects: cross site request forgery (CSRF) • Spoof a web-page, response may be cached
What Do We Need? Grocery List • Task #1: identify the `victim-connection’ between Alice and Bob • Spoofed data needs to correspond with a real connection • Task #2: learn sequence numbers • TCP discards packets with invalid seq # • Task #3: exploit • Send (spoofed) data in correct HTTP context • Browser assigns data the credentials of server (Bob)
Attack and Talk Overview • Learn connection identifiers (IPs:ports) • Learn server’s sequence number • Learn client’s sequence number • Exploit(s): • XSS • CSRF • Phishing • Conclusions
Identify Victim-Connection • A TCP connection has four Identifiers: • <ServerIP:port, ClientIP:port> • Puppet opens connection to Bob (server) • ServerIP:port selected by puppet (attacker) • Client IP: known from client connection to Oscar • Client port: sequentially assigned… [Windows] • Not sequential? See [GH PETS’12]
Finding Server Sequence Number • TCP sequence numbers are 32-bits • that’s too long to guess • Need to learn the sequence #. How? • Use TCP responses to probe packets • Empty-ACK packets provide useful response: • If seq# out of WIN: send ACK • to re-sync • If seq# is in WIN: no response • to avoid `ACK storm’
Finding Server Sequence Number • How to detect if response is sent? • Use IP-ID side channel • IP-ID: 16 bit identifier in IP header • Used to correctly reconstruct packet from fragments • In Windows: implemented as a global-counter • One connection (to Oscar) leaks info about another! • Old trick: NMAP’s idle-scan, Bellovin machine-count,…
Finding Server Sequence Number • Puppet opens connection to server • Oscar sends query-probe-query: • Query: unordered 1-byte packets ACK (ipid) • Probe (srcIP = server): empty-ACK with seq# =i∙w • w is estimate of WIN size • Found binary search finds exact seq#
Attack and Talk Overview • Learn connection identifiers (IPs:ports) • Learn server’s sequence number • Learn client’s sequence number • Exploit(s): • XSS • CSRF • Phishing • Conclusions
Finding Client Sequence Number • Already know server seq# (and IPs, ports) • This should have been enough to inject (according to TCP spec) • But Windows implementations (as of XP SP2) also validate the ack number of packets • The valid ack# is the client’s seq#
Finding Client Sequence Number • To find client seq#: send pkt w/ data • With server’s IP:port, correct seq# • TCP’s handling depends on ack# • For Windows clients: • Silently discards pktwith `old` ack number • Otherwise: send ACK • Leaks: ack#>UNA • Binary search… Windows: silently discard RFC: Process (often, ack) UnAcked Process Next Discard and send duplicate Ack
Attack and Talk Overview • Learn connection identifiers (IPs:ports) • Learn server’s sequence number • Learn client’s sequence number • Exploit(s): • XSS • CSRF • Phishing • Conclusions
Exploiting Injections: XSS, CSRF • Cross Site Scripting (XSS): cause browser to run MalScript in context of victim.com • Typical XSS: exploit bug in site or browser • Off-path-injected XSS: no need for vulnerable site/browser! • Script can post fake HTTP requests (CSRF)
Exploiting Injections: XSS, CSRF • Cross Site Scripting (XSS): cause browser to run MalScript in context of victim.com • Typical XSS: exploit bug in site or browser • Off-path-injected XSS: no need for vulnerable site/browser!
XSS Exploit: Results • Top 1024 sites, 10Mb win clients, 1Mb Oscar • Average 32 pkts/s `noise` • Immune sites: mostly SSL or non-persistent
Phishing by Injection • Off-path XSS, CSRF may fail: • To collect user-entered data, e.g., passwords • Esp. if site uses SSL for passwords • Alternative: phish / deface ! • Change contents: steal PWDs, push malware… • Cache spoofed page • at local browser or network proxy • User receives the spoofed page when he/she expects real page
Phishing by Injection • Off-path XSS, CSRF may fail: • To collect user-entered data, e.g., passwords • Esp. if site uses SSL for passwords • Alternative: phish / deface ! • Change contents: steal PWDs, push malware…
Conclusions • TCP may not be secure against off-path attackers! • Use `real’ security: SSL/TLS, IPsec, etc • Attacks may be improved, abused further…
Thank You! • Special thank you to CPIIS for supporting my research • Questions?