Animal Farm
Protection From Client-side Attacks by Rendering Content With Python and Squid
TJ O’Connor
March 2011
GIAC (GCIH Gold, GSEC Gold, GCIA Gold, GCFA Gold, GREM, GPEN, GWAPT, GCFE, GCFW)
SANS Technology Institute - Candidate for Master of Science Degree
Objective
• Background
• The Threat
• Mitigating The Threat
• PDF Exploits
• Office Exploits
• Internet Exploits
• Results
• Conclusion
Background
• Annual Cyber Defense Exercise
• Undergraduates defend against a highly skilled NSA red team
• Last year introduced client-side attacks as an attack vector
• Unsophisticated users clicking on links for four straight days
• How do you defend?
The Threat
• January 2010 breach into Adobe, Google and 34 companies
• Compromised via client-side vulnerability in Internet Explorer
• Targeted software configuration management servers
• Client-side attacks:
  – Can evade your antivirus
  – Run under the context of your app
  – Target the weakest link, your users
  – Prove an excellent vector to pivot
Mitigating The Threat
• When the user opens the content, it is too late
• The exploit can cause unrecoverable damage immediately
• Instead, render the content benign when the user requests it
• A transparent proxy can render content safe
• Proxy can run content through a series of external scripts
Squid
• Extremely fast and efficient proxy server and web cache daemon
• Write rules to redirect traffic transparently using redirect_program
• Redirect it to a series of scripts based on file type
• Redirect user to safely rendered content
import sys

# Squid redirect_program helper: one requested URL per line on stdin, one
# rewritten (or unchanged) URL per line on stdout. safePdf, safeDoc, ...
# are the per-file-type handlers defined elsewhere in the redirector.
cnt = 0
while True:
    line = sys.stdin.readline()
    if not line:              # EOF: Squid has closed the helper
        break
    cnt = cnt+1
    line = line.strip()
    fileExt = (line.split('.')[-1]).upper()
    if ("PDF" == fileExt): new_url = safePdf(line,cnt)
    elif ("DOC" == fileExt): new_url = safeDoc(line,cnt)
    elif ("XLS" == fileExt): new_url = safeXls(line,cnt)
    elif ("PPT" == fileExt): new_url = safePpt(line,cnt)
    elif ("EXE" == fileExt): new_url = safeExe(line,cnt)
    elif ("HTM" in fileExt): new_url = safeHtm(line)
    else: new_url = line+"\n"
    sys.stdout.write(new_url)
    sys.stdout.flush()        # Squid waits on each answer; never buffer it
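A complete redirector in the same shape, written as an added example for this deck rather than taken from the Animal Farm code. It speaks Squid's old-style redirector protocol (URL is the first whitespace-separated field of each input line; an empty output line leaves the URL unchanged) and fixes an edge case the slide's dispatch misses: it takes the extension from the URL path, so a query string such as ?v=1.com cannot hide a PDF. The sanitizer host render.animalfarm.local and its /pdf, /office, /exe and /html routes are assumptions for the example.

```python
import sys
from urllib.parse import urlsplit, quote

# Where rendered copies are served from and which handler each file type
# goes to. The host name and paths are assumptions made for this example.
SANITIZER = "http://render.animalfarm.local"
ROUTES = {
    "pdf": "pdf",
    "doc": "office", "xls": "office", "ppt": "office",
    "exe": "exe",
    "htm": "html", "html": "html",
}

def file_extension(url):
    """Extension of the URL path, ignoring query string and fragment.

    Splitting the whole line on '.' reports 'com' for
    http://example.com/x.pdf?v=1.com and the PDF is never rendered."""
    name = urlsplit(url).path.rsplit("/", 1)[-1]
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[-1].lower()

def rewrite(line, counter):
    """Answer one line of Squid's old-style redirector protocol.

    Input: 'URL client_ip/fqdn ident method ...'; only the URL matters here.
    Output: the URL the client should be sent to, or '' to leave it as is."""
    fields = line.split()
    if not fields:
        return ""
    url = fields[0]
    route = ROUTES.get(file_extension(url))
    if route is None:
        return ""
    # The sanitizer fetches the original, renders a benign copy and serves
    # that; the request counter keeps successive copies distinct.
    return "%s/%s/%d?src=%s" % (SANITIZER, route, counter, quote(url, safe=""))

def main():
    counter = 0
    for line in sys.stdin:
        counter += 1
        sys.stdout.write(rewrite(line, counter) + "\n")
        sys.stdout.flush()      # Squid blocks on each answer; never buffer

if __name__ == "__main__":
    main()
```

Squid starts the script through the redirect_program directive the slide names (url_rewrite_program in newer releases) and keeps it running for the life of the proxy, which is why every answer is flushed immediately.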
Squid Redirection
GET http://maliciouspdfs.com/bad.pdf
PDF Exploits
• Commonly exploits the JavaScript interpreter
• Targets vulnerable functions such as getIcon() or util.printf()
• Reference an exploit stored in an obfuscated stream
• Take advantage of the automatic action
• Starts immediately via /AA flag inside of JavaScript streams
PDF Exploits
Minimal PDF whose catalog carries an /OpenAction pointing at a JavaScript action and its stream:

%PDF-1.5
1 0 obj<</Type/Catalog/Outlines 2 0 R/Pages 3 0 R/OpenAction 5 0 R>>endobj
2 0 obj<</Type/Outlines/Count 0>>endobj
3 0 obj<</Type/Pages/Kids[4 0 R]/Count 1>>endobj
4 0 obj<</Type/Page/Parent 3 0 R/MediaBox[0 0 612 792]>>endobj
5 0 obj<</Type/Action/S/JavaScript/JS 6 0 R>>endobj
6 0 obj<</Length 6475/Filter[/FlateDecode/ASCIIHexDecode]>>
stream

The same objects with their names hex-escaped (#xx):

%PDF-1.5
1 0 obj<</Ty#70#65/#43#61#74al#6fg/O#75t#6c#69ne#73 2 0 R/P#61#67#65#73 3 0 R/O#70e#6e#41#63#74ion 5 0 R>>endobj
2 0 obj<</#54ype/Out#6cin#65#73/#43ou#6e#74 0>>endobj
3 0 obj<</#54y#70e/#50#61ge#73/#4b#69#64#73[4 0 R]/C#6fun#74 1>>endobj
4 0 obj<</T#79p#65/P#61#67#65/#50#61rent 3 0 R/#4dediaBo#78[0 0 612 792]>>endobj
5 0 obj<</#54#79pe/#41c#74i#6fn/S/#4aav#61Scr#69#70#74/#4aS 6 0 R>>endobj
6 0 obj<</L#65#6eg#74#68 6475/Fil#74#65#72[/FlateD#65cod#65/AS#43#49#49H#65#78#44ec#6f#64e]>>
stream
import pdfid_PL as pdfid

# disarm=True writes a copy in which the active names (/JavaScript, /OpenAction,
# /AA, ...) are altered so the viewer no longer acts on them
xmldoc, cleaned = pdfid.PDFiD('file.pdf', disarm=True, output_file='cleaned.pdf',
                              raise_exceptions=True, return_cleaned=True)
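Why the hex-escaped copy matters to a filter, shown with an added example (written for this page, not pdfid's code): PDF lets any byte of a name be written as #xx, so a check for the literal text /OpenAction or /JavaScript sees nothing in the second file. Decoding the escapes first and then counting the names the slide singles out catches both spellings. The sample bytes are constructed from the skeleton above; the indicator list and the "fires on open plus JavaScript" rule are this example's simplification of what pdfid counts.

```python
import re

# Names the slide points at: the automatic-action hooks and the
# JavaScript carriers (pdfid counts the same ones).
INDICATORS = ("/OpenAction", "/AA", "/JS", "/JavaScript", "/Launch")

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

def normalize_names(data):
    """Decode #xx escapes inside PDF names.

    PDF allows any byte of a name to be written as #xx, so /Type can be
    spelled /#54ype; a signature that looks for the literal text misses it."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)

def count_indicators(data):
    """Count each indicator after normalization. The lookahead stops /JS
    from also matching a longer name that merely starts with /JS."""
    text = normalize_names(data)
    counts = {}
    for name in INDICATORS:
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z0-9])"
        counts[name] = len(re.findall(pattern, text))
    return counts

def is_suspicious(data):
    """The slide's combination: something that fires on open (/OpenAction
    or /AA) together with JavaScript."""
    c = count_indicators(data)
    fires_on_open = c["/OpenAction"] + c["/AA"] > 0
    has_javascript = c["/JS"] + c["/JavaScript"] > 0
    return fires_on_open and has_javascript

# Constructed sample: the slide's skeleton, catalog and action objects only,
# with the names hex-escaped the way the slide shows.
OBFUSCATED_PDF = (
    b"%PDF-1.5\n"
    b"1 0 obj<</Ty#70#65/#43#61#74al#6fg/O#75t#6c#69ne#73 2 0 R"
    b"/P#61#67#65#73 3 0 R/O#70e#6e#41#63#74ion 5 0 R>>endobj\n"
    b"5 0 obj<</#54#79pe/#41c#74i#6fn/S/#4aav#61Scr#69#70#74/#4aS 6 0 R>>endobj\n"
)

# Constructed sample: a catalog with no action at all.
BENIGN_PDF = b"%PDF-1.5\n1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n"
```

The counting is deliberately byte-level, as pdfid's is: it needs no PDF parser, so a malformed file that crashes a viewer still gets classified. Names inside compressed object streams are outside its reach, which is one reason the proxy renders rather than merely scans.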
Office Exploits
• As simple as an embedded malicious exe or macro
• As complex as shell code inside of an OLE structure
• Are found in specific OLE structures
– DOC – ‘Macros\Vba’ OLE
– XLS – ‘WorkBook’ OLE
– PPT – ‘PowerPoint Document’ OLE
import sys
from classOLEScanner import *

filename = sys.argv[1]                   # Office document to inspect
oleScanner = pyOLEScanner(filename)
eole = oleScanner.embd_ole_scan()        # embedded OLE objects
epe = oleScanner.embd_pe()               # embedded PE executables
shellc = oleScanner.shellcode_scanner()  # shellcode patterns
oleScanner.xor_bruteforcer()             # XOR-encoded payloads
Internet Explorer Exploits
• Specific to the OS and browser because of protection mechanisms (DEP, ASLR, NX, UAC)
• Use user-agent strings to craft payload
• Easy to test for auto-targeting of browsers
import urllib2

def testAgent(addr, agent):
    # Fetch addr while claiming to be a given browser; a page that only
    # serves its payload to some User-Agents fails for the others
    try:
        opener=urllib2.build_opener()
        opener.addheaders = [('User-agent',agent)]
        opener.open(addr)
        print "[*] Fetch Worked for: "+agent+"."
        return 0
    except urllib2.HTTPError:
        print "[*] Fetch Failed for: "+agent+"."
        return 1
Strange IE Exploits with Python
• Uses obfuscated JavaScript to evade signature detection
• Use Python to extract JavaScript
• Examine contents for malicious activity such as several mallocs() that would indicate heap-spray
animal@animalFarm:~# python malloc.py
9008,3072,4096,9239,7187,1047,1047,1047,21534,1047,1040,1040,1047,1536,8211,9239,9239,9239,9239,9239,9239,9239,9239,9239,9239,9239,9239,9239,9239,9239,9239,9239,9239,9239,9239,9239,9239,9239,9239,9239,9239,1047,8211,1536,2048,
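The three steps on this slide, plus the "Remove <script> tags" item from the mitigation list, as an added example in Python 3 (not the deck's malloc.py): pull the JavaScript out of a page, turn an allocation list in malloc.py's output format into numbers, flag the repeated large block a heap spray leaves behind, and produce the script-free copy the proxy would hand back. The HTML page is constructed; the allocation list is the one printed on the slide, rebuilt as test input. The 1024-byte and 8-repeat thresholds are this example's choices.

```python
import re
from collections import Counter
from html.parser import HTMLParser

class _ScriptCollector(HTMLParser):
    """Gathers the body of every <script> element."""
    def __init__(self):
        super().__init__()
        self._in_script = False
        self.scripts = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append("")
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data

def extract_scripts(html):
    """Step one on the slide: pull the JavaScript out of the page for analysis."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts

def parse_sizes(output):
    """Turn comma-separated allocation sizes (malloc.py's output format on the
    slide) into integers; tolerates line wraps and a trailing comma."""
    return [int(t) for t in output.replace("\n", "").split(",") if t.strip()]

def heap_spray_score(sizes, min_size=1024, min_repeats=8):
    """A heap spray fills memory with many blocks of one large size.
    Returns (size, repeats) for the most repeated large block when it meets
    the thresholds, else None."""
    large = [s for s in sizes if s >= min_size]
    if not large:
        return None
    size, repeats = Counter(large).most_common(1)[0]
    return (size, repeats) if repeats >= min_repeats else None

_SCRIPT_TAG = re.compile(r"<script\b.*?(?:</script\s*>|\Z)", re.IGNORECASE | re.DOTALL)

def strip_scripts(html):
    """The 'Remove <script> tags' mitigation: hand the client the page with
    every <script> element removed, an unterminated one included."""
    return _SCRIPT_TAG.sub("", html)

# Constructed sample page: one large allocation, one harmless script.
SAMPLE_HTML = """<html><body><p>Quarterly report</p>
<script type="text/javascript">var a = new Array(9239); document.write(a.length);</script>
<p>See attached.</p>
<script>document.title = "report";</script></body></html>"""

# The allocation list printed on the slide (9239 repeated 26 times in the
# middle), rebuilt here as test input.
SLIDE_MALLOC_OUTPUT = (
    "9008,3072,4096,9239,7187,1047,1047,1047,21534,1047,1040,1040,1047,1536,8211,"
    + ",".join(["9239"] * 26)
    + ",1047,8211,1536,2048,"
)
```

On the slide's list the score is (9239, 27): one size dominating a long run of allocations is the signature, whatever the obfuscation wrapped around the JavaScript that produced it.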
Strangle IE Exploits with Python
• Strip dynamic content out of Adobe PDF documents
• Remove embedded executables, macros, or shell code
• Strip embedded macros out of Microsoft Word Documents
• Strip JavaScript that allocates large, repeated blocks of memory
• Block pages that offer content only to specific browsers
• Remove <script> tags dynamically
• Replace suspected shell code with NOPs
• Remove specific XSS attempts against clients
• Check MD5 Sum of executables against known malware
• Block files whose declared type does not match their content (file mismatch)
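Two of these checks, and the OLE slide's point that Office content lives in named storages and streams, as an added example (written for this page, not pyOLEScanner): a file-type mismatch test that compares the extension against the leading bytes, and a reader for the first directory sector of an OLE compound file that lists its entry names so a 'Macros' storage in a .doc can be flagged. The sample compound file is constructed by the code itself and is not a complete CFB (no FAT, no stream data); the indicator names and magic table are this example's, guided by the slide.

```python
import struct

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"

# What the first bytes must look like for a given extension; the three
# Office types on the slide all live in the same OLE compound file format.
EXPECTED_MAGIC = {
    "pdf": (b"%PDF",),
    "exe": (b"MZ",),
    "doc": (OLE_MAGIC,),
    "xls": (OLE_MAGIC,),
    "ppt": (OLE_MAGIC,),
}

def type_mismatch(filename, data):
    """True when the extension promises one format and the bytes deliver
    another (the 'file mismatch' the deck blocks). Unknown extensions
    make no promise and are not flagged."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    magics = EXPECTED_MAGIC.get(ext)
    if magics is None:
        return False
    return not any(data.startswith(m) for m in magics)

def directory_names(data):
    """Names of the entries in the first directory sector of an OLE file.

    Header: sector shift (uint16) at offset 30, first directory sector
    (uint32) at 48; sector N starts at (N+1)*sector_size. Each 128-byte
    entry holds a UTF-16LE name, its byte length (uint16) at 64 and a type
    byte at 66 (0 = unused). Directories longer than one sector would need
    the FAT chain, which this example does not follow."""
    if not data.startswith(OLE_MAGIC):
        raise ValueError("not an OLE compound file")
    sector_size = 1 << struct.unpack_from("<H", data, 30)[0]
    first_dir = struct.unpack_from("<I", data, 48)[0]
    base = (first_dir + 1) * sector_size
    names = []
    for i in range(sector_size // 128):
        entry = data[base + i * 128: base + (i + 1) * 128]
        if len(entry) < 128:
            break
        name_len = struct.unpack_from("<H", entry, 64)[0]
        if entry[66] == 0 or name_len < 2:
            continue
        names.append(entry[:name_len - 2].decode("utf-16-le"))
    return names

def has_macros(names):
    """The slide's DOC indicator: a 'Macros' storage holding the VBA project."""
    return any(n.lower() in ("macros", "vba") for n in names)

def _dir_entry(name, entry_type):
    raw = name.encode("utf-16-le") + b"\x00\x00"
    entry = bytearray(128)
    entry[:len(raw)] = raw
    struct.pack_into("<H", entry, 64, len(raw))
    entry[66] = entry_type
    return bytes(entry)

def build_sample_ole(entries):
    """Constructed test input: a two-sector OLE file (512-byte header, one
    directory sector) whose directory holds Root Entry plus the given
    (name, type) pairs; type 1 = storage, 2 = stream. Not a complete CFB."""
    header = bytearray(512)
    header[:8] = OLE_MAGIC
    struct.pack_into("<H", header, 30, 9)   # 2**9 = 512-byte sectors
    struct.pack_into("<I", header, 48, 0)   # directory starts in sector 0
    directory = _dir_entry("Root Entry", 5) + b"".join(
        _dir_entry(name, etype) for name, etype in entries)
    directory += b"\x00" * (512 - len(directory))
    return bytes(header) + directory
```

Run the mismatch test before any format-specific scanner: a file named .pdf that begins with the OLE magic is handed to the wrong renderer otherwise, and a renderer that trusts the extension is exactly what a mismatch is built to get past.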
Results
• 2010 Cyber Defense Exercise was the proving ground
• Four days of users clicking on content built by the NSA red team
• Zero compromises to the end users
Summary
• Client-side attacks are a dangerous threat vector
• They can bypass several of our protection mechanisms
• We examined specific techniques for rendering files benign
• Employing these techniques in the context of a proxy works
• Additional scripts can be added to mitigate newer threats
Download