I’m
just going to come out and say it: I miss packet craft. Sure, we can
always pull out Scapy, and slap amusing packets together, but
everything interesting is always at the other layers.
Or is it?
For CanSecWest this year, I thought it’d be interesting to take a
look at the realm of Deep Packet Inspectors. It turns out we were
doing a lot of this around 2000 through 2002, and then…well, sort of
stopped. So, in this year’s CanSecWest paper, “Staring Into The
Abyss: Revisiting Browser v. Middleware Attacks In The Era Of Deep
Packet Inspection” (DOC, PDF),
I’m taking another crack at the realm — and I’m seeing really
interesting capabilities to fingerprint, bypass, and otherwise
manipulate systems that watch from the middle of networks, using
protocol emulation abilities that have been part of browsers and their
plugin ecosystem from the very beginning.
Ah, but here’s where I need some help. I’ve worked pretty closely
with Robert Auger from Paypal, who just published his own paper, “Socket Capable Browser Plugins Result In Transparent Proxy Abuse”. We independently discovered the HTTP component of this attack pattern, and as I describe in my paper, we’ve kind of forgotten just how much can be done against Active FTP Application Layer Gateways.
So, if I may ask, take a look, check out my paper, and if you have
some thoughts, corrections, or interesting techniques, let me know so I
can integrate them into my CanSecWest presentation. Here’s the full
summary, to whet your appetite:
DPI
— Deep Packet Inspection — technology is driving large amounts of
intelligence into the infrastructure, parsing more and more context
from data flows going past. Though this work may be necessary to
support important business and even security requirements, we know from
the history of security that to parse data is to potentially be
vulnerable to that data – especially when the parser is designed to
extract context as quickly as possible. Indeed, companies
such as BreakingPoint and Codenomicon have made their names building
test tools to expose potential faults with DPI engines. But could
anyone actually trigger these vulnerabilities? In this paper, we
restart an old line of research from several years ago: The use of
in-browser technologies to “tweak” Deep Packet Inspection systems.
Essentially,
by controlling both endpoints surrounding a DPI system, possibly using
the TCP (and sometimes UDP) socket code that plugins add to browsers,
what behavior can we extract? We find three lines of attack worth noting.
First,
firewalls and NATs — the most widely deployed packet inspectors on the
Internet today — can still be made to open firewall holes to the
Internet by having the browser trigger the Application Layer Gateway
(ALG) for protocols like Active FTP. We extend older work by
integrating mechanisms for acquiring the correct internal IP address of
a client, necessary for triggering many inspection engines, we survey
other protocols such as SIP and H.323 that have their own inspection
engines, and we explore better strategies for triggering these
vulnerabilities without socket engines from browser plugins. We also explore a potentially new
mechanism, “Window Dribbling”, that allows an HTTP POST from a browser
to be converted into a full bidirectional conversation by only allowing
a remote sender to “dribble” a fixed number of bytes per segment.
Second,
we (along with Robert Auger at Paypal) find that transparent HTTP
proxies, such as Squid, will “override” the intended destination of
browser sockets, allowing a remote attacker to send and receive data
from arbitrary web sites. This allows (at minimum) extensive and
expensive click fraud attacks, and may expose internal connectivity as
well (HTTP or even TCP).
Third,
and most interestingly, we find that active DPI’s — those that actually
alter the flow of traffic between a client and a server — all seem to
expose subtly different parsers and handlers for the protocols they
manipulate. These variations of behavior can be remotely fingerprinted,
allowing an attacker to identify DPI platforms so as to correctly
target his attacks. This capability, understood particularly in light
of Felix Lindner’s recent work on generic attacks against Cisco
infrastructure, underscores the need for both DPI vendors to test their
platforms extensively, and for IT managers to deploy critical
infrastructure patches with at least as much vigor as desktop support
receives today.
For remediation purposes, we recommend two lines of defense – one policy, one technical. As a matter of policy, we find the most important recommendation of this paper that industry
reconsiders patching policies as they apply to infrastructure,
especially as that infrastructure starts inspecting traffic at ever
higher speeds in ever deeper ways. We are
actively concerned that administrators have internalized the need to
patch endpoints, but aren’t closely tracking the equipment that binds
endpoints together – despite their ever increasing intelligence. This
is as much a recommendation to vendors – to build patches quickly, and
to code audit and fuzz with software from companies like Breakingpoint
and Codenomicon – as it is a plea to IT departments to deploy the
patches that are generated. Also from a policy
perspective, while this paper does recognize the need for judicious use
of DPI technology, systems that are deployed across organizational
boundaries have particular need for correctness. There have been incidents in the past that have led to security vulnerability across entire ISPs.
On
the technical front, we defend the existence of socket functionality in
the browser, recognizing that constraining all networking to that which
existed in 2001 is not leading to more stable or more secure networks. We
explore a solution that potentially allow firewalls to integrate socket
policies into their ALG’s, encouraging plugin developers to eventually
join in with browser manufacturers and build a single, coherent,
cross-domain communication standard. We also discuss more
advanced transparent proxy caching policies, which will prevent the
Same Origin Policy bypasses discussed above. Finally, we remind home router developers that browsers are still
able to access their web interfaces from the Internet, and that this
exposure can be repaired by tying default password effectiveness to
either a button on the device or a power cycle.
The firewall fingerprinter should be online shortly, with source code for you to play with as well. Thanks!
(Incidentally, yep, Source is this week, and I
have something rather different in store for that event. The times,
they are busy.)