New Technique To Perform Universal Website Hijacking

Sat, 20 Sep 2008 14:56:05 GMT

I'm really excited that HITBSecConf2008 Malaysia is coming up soon: end of October, to be precise. I highly recommend that our readers attend this event, as it's organized by one of the finest security event crews I have ever dealt with. There are tons of talks I want to attend, which I will cover in another post. The GNUCITIZEN team would like to thank the Hack in the Box (HITB) staff for inviting us to the Malaysia edition of the conference, making this the second time pdp and I will speak at HITBSecConf. The HITBSecConf crew includes Dhillon, geek00l, spoonfork, Belinda, Prabu, ruFI0 and Amy, among others. Thank you guys, we're really humbled by your invitation.

I will be delivering the updated version of my Cracking into Embedded Devices and Beyond! presentation, which will include a rather special (i.e. unusual) 0day vulnerability that I have successfully reported through the Zero Day Initiative (ZDI).

The 0day Vuln

Well, I cannot give full details on the vulnerability at this moment, because ZDI's advisory has not been published yet. I'm planning to release the full details for the first time on 30th October at HITBSecConf2008 Malaysia. However, there are a few things I can tell you for the time being. First of all, the affected system is an embedded device, as the title of my presentation suggests. More precisely, the vulnerability affects appliances of a well-known firewall vendor.

Usually, web cross-domain vulnerabilities affect either a server-side service/application or client-side software. For instance, we might have a cross-domain vulnerability on the target site itself (i.e. XSS/HTML injection), or on a client-side component on the victim's computer, i.e. the web browser itself or a browser plugin. In the case of my finding, however, the targeted website can still be hijacked even if the site is NOT vulnerable to XSS, and even if the client-side software on the victim's computer is not vulnerable to any cross-domain vulnerability.

In this case, the attacker exploits a vulnerability which affects neither the targeted website nor the software installed on the victim user's computer. Instead, the attacker exploits a vulnerability in the firewall appliance in charge of "protecting" the corporate user. Additionally, the cross-domain vulnerability is universal in nature, which means that any website can be hijacked as long as the victim user's connection is "protected" by a firewall appliance of the affected vendor.

In summary, by exploiting this vulnerability the attacker:

  • can hijack ANY website, i.e. steal session IDs, inject non-legitimate HTML content, and other evil goodness
  • doesn't need to find any XSS on the website he/she wants to hijack
  • doesn't need to find any vulnerability on software present on the victim user's computer

There is virtually nothing the victim user can do to protect against this attack if his/her connection is "protected" by a firewall appliance affected by this vulnerability. There are other factors that make this vulnerability quite special, but as I said, I can't give too many details for now. All in all, this finding is a good reminder that our online security depends not only on the end-point systems, i.e. the client and server that have established a connection, but also on all the hops/devices in between!

cisco pix?
I bet it's Agnitum Outpost firewall.
From a responsible disclosure standpoint, I would much rather have gotten the name of a product family than a list of bad stuff that this vulnerability exposes users to. Now I have to sit around wondering if any of the firewall appliances I've deployed are "the one" and throw extra wide-spectrum effort at the problem regardless of whether I'm actually affected or not.
Why tell us about something if you're not going to share? That's like saying, here are some new shoes, but you can't wear them.
There will never be a good way of disclosing vulnerabilities! At least we try to give you the heads up that an issue exists. The more informed you are, the better decisions you can make.
Adrian 'pagvac' Pastor
guys, as I said I can't provide full details at this point, even though I would love to! I simply wanted to share what I could regarding the new material which I will present at HITBSecConf Malaysia.
@NurBo: At least Adrian is taking the appropriate steps after finding vulnerabilities, instead of abusing (or even selling!) them. But I am concerned. If Adrian found this one, who else found the same? And when? Did someone already abuse any of my systems? We'll know after HITBSecConf Malaysia...
Adrian 'pagvac' Pastor
@FlipM: we shouldn't turn selling a vulnerability into a synonym for irresponsible disclosure. There are several *responsible* vulnerability disclosure programs which pay researchers. ZDI for instance is the one I used, which reported the vulnerability I found to the vendor. Of course, the details will only be available once a fix is released.
I'd not think listing the vendor would fall into the realm of "irresponsible disclosure", and I understand that disclosure is tricky business, and selling vulnerabilities is NOT always a bad thing. I've deployed many different solutions for customers, so there's a good chance I have a client whose dick is hanging in the breeze because of this. I just don't know which one(s). HITBSecConf is a long ways off. And people wonder why I get 15 hours of sleep per week.
You're right, I should have been more clear. I meant selling it to irresponsible groups or individuals who have some bad intentions with it. What about my concern? I know it's possibly impossible to answer correctly, but if you have to make a guess, what are the chances that this vuln has already been found (and abused) by someone else? Without revealing the details on how to, is there a way to check if someone has been a victim of the vuln? Or are there no traces at all? As you can notice, your post scared the sh*t out of me :oÞ
Adrian 'pagvac' Pastor
Sure, there is always a possibility that someone else can find the same vulnerability. I wouldn't be so naive as to think I'm the only one who found it. However, I must warn you that this vuln is a *weird one*. In fact, I discovered it by pure accident. I'm planning to explain what led me to discover it at HITBSecConf, because it's actually kind of a funny story ;)
I know some of my favorite vuln finds are serendipitous ones. That's always awesome. On a side note, your finding wouldn't happen to have anything to do with the huge pile of Cisco advisories that went out today, would it?
Adrian 'pagvac' Pastor
@ax0n: no, my finding is not related to those advisories you mentioned.
Hi, is it by chance related to Web security gateway software (Web filtering), aka Internet content-control?
Adrian 'pagvac' Pastor
@maxdj: can't comment on any details yet unfortunately :(