Script Fragmentation Attacks

Script Fragmentation Attacks PacSec 2008 Stephan Chenette, Security Researcher Websense Security Labs

What am I talking about today The success of any exploit depends on some basic assumptions: The vulnerable service or application is: • Active • Accessible The exploit is: • Reliable • Undetected

What am I talking about today This presentation will focus on: Evading detection of the exploit Specifically: A new evasion technique to avoid detection of client-side web exploitation (Browser, ActiveX control, etc bugs)

Why is this important to you • Who I’m assuming you are: • Reporter • Researcher • Security Administrator • Technical Manager • You have an interest in new exploit attacks and evasion techniques and/or protecting an organization

Web threat landscape basics Attack trends have shifted over the years. Intruders are focusing more prominently on the Web Most companies/users don’t block HTTP at the firewall Malicious client-side web attacks are assumed to be protected by desktop or gateway AV/IDS.

Reality check Current Desktop and Gateway AV do not protect against Script Fragmentation attacks.

HTTP client/server communication • GET / HTTP/1.1 • Web Server • Client Browser

Current desktop/gateway protection Looking at initial content

Current evasion techniques Obfuscated JS code

Successful Evasion… Passing malicious content over the network has a higher chance of evading detection the indistinguishable it is from benign traffic.

Script Fragmentation Script Active Content e.g. JavaScript, VBscript, etc. FragmentationLittle chunks of data Note: The use of AJAX for malicious use was mentioned at Toorcon 2007, but not in the detail I’m about to go in…

Basic recipe Works with no additional mechanisms. Browser JavaScript XMLHTTPRequest This works flawlessly in: Internet Explorer, Firefox, Safari, Opera and Konqeror

Example 1: Basic HTML document <html> <body> <div id=“target” /> </body> </html>

JavaScript DOM manipulation JavaScript has objections/functions to alter the DOM var d = document.getElementById(“target”); var n = document.createElement(“script”); n.text = “alert(‘test’);” d.appendChild(n);

New DOM <html> <body> <div id=“target”> <script> alert(‘test’); </script> </div> </body> </html>

Example 2: Basic HTML document <html> <body> </body> </html>

JavaScript DOM manipulation var text = “alert(‘test’);” eval(text); eval() will execute it’s argument as script code

New DOM <html> <body> </body> </html>

The power of scripting JavaScript will of course also allow us to concatenate multiple strings together. We can then execute the resulting string as code. e.g. var text = “ale” + “rt(“ + “‘te” + “st’” + “);” eval(text);

Dynamic retrieval of data • GET /index.php?q=2+2 “4” • Web Server • Client Browser <script> xmlhttp.open(“GET”, “/index.php?q=2+2”, true); var response = xmlhttp.responseText; </script>

Technology used for good • JavaScript != EVIL • XMLHTTPRequest != EVIL • Benign JavaScript/HTTPXMLRequest technologies: • Gadgets • Widgets • Mashups • Gmail, orkut, facebook, hi5.com, etc use JavaScript and XMLHTTPRequest.

Steps for script fragmentation attack • Store malicious content on server • SERVER: Serve client webpage with script fragmentation decoder routine. • CLIENT: Use XMLHTTPRequest object to request only small chunk of malicious content from server • SERVER: respond with requested chunk of malicious content • CLIENT: Use JavaScript variable to save chunks of data and continue to use JavaScript and XMLHTTPRequest object to request new chunk of data until there is no more data • CLIENT: Execute resulting code once all data is received

Steps in action • Web Server Step 1) Store malicious content on server

Steps in action • <DECODER> • Web Server • Client Browser Step 2) SERVER: Serve client webpage with script fragmentation decoder routine.

Script Fragmentation decoder routine

Steps in action • GET /index.cgi?o=0&rl=3 • Web Server • Client Browser Step 2) CLIENT: use XMLHTTPRequest object to request only small chunk of malicious content from server

Steps in action • “var” • Web Server • Client Browser Step 3) SERVER: respond with requested chunk of malicious content

Steps in action • GET /index.cgi?o=3&rl=3 • “ he” • Web Server • Client Browser • var text = “var he”; Step 4) CLIENT: store chunk and continually request more chunks until there is no more data.

Steps in action • GET /index.cgi?o=6&rl=3 • “apS” • Web Server • Client Browser • var text = “var heapS”; Step 4) CLIENT: store chunk and continually request more chunks until there is no more data.

Steps in action • GET /index.cgi?o=9&rl=3 • “pra” • Web Server • Client Browser • var text = “var heapSpra”; Step 4) CLIENT: store chunk and continually request more chunks until there is no more data.

Steps in action • GET /index.cgi?o=12&rl=3 • “yTo ” • Web Server • Client Browser • var text = “var heapSprayTo”; Step 4) CLIENT: store chunk and continually request more chunks until there is no more data.

Steps in action • Client Browser • // Method 2 • var div = GetElementById(‘target’); var n = document.CreateElement(“script”); n.text = text; div.appendChild(n); • // Method 1 • eval(text); Step 5) CLIENT: execute resulting code once all data is received.

The possibilities Beyond the basic script fragmentation attacc: Randomize sequence of offsets xor/encrypt data Spread data across multiple web servers (botnet) In memory keep string encrypted until the last minute

Options for data transfer XMLHttpRequest is the object to make dynamic remote HTTP request, but there are multiple data formats that may be used for data transfer: RAW XML JSON etc.…

RAW data format • GET /index.cgi?o=0&rl=3&u=guid “var” • Web Server • Client Browser

XML data format • GET /index.cgi?o=0&rl=3 “<Data eof=“0” text=“var” />” • Web Server • Client Browser

JSON data format • GET /index.cgi?o=0&rl=3 “{ eof : “0”, text : “var” }” • Web Server • Client Browser // S = server resp. var data = eval(S); var text = data.text;

Flawlessly works on all major browsers Proof of concept (POC) with debug output

AV won’t detect Script Fragmentations Initial page will hold decoder routine in script tag and then blank body. The file on disk will never change DOM in memory will never change NO SUBSTANTIAL CONTENT TO SCAN AS MALICIOUS!

Proof of concept page

HTML file on disk File on disk is the same before and after C:\Documents and Settings\<USER>\Local Settings\Temporary Internet Files

DOM in memory Method 1: DOM doesn’t change at all

DOM in memory Method 2: Only the DOM has changed

Victory! Script Fragmentation is a very successful evasion attack that current AV desktop and gateway do not detect.

Ending remarks Did I scare you? …sorry. This attack is still a few years away We haven’t seen this in the wild Obfuscation still the biggest problem

Possible solutions Detecting the decoder routine Detecting network anomalies Using a “feedback loop” and executing in remote location. Browsers add protection? Perhaps Functionality over Security wins here though.

Thank you. Any questions? Stephan Chenette, Websense Security Labs schenette@websense.com Check out our website and blogs http://securitylabs.websense.com/content/blogs.aspx http://securitylabs.websense.com/

Script Fragmentation Attacks

Script Fragmentation Attacks

Presentation Transcript

IP Fragmentation

Habitat Fragmentation

Fragmentation experiments

Habitat Fragmentation

Disk Fragmentation

Disk Fragmentation

Habitat Fragmentation

Element Fragmentation

Script less Attacks

Android Fragmentation

Land Fragmentation

IP Fragmentation

Habitat Fragmentation

Neck fragmentation

Defeating Script Injection Attacks with Browser-Enforced Embedded Policies

Fragmentation Functions and Fragmentation Processes

Fragmentation

Fragmentation

Project Fragmentation

Habitat Fragmentation

Vertical Fragmentation

Fragmentation