the discovery and execution of entirely new classes of
play

The discovery and execution of entirely new classes of Web attacks - PowerPoint PPT Presentation

Nov 28, 2022 •178 likes •455 views

The discovery and execution of entirely new classes of Web attacks i l l f b k in order to meet your girlfriend. By Samy Kamkar samy@samy.pl http://samy.pl Who is samy? Who is samy? "Narcissistic Vulnerability Pimp"

  1. The discovery and execution of entirely new classes of Web attacks i l l f b k in order to meet your girlfriend. By Samy Kamkar samy@samy.pl http://samy.pl

  2. Who is samy? Who is samy? • "Narcissistic Vulnerability Pimp" Narcissistic Vulnerability Pimp (aka Security Researcher for fun) • Author of The Samy Worm on MySpace • Author of The Samy Worm on MySpace • Co ‐ Founder of Fonality, IP PBX company • Chick Magnet [citation needed] • Lady Gaga aficionado y g

  3. Why the web? Why the web? • It’s new it’s cool it’s exploitable! • It s new, it s cool, it s exploitable! • Gopher isn’t used as much anymore • The web is a code distribution channel The web is a code distribution channel • Browsers can communicate in ways they don’t know • And much more!

  5. PHP Sessions: Overview PHP Sessions: Overview • session start() – initialize PHP session session_start() initialize PHP session

  6. PHP Sessions: Entropy PHP Sessions: Entropy • session_start()’s pseudo ‐ random data: • IP address: 32 bits • Epoch: 32 bits p 3 • Microseconds: 32 bits • Random lcg value() (PRNG): 64 bits • Random lcg_value() (PRNG): 64 bits • TOTAL: 160 bits • SHA1’d: 160 bits • 160 bits = 1,461,501,637,330,902,918,203,684,832,716, 283,019,655,932,542,976

  7. How big is a bit? g • For every 10 bits, add ~3 zeros • 10 bits = 1024, 20 bits = ~1 mil, 30 bits = 1 bil 10 bit 1024 20 bit 1 mil 30 bit 1 bil • At 100 trillion values per second, 160 bits would take… ld t k • (2 ^ 160) / (10 ^ 14) (3600 * 24 * 365 * 500000000) = 926,878,258,073,885,666 = ) 900 quadrillion eons • 1 eon = 500 million years • 160 bits = 1,461,501,637,330,902,918,203,684,832,716, 283,019,655,932,542,976 (2 ^ 160 = 10 ^ 48)

  8. PHP Sessions: Entropy PHP Sessions: Entropy • session_start()’s pseudo ‐ random data: • IP address: 32 bits • Epoch: 32 bits p 3 • Microseconds: 32 bits • Random lcg value() (PRNG): 64 bits • Random lcg_value() (PRNG): 64 bits • TOTAL: 160 bits • SHA1’d: 160 bits • 160 bits = 1,461,501,637,330,902,918,203,684,832,716, 283,019,655,932,542,976

  9. An Example: Facebook

  10. PHP Sessions: Entropy Redux PHP Sessions: Entropy Redux • Not so pseudo ‐ random data: Not so pseudo random data: • IP address: 32 bits (ACQUIRED) ‐ 32 bits • Epoch: 32 bits (ACQUIRED) ‐ 32 bits E h bi (ACQUIRED) bi • Microseconds: 32 bits? – only 0 – 1,000,000 … 20 bits = 1,048,576 – < 20 bits! (REDUCED) ‐ 12 bits ( ) • Random lcg_value() (PRNG): 64 bits • TOTAL: 84 bits (reduced by 76 bits) • TOTAL: 84 bits (reduced by 76 bits) • SHA1’d: 160 bits

  11. PHP LCG (PRNG): Randomness • php_combined_lcg() / PHP func lcg_value()

  12. PHP LCG (PRNG): Randomness • S1 WAS 32 bits, NOW 20 bits • SEED (s1+s2): 64 bits – 12 bits = 52 bits

  13. PHP LCG (PRNG): Randomness • LCG(s2) = (long) getpid(); • S2 = 32 bits • Linux only uses 15 bits for PIDs Linux only uses 15 bits for PIDs • S2 = 32 bits – 17 bits = 15 bits • SEED (s1+s2) = 15 bits + 20 bits = 35 bits ( ) • PHP function: getmypid() • Linux command: ps • Learn PID reduce ‐ 15 bits! Learn PID, reduce 15 bits! • SEED (s1+s2) = 0 bits + 20 bits = 20 bits

  14. PHP Sessions: Entropy Redux PHP Sessions: Entropy Redux • Not so pseudo ‐ random data: Not so pseudo random data: • IP address: 32 bits (ACQUIRED) ‐ 32 bits • Epoch: 32 bits (ACQUIRED) ‐ 32 bits E h bi (ACQUIRED) bi • Microseconds: 32 bits? – only 0 – 1,000,000 … 20 bits = 1,048,576 – < 20 bits! (REDUCED) ‐ 12 bits ( ) • Random lcg_value (REDUCED) ‐ 44 bits • TOTAL: 40 bits (reduced by 120 bits) • TOTAL: 40 bits (reduced by 120 bits) • SHA1’d: 160 bits

  16. PHP Sessions: Entropy Redux PHP Sessions: Entropy Redux • BUT WAIT, THERE’S MORE! BUT WAIT, THERE S MORE! • Microseconds: 32 bits down to 20 bits • Random lcg_value down to 20 bits R d l l d bi • 40 bits? No! We can calc lcg_value() first ! • In a few seconds , we’ve REDUCED 20 bits ! • 40 bits – 20 bits = 20 bits 40 bits 20 bits 20 bits 20 bits = 1,048,576 cookies , 4 ,57

  17. You down with entropy? Yeah you know me! • PHP 5.3.2: more entropy! • Create your own session values! Create your own session values! • PS, Facebook is NOT vulnerable!

  18. NAT Pinning: Proto confusion NAT Pinning: Proto confusion • HTTP servers can run on any port • A hidden form can auto ‐ submit data A hidden form can auto submit data to any port via JS form.submit() • HTTP is a newline ‐ based protocol HTTP i li b d t l • So are other protocols….hmmmm

  19. NAT Pinning: cont. NAT Pinning: cont. • Let’s write an IRC client in HTTP! • This uses the CLIENT’s computer to This uses the CLIENT s computer to connect, thus using their IP address!

  20. NAT Pinning: cont. NAT Pinning: cont.

  21. NAT Pinning: cont. NAT Pinning: cont. • Sweet! So what’s NAT Pinning? • NAT Pinning confuses not only the browser but also the ROUTER on the browser, but also the ROUTER on the protocol ‐ level • E.g., when communicating with port E h i ti ith t 6667, browser thinks HTTP, router thi k IRC thinks IRC • We can exploit this fact and use router conveniences to attack client

  22. NAT Pinning: cont. NAT Pinning: cont. • linux/net/netfilter/nf_conntrack_irc.c • DCC chats/file sends occur on a separate port than chat separate port than chat • Client sends: PRIVMSG samy :DCC CHAT samy IP port p • Router sees IP (determined from HTTP REMOTE ADDR) and port HTTP_REMOTE_ADDR) and port, then FORWARDS port to client! ANY PORT!

  23. NAT Pinning: cont. NAT Pinning: cont.

  24. NAT Pinning: blocked ports NAT Pinning: blocked ports • If browser doesn’t allow outbound connections on non ‐ http ports? • TCP / UDP ports = 16 bits = 65536 • So overflow the port! 65536 + 6667 So overflow the port! 65536 + 6667 • Some browsers check what port equals, not what (port % 2^16) equals l h ( % ^ 6) l * Webkit integer overflow discovered by Goatse Security

  25. NAT Pinning: prevention NAT Pinning: prevention • Strict firewall – don’t allow unknown outbound connections • Client side – run up to date browser Client side run up to date browser • Client side – use NoScript if using Fi Firefox f • Client side – run local firewall or tool like LittleSnitch to know if an application is accessing unknown ports pp g p

  26. Fin Fin phpwn: samy.pl/phpwn NAT Pinning: samy.pl/natpin Geolocation via XSS: samy.pl/mapxss y p / p HTML5 anti ‐ WAF XSS: namb.la/maht5 Samy Kamkar www.samy.pl samy@samy.pl y@ y p twitter.com/SamyKamkar

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Execution UW-STOUT MANUFACTURING OUTREACH CENTER A resource of the Discovery Center

Execution UW-STOUT MANUFACTURING OUTREACH CENTER A resource of the Discovery Center

Strategy &amp; Execution UW-STOUT MANUFACTURING OUTREACH CENTER A resource of the Discovery Center www.uwstout.edu/moc 866.880.2262 U N I V E R S I T Y O F W I S C O N S I N - Plan &amp; Execute S T O U T NO SIGNAL FOUND 2 U N I V E

163 views • 12 slides
Growth through disciplined execution September 2019 Slide 1 I NVESTMENT H IGHLIGHTS 1

Growth through disciplined execution September 2019 Slide 1 I NVESTMENT H IGHLIGHTS 1

Growth through disciplined execution September 2019 Slide 1 I NVESTMENT H IGHLIGHTS 1 Successful execution of Wizard Lake Drilling Program Rex-1 Discovery Dec 2018 facilities and pipeline June 2019 Rex-2 stellar result of over 800

594 views • 14 slides
Growth through disciplined execution Good Oil September 2019 Slide 1 I NVESTMENT H IGHLIGHTS 1

Growth through disciplined execution Good Oil September 2019 Slide 1 I NVESTMENT H IGHLIGHTS 1

Growth through disciplined execution Good Oil September 2019 Slide 1 I NVESTMENT H IGHLIGHTS 1 Successful execution of Wizard Lake Drilling Program Rex-1 Discovery Dec 2018 facilities and pipeline June 2019 Rex-2 stellar result

247 views • 10 slides
Growth through disciplined execution October 2019 Slide 1 I NVESTMENT H IGHLIGHTS 1 Successful

Growth through disciplined execution October 2019 Slide 1 I NVESTMENT H IGHLIGHTS 1 Successful

Growth through disciplined execution October 2019 Slide 1 I NVESTMENT H IGHLIGHTS 1 Successful execution of Wizard Lake Drilling Program Rex-1 Discovery Dec 2018 initial facilities and pipeline June 2019 Rex-2 stellar result of

219 views • 18 slides
MASTERING STRATEGY EXECUTION 18 BEST PRACTICES FOR STRATEGY EXECUTION STRATEGY EXECUTION AS

MASTERING STRATEGY EXECUTION 18 BEST PRACTICES FOR STRATEGY EXECUTION STRATEGY EXECUTION AS

MASTERING STRATEGY EXECUTION 18 BEST PRACTICES FOR STRATEGY EXECUTION STRATEGY EXECUTION AS COMPETITIVE ADVANTAGE STRATEGY EXECUTION IS CRUCIAL FOR EVERY ORGANIZATION o Successful execution of strong and robust strategies gives any organization

641 views • 32 slides
3 4 5 6 K Classes K Classes K Classes K Classes Student-Teacher Ratio 24 :1 72 96 120

3 4 5 6 K Classes K Classes K Classes K Classes Student-Teacher Ratio 24 :1 72 96 120

&quot;What If&quot; Scenarios -- K classes limited to specific # 3 4 5 6 K Classes K Classes K Classes K Classes Student-Teacher Ratio 24 :1 72 96 120 144 # of grades in K-5 6 Eventual K-5 Total 432 576 720 864 Total TK-5

621 views • 5 slides
4 CORE CLASSES HEALTH / CCR + 2 CLASSES OF YOUR CHOICE! ENCORE CLASSES PLEASE SELECT YOUR TOP

4 CORE CLASSES HEALTH / CCR + 2 CLASSES OF YOUR CHOICE! ENCORE CLASSES PLEASE SELECT YOUR TOP

ENGLISH/LANGUAGE ARTS MATH SCIENCE SOCIAL STUDIES 4 CORE CLASSES HEALTH / CCR + 2 CLASSES OF YOUR CHOICE! ENCORE CLASSES PLEASE SELECT YOUR TOP 4 OPTIONS COURSES WILL BE SCHEDULED AND ASSIGNED BASED ON AVAILABILITY. ENCORE CLASSES NEW

300 views • 13 slides
and Subsystems A follow up session on UE4s async execution model Michele Mischitelli Main

and Subsystems A follow up session on UE4s async execution model Michele Mischitelli Main

Unreal Engine 4: Delegates, Async and Subsystems A follow up session on UE4s async execution model Michele Mischitelli Main topics of this meetup Delegates Asynchronous Subsystems execution Data types that Strategies and classes

1.1k views • 27 slides
Runnable JAR archives % java -cp eharold.jar MainClassName Inner Classes Inner Classes

Runnable JAR archives % java -cp eharold.jar MainClassName Inner Classes Inner Classes

Runnable JAR archives % java -cp eharold.jar MainClassName Inner Classes Inner Classes Inner classes may also contain methods. They may not contain static members. Inner classes in a class scope can be public, private, protected,

1.2k views • 99 slides
Writing Classes We've been using predefined classes. Now we will learn to write our own

Writing Classes We've been using predefined classes. Now we will learn to write our own

Writing Classes We've been using predefined classes. Now we will learn to write our own classes to define Writing Classes in Java objects Chapter 4 focuses on: class definitions Selim Aksoy encapsulation and Java modifiers

351 views • 10 slides
Some Standard Classes Chapter 13 1 For Next Time Read Chapter 13 2 Packages Classes

Some Standard Classes Chapter 13 1 For Next Time Read Chapter 13 2 Packages Classes

Some Standard Classes Chapter 13 1 For Next Time Read Chapter 13 2 Packages Classes can be organized into packages The core classes reside in the java.lang package No import is needed Classes include System , String , Math ,

394 views • 12 slides
Topic 6: Inner Classes Inner Classes What's an inner class? A class defined inside another class

Topic 6: Inner Classes Inner Classes What's an inner class? A class defined inside another class

Topic 6: Inner Classes Inner Classes What's an inner class? A class defined inside another class First understanding of Java: Three kinds: all classes are &quot;top level&quot;, usually one per file inner classes static nested classes

455 views • 4 slides
Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

A tool for the Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all program branches. Inputs are considered symbolic variables. Symbols remain uninstantiated and become constrained at execution

451 views • 24 slides
CTE It is something I have wanted to do my whole life # of Classes 8 7 6 5 4 3 2 1

CTE It is something I have wanted to do my whole life # of Classes 8 7 6 5 4 3 2 1

CTE It is something I have wanted to do my whole life # of Classes 8 7 6 5 4 3 2 1 0 1 2 3 4 5 6 7 8 9 10 # of Classes AP/IB beneficial to me to take classes where I can learn essential skills # of Classes

542 views • 5 slides
Topic 24 More on Classes Classes Part II Classes are programmer defined data types In

Topic 24 More on Classes Classes Part II Classes are programmer defined data types In

Topic 24 More on Classes Classes Part II Classes are programmer defined data types In Java the primitives (int, char, double, &quot;Object-oriented programming as it emerged boolean) are the core data types already in Simula 67 allows

215 views • 6 slides
Inheritance in Python Thomas Schwarz, SJ Inheritance Sometimes, classes have other classes as

Inheritance in Python Thomas Schwarz, SJ Inheritance Sometimes, classes have other classes as

Inheritance in Python Thomas Schwarz, SJ Inheritance Sometimes, classes have other classes as components: Clients have addresses Class Client has a field of type Class Address Sometimes, classes expand other classes Example:

622 views • 29 slides
1 June 26. Punch-through detection using Muon Spectrometer Showers &amp; MET resolution

1 June 26. Punch-through detection using Muon Spectrometer Showers &amp; MET resolution

1 June 26. Punch-through detection using Muon Spectrometer Showers &amp; MET resolution and tails Atlas Hadronic Calibration Workshop 23-27 June 2009 Johan Lundberg, with David Berge CERN, 2009 slide 2-6: Slides for MET session, Friday,

685 views • 29 slides
Differential analysis of microarray data, Multiple testing problems and Local False Discovery

Differential analysis of microarray data, Multiple testing problems and Local False Discovery

Differential analysis of microarray data, Multiple testing problems and Local False Discovery Rate. S. Robin robin@inapg.inra.fr UMR INA-PG / INRA, Paris Math ematique et Informatique Appliqu ees Semi-parametric modeling joint work

559 views • 37 slides
Algorithmique des structures dARN H el` ene Touzet Groupe de travail COMATEGE

Algorithmique des structures dARN H el` ene Touzet Groupe de travail COMATEGE

Algorithmique des structures dARN H el` ene Touzet Groupe de travail COMATEGE Combinatoire des mots, algorithmique du texte et du g enome RNA - RiboNucleic Acid DNA messenger RNA noncoding RNA protein RNA structure C A G A C

805 views • 52 slides
Stochastic models of protein production with feedback Renaud Dessalles joint work with Vincent

Stochastic models of protein production with feedback Renaud Dessalles joint work with Vincent

Stochastic models of protein production with feedback Renaud Dessalles joint work with Vincent Fromion and Philippe Robert INRA Jouy-en-Josas - INRIA Rocquencourt (Fance) 16th. May 2016 1/29 Presentation Biological context Mathematical

533 views • 42 slides
Re-Open S martly with Confidence Jeri Denniston Small Business Development Center At Yavapai

Re-Open S martly with Confidence Jeri Denniston Small Business Development Center At Yavapai

Re-Open S martly with Confidence Jeri Denniston Small Business Development Center At Yavapai College Re-Open S martly with Confidence Enable safe GOAL re-opening in small _____________ gatherings Target Date Economy improves Then

439 views • 4 slides
DataMods Programmable File System Services Noah Watkins*, Carlos Maltzahn, Scott Brandt UC Santa

DataMods Programmable File System Services Noah Watkins*, Carlos Maltzahn, Scott Brandt UC Santa

DataMods Programmable File System Services Noah Watkins*, Carlos Maltzahn, Scott Brandt UC Santa Cruz, *Inktank Adam Manzanares California State University, Chico 1 Talk Agenda 1. Middleware and modern IO stacks 2. Services in middleware and

446 views • 42 slides
When Semi-Supervised Learning Meets Ensemble Learning Zhi-Hua Zhou http://cs.nju.edu.cn/zhouzh/

When Semi-Supervised Learning Meets Ensemble Learning Zhi-Hua Zhou http://cs.nju.edu.cn/zhouzh/

http:/ / lam da.nju.edu.cn When Semi-Supervised Learning Meets Ensemble Learning Zhi-Hua Zhou http://cs.nju.edu.cn/zhouzh/ Email: zhouzh@nju.edu.cn LAMDA Group National Key Laboratory for Novel Software Technology, Nanjing University, China

838 views • 64 slides
August 28, 2020 BILINGUAL COORDINATORS NETWORK (BCN) UPDATES FEDERAL PROGRAM MONITORING T

August 28, 2020 BILINGUAL COORDINATORS NETWORK (BCN) UPDATES FEDERAL PROGRAM MONITORING T

LANGUAGE EDUCATION NETWORK August 28, 2020 BILINGUAL COORDINATORS NETWORK (BCN) UPDATES FEDERAL PROGRAM MONITORING T echnical Assistance CDE ENGLISH LEARNER SERVICES DURING COVID 19 &amp; RESOURCES Frequently Asked Questions (FAQ)

659 views • 26 slides

More recommend