ActiveX application exploitation is one popular method. ActiveX applications are controlled via javascripts in the pages of the site user is visiting. Some of these applications don't sanitize the input to their functions. Attackers take advantage of this and serve the pages with javascript which sends the bad input the functions. I would categorize the type of attacks into following:
- Buffer overflow attacks: Sending long argument to the Activex functions via java script. This can result into taking control of machine by attacker.
- Remote Code Execution : Executing commands via command line tools. Some activex programs provide functions which can execute programs given to them via arguments.
- Overwriting some files: Using some vulnerable activex programs, attackers can overwrite any file content. Typically it is used by attackers to overwrite some system programs with their own executable.
- Setting and Getting Registry values.
- Information disclosure : Reading any arbitrary file contents via activex functions.
- DOM Manipulation of HTML page by embedded java script: Some DOM Manipulations result into browser crash while they are rendered or during cleanup or garbage collection process.
- Removal of child elements.
- Modification of child elements
- Assigning bad values to the elements.
- Creating circular references across parent and children.
Simple Pattern based detection does not work well to detect these kinds of attacks.
- Java script is a language by itself. Patterns can be hidden very easily either through encoders or by different ways of programming logic to generate string (or argument to the ActiveX function).
- Simple pattern based protection systems stop (alert) the traffic whenever CLSID and vulnerable method are present. That is, they don't check for the exploiting argument to the method. This could result into false positives.
- Simple pattern based protection systems assume that CLSID and vulnerable methods are present within same packet or together separated by few bytes such as 2K/4K etc.. This can be used by attackers to put these two strings far apart by introducing lot of dummy java script logic or DOM elements. This is one example and there are many ways to evade the detection by IPS devices. Another example is different scripts in the same HTML page exploiting the vulnerability. That is, one java script in beginning of HTML page storing some data in DOM tree and second Java script using this data to pass the bad argument to the vulnerable method.
One way I can think of is adoption of well known sandbox model to detect bad javascripts with less false positives and negatives. Sandbox mechanism typically involves executing javascript in a safe environment. Internal flow would be some thing like this:
- Using transparent proxies or WCCP or other mechanisms, collect the HTML data.
- Get hold of all Java scripts in the page. If the page is referring to JS file via include primitive, download those java script files too. If the script is referred in the HTTP Referer method, get that too.
- Concatenate all java scripts into one single entity (file/buffer) and pass it onto sandbox. It is also required to concatenate javascript in IPS rules (which catches the exploit) before passing onto the sandbox.
- Ensure the sandbox is created in virtual environment (Linux containers is fastest)
- Before running javascript, create the browser environment.
- If the javascript that was concatenated from IPS rule is executed and catches the condition that was put in the javascript, then it can be considered as hit and IPS can take action based on the severity of the rule. Actions include alerting the administrator or stopping the HTML page going to the Client.
What are security considerations the IPS devices need to worry about?
Malware developers are smart and they continue to evade the detection by intermediate security devices and even try to attack these protection systems.
- Always use Sandbox mechanism: If javascript that is being analysed is doing some mischief on system resources, only sandbox system would be affected, but not the rest of protection system.
- Time the amount of time the analysis is taking and if it exceeds some predefined time kill the analyzing process. Attackers can develop javascript that goes in continuous loop and can take awayall CPU cycles of protection system.
- Override some Javascript functions to get better control and get out in case of any issue found.
No comments:
Post a Comment