Smau Milano 2010 Igor Falcomatà

© Igor Falcomatà <[email protected]>, alcuni diritti riservati: http://creativecommons.org/licenses/by-sa/2.0/it/deed.it - Pagina 1

Esempi di intrusioni reali all'epoca del web 2.0 – SMAU 2010 – seminari AIPSI – 25 nov 09 – Milano

free advertising >free advertising >

http://creativecommons.org/licenses/by-sa/2.0/it/deed.ithttp://creativecommons.org/licenses/by-sa/2.0/it/deed.it

Client side attacks, covert channels, social networks, .. - come cambiano gli attacchi e quanto

sono efficiaci le misure di sicurezza tradizionali (firewall, IPS, IDS, DPS, PDS, ..)?

Esempi di intrusioni reali..Esempi di intrusioni reali..relatore: Igor Falcomatàrelatore: Igor Falcomatà

SMAU 2010 – seminari AIPSI25 ott 10 - Milano



about:about:aka “koba”aka “koba”

•attività professionale:•analisi delle vulnerabilità e penetration testing

•security consulting•formazione

•altro:•sikurezza.org•(Er|bz)lug

Relatore:Relatore:

Igor FalcomatàIgor FalcomatàChief Technical OfficerChief Technical [email protected]@enforcer.it



One-Click-ExploitOne-Click-Exploit(sperando che Ama*on non reclami i diritti)(sperando che Ama*on non reclami i diritti)



Just click to launch..Just click to launch....the good ole Internet Exploder....the good ole Internet Exploder..

(Click)



Meanwhile, back at the ranch..Meanwhile, back at the ranch....a cowboy sitting in the dark....a cowboy sitting in the dark..



Game OverGame Overthnxs/credits: unknow [email protected]/credits: unknow [email protected]



utente remoto

desktop

ext. router

utente remoto

web server mail server db server

file server

dep. server

desktop

dep. server

desktopdesktop

desktop

firewall

access point

wifi userwifi user

VPN gw

Instant ReplayInstant Replay0wn1ng the Enterprise 2.00wn1ng the Enterprise 2.0

Mr. Malicious 2.0



utente remoto

desktop

ext. router

utente remoto


file server

dep. server

desktop

dep. server

desktopdesktop

desktop

firewall

access point

wifi userwifi user

VPN gw

Mr. Malicious 2.0

Instant ReplayInstant ReplayVettore di attaccoVettore di attacco

3rd party



utente remoto

desktop

ext. router

utente remoto


file server

dep. server

desktop

dep. server

desktopdesktop

desktop

firewall

access point

wifi userwifi user

VPN gw

Mr. Malicious 2.0

Instant ReplayInstant ReplayVettore di attacco: link verso sito maliciousVettore di attacco: link verso sito malicious

3rd party

• semplici:•chat•e-mail•link su social network

• un po' meno semplici:•MiTM / dns spoofing / ..•malicious code in sito legittimo•..



utente remoto

desktop

ext. router

utente remoto


file server

dep. server

desktop

dep. server

desktopdesktop

desktop

firewall

access point

wifi userwifi user

VPN gw

Mr. Malicious 2.0

Instant ReplayInstant ReplayVettore di attacco: identificabile?Vettore di attacco: identificabile?

3rd party

• semplici:•chat•e-mail•link su social network

• un po' meno semplici:•MiTM / dns spoofing / ..•malicious code in sito legittimo•..

• firewall: improbabile

• antivirus: improbabile

• IDS/IPS: improbabile

• DPS: N/A

• PDS: uh?



utente remoto

desktop

ext. router

utente remoto


file server

dep. server

desktop

dep. server

desktopdesktop

desktop

firewall

access point

wifi userwifi user

VPN gw

Mr. Malicious 2.0

Instant ReplayInstant ReplayVettore di attacco: connessione http(s)Vettore di attacco: connessione http(s)

3rd party

www.malicious.com

http://www.malicious.com/



utente remoto

desktop

ext. router

utente remoto


file server

dep. server

desktop

dep. server

desktopdesktop

desktop

firewall

access point

wifi userwifi user

VPN gw

Mr. Malicious 2.0

Instant ReplayInstant ReplayVettore di attacco: connessione http(s)Vettore di attacco: connessione http(s)

3rd party

www.malicious.com

•NB:•connessione verso l'esterno•probabilmente in https•sito malicious non catalogato

• oppure:•modifica in-line del traffico da un sito legittimo (vedi MiTM)




utente remoto

desktop

ext. router

utente remoto


file server

dep. server

desktop

dep. server

desktopdesktop

desktop

firewall

access point

wifi userwifi user

VPN gw

Mr. Malicious 2.0


3rd party

www.malicious.com

•NB:•connessione verso l'esterno•anche in https•sito malicious non catalogato

• e anche:•modifica del traffico in-line




• DPS: N/A

• PDS: uh?




utente remoto

desktop

ext. router

utente remoto


file server

dep. server

desktop

dep. server

desktopdesktop

desktop

firewall

access point

wifi userwifi user

VPN gw

Mr. Malicious 2.0

Instant ReplayInstant ReplayVettore di attacco: exploitVettore di attacco: exploit

3rd party

www.malicious.com




utente remoto

desktop

ext. router

utente remoto


file server

dep. server

desktop

dep. server

desktopdesktop

desktop

firewall

access point

wifi userwifi user

VPN gw

Mr. Malicious 2.0

Instant ReplayInstant ReplayVettore di attacco: exploitVettore di attacco: exploit

3rd party

www.malicious.com

•Microsoft IE mshtml.dll Use-After-Free Arbitrary Code Execution (Aurora) :

•CVE: 2010-0249•Microsoft Bullettin: MS10-002•OSVDB: 61697

•NB:•0 day vs google, adobe, ...•ancora effettivo in molti casi..




utente remoto

desktop

ext. router

utente remoto


file server

dep. server

desktop

dep. server

desktopdesktop

desktop

firewall

access point

wifi userwifi user

VPN gw

Mr. Malicious 2.0

Instant ReplayInstant Replayhttp://osvdb.org/show/osvdb/61697http://osvdb.org/show/osvdb/61697

3rd party

www.malicious.com







utente remoto

desktop

ext. router

utente remoto


file server

dep. server

desktop

dep. server

desktopdesktop

desktop

firewall

access point

wifi userwifi user

VPN gw

Mr. Malicious 2.0


3rd party

www.malicious.com





• antivirus: potrebbe

• IDS/IPS: dovrebbe (SSL?!)

• DPS: IE6 out of support :)

• PDS: uh?




utente remoto

desktop

ext. router

utente remoto


file server

dep. server

desktop

dep. server

desktopdesktop

desktop

firewall

access point

wifi userwifi user

VPN gw

Mr. Malicious 2.0

Instant ReplayInstant Replayhttp://www.sans.org/newsletters/newsbites/newsbites.php?vol=12&issue=21http://www.sans.org/newsletters/newsbites/newsbites.php?vol=12&issue=21

3rd party

www.malicious.com





• antivirus: potrebbe

• IDS/IPS: dovrebbe (SSL?!)

• DPS: IE6 out of support :)

• PDS: uh?




utente remoto

desktop

ext. router

utente remoto


file server

dep. server

desktop

dep. server

desktopdesktop

desktop

firewall

access point

wifi userwifi user

VPN gw

Mr. Malicious 2.0

Instant ReplayInstant ReplayVettore di attacco: covert channelVettore di attacco: covert channel

3rd party



utente remoto

desktop

ext. router

utente remoto


file server

dep. server

desktop

dep. server

desktopdesktop

desktop

firewall

access point

wifi userwifi user

VPN gw

Mr. Malicious 2.0


3rd party

• praticamente qualsiasi tipo di traffico:•dns•http(s)•chat (msn, irc, skype, ..)•piccione viaggiatore? (rfc1149)•..



utente remoto

desktop

ext. router

utente remoto


file server

dep. server

desktop

dep. server

desktopdesktop

desktop

firewall

access point

wifi userwifi user

VPN gw

Mr. Malicious 2.0


3rd party

• praticamente qualsiasi tipo di traffico:•dns•http(s)•chat (msn, irc, skype, ..)•piccione viaggiatore? (rfc1149)•..




• DPS: N/A

• PDS: uh?



Solo IE6?Solo IE6?http://secunia.com/advisories/http://secunia.com/advisories/



Complessità dell'attacco?Complessità dell'attacco?YEAH, piece of cake!YEAH, piece of cake!



Per i più pigri..Per i più pigri..http://www.secmaniac.com/download/http://www.secmaniac.com/download/



Bonus Track #1Bonus Track #1Adobe CoolType SING Table "uniqueName" Stack b0f (CVE-2010-2883)Adobe CoolType SING Table "uniqueName" Stack b0f (CVE-2010-2883)



Bonus Track #1Bonus Track #1Il file (scansione a/v) viene identificato..Il file (scansione a/v) viene identificato..



Bonus Track #1Bonus Track #1ma NON quando aperto tramite plug-in IE..ma NON quando aperto tramite plug-in IE..



Bonus Track #2Bonus Track #2Custom backdoor.. (meterpreter payload)Custom backdoor.. (meterpreter payload)



Bonus Track #2Bonus Track #2Custom backdoor.. (reverse tcp payload)Custom backdoor.. (reverse tcp payload)



in conclusione..in conclusione..(come mitigare il rischio)(come mitigare il rischio)

• least privilege•user != administrator•sandboxing (chrome, adobe?, ..)•non c'è/non si rompe..

•patch management•win/distro update•3rd party sofware?•patch assessment..

• (H)IPS/end point security/..



qualche link..qualche link..Metasploit, SET, Fast-Track & Co.:Metasploit, SET, Fast-Track & Co.:

http://www.metasploit.com/

http://www.offensive-security.com/metasploit-unleashed/Client_Side_Attacks

http://www.offensive-security.com/metasploit-unleashed/Client_Side_Exploits

http://www.offensive-security.com/metasploit-unleashed/Mass_Client_Attack

http://blog.0x0e.org/2010/10/17/364/

http://flexi-train.blogspot.com/2010/05/client-side-attack-by-using-evil-pdf.html http://www.darkreading.com/blog/archives/2009/09/anatomy_of_a_cl.html

http://www.secmaniac.com/download/

http://www.enterprisenetworkingplanet.com/netsecur/article.php/3869906/Automate-Pen-Testing-with-Fast-Track-Client-Side-Attacks.htm

http://exploit.co.il/hacking/client-side-attack-using-evil-java-applets/

http://www.freedomcoder.com.ar/2010/07/09/client-side-penetration-testing-with-esearchy-emaily



free advertising >free advertising >

http://creativecommons.org/licenses/by-sa/2.0/it/deed.ithttp://creativecommons.org/licenses/by-sa/2.0/it/deed.it

SMAU 2010 – seminari AIPSI25 ott 10 - Milano

Carenata o 5 porte?Basta che sia 2.0 ..

(Domande?)(Domande?)

Smau Milano 2010 Igor Falcomatà

Technology

Transcript of Smau Milano 2010 Igor Falcomatà