Recently in IT Security Category

New PGP key

| No Comments | No TrackBacks

Due some weird problem with my old PGP key (gnupg couldn't verify signatures any more) I have created a new PGP Key.

As of today, please disregard the old key and only use my new one. You can find it here and the new fingerprint is appended to all my emails as well as stated here:

C2BF ED57 0057 FB92 C90A
D86F FAED 4C3B 4CB2 5115

The key has also been pushed to all the relevant key servers for your convenience.

Attacks on browser-based content sniffing

| No Comments | No TrackBacks

While working on a project I came across the very interesting topic of attacks abusing MIME sniffing in browsers. Obviously this isn't really new but I just didn't have any practical use for it, so I never dove into the details until now. For future reference I decided to write a comprehensive blog post about it here.

MIME Sniffing is a technique implemented by IE >= 4.0 allowing the browser to dynamically guess the content type of downloaded files. Basically the browser analyzes the magic bytes of any downloaded file and decides whether to trust the server's transmitted content type or use its own guess. What IE does is, if there is a mismatch between the content type of the server and the one defined by the magic bytes, then it uses its own content type guess. The problem arises once a website allows users to upload content which is then published on the web server. If an attacker manipulates the content in a way to be accepted by the web app and rendered as HTML by the browser, it is possible to inject code in e.g. an image file and make the victim execute it by viewing said image. For more details read heise online on the topic here3

Quick test for web applications
To quickly assess whether an application is vulnerable to this type of attack, check if the following criteria are fulfilled:

  1. The application allows uploads
  2. The application does no post-processing on the uploaded content
  3. The content is downloadable throught the application
  4. The content is not checked for MIME type mismatches

Try uploading the following PNG file which pretends to be a JPG (pay close attention when downloading the file, some browsers such as FF might append a .PNG at the end, remove this) to the site in question. If a subsequent download of the file returns the exact same file with a content type of JPEG, the app is vulnerable. Opening the file in IE will render an alert box on the screen.

For this to work, you need to direct the browser to the file itself, having it loaded from an image tag inside an HTML page e.g. is not enough

Sidenote: IE 8 is no longer vulnerable to the image based attack2.

The same attack also works in PDFs and other types of files. So if the app doesn't allow images but other content to be uploaded, it still needs to be evaluated if such attacks are possible.

How to protect your web app
There are several means of protecting you application from these type of attacks.

If dealing with images, use something like the Image Magick tools to resize or recompress the uploaded images prior to serving them. Any of these operations will remove the attack code5.

Microsoft also introduced several HTTP headers to disable content sniffing in IE 82:

To force the browser to trust the servers content type, use the following additional HTTP header:

X-Content-Type-Options: nosniff

Additionally, it is also a good idea to use Wikipedia's approach as a 2nd line of defense. Use a separate (sub)domain to host your user-uploaded content. With this approach you ensure, that none of the scripts that might potentially be included in the content, are executed in the context of your web application and therefore don't have access to session cookies, etc.

Background

For further background on this type of attack I recommend the paper1 by Barth et al of UCS Berkeley providing details of the inner workings of MIME sniffing.

Another interesting angle comes into play, once an attacker has control over the server itself. Jose Nazario over at arbor networks blog is describing a phishing attack also based on abusing the MIME sniffing4.

1 Secure Content Sniffing for Web Browsers, or How to Stop Papers from Reviewing Themselves by Barth et al. of UCS Berkeley

2 IE8 security, Part V IEBlog, Microsoft

3 Risky MIME sniffing in IE heise online

4 MIME sniffing and phishing arbor networks security blog

5 Watch out for new attack vectors based on buffer overflows in Image Magick, though.

Studie zu Web Application Firewalls veröffentlicht

| No Comments | No TrackBacks

Basierend auf meiner Diplomarbeit veröffentlicht die OPTIMAbit GmbH heute eine Studie über Web Application Firewall:

München, 09. Juli 2009. Die OPTIMAbit GmbH, Beratungsunternehmen mit Sitz in München und führender Experte zum Thema Anwendungssicherheit, hat eine Studie zu Web Application Firewalls (WAFs) veröffentlicht. Komplett unabhängig werden mehrere Hersteller von WAFs sowie deren Lösungen betrachtet und vorgestellt. Ziel soll es sein, Wissenslücken zu schließen und interessierten Unternehmen theoretisches Wissen und praktische Einblicke anhand von Beispielen zu geben.

Weitere Informationen direkt bei OPTIMAbit

WPA crack

| No Comments | No TrackBacks

In case someone has missed the news: There is a weakness discovered in the TKIP protocol rendering WPA protected WiFi networks vulnerable to individual packet decryption. Some details from the ars technica article:

With the Tews/Beck method, an attacker sniffs a packet, makes minor modifications to affect the checksum, and checks the results by sending the packet back to the access point. "It's not a key recovery attack," Tews said, "It just allows you to do the decryption of individual packets." This approach works only with short packets, but could allow ARP (Address Resolution Protocol) poisoning and possibly DNS (Domain Name Service) spoofing or poisoning.

To make a long story short, protect yourself by not using TKIP but switching to AES to encrypt keys.

On a side note: It seems that Apple's airport extreme uses TKIP in WPA/WPA2 mode and relies on AES in WPA2 only mode.

Vulnerabilities in Confluence

| No Comments | No TrackBacks

Working on a penetration test for a large insurance company in cooperation with OPTIMAbit I discovered several critical security issues in a professional WIKI product called Confluence that is sold by Atlassian to corporate customers.

The vendor offers an open ticket system to directly report security issues to development. Vendor response was very quick and a new release of the product fixing all reported vulnerabilities was issued within 1 month of reporting.

The reported vulnerabilities included several Cross Site Scripting and one critical privilege escalation issue. For further information please refer to Atlassian's security advisory.

I also want to thank Atlassian for giving proper credits for helping them solve these issues.

About this Archive

This page is an archive of recent entries in the IT Security category.

HowTo is the previous category.

news is the next category.

Find recent content on the main index or look in the archives to find all content.

Creative Commons License
This blog is licensed under a Creative Commons License.
homemade code GmbH
powered by homemade code GmbH ~ the application security experts!