Internet Client Vulnerabilities

Of the numerous techniques to exploit internet end users.
- Software exploits are the most the despicable.
- This is because software usually permits hackers to do their bidding with little of no visibility on the part of the victim.

ActiveX

Microsoft ActiveX
- Microsoft answer to Java
- First real attempt a a model for portable, remotely consumable software applications
- ActiveX applications or controls
- Can be written to perform specific functions
- Such as displaying a movie or sound file
- Can be embedded in a web page to provide this functionality
  - Example
  - Like Microsoft’s Object Linking and Embedding (OLE) supports embedding of Excel spreadsheets within Word docs
  - Usually the .ocx file extension
- When Internet Explorer encounters a web page with an embedded ActiveX control (or Multiple Controls)
- First checks user’s local system Registry to find to find out whether that component is available on the user’s machine
- If it is, IE displays the webpage, loads the control into the browser’s memory address space, and executes it’s code.
- If the control is not already installed on the user’s computer, IE downloads and installs the control using the location specified within the <OBECT> tag.
- Optionally, it verifies the origin of the code using Authenticode and then executes that code
  - Controls are downloaded to the location specified by the Registry string value
- (REG_SZ)HKLM\SOFTWARE\MICROSOFT\WINDOWS\CurrentVersion\Internet Settings\ActiveXCache
- Default in XP is %systemroot%\Downloaded Program Files

ActiveX Security Model

Acting within the model described in the previous section malicious programmers could write ActiveX controls to do just about anything they want to a user’s machine.
The thing that stands in the way is the Microsoft’s Authentication paradigm.
Authenticode allows developers to “sign” their code using cryptographic mechanism that can be authenticated by IE and a third party before the code is executed. (VeriSign Corporation is typically the third party)
- Example of how ActiveX could be used to for malicious activity
- 1996 Fred Mclain wrote an ActiveX control that shutdown the user’s system cleanly (if it was running Windows 95 with advanced power management).
- Called Internet Exploder
- Safe for Scripting
- Was the next significant security challenge
- The way people could get a malicious program on your computer by simply visiting their website is manipulating the Scriptlet ActiveX control
- Scriptlet.typelib can create, edit, and overwrite files on the hard disk.
- Eyedog has the ability to query the Registry and gather machine characteristics

ActiveX Abuse Countermeasures

From a developers perspective, don’t write safe-for-scripting controls that could perform privileged actions on a user’s system.
Restrict or disable ActiveX through the use of Microsoft Internet Explorer security zones.

Java

Created by Sun Micro Systems.
Was created primarily to enable portable, remotely consumable software applications.
Differed from ActiveX in that it included a security ”sandbox” that restrains the programmers from making many of the mistakes that lead to security problems, such as buffer overflows.
- Vulnerabilities Found.
- November 2004, Jouko Pynnonene published an advisory on a devastating vulnerability in Sun’s Java Plug-in, which permits browsers to run java applets.
- The vulnerability essentially allowed malicious web pages to disable Java’s security restrictions and break out of the Java sandbox, effectively neutering the security of the platform.

Java Countermeasures

Restrict Java trough the use of Microsoft Internet Explorer security zones.
Non-IE consult documentation on how to restrict.

JavaScript and Active Scripting

Originally “LiveScript” and is still associated with Sun’s Java, but is actually a separate scripting language created by Netscape.
Blend of Perl- like ease-of-use with c/c++ like power.
- Made it popular.
- Also makes it attractive to hackers.
- Makes it easy to fool the user into entering sensitive information.
- Microsoft platforms execute JavaScript and other client-side scripting languages using Component Object Model (COM) – Based technology called Active Scripting.
- Security issues not caused by technology, but by the abuse of power and accessibility they give you.

JavaScript Countermeasures

Restrict JavaScript and Active Scripting trough the use of Microsoft Internet Explorer security zones.

Cookies

Underlies the World Wide Web, allows for tracking things from one visit to another.
Cookies, or special tokens contained with in HTTP requests and responses, that allow websites to remember who you are from visit to visit.
Attackers who get their hands on your cookies might be able to spoof your online identity or glean sensitive information.
The brute-force way to hijack cookies is to sniff them off the network and then replay them to the server.

Cookie Abuse Countermeasures

Get a tool to manage cookies.
IE’s cookie screening feature.
Use SSL.
Disable cookies.

Cross-Site Scripting (xss)

XXS typically results from a web application that takes input from one user and displays it to another user.
- Example.
- The server at evil.org is a rogue server set up by the hacker to capture the unsuspecting user input. (in this case it is set to after a little while to pop up and say the session has ended and to enter your password to continue.

SSL Attacks

Based on public-key cryptography.
SSL is a security implementation, and as such it is open to interpretation by those who implement it.
IMPLEMENTATION flaws can reduce the security of any specification to zero.

SSL Countermeasures

Keep your Internet Client software fully updates and patched.
Verify the SSL certificate.

E-mail Hacking

Single most effective avenue into the computing space of the internet user.
Becomes a very powerful attack when embedded with ActiveX, JavaScript and is extended with its own powerful capabilities, such as file attachments.

File Attachments

One of the most convenient features of e-mail is the ability to attach files.
This can be used to deliver executable payloads directly to a end users desktop.
Greatest single vector of attack since the beginning.
Disguising executables as MP3’s or other file types.

MIME

Underlying e-mail attachments also played a significant role in the history of client hacking.
Multipart Internet Mail Extensions (MIME)is the standard for attaching files to e-mail messages by breaking them in to manageable chunks and Base64-encoding.

E-mail Hacking Countermeasures

Keep our software up to date.
Don’t open e-mail from people you don’t know or a chain forward.
Disable ActiveX and JavaScript for e-mail.

General Microsoft Client-Side Countermeasures

Deploy a personal firewall.
Keep up to date on all software patches.
Run antivirus software.
Run with least privilege.
Administrators should run the mentioned software at choke points.
Read e-mail in plain text.
Configure office productivity programs as securely as possible.
Don’t be gullible.
Keep your computing devices physically secure.

Malware

Includes.
- Viruses.
- Worms.
- Rootkits and backdoors.
- Bots and zombies.
- Trojan horses.

Countermeasures

Always back up your system before you have any problems.
Clean it up with the appropriate tools.
- Meaning anti-virus.
The book recommends.
- McAfee.
- Symantec.
- Computer Associates.
- Panda.
- Microsoft.
I recommend.
- Kaspersky.
- Web Root (SpySweeper with antivirus).
- Computer Associates.

Quiz

1 What was Microsoft's answer to Java? ActiveX

2 Who created JavaScript? Netscape

3 What is the protocol over which the majority of e-commerce transactions occur? SSL

4 5 What are 3 of the General Microsoft Client-Side Countermeasures?

Deploy a personal firewall
Keep up to date on all software patches
Run antivirus software
Run with least privilege
Administrators should run the mentioned software at choke points
Read e-mail in plain text
Configure office productivity programs as securely as possible
Don’t be gullible
Keep your computing devices physically secure

Back to Cptr427Winter2010

HackingExposedChapter12