Hiding in Plain Sight: The Danger of Known Vulnerabilities
DESCRIPTION
While a lot of attention is devoted to the mitigation of previously unknown attack methods ("0-days"), many of today's high-profile breaches are caused by "known vulnerabilities" in the application's components, also referred to as "vulnerabilities in third-party components." Attackers are quickly moving to exploit applications built with vulnerable components, inflicting serious data loss and/or hijacking entire servers in the process. The rising popularity of third-party components in application development lets attackers quickly and repeatedly locate and exploit the same vulnerability across many applications, making these attacks widespread and extremely hazardous. This presentation will: (1) explore the recent growth of known vulnerabilities and examine the scope of the problem; (2) examine how attackers are able to quickly "weaponize" these vulnerabilities for immediate profit; (3) reveal techniques for limiting the damage resulting from the exploitation of known vulnerabilities.
TRANSCRIPT
© 2013 Imperva, Inc. All rights reserved.
Hiding in Plain Sight – The Danger of Known Vulnerabilities
Confidential 1
Tal Be’ery, Web Security Research Team Leader
Agenda
§ Introduction
  • Zero-days vs. known vulnerabilities
§ The anatomy of a known vulnerability web attack: attacking a specific victim
  • Theory
  • Test case analysis: a vulnerable ColdFusion application
§ The anatomy of a known vulnerability web attack: mass attacks
  • Theory
  • Test case analysis: abusing JBoss
§ Summary & conclusion
§ Q&A
HII Reports
§ The Hacker Intelligence Initiative (HII) is focused on understanding how attackers operate in practice
  • A different approach from vulnerability research
§ Data set composition
  • ~60 real-world applications
  • Anonymous proxies
§ More than 24 months of data
§ Powerful analysis system
  • Combines analytic tools with drill-down capabilities
Tal Be’ery, Web Research Team Leader
§ Web Security Research Team Leader at Imperva
§ Holds MSc & BSc degrees in CS/EE from TAU
§ 10+ years of experience in the IS domain
§ Facebook “white hat”
§ Speaker at RSA, BlackHat, AusCERT
§ Columnist for securityweek.com
§ CISSP
Introduction
The Known Knowns
§ There are known knowns; these are things we know that we know.
§ There are known unknowns; that is to say, there are things that we now know we don't know.
§ But there are also unknown unknowns – there are things we do not know we don't know.
-- Donald Rumsfeld, U.S. Secretary of Defense, February 2002
Security’s Knowns and Unknowns Defined
§ Unknown Unknowns: Zero-Days
  A zero-day attack is an attack that exploits a previously unknown vulnerability in a computer application, meaning that the attack occurs on "day zero" of awareness of the vulnerability (Wikipedia, http://en.wikipedia.org/wiki/Zero-day_attack)
§ Known Knowns: Known vulnerabilities
  Vulnerable components (e.g., framework libraries) can be identified and exploited (OWASP, https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities)
CVE: Managing Known Vulnerabilities
§ Known vulnerabilities are assigned a CVE (Common Vulnerabilities and Exposures) ID
§ “CVE’s common identifiers make it easier to share data across separate network security databases and tools, and provide a baseline for evaluating the coverage of an organization’s security tools”
  (MITRE, http://cve.mitre.org/about/index.html)
“Hollywood Style”: Web Site Hacking
Hacking: 1. Identify Target → 2. Research Vulnerability → 3. Exploit
Single Site Attack
Reality Check: Research Does Not Scale!
Hacking (repeated once per target site): 1. Identify Target → 2. Research Vulnerability → 3. Exploit
Multiple Site Attacks: the vulnerability research step has to be redone for every target
Reality Check: Known Exploits Scale!
Hacking (repeated once per target site): 1. Identify Infrastructure → 2. Find Existing Exploit → 3. Exploit
Multiple Site Attacks: the same existing exploit is reused against every target running the same infrastructure
Zero-Days Vs. Known Vulnerabilities
§ Zero-days get all the glory
  • Technically interesting
  • Give rise to some interesting theoretical questions: how to defend against the “unknown unknowns”?
§ But known vulnerabilities are doing a lot of the damage
  • Provide hackers with a very cost-effective method to exploit applications
Vulnerability Lifecycle in Reality
Why is Known Vulnerability Exploitation so Successful?
§ Applications are based mostly on 3rd-party code
§ Web applications are no different
  • HTTP server, application server, plugins, libraries, etc.
§ Code reuse equals vulnerability reuse
§ Exploit code is publicly available for known vulnerabilities
3rd Party Code Provides a Rich Attack Surface
According to Veracode:
  • Up to 70% of internally developed code originates outside of the development team
  • 28% of assessed applications are identified as created by a 3rd party
Known Vulnerabilities Disclosure Increases
§ The CVE ID syntax was changed, effective 2014, so that more than 10,000 vulnerabilities can be tracked in a single year: the sequence number is no longer fixed at four digits (CVE-YYYY-NNNN) and may grow as needed (CVE-YYYY-NNNNN, CVE-YYYY-NNNNNN, ...).
Exploits Are Publicly Available
§ Exploit-DB: http://www.exploit-db.com/
OWASP Top 10 – 2013 Update
New, A9 - Using Known Vulnerable Components
The Anatomy of a Known Vulnerability Web attack
Attacking a Specific Victim
Attacking a Specific Application: Theory
§ Step 1: Fingerprint the victim application to discover its third-party components and infrastructure
§ Step 2: For the discovered components, find known vulnerabilities and exploits that give the hacker the desired access level
§ Step 3: Apply the exploit to the victim’s application
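Steps 1 and 2 of this procedure, run from the defender's side against your own application: fingerprint components from an HTTP response, then check them against a known-vulnerability list whose identifiers are validated against the post-2014 CVE ID syntax described under "Known Vulnerabilities Disclosure Increases". This is an added example, not code from the talk or from Imperva. The fingerprint patterns, the X-Powered-By version format, the vulnerability records (other than the CVE-2013-0632 identifier the talk cites, whose affected-version data is deliberately not encoded) and the sample responses are all constructed for illustration.

```python
"""Fingerprint third-party components from an HTTP response and look them up
against a known-vulnerability list.  Added example; fingerprint rules, vulnerability
records (apart from the CVE-2013-0632 identifier) and sample responses are constructed."""
import re
from dataclasses import dataclass
from typing import Optional

# CVE ID syntax after the 2014 change: at least four sequence digits, no upper bound,
# so CVE-2013-0632 and CVE-2014-123456 both parse while CVE-2014-123 is rejected.
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


def parse_cve_id(cve_id: str) -> tuple:
    """Return (year, sequence) for a well-formed CVE ID, else raise ValueError."""
    m = CVE_ID_RE.match(cve_id)
    if not m:
        raise ValueError(f"malformed CVE ID: {cve_id!r}")
    return int(m.group(1)), int(m.group(2))


def version_tuple(v: str) -> tuple:
    """'4.2.3' -> (4, 2, 3) so versions compare numerically rather than as strings."""
    return tuple(int(p) for p in v.split("."))


# Constructed fingerprint rules: (component, surface, regex, version capture group).
# .cfm pages and /CFIDE/ are ColdFusion conventions and /jmx-console/ is the JBoss AS
# management console path; the X-Powered-By version pattern is an assumption.
FINGERPRINTS = [
    ("coldfusion", "path",   re.compile(r"\.cfm$", re.I), None),
    ("coldfusion", "body",   re.compile(r"/CFIDE/", re.I), None),
    ("jboss",      "body",   re.compile(r"/jmx-console/", re.I), None),
    ("jboss",      "header", re.compile(r"JBoss-(\d+(?:\.\d+)*)", re.I), 1),
]


def fingerprint(path: str, headers: dict, body: str) -> dict:
    """Step 1: return {component: version-or-None} for everything the response reveals."""
    surfaces = {"path": path, "body": body,
                "header": "\n".join(f"{k}: {v}" for k, v in headers.items())}
    found = {}
    for component, surface, rx, vgroup in FINGERPRINTS:
        m = rx.search(surfaces[surface])
        if not m:
            continue
        version = m.group(vgroup) if vgroup else None
        if component not in found or (found[component] is None and version):
            found[component] = version  # never overwrite a known version with None
    return found


# Constructed records.  fixed_in None: no fixed release on record, treat as exposed.
# CVE-2099-123456 is a placeholder ID showing the longer post-2014 sequence number.
KNOWN_VULNS = [
    {"cve": "CVE-2013-0632", "component": "coldfusion", "fixed_in": None},
    {"cve": "CVE-2099-123456", "component": "jboss", "fixed_in": "5.0.0"},
]


@dataclass
class Finding:
    component: str
    version: Optional[str]
    cve: str
    status: str  # 'affected', 'patched', or 'unknown' (version not fingerprinted)


def lookup(components: dict) -> list:
    """Step 2: match fingerprinted components against the known-vulnerability list."""
    findings = []
    for rec in KNOWN_VULNS:
        parse_cve_id(rec["cve"])  # reject malformed IDs before trusting the record
        if rec["component"] not in components:
            continue
        version = components[rec["component"]]
        if rec["fixed_in"] is None:
            status = "affected"
        elif version is None:
            status = "unknown"  # component seen, version not visible: verify by hand
        elif version_tuple(version) < version_tuple(rec["fixed_in"]):
            status = "affected"
        else:
            status = "patched"
        findings.append(Finding(rec["component"], version, rec["cve"], status))
    return findings


def assess(path: str, headers: dict, body: str) -> list:
    return lookup(fingerprint(path, headers, body))


# Constructed sample responses: a ColdFusion page and a JBoss-hosted page.
CF_SAMPLE = ("/reservations/index.cfm", {"Server": "Apache"},
             '<script src="/CFIDE/scripts/cfform.js"></script>')
JBOSS_SAMPLE = ("/app/", {"X-Powered-By": "Servlet 2.4; JBoss-4.2.3.GA"},
                '<a href="/jmx-console/">console</a>')

if __name__ == "__main__":
    for sample in (CF_SAMPLE, JBOSS_SAMPLE):
        for f in assess(*sample):
            print(f"{f.component} {f.version or '?'}: {f.cve} -> {f.status}")
```

The "unknown" status is the case a practitioner has to handle explicitly: the component is visible but its version is not, so the finding needs confirmation from the host itself rather than from the outside.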
The Art of Fingerprinting
Identify a fingerprint in the victim application. A fingerprint can be:
• An image
• A URL
• Content
• An object reference
• The response to a query
• Etc.
Fingerprinting Example 1: Content Based
The page source (HTML markup, script and resource references) will usually contain fingerprints of the infrastructure in use.
Fingerprinting Example 2: URL Based
An administrator interface may be internet-facing, allowing both detection of the product and login attempts.
Test Case: corporatecaronline.com Hack
http://krebsonsecurity.com/2013/11/hackers-take-limo-service-firm-for-a-ride/
Fingerprinting corporatecaronline.com
§ The application is serving CFM files
§ What’s a CFM file? A ColdFusion Markup page, which identifies the application server as Adobe ColdFusion
Known Vulnerability for ColdFusion
§ CVE-2013-0632
§ Reported in January 2013
§ A “perfect 10” risk score (CVSS base score 10.0)
Public Exploit for CVE-2013-0632
http://downloads.securityfocus.com/vulnerabilities/exploits/57164.rb
ColdFusion Attacks in the Wild
§ Data collected in October 2013
§ More than 4,000 attacks
§ Attacking various resources within the CFIDE directory
The Anatomy of a Known Vulnerability Web attack
Mass Hacking
Mass Hacking: Theory
§ Step 1: Find a public exploit for a piece of infrastructure
  • The infrastructure is relevant to many applications
  • The exploit is “powerful”: usually full server takeover
§ Step 2: Create a search query to identify vulnerable applications on the web
  • Often named “Google Dorks”
§ Step 3: Apply the exploit to all of the vulnerable applications
Mass Hacking - Finding a Vulnerability
Find a vulnerability in a piece of infrastructure: public vulnerability databases contain thousands of web-related exploits.
Source: www.exploit-db.com
Google Dork for the Masses
§ Query: inurl:(wp-config.conf | wp-config.txt) ext:(conf | txt | config)
§ Results: 144,000
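The same exposure the dork finds from the outside, looked for from the inside: a walk over a web root that reports copies of a configuration file left under a name the server will hand out as plain text. This is an added example, not Imperva's code; the web root is built in a temporary directory with constructed files, and the lists of sensitive base names, copy suffixes and server-executed extensions are assumptions for a typical PHP host.

```python
"""Find configuration-file copies in a web root that a web server would serve
verbatim.  Added example; the web root is constructed and the name lists below
are assumptions for a typical PHP host."""
import os
import re
import tempfile
from pathlib import Path

# Base names worth protecting, suffixes editors and admins add when copying a
# file, and extensions the server executes instead of serving as text.
SENSITIVE_STEMS = {"wp-config", "config", "settings", ".env", "database"}
COPY_SUFFIX = re.compile(r"(\.(bak|old|orig|save|swp|txt|conf|config|\d+)|~)$", re.I)
EXECUTED_EXT = {".php", ".phtml"}


def is_exposed_copy(filename: str) -> bool:
    """True if the file is a copy of a sensitive config that would be served as text."""
    if Path(filename).suffix.lower() in EXECUTED_EXT:
        return False  # wp-config.php itself executes; its contents are not leaked
    base = filename
    while True:  # peel copy suffixes: wp-config.php.bak -> wp-config.php
        m = COPY_SUFFIX.search(base)
        if not m:
            break
        base = base[:m.start()]
    suffix = Path(base).suffix.lower()
    stem = base[:-len(suffix)] if suffix in EXECUTED_EXT else base  # wp-config.php -> wp-config
    return stem in SENSITIVE_STEMS


def find_exposed_configs(webroot: str) -> list:
    """Relative paths (POSIX form, sorted) of every exposed config copy under webroot."""
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if is_exposed_copy(name):
                hits.append(Path(dirpath, name).relative_to(webroot).as_posix())
    return sorted(hits)


def build_sample_webroot() -> str:
    """Constructed web root: one real config, several leaked copies, benign files."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel in ["index.php", "wp-config.php", "wp-config.php.bak", "wp-config.php~",
                "backup/wp-config.txt", ".env", "wp-content/uploads/readme.txt"]:
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("DB_PASSWORD=constructed-example\n")
    return root


if __name__ == "__main__":
    for hit in find_exposed_configs(build_sample_webroot()):
        print("exposed config copy:", hit)
```

Anything the scan reports should be moved outside the document root rather than renamed, since the next copy will get a new suffix and the dork will catch up with it.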
Test Case: JBoss Based Hack
§ An open source application server
http://www.jboss.org/jbossas
Known Vulnerability for JBoss
§ Presented during the OWASP Bay Area Chapter Meeting in November 2011
http://www.matasano.com/research/OWASP3011_Luca.pdf
Exploit for the Known Vulnerability
§ Exploit was publicly published in September 2013
http://www.exploit-db.com/exploits/28713/
Google Dorking for Vulnerable JBoss
§ In 2011: 7,370 results
§ In 2013: 23,100 results
Hackers Apply the Attack
§ Many websites report being hit by the attack, which leaves a “pwn.jsp” web shell deployed on the server
§ The web shell allows the attacker to execute arbitrary OS commands
Summary & Conclusion
Vendor’s Patches Are Not Enough (1)
§ Security does not necessarily know all components
§ Security does not necessarily know all vulnerabilities for the components
  • Not everything is reported as a CVE
§ Vendor patches may not be available
  • System reached End of Support (EoS)
  • Open source product with no SLA
Vendor’s Patches Are Not Enough (2)
§ Patch installation requires testing before deployment
  • The patch may be problematic
  • The patch may break custom functionality
Recommendations
When a company builds its security model it usually does not take into account elements that are not under its control, and that is what creates the security hole. Companies should:
§ Implement policies, on both the legal and the technical side, to control data access and data usage
§ Require third-party applications to accept your security policies and put proper controls in place
§ Monitor the enforcement of these policies
Technical Recommendations
§ Assume third-party code – coming from partners, vendors, or mergers and acquisitions – contains serious vulnerabilities
§ Pen test before deployment to identify these issues
§ Deploy the application behind a WAF to
  • Virtually patch pen test findings
  • Mitigate new risks (unknown at pen test time)
  • Mitigate issues the pen tester missed
  • Use a cloud WAF for remotely hosted applications
§ Apply vendor patches, when possible
§ Virtually patch newly discovered CVEs
Virtual Patching Check List
§ Virtually patch newly discovered CVEs
§ Requires a robust security update service
  • Timely: attackers are very quick to fold newly published exploits into their attack tooling
  • Coverage: covers all relevant vulnerabilities in the relevant domain
  • Accurate: tested for false positives
  • Secured by default:
    § Automatically loaded into the protecting system
    § No need to reboot
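A minimal virtual-patching layer that exercises the checklist points above: each rule is tagged with the CVE or advisory it stands in for, rules are hot-loaded from a feed without a restart, and a new rule runs in monitor mode until it is shown to match none of a known-good traffic sample, at which point it is promoted to blocking. This is an added example, not Imperva's product. The rule feed, the traffic and the path patterns are constructed; restricting the ColdFusion administrative paths is used here as the stand-in mitigation for CVE-2013-0632, and the JBoss rule references the exploit-db entry the talk cites, neither of which the talk itself spells out.

```python
"""Hot-loadable virtual-patch rules with a monitor-then-block workflow.
Added example; the feed, traffic sample and path patterns are constructed."""
import json
import re
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass
class Rule:
    rule_id: str
    ref: str          # the CVE or advisory this rule stands in for
    pattern: re.Pattern
    mode: str         # 'monitor' (log only) or 'block'


def normalise(path: str) -> str:
    """Canonical form the rules are written against: no query, decoded twice, lower-case."""
    return unquote(unquote(path.split("?", 1)[0])).lower()


class VirtualPatcher:
    def __init__(self):
        self.rules = {}
        self.events = []  # (rule_id, ref, mode, path) for every match, blocked or not

    def load_feed(self, feed_json: str) -> int:
        """Hot-load a signature feed: new IDs are added, known IDs replaced; no restart."""
        for r in json.loads(feed_json):
            self.rules[r["id"]] = Rule(r["id"], r["ref"], re.compile(r["pattern"]),
                                       r.get("mode", "monitor"))
        return len(self.rules)

    def inspect(self, path: str) -> str:
        """Return 'block' or 'allow'; monitor-mode hits are recorded but let through."""
        norm = normalise(path)
        verdict = "allow"
        for rule in self.rules.values():
            if rule.pattern.search(norm):
                self.events.append((rule.rule_id, rule.ref, rule.mode, path))
                if rule.mode == "block":
                    verdict = "block"
        return verdict

    def promote(self, rule_id: str, legit_paths) -> bool:
        """Switch a rule to blocking only if it matches none of the known-good traffic."""
        rule = self.rules[rule_id]
        if any(rule.pattern.search(normalise(p)) for p in legit_paths):
            return False  # false positive: keep monitoring, fix the signature first
        rule.mode = "block"
        return True


# Constructed feeds.  v1 ships the ColdFusion rule blocking and a loose JBoss rule
# in monitor mode; v2 tightens the JBoss pattern after it hit a documentation page.
FEED_V1 = json.dumps([
    {"id": "VP-CF-001", "ref": "CVE-2013-0632",
     "pattern": r"^/cfide/(administrator|adminapi)(/|$)", "mode": "block"},
    {"id": "VP-JB-001", "ref": "EDB-28713", "pattern": r"jmx-console|invoker", "mode": "monitor"},
])
FEED_V2 = json.dumps([
    {"id": "VP-JB-001", "ref": "EDB-28713",
     "pattern": r"^/(jmx-console|invoker)(/|$)", "mode": "monitor"},
])
# Constructed sample of legitimate traffic used to test a rule for false positives.
LEGIT_TRAFFIC = ["/index.cfm", "/docs/jmx-console-guide.html", "/shop/cart.cfm?id=3"]


def demo():
    vp = VirtualPatcher()
    vp.load_feed(FEED_V1)
    first = vp.promote("VP-JB-001", LEGIT_TRAFFIC)   # False: loose pattern hits the docs page
    vp.load_feed(FEED_V2)                            # hot-reload; the CF rule is untouched
    second = vp.promote("VP-JB-001", LEGIT_TRAFFIC)  # True: tightened pattern is clean
    probes = ["/CFIDE/administrator/enter.cfm", "/%6Amx-console/",
              "/docs/jmx-console-guide.html", "/index.cfm"]
    return first, second, {p: vp.inspect(p) for p in probes}


if __name__ == "__main__":
    first, second, verdicts = demo()
    print("promotion attempts:", first, second)
    for path, verdict in verdicts.items():
        print(f"{verdict:5} {path}")
```

The monitor-first step is what makes the "Accurate: tested for false positives" item concrete: a signature that would have blocked the documentation page is rejected by `promote`, corrected in the next feed version, and only then allowed to block, while the request-path canonicalisation keeps a percent-encoded `/jmx-console/` from slipping past the rule.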
www.imperva.com