Smau Milano 2010 Igor Falcomatà

© Igor Falcomatà <ifalcomata@enforcer.it>, alcuni diritti riservati: http://creativecommons.org/licenses/by-sa/2.0/it/deed.it - Pagina 1
Esempi di intrusioni reali all'epoca del web 2.0 – SMAU 2010 – seminari AIPSI – 25 nov 09 – Milano
free advertising >free advertising >
http://creativecommons.org/licenses/by-sa/2.0/it/deed.ithttp://creativecommons.org/licenses/by-sa/2.0/it/deed.it
Client side attacks, covert channels, social
networks, .. - come cambiano gli attacchi e quanto
sono efficiaci le misure di sicurezza tradizionali
(firewall, IPS, IDS, DPS, PDS, ..)?
Esempi di intrusioni reali..Esempi di intrusioni reali..
relatore: Igor Falcomatàrelatore: Igor Falcomatà
SMAU 2010 – seminari AIPSI
25 ott 10 - Milano

about:about:
aka “koba”aka “koba”
• attività professionale:
•analisi delle vulnerabilità e
penetration testing
•security consulting
•formazione
• altro:
•sikurezza.org
•(Er|bz)lug
Relatore:Relatore:
Igor FalcomatàIgor Falcomatà
Chief Technical OfficerChief Technical Officer
ifalcomata@enforcer.itifalcomata@enforcer.it

One-Click-ExploitOne-Click-Exploit
(sperando che Ama*on non reclami i diritti)(sperando che Ama*on non reclami i diritti)

Just click to launch..Just click to launch..
..the good ole Internet Exploder....the good ole Internet Exploder..
(Click)

Meanwhile, back at the ranch..Meanwhile, back at the ranch..
..a cowboy sitting in the dark....a cowboy sitting in the dark..

Game OverGame Over
thnxs/credits: unknow +hdm@metasploit.comthnxs/credits: unknow +hdm@metasploit.com

utente remoto
desktop
ext. router
utente remoto
web server mail server db server
file server
dep. server
desktop
dep. server
desktopdesktop
desktop
firewall
access point
wifi user
wifi user
VPN gw
Instant ReplayInstant Replay
0wn1ng the Enterprise 2.00wn1ng the Enterprise 2.0
Mr. Malicious 2.0

utente remoto
desktop
ext. router
utente remoto
file server
dep. server
desktop
dep. server
desktopdesktop
desktop
firewall
access point
wifi user
wifi user
VPN gw
Mr. Malicious 2.0
Vettore di attaccoVettore di attacco
3rd
party

utente remoto
desktop
ext. router
utente remoto
file server
dep. server
desktop
dep. server
desktopdesktop
desktop
firewall
access point
wifi user
wifi user
VPN gw
Mr. Malicious 2.0
Vettore di attacco: link verso sito maliciousVettore di attacco: link verso sito malicious
3rd
party
• semplici:
•chat
•e-mail
•link su social network
• un po' meno semplici:
•MiTM / dns spoofing / ..
•malicious code in sito legittimo
•..

utente remoto
desktop
ext. router
utente remoto
file server
dep. server
desktop
dep. server
desktopdesktop
desktop
firewall
access point
wifi user
wifi user
VPN gw
Mr. Malicious 2.0
Vettore di attacco: identificabile?Vettore di attacco: identificabile?
3rd
party
• semplici:
•chat
•e-mail
•link su social network
• un po' meno semplici:
•MiTM / dns spoofing / ..
•malicious code in sito legittimo
•..
• firewall: improbabile
• antivirus: improbabile
• IDS/IPS: improbabile
• DPS: N/A
• PDS: uh?

utente remoto
desktop
ext. router
utente remoto
file server
dep. server
desktop
dep. server
desktopdesktop
desktop
firewall
access point
wifi user
wifi user
VPN gw
Mr. Malicious 2.0
Vettore di attacco: connessione http(s)Vettore di attacco: connessione http(s)
3rd
party
www.malicious.com

utente remoto
desktop
ext. router
utente remoto
file server
dep. server
desktop
dep. server
desktopdesktop
desktop
firewall
access point
wifi user
wifi user
VPN gw
Mr. Malicious 2.0
Vettore di attacco: connessione http(s)Vettore di attacco: connessione http(s)
3rd
party
www.malicious.com
• NB:
•connessione verso l'esterno
•probabilmente in https
•sito malicious non catalogato
• oppure:
•modifica in-line del traffico da
un sito legittimo (vedi MiTM)

utente remoto
desktop
ext. router
utente remoto
file server
dep. server
desktop
dep. server
desktopdesktop
desktop
firewall
access point
wifi user
wifi user
VPN gw
Mr. Malicious 2.0
3rd
party
www.malicious.com
• NB:
•connessione verso l'esterno
•anche in https
•sito malicious non catalogato
• e anche:
•modifica del traffico in-line
• DPS: N/A
• PDS: uh?

utente remoto
desktop
ext. router
utente remoto
file server
dep. server
desktop
dep. server
desktopdesktop
desktop
firewall
access point
wifi user
wifi user
VPN gw
Mr. Malicious 2.0
Vettore di attacco: exploitVettore di attacco: exploit
3rd
party
www.malicious.com

utente remoto
desktop
ext. router
utente remoto
file server
dep. server
desktop
dep. server
desktopdesktop
desktop
firewall
access point
wifi user
wifi user
VPN gw
Mr. Malicious 2.0
Vettore di attacco: exploitVettore di attacco: exploit
3rd
party
www.malicious.com
• Microsoft IE mshtml.dll Use-After-Free
Arbitrary Code Execution (Aurora) :
•CVE: 2010-0249
•Microsoft Bullettin: MS10-002
•OSVDB: 61697
• NB:
•0 day vs google, adobe, ...
•ancora effettivo in molti casi..

utente remoto
desktop
ext. router
utente remoto
file server
dep. server
desktop
dep. server
desktopdesktop
desktop
firewall
access point
wifi user
wifi user
VPN gw
Mr. Malicious 2.0
http://osvdb.org/show/osvdb/61697http://osvdb.org/show/osvdb/61697
3rd
party
www.malicious.com
•CVE: 2010-0249
•OSVDB: 61697
• NB:

utente remoto
desktop
ext. router
utente remoto
file server
dep. server
desktop
dep. server
desktopdesktop
desktop
firewall
access point
wifi user
wifi user
VPN gw
Mr. Malicious 2.0
3rd
party
www.malicious.com
•CVE: 2010-0249
•OSVDB: 61697
• NB:
• antivirus: potrebbe
• IDS/IPS: dovrebbe (SSL?!)
• DPS: IE6 out of support :)
• PDS: uh?

utente remoto
desktop
ext. router
utente remoto
file server
dep. server
desktop
dep. server
desktopdesktop
desktop
firewall
access point
wifi user
wifi user
VPN gw
Mr. Malicious 2.0
http://www.sans.org/newsletters/newsbites/newsbites.php?vol=12&issue=21http://www.sans.org/newsletters/newsbites/newsbites.php?vol=12&issue=21
3rd
party
www.malicious.com
•CVE: 2010-0249
•OSVDB: 61697
• NB:
• antivirus: potrebbe
• IDS/IPS: dovrebbe (SSL?!)
• DPS: IE6 out of support :)
• PDS: uh?

utente remoto
desktop
ext. router
utente remoto
file server
dep. server
desktop
dep. server
desktopdesktop
desktop
firewall
access point
wifi user
wifi user
VPN gw
Mr. Malicious 2.0
Vettore di attacco: covert channelVettore di attacco: covert channel
3rd
party

utente remoto
desktop
ext. router
utente remoto
file server
dep. server
desktop
dep. server
desktopdesktop
desktop
firewall
access point
wifi user
wifi user
VPN gw
Mr. Malicious 2.0
3rd
party
• praticamente qualsiasi tipo di
traffico:
•dns
•http(s)
•chat (msn, irc, skype, ..)
•piccione viaggiatore? (rfc1149)
•..

utente remoto
desktop
ext. router
utente remoto
file server
dep. server
desktop
dep. server
desktopdesktop
desktop
firewall
access point
wifi user
wifi user
VPN gw
Mr. Malicious 2.0
3rd
party
• praticamente qualsiasi tipo di
traffico:
•dns
•http(s)
•chat (msn, irc, skype, ..)
•piccione viaggiatore? (rfc1149)
•..
• DPS: N/A
• PDS: uh?

Solo IE6?Solo IE6?
http://secunia.com/advisories/http://secunia.com/advisories/

Complessità dell'attacco?Complessità dell'attacco?
YEAH, piece of cake!YEAH, piece of cake!

Per i più pigri..Per i più pigri..
http://www.secmaniac.com/download/http://www.secmaniac.com/download/

Bonus Track #1Bonus Track #1
Adobe CoolType SING Table "uniqueName" Stack b0f (CVE-2010-2883)Adobe CoolType SING Table "uniqueName" Stack b0f (CVE-2010-2883)

Il file (scansione a/v) viene identificato..Il file (scansione a/v) viene identificato..

ma NON quando aperto tramite plug-in IE..ma NON quando aperto tramite plug-in IE..

Custom backdoor.. (meterpreter payload)Custom backdoor.. (meterpreter payload)

Custom backdoor.. (reverse tcp payload)Custom backdoor.. (reverse tcp payload)

in conclusione..in conclusione..
(come mitigare il rischio)(come mitigare il rischio)
• least privilege
•user != administrator
•sandboxing (chrome, adobe?, ..)
•non c'è/non si rompe..
• patch management
•win/distro update
•3rd
party sofware?
•patch assessment..
• (H)IPS/end point security/..

qualche link..qualche link..
Metasploit, SET, Fast-Track & Co.:Metasploit, SET, Fast-Track & Co.:
http://www.metasploit.com/
http://www.offensive-security.com/metasploit-unleashed/Client_Side_Attacks
http://www.offensive-security.com/metasploit-unleashed/Client_Side_Exploits
http://www.offensive-security.com/metasploit-unleashed/Mass_Client_Attack
http://blog.0x0e.org/2010/10/17/364/
http://flexi-train.blogspot.com/2010/05/client-side-attack-by-using-evil-pdf.html
http://www.darkreading.com/blog/archives/2009/09/anatomy_of_a_cl.html
http://www.secmaniac.com/download/
http://www.enterprisenetworkingplanet.com/netsecur/article.php/3869906/Automat
e-Pen-Testing-with-Fast-Track-Client-Side-Attacks.htm
http://exploit.co.il/hacking/client-side-attack-using-evil-java-applets/
http://www.freedomcoder.com.ar/2010/07/09/client-side-penetration-testing-with-
esearchy-emaily

free advertising >free advertising >
http://creativecommons.org/licenses/by-sa/2.0/it/deed.ithttp://creativecommons.org/licenses/by-sa/2.0/it/deed.it
SMAU 2010 – seminari AIPSI
25 ott 10 - Milano
Carenata o 5 porte?
Basta che sia 2.0 ..
(Domande?)(Domande?)

Smau Milano 2010 Igor Falcomatà

Recomendados

Recomendados

Mais conteúdo relacionado

Destaque

Destaque (7)

Semelhante a Smau Milano 2010 Igor Falcomatà

Semelhante a Smau Milano 2010 Igor Falcomatà (20)

Mais de SMAU

Mais de SMAU (20)

Smau Milano 2010 Igor Falcomatà