This document discusses techniques for infecting websites through cache injection attacks. It describes how an attacker can compromise a website by injecting an iframe or JavaScript that redirects visitors to a controlled webpage. It provides examples using Memcached, an unauthenticated caching system, to overwrite cache values with malicious content such as iframes that link to infection kits. The document demonstrates password sniffing and manipulation of cached price data as potential attacks. It notes that while no public infections using these techniques have been seen, caching systems like Memcached that listen publicly pose an attractive target for attackers.
4. How can I infect a website?
Or, how can I forward visitors to a controlled webpage?
Pág. 4
5. MPack
[Diagram: the attacker compromises a legitimate web server (www.mydomain.com) and injects an iFRAME; the user browses the normal website (with a malicious iframe) and is forwarded to an infection kit; the malcode then connects back to the C&C.]
14. Things to keep in mind
Which users do I want to infect?
Focus your efforts
Example: Brazilian webpages
SEO and web ranking
Alexa ranking
It’s not only about infection
Sometimes it is only about web ranking
Spam comments in blogs
Playing with HTML entities (e.g. <noscript>)
29. And how is a web cache related?
Specifically: memcached
30. Cache
A component that transparently stores data so that future requests for that data can be served faster. The data that is stored within a cache might be values that have been computed earlier or duplicates of original values that are stored elsewhere. (Wikipedia)
Examples: CPU, disk, DNS, ARP, etc.
Main security attack: poisoning
32. Memcached
Created in 2003 for LiveJournal
Associative array (hash table)
Used by YouTube, Reddit, Facebook, Orange, Twitter, etc.
Memory-based
Keys (250 bytes), values (1 MB)
Default port: 11211/tcp
No authentication
Some caches are on the Internet
Optional (not often used): SASL
33. Telnet-based commands
Commands:
set (flags, timeout, bytes)
get
stats
items
cachedump
34. Sensepost analyzed the security issues back in 2010
They developed go-derper.rb
Identification
Storage of k keys and values
Regular expressions
It can overwrite existing keys and values
Main problems
Which web app is using this data?
How can I find ‘interesting’ data?
47. CacheT: an alternative to FTP-Toolz and SQL Injection Kitz
go-derper.rb patch
Proof of concept
Once you find some memcached hosts (nmap)
Dump of all their entries
Look for HTML data
Malicious injection (iFrame/JavaScript)
Not published yet (only malicious purposes)
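The defender's counterpart to slides 33 and 47, as an added example that is not code from the slides, from go-derper.rb or from CacheT: a parser for the memcached text protocol's "get" reply, plus a check that flags cached values carrying markup the application never wrote (an iframe, or a script tag loading code from elsewhere). The key names and the sample reply are constructed, not captured from any host; the data block is read by its advertised byte count, which is what makes values containing CRLF or binary bytes parse correctly.

```python
"""Parse memcached text-protocol "get" replies and flag cached values that
carry injected markup (an iframe or an external script).

Editor's added example: not code from the original slides, from
go-derper.rb or from CacheT. The key names and the sample reply are
constructed, not captured from a live host.
"""
import re
import socket
from typing import Dict, List

# A "get" reply is one or more blocks, then END:
#   VALUE <key> <flags> <bytes>[ <cas unique>]\r\n<data block>\r\n ... END\r\n
_VALUE_HDR = re.compile(rb"VALUE (\S+) (\d+) (\d+)(?: (\d+))?\r\n")


def parse_get_response(raw: bytes) -> Dict[str, bytes]:
    """Return {key: data} for a complete "get" reply.

    The data block is read by the advertised byte count rather than by
    splitting on CRLF, so values that themselves contain CRLF or binary
    bytes are returned intact.
    """
    values: Dict[str, bytes] = {}
    pos = 0
    while True:
        if raw.startswith(b"END\r\n", pos):
            return values
        m = _VALUE_HDR.match(raw, pos)
        if not m:
            raise ValueError(f"malformed reply at offset {pos}")
        key, length = m.group(1).decode(), int(m.group(3))
        start = m.end()
        data = raw[start:start + length]
        if len(data) != length or raw[start + length:start + length + 2] != b"\r\n":
            raise ValueError(f"truncated data block for key {key!r}")
        values[key] = data
        pos = start + length + 2


# Markup an application cache should not normally contain: an iframe, or a
# script tag that pulls code from somewhere else.
_SUSPICIOUS = (
    re.compile(rb"<iframe\b", re.I),
    re.compile(rb"<script\b[^>]*\bsrc\s*=", re.I),
)


def find_injected_html(values: Dict[str, bytes]) -> List[str]:
    """Keys whose cached value matches one of the suspicious patterns."""
    return [k for k, v in values.items() if any(p.search(v) for p in _SUSPICIOUS)]


# Constructed sample reply: a cached page fragment carrying an iframe the
# application never wrote, and a benign value whose body contains CRLF.
SAMPLE_REPLY = (
    b"VALUE page:home 0 64\r\n"
    b'<p>Welcome</p><iframe src="http://example.invalid/kit"></iframe>\r\n'
    b"VALUE price:sku42 0 10\r\n"
    b"19.99\r\nEUR\r\n"
    b"END\r\n"
)


def audit_sample() -> List[str]:
    """Run the detector over the constructed reply; returns ['page:home']."""
    return find_injected_html(parse_get_response(SAMPLE_REPLY))


def audit_live(keys: List[str], host: str = "127.0.0.1", port: int = 11211) -> List[str]:
    """Fetch the given keys from a cache you administer and return the
    flagged ones. Reads until a complete reply parses, so an END that
    happens to sit inside a data block does not end the read early."""
    with socket.create_connection((host, port), timeout=3.0) as s:
        s.sendall(b"get " + " ".join(keys).encode() + b"\r\n")
        buf = b""
        while True:
            chunk = s.recv(65536)
            if not chunk:
                raise ConnectionError("server closed the connection before END")
            buf += chunk
            if buf.endswith(b"END\r\n"):
                try:
                    return find_injected_html(parse_get_response(buf))
                except ValueError:
                    continue  # reply still incomplete; keep reading


if __name__ == "__main__":
    print("flagged keys in sample:", audit_sample())
```

`audit_live` takes the list of keys to inspect because memcached has no "list all keys" command; the slides' `stats items` / `stats cachedump` pair is the usual way to enumerate candidates on an instance you operate, and the output of that enumeration can be fed to it.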
48. Protect your memcached from external access
Firewall
Listen only to localhost
We haven’t seen malicious infections using these caches
But it’s a very attractive asset, because many of the large websites are using it
From the malicious point of view, it doesn’t matter if you don’t know which webapp is behind
It’s very easy to code a tool scanning for open memcached (or similar caches) and then infect all of them
nmap + go-derper.rb
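A way to verify the "listen only to localhost" advice of slide 48 on your own hosts, as an added example that is not part of the slides: the script reads the argument vector memcached was started with (for instance from `ps -o args= -C memcached`) and reports whether the instance is reachable from outside the host and whether it runs without SASL. It interprets only the short options `-l`, `-p` and `-S` (an assumption about how the service was started); the sample argument lists are constructed.

```python
"""Check the start-up options of a memcached instance for network exposure.

Editor's added example, not from the original slides. Only the short
options -l, -p and -S are interpreted (assumption: the service was started
with those rather than long-option spellings). Sample argument lists are
constructed.
"""
import ipaddress
from typing import List

DEFAULT_PORT = 11211


def _is_loopback(addr: str) -> bool:
    """True for 127.x, ::1 or the name 'localhost'; anything else is exposed."""
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def _split_listen(spec: str) -> List[str]:
    """Split a -l value ("a,b,[v6]:port,v4:port") into bare addresses."""
    addrs = []
    for item in spec.split(","):
        item = item.strip()
        if item.startswith("["):              # [::1]:11211
            item = item[1:item.index("]")]
        elif item.count(":") == 1:            # 10.0.0.5:11211
            item = item.split(":")[0]
        addrs.append(item)
    return addrs


def audit_memcached_args(argv: List[str]) -> List[str]:
    """Return findings as strings; an empty list means nothing to report."""
    listen, port, sasl = None, DEFAULT_PORT, False
    i = 1 if argv and not argv[0].startswith("-") else 0   # skip program name
    while i < len(argv):
        arg = argv[i]
        if arg == "-S":
            sasl = True
        elif arg[:2] in ("-l", "-p"):
            if len(arg) > 2:                  # attached form: -l127.0.0.1
                val = arg[2:]
            else:                             # separate form: -l 127.0.0.1
                i += 1
                val = argv[i] if i < len(argv) else ""
            if arg[1] == "l":
                listen = val
            elif val.isdigit():
                port = int(val)
        i += 1

    findings = []
    if listen is None:
        exposed = True
        findings.append(f"no -l option: binds every interface, tcp/{port} reachable from any network")
    else:
        outside = [a for a in _split_listen(listen) if not _is_loopback(a)]
        exposed = bool(outside)
        for a in outside:
            findings.append(f"-l {a}: non-loopback bind address, tcp/{port} reachable from the network")
    if exposed and not sasl:
        findings.append("no -S: SASL disabled, any client reaching the port can read and overwrite keys")
    return findings


# Constructed examples: the exposed default, and the slide's fix (localhost only).
EXPOSED = ["memcached", "-m", "64", "-u", "memcache"]
HARDENED = ["memcached", "-m", "64", "-u", "memcache", "-l", "127.0.0.1"]

if __name__ == "__main__":
    for argv in (EXPOSED, HARDENED):
        print(" ".join(argv), "->", audit_memcached_args(argv) or ["ok"])
```

A loopback-only bind covers the single-host case; where the cache must serve other application servers, the slide's other item (a firewall restricting the port to those hosts) is the control this check cannot see, so an "outside" finding there means "confirm the firewall rule", not necessarily "misconfigured".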