Bypass File Download Restrictions in Content Filters

Companies struggle with users who download files from the Internet at work and then execute them. Seemingly harmless files are often infected with malware. A common way to reduce the number of infections is to block commonly abused file types (for example .exe, .scr or .zip) before the files can enter the internal network. The precondition is that users can only communicate with the Internet through an HTTP proxy and the internal email server. A whitelist on the email and web content filter that only allows .docx through can greatly reduce the number of malware infections. Attackers then have to use exploits (e.g. browser, plugin or office exploits) to achieve code execution on the clients.

Sadly, web content filters can all be circumvented. They usually work by looking for HTTP responses whose content types are not safe, for example “application/octet-stream”. Here is an example of a typical file download:


With HTML5, it is possible to create the file to download on the fly with JavaScript (by storing the binary as a base64-encoded string). As no download request is generated when the download link is clicked, the content filter can’t deny the download request. It is also possible to misuse Flash for the same purpose.


The initial request to retrieve the page goes to a plain HTML file:


The response is plain HTML (content type text/html) with JavaScript:


The JavaScript code will extract the base64 encoded binary as a blob and provide a normal download dialog for the user.

There is no simple solution for this problem. Content filters may be able to catch certain pages which use this functionality, but this would break other pages like Google Docs.
The issue was identified during a discussion at the Compass Offsite Meeting 2013 in Berlin. The Proof-of-Concept code (as seen above) was first implemented by Cyrill Bannwart and works for current versions of Chrome, Firefox and IE10.
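The kind of check a content filter could apply to text/html bodies, as an added example that is not the Proof-of-Concept from the post: it decodes long base64 runs and flags those whose header matches a blocked file type (.exe/.scr as PE, .zip). The run-length threshold, the function names and the sample page are assumptions constructed for illustration.

```javascript
// Added example (not the PoC from the post): flag text/html bodies that carry
// a blocked file type as one long base64 literal. Thresholds are assumptions.
const MIN_RUN = 64;      // assumed: shortest base64 run worth decoding
const HEAD_CHARS = 4096; // decode only the head of a run (multiple of 4 chars)

// Identify the decoded bytes by header structure, not by declared content type.
function sniff(buf) {
  if (buf.length >= 4 && buf.readUInt32BE(0) === 0x504b0304) return 'zip';
  if (buf.length >= 0x40 && buf[0] === 0x4d && buf[1] === 0x5a) { // "MZ"
    const peOff = buf.readUInt32LE(0x3c); // e_lfanew field of the DOS header
    if (peOff + 4 <= buf.length && buf.readUInt32BE(peOff) === 0x50450000) {
      return 'pe'; // "PE\0\0": covers .exe and .scr
    }
  }
  return null; // images, fonts and other embedded data are not flagged
}

// Scan an HTML body and return one finding per base64 run of a blocked type.
function findEmbeddedBinaries(html) {
  const findings = [];
  const run = new RegExp(`[A-Za-z0-9+/]{${MIN_RUN},}={0,2}`, 'g');
  for (const m of html.matchAll(run)) {
    const type = sniff(Buffer.from(m[0].slice(0, HEAD_CHARS), 'base64'));
    if (type) findings.push({ offset: m.index, type });
  }
  return findings;
}

// Constructed sample page: a benign inline image plus a 128-byte stub in
// which only the PE marker fields are set (it is not a working program).
function constructedPage() {
  const stub = Buffer.alloc(128);
  stub.write('MZ', 0, 'latin1');
  stub.writeUInt32LE(0x40, 0x3c);
  stub.write('PE\0\0', 0x40, 'latin1');
  const png = Buffer.concat([Buffer.from([0x89, 0x50, 0x4e, 0x47]), Buffer.alloc(96)]);
  return `<html><body><img src="data:image/png;base64,${png.toString('base64')}">
<script>var payload = "${stub.toString('base64')}";</script></body></html>`;
}

console.log(findEmbeddedBinaries(constructedPage()));
```

A match is a signal for quarantine or sandboxing rather than proof, since legitimate pages also embed base64 data, which is the trade-off the post describes.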

Microsoft Security Bulletin MS13-067 – Critical

As part of today’s monthly patch day, Microsoft fixed an issue I reported in September 2012 around (ASP).NET and SharePoint.

The vulnerability opens a new type of attack surface on ASP.NET if a given precondition regarding the Viewstate field is met. The impact is at least a breach of data integrity on the server side resulting typically in a denial of service. Leveraging the flaw to achieve remote code execution cannot be excluded though. The default configuration settings of ASP.NET are safe and do not allow an exploitation of the flaw.

But before uncovering more technical details about the issue, we want to ensure everyone has had enough time to patch their servers adequately. For this reason, we will withhold further details during a grace period agreed with Microsoft’s Security Response Center to ensure all involved parties have enough time to react. In the meantime, we encourage you to patch the relevant servers and ensure your web applications at least enforce the default protection of the Viewstate field.

RHUL Information Security Group (ISG) Weekend Conference

Each year, the world-renowned Royal Holloway University of London (RHUL) Information Security Group (ISG) invites potential, current and past students to join the weekend conference and meet with well-regarded security researchers and experts from academia, UK government and industry. Part of the tradition is to have dinner at the wonderful and well-preserved Founder’s Building (1881).


I felt very honoured to be explicitly invited to present part of my MSc thesis results in such a well-regarded environment.

Colin Walter, Director of Distance Learning, ISG: “As our top project students this year, it is my great pleasure to invite you each to give a short presentation at the next annual summer school for students and alumni of the distance learning MSc in Information Security, to be held at Royal Holloway on Sat/Sun 7-8 September 2013.”

Conference topics included risk management and information security accreditation programs, e-crime and botnet behaviour, cloud encryption and key management aspects, analysis of various communication protocols, as well as the latest developments in side-channel attack resistance.

Certificate revocation checking

Keith Vella Licari, currently with Deloitte Malta, provided insights into his master's thesis on certificate revocation checking protocols. He discovered shortcomings that call for improvement in the way certificate checking is currently done.

| CRL | OCSP | Lightweight OCSP |
|---|---|---|
| Can easily become large and unwieldy | Ambiguous answer | Pre-produced responses |
| Timeliness (delay until next | Only definitive answers are digitally signed | Only definitive answers are digitally signed |
| Scalability (self-inflicted | Optional protection against replay attacks | No protection against replay attacks |

Table 1: Keith Vella Licari, Towards a reliable revocation status checking method, Main Issues

Table 1 provides an overview of the issues of the protocols subject to analysis. In order to improve on the findings, Keith has formally proposed an alternative protocol (RSDP). He is currently asking for thorough peer review of his proposal. I encourage readers, affiliated to either OWASP or to take on the challenge.

Defense by Nature

David Naccache, cryptographer and professor at the Université Panthéon-Assas in Paris and member of the École normale supérieure Computer Laboratory, presented current research focusing on improving resistance to side-channel attacks. The study aimed to improve resistance for communication between off-the-shelf controllers/CPUs and memory parts. The approach taken basically involves transmitting empirically identified “fake” values along with the data to camouflage the communication emission.

The concept borrows an idea from nature, where animals that share a common predator mimic the look of a poisonous counterpart (Müllerian mimicry) so that they are left alone. Some would actually call that approach “Security by Obscurity”. However, applying the technique to emission channels basically allows the leaked information to be masked so that it appears to be something else, all under the assumption that the attacker and the designer have comparable analytical capabilities in terms of probe sensitivity and measurement equipment sampling rate. Thus, the approach could allow for better resistance of standard electronic components at the price of memory some factors larger than really needed.


Slides and videos will be published soon. Check