RE: alternate (new?) web app exploitation angle--too much coffee version

["Evans, Arian" <Arian.Evans () fishnetsecurity com>]

> -----Original Message-----
> From: Jeremiah Grossman [mailto:jeremiah () whitehatsec com] 

> is this basically a combo of Wifi-Hijack with XSS involved? 
> Just making sure Im reading you right.

Yes-no. My post is way too long for readability, isn't it? :(

You don't have to hi-jack anything; you are just beating the webserver
to the punch in responding to the client.

I tried to be humorous below but definitely did not succeed.

airpwn makes injection with unencrypted sessions trivial (constructing
the response and submitting to the client in a timely fashion may
not be trivial, but the act of injection is); any attacks against wi-fi
encryption itself are separate.

The real goal for me here is breaking the SSL session to get at
the good stuff. The best thing I can do so far is assume a get verb
(on behalf of the client) and respond with a valid (non-SSL) construct
of a login page for a client to re-post their login data. Assumption
that the client is thinking something broke and they have to login again.

Problems I run into are (a) browser pop-up and (b) postable forms
that only allow SSL connection and don't re-direct on the assumption
the login page is also SSL-only.

Arian

> On Friday, October 1, 2004, at 10:52  AM, Evans, Arian wrote:
>
> > Arian Security Advisory 01.10.04
> >
> > I. VENDOR: I'm not very smart, but I stumbled onto something
> > new to me this week.
> >
> > II. <DISCLAIMER> Hopefully I'm not a total idiot and everyone's
> > already thought of this/done this and it's a completely banal
> > post simply missing a "Secrets of the XSS Injection Masters"
> > PDF linking to my super-XSS-injection defender box.
> > </disclaimer>
> >
> > III. DESCRIPTION: Rainy Friday Script/Command injection fun:
> >
> > airpwn + app you're testing + $client.wireless.hotspot
> >
> > IV. ANALYSIS: It's slick, it's simple, and it scales nicely =)
> > Something useful did come out of Defcon 12...
> >
> > Now most of the juicy bits you want are probably wrapped
> > in an SSL tunnel which you won't be getting here, unless
> > you 'break' the session...read on, I am still figuring out ways
> > to break and restart the SSL session. So this attack is more
> > of novelty value but nice quick way to demonstrate arbitrary
> > script execution on dozens of clients in parallel.
> >
> > Or exploitation of the client's app. Or fill a bored Saturday
> > in the excitingly cosmopolitan Kansas City.
> >
> > V. PROOF of CONCEPT:--grab a response from the webapp.
> >
> > Rebuild it. Respond it to the clients. Force them to re-enter
> > their input, click on submit.... or send them a link, or or or
> >
> > Obviously you could send the client a bomb directly with
> > this, but perhaps you want something out of their session
> > so now you brute-force break their session by sending a new
> > login page and made them log back in with your XSS. You
> > get session cookie/parameter and credentials, the Britney
> > pics, a good laugh, etc.
> >
> > VI. WORKAROUND: CAT5/6.
> >
> > VII. BACKGROUND: Some smart CS student tried messing
> > with people (me) at a hotspot next to a local university and it
> > switched me into <evil> mode and resulted in something a lot
> > more interesting than this XSS. CS major got the smackdown
> > from the GED.
> >
> > VIII. DISCLOSURE TIMELINE: </evil>
> >
> > Think of a recent related Windows exploit and your lights
> > should go on quicker than mine did at something else you
> > can do with this approach. Look for another post this weekend
> > from a non-work account to BT and FD lists; if BT mod-
> > -bounces I'll post to pen.
> >
> > IX. VENDOR RESPONSE: Can't decide if this is pen or web.
> >
> > Use your powers for good. If you see me in KC this weekend
> > with a laptop that says "PLEASE WAKE ME FOR MEALS"
> > on the lid, turn off your 802.11b and find a landline. :)
> >
> > Arian Evans
> > Sr. Security Engineer
> > FishNet Security
> >
> > KC Office:  816.421.6611
> > Direct: 816.701.2045
> > Toll Free:  888.732.9406
> > Fax:  816.474.0394
> >
> > http://www.fishnetsecurity.com
> >
> >
> >
> >
> >
> >
> > The information transmitted in this e-mail is intended only for the 
> > addressee and may contain confidential and/or privileged material.
> > Any interception, review, retransmission, dissemination, or 
> other use 
> > of, or taking of any action upon this information by persons or 
> > entities
> > other than the intended recipient is prohibited by law and 
> may subject 
> > them to criminal or civil liability. If you received this > 
> communication
> > in error, please contact us immediately at 816.421.6611, and delete 
> > the communication from any computer or network system.