End Points Malfeasance
Posted by: zeroknock
Date: March 22, 2007 04:21AM

Abstract:
This article shows the advancement in the flaws that occur in end point technology, i.e. client/server transactions. In this the emphasis is laid on HTTP/HTTPS for undertaking rogue issues which become the further base of attacking the network or protocol infeasibility. The issues discussed are of much importance whenever network problems are concerned.

I will jump into the issues inadvertently.
Premature Truncation Of Connection:
This is quite an interesting problem occurring in end point communication. The end point communication here refers to the client server architecture. The premature truncation relates to the unauthorised closing of the connection by the client even though the closing alert has not been received by the server. This sets the connection in an immature state because no final alert check for closing the connection is undertaken by the client and it automatically closes it. As a result of this the case becomes one of truncation of data, i.e. an error state because of improper layout.

Attack Base:
A] The session has not been fully matured; as a result, the connection can be reused in a certain way to initialise the same state of connection through the server.

B] The attacker uses this flaw in the sense that it becomes hard to understand whether the connection is closed by the attacker or the server.

C] Due to this it becomes hard to find whether the data has been truncated by the server or the attacker, as anyone who has control over the machine will close the connection by issuing a rogue request and not waiting for the server alert.

The content length is always checked prior to the closing of the connection by the server or by the client. This is clearly understated: if the connection is closed prematurely then the content length will get altered, i.e. truncated to some extent. This is also a concern to some extent because the content can be manipulated with MITM attacks and the length can be altered to perform the requisite work by the attackers. This issue is of great concern and has been exploited by attackers to launch further third party attacks.

Dethroning Server's Identity
The dethroning of the server identity certificate by the clients holds a crucial aspect. Actually it is possible for the client to ignore the server identity generically. What happens is that the connection is not completed fully and remains in the incomplete state, which sets it up as an attack base. This is an issue of concern because if the crafty attacker owns a machine he can easily interpret the traffic and perform a certain number of attacks such as MITM to get the work done by exploiting the connection which is not fully closed. As a result of this, advancement has occurred in MITM attacks. Underlined are some of the attacks which occur through MITM.

A] Domain Manipulation:
This is a technique used by attackers to manipulate the domain acceptance parameter to let an illicit domain get accepted. As we know the metacharacters play a generic role in acceptance of a domain as parameters are set according to that. A wildcard (*) character is used to accept the domain starting with a specific entity and others of the same kind.

Ex:- *.meta.com , A*.meta.com. The attacker can easily manipulate the parameters, which further results in rogue domain acceptance.

B] Certificates Error Generation:
This is a very specific way to accept an unauthorised connection when the certificate parameters are not the same as what a client knows, that is, no match occurs. This is a configuration problem because an error is generated if no match occurs and the connection can or cannot be terminated. The attacker uses this technique by removing the check on error acceptance, as a result of which an error prone connection or unauthorised connection gets established and further attacks can be performed.

Data Blocks Encryption
This is of prime importance when TLS security is concerned because whatever data block is received from the client is encoded in a specific manner. If the encoding is not done correctly then, after the decoding of the message by the TLS server, it can be checked whether the message is formatted in the right manner or not. This results in further attacks as it becomes possible to decrypt it because of rogue formatting.

Ex: The attack discovered by Daniel is a perfect example of this.
Structure of RSA Encrypted Secret Message
struct {
ProtocolVersion client_version;
opaque random[46];
} PreMasterSecret;

The attack takes advantage of the fact that by failing in different ways, a TLS server can be coerced into revealing whether a particular message, when decrypted, is properly PKCS#1 formatted or not.

Switching Between HTTP1.0 /HTTP1.1 /TLS
This is the new blend that has been undertaken as a security parameter to upgrade the normal connection to a secure transport layout. This occurs in the underlined way:- First of all an OPTIONS request is sent to the server as:

OPTIONS * HTTP/1.1
Host: www.meta.com
Upgrade: TLS/1.0
Connection: Upgrade

The request is accepted by the server and the required switching is done; then:

GET http:// HTTP/1.1
Host: www.meta.com
Upgrade: TLS/1.0
Connection: Upgrade

So in this the required request is processed by the server. Sometimes a server requires a response code as:

HTTP/1.1 426 Upgrade Required
Upgrade: TLS/1.0, HTTP/1.1
Connection: Upgrade

But this structure is of great security concern because, if possible, the attacker can easily switch over between secure and insecure layout during the course of endpoint checks. That means after undertaking the parameters the attacker can easily play with the upgrade entity. So no doubt security enhancement has been done, but malfeasance occurs at the same time too.

Tunnel Anatomy: Tunnel generation cannot be considered a perfect solution for imparting security. This is very true in its context. The point of concern is authorisation. The presence of a proxy in between source and destination makes the thing complex. The authorisation is very limited to a number of ports, which means it is not a distributed layout. The very basic port is 80. The proxy inclusion makes it very handy as well as a point of concern. The data becomes opaque when travelling through the tunnel. The reverse connection to ports also becomes possible. So all in all this is playing in both aspects.

Conclusion: The aim is to inspect the way malfeasance occurs in end point communication that makes it attack prone. The stress is laid on the understanding of these hidden tags in the realm of providing security.

Regards
==========================================
[MSG] http://www.metaeye.org
[MLABS] http://zeroknock.metaeye.org/mlabs
[BLOG] http://zeroknock.blogspot.com
==========================================
Premature Optimised
==========================================

Re: End Points Malfeasance
Posted by: hackathology
Date: March 23, 2007 04:27AM

Nice theory and research work

http://hackathology.blogspot.com
