Inter-protocol exploitation: Difference between revisions
Line 1: | Line 1: | ||
'''Inter-protocol exploitation''' is a class of [[Vulnerability (computing)|security vulnerabilities]] that takes advantage of interactions between two communication [[Protocol (computing)|protocols]],<ref>{{cite web|url=http://www.ngssoftware.com/research/papers/InterProtocolCommunication.pdf|title=Inter-protocol Communication|date=Aug 2006|access-date=2013-02-22|archive-url=https://web.archive.org/web/20080511163007/http://www.ngssoftware.com/research/papers/InterProtocolCommunication.pdf|archive-date=2008-05-11|url-status=dead}}</ref> for example the protocols used in the [[Internet]]. It is commonly discussed in the context of the [[Hypertext Transfer Protocol]] ([[HTTP]]).<ref>{{cite web|url=http://www.remote.org/jochen/sec/hfpa/index.html|title=HTML Form Protocol Attack}}</ref> This [[Exploit (computer security)|attack]] uses the potential of the two different protocols meaningfully communicating commands and data. |
'''Inter-protocol exploitation''' is a class of [[Vulnerability (computing)|security vulnerabilities]] that takes advantage of interactions between two communication [[Protocol (computing)|protocols]],<ref>{{cite web|url=http://www.ngssoftware.com/research/papers/InterProtocolCommunication.pdf|title=Inter-protocol Communication|date=Aug 2006|access-date=2013-02-22|archive-url=https://web.archive.org/web/20080511163007/http://www.ngssoftware.com/research/papers/InterProtocolCommunication.pdf|archive-date=2008-05-11|url-status=dead}}</ref> for example the protocols used in the [[Internet]]. It is commonly discussed in the context of the [[Hypertext Transfer Protocol]] ([[HTTP]]).<ref>{{cite web|url=http://www.remote.org/jochen/sec/hfpa/index.html|title=HTML Form Protocol Attack|access-date=2013-02-22|archive-date=2013-04-20|archive-url=https://web.archive.org/web/20130420143027/http://www.remote.org/jochen/sec/hfpa/index.html|url-status=dead}}</ref> This [[Exploit (computer security)|attack]] uses the potential of the two different protocols meaningfully communicating commands and data. |
||
It was popularized in 2007 and publicly described in research<ref>{{cite web|url=http://www.ngssoftware.com/Libraries/Documents/03_07_Inter-Protocol_Exploitation.sflb.ashx|title=Inter-protocol Exploitation|date=2007-03-05|access-date=2010-07-08|archive-url=https://web.archive.org/web/20101104040023/http://www.ngssoftware.com/Libraries/Documents/03_07_Inter-Protocol_Exploitation.sflb.ashx|archive-date=2010-11-04|url-status=dead}}</ref> of the same year. The general class of attacks that it refers to has been known since at least 1994 (see the Security Considerations section of RFC 1738). |
It was popularized in 2007 and publicly described in research<ref>{{cite web|url=http://www.ngssoftware.com/Libraries/Documents/03_07_Inter-Protocol_Exploitation.sflb.ashx|title=Inter-protocol Exploitation|date=2007-03-05|access-date=2010-07-08|archive-url=https://web.archive.org/web/20101104040023/http://www.ngssoftware.com/Libraries/Documents/03_07_Inter-Protocol_Exploitation.sflb.ashx|archive-date=2010-11-04|url-status=dead}}</ref> of the same year. The general class of attacks that it refers to has been known since at least 1994 (see the Security Considerations section of RFC 1738). |
||
[[Internet |
[[Internet Protocol]] implementations allow for the possibility of encapsulating [[Exploit (computer security)|exploit code]] to compromise a remote program that uses a different protocol. Inter-protocol exploitation can utilize inter-protocol communication to establish the preconditions for launching an inter-protocol exploit. For example, this process could negotiate the initial authentication communication for a vulnerability in password parsing. Inter-protocol exploitation is where one protocol attacks a service running a different protocol. This is a legacy problem because the specifications of the protocols did not take into consideration an attack of this type. |
||
==Technical details== |
==Technical details== |
||
The two protocols involved in the vulnerability are termed the carrier and target. The carrier [[Encapsulation (networking)|encapsulates]] the commands and/or data. The target protocol is used for communication to the intended victim service. Inter-protocol communication will be successful if the carrier [[Protocol (computing)|protocol]] can encapsulate the commands and/or data sufficiently to meaningfully communicate to the target [[Service (systems architecture)|service]]. |
The two protocols involved in the vulnerability are termed the carrier and target. The carrier [[Encapsulation (networking)|encapsulates]] the commands and/or data. The target protocol is used for communication to the intended victim service. Inter-protocol communication will be successful if the carrier [[Protocol (computing)|protocol]] can encapsulate the commands and/or data sufficiently to meaningfully communicate to the target [[Service (systems architecture)|service]].<ref name=worms>{{cite news |last1=Biancuzzi |first1=Federico |title=Worms 2.0! |url=https://www.theregister.com/2007/06/27/wade_alcorn_metasploit_interview/ |access-date=23 August 2022 |work=www.theregister.com |date=27 June 2007 |language=en}}</ref> |
||
Two preconditions need to be met for successful communication across protocols: encapsulation and error tolerance. The carrier protocol must encapsulate the data and commands in a manner that the target protocol can understand. It is highly likely that the resulting [[data stream]] with induce [[parsing]] errors in the target protocol. |
Two preconditions need to be met for successful communication across protocols: encapsulation and error tolerance. The carrier protocol must encapsulate the data and commands in a manner that the target protocol can understand. It is highly likely that the resulting [[data stream]] with induce [[parsing]] errors in the target protocol. |
||
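Review bot: the unchanged context in this hunk still carries the typo "the resulting data stream with induce parsing errors" (should be "will induce"); since the revision already edits the Technical details section, fix it in the same change. Also, the new citation is written `<ref name=worms>` while its reuse in the Current implications paragraph quotes the name (`<ref name="worms">`); quote it here too so the two forms match.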
Line 13: | Line 13: | ||
==Current implications== |
==Current implications== |
||
One of the major points of concern is the potential for this attack vector to reach through [[Firewall (computing)|firewalls]] and [[Demilitarized zone (computing)|DMZ]]s. Inter-protocol exploits can be transmitted over [[HTTP]] and launched from [[web browsers]] on an internal [[subnetwork|subnet]]. An important point is the web browser is not exploited through any conventional means. |
One of the major points of concern is the potential for this attack vector to reach through [[Firewall (computing)|firewalls]] and [[Demilitarized zone (computing)|DMZ]]s. Inter-protocol exploits can be transmitted over [[HTTP]] and launched from [[web browsers]] on an internal [[subnetwork|subnet]]. An important point is the web browser is not exploited through any conventional means.<ref name="worms"></ref> |
||
==Example== |
==Example== |
||
JavaScript delivered over HTTP and communicating over the IRC protocol. |
JavaScript delivered over HTTP and communicating over the IRC protocol. |
||
< |
<syntaxhighlight lang="javascript"> |
||
var form = document.createElement('form'); |
var form = document.createElement('form'); |
||
form.setAttribute('method', 'post'); |
form.setAttribute('method', 'post'); |
||
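Review bot: `<ref name="worms"></ref>` at the end of the Current implications paragraph is an empty paired tag; the usual form for reusing a named reference is the self-closing `<ref name="worms" />`. The `<syntaxhighlight lang="javascript">` opener that replaces the bare `<` before the example is fine, provided the matching `</syntaxhighlight>` in the following hunk is kept.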
Line 29: | Line 29: | ||
document.body.appendChild(form); |
document.body.appendChild(form); |
||
form.submit(); |
form.submit(); |
||
</syntaxhighlight> |
|||
Known examples of the vulnerability were also demonstrated on files constructed to be valid [[HTML]] code and [[BMP file format|BMP]] image at the same time.<ref>{{Cite web|title = Marco Ramilli's Blog: Hacking through images|url = http://marcoramilli.blogspot.co.uk/2013/10/hacking-through-images.html|website = marcoramilli.blogspot.co.uk|accessdate = 2015-05-13}}</ref><ref>{{Cite book|chapter = Signing the document content is not enough: A new attack to digital signature|date = August 2008|pages = 520–525|doi = 10.1109/ICADIWT.2008.4664402|first1 = F.|last1 = Buccafurri|first2 = G.|last2 = Caminiti|first3 = G.|last3 = Lax|title = 2008 First International Conference on the Applications of Digital Information and Web Technologies (ICADIWT)|isbn = 978-1-4244-2623-2| s2cid=14070590 }}</ref><ref>{{Cite web|url = http://www.softcomputing.net/jias/buccafurri.pdf|website = www.softcomputing.net|accessdate = 2015-05-13|title = The Dalì Attack on Digital Signature}}</ref> |
|||
==References== |
==References== |
||
{{reflist}} |
{{reflist}} |
||
==External links== |
|||
* https://www.theregister.co.uk/2007/06/27/wade_alcorn_metasploit_interview/ |
|||
*Marco Ramilli Blog post which explains the [https://marcoramilli.blogspot.com/2013/10/hacking-through-images.html Hacking through images technique]. |
|||
[[Category:Computer security]] |
|||
[[Category:Computer network security]] |
[[Category:Computer network security]] |
||
[[Category:Computer security exploits]] |
|||
[[Category:Injection exploits]] |
[[Category:Injection exploits]] |
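Review bot: both entries in the new External links section duplicate sources that are already footnoted: the Register interview is the reference named "worms" added in this same revision (cited under theregister.com, listed here under theregister.co.uk), and the Ramilli blog post is already cited in the preceding paragraph (marcoramilli.blogspot.co.uk there, marcoramilli.blogspot.com here). Either drop the section or keep only links that are not used as references, and settle on one domain per source.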
Latest revision as of 20:54, 8 September 2024
Inter-protocol exploitation is a class of security vulnerabilities that takes advantage of interactions between two communication protocols,[1] for example the protocols used in the Internet. It is commonly discussed in the context of the Hypertext Transfer Protocol (HTTP).[2] This attack uses the potential of the two different protocols meaningfully communicating commands and data.
It was popularized in 2007 and publicly described in research[3] of the same year. The general class of attacks that it refers to has been known since at least 1994 (see the Security Considerations section of RFC 1738).
Internet Protocol implementations allow for the possibility of encapsulating exploit code to compromise a remote program that uses a different protocol. Inter-protocol exploitation can utilize inter-protocol communication to establish the preconditions for launching an inter-protocol exploit. For example, this process could negotiate the initial authentication communication for a vulnerability in password parsing. Inter-protocol exploitation is where one protocol attacks a service running a different protocol. This is a legacy problem because the specifications of the protocols did not take into consideration an attack of this type.
Technical details
The two protocols involved in the vulnerability are termed the carrier and target. The carrier encapsulates the commands and/or data. The target protocol is used for communication to the intended victim service. Inter-protocol communication will be successful if the carrier protocol can encapsulate the commands and/or data sufficiently to meaningfully communicate to the target service.[4]
Two preconditions need to be met for successful communication across protocols: encapsulation and error tolerance. The carrier protocol must encapsulate the data and commands in a manner that the target protocol can understand. It is highly likely that the resulting data stream will induce parsing errors in the target protocol.
The target protocol must be sufficiently forgiving of errors. During the inter-protocol connection it is likely that a percentage of the communication will be invalid and cause errors. To meet this precondition, the target protocol implementation must continue processing despite these errors.
Current implications
One of the major points of concern is the potential for this attack vector to reach through firewalls and DMZs. Inter-protocol exploits can be transmitted over HTTP and launched from web browsers on an internal subnet. An important point is the web browser is not exploited through any conventional means.[4]
Example
JavaScript delivered over HTTP and communicating over the IRC protocol.
<syntaxhighlight lang="javascript">
// Carrier: an ordinary HTML form. The browser, not the page author, opens
// the connection and speaks HTTP to the host and port named in the action.
var form = document.createElement('form');
form.setAttribute('method', 'post');
// Target: the IRC port of a server reachable from the browser's network.
form.setAttribute('action', 'http://irc.example.net:6667');
form.setAttribute('enctype', 'multipart/form-data');
// The IRC commands travel inside the POST body, one per line. An
// error-tolerant IRC daemon rejects the HTTP request line, headers and
// multipart boundaries as unknown commands but keeps parsing what follows.
var textarea = document.createElement('textarea');
textarea.innerText = "USER A B C D \nNICK turtle\nJOIN #hack\nPRIVMSG #hackers: I like turtles\n";
form.appendChild(textarea);
document.body.appendChild(form);
form.submit();
</syntaxhighlight>
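As an added illustration that is not part of the article, the following JavaScript models the carrier/target split from the Technical details section against the form above: a constructed approximation of the HTTP request a browser would emit is fed to an error-tolerant line parser standing in for the IRC server, and then to a variant that applies a simple target-side check. The request bytes, boundary string and host are constructed for the example, and `toLines`, `tolerantParse` and `strictParse` are hypothetical names.

```javascript
// Added example (not from the article): models the "carrier vs. target"
// split. The carrier is the HTTP POST a browser emits for the article's
// form; the target is a line-oriented IRC-style server. Request bytes,
// boundary and host are constructed here for illustration only.
const IRC_COMMANDS = new Set(['USER', 'NICK', 'JOIN', 'PRIVMSG', 'QUIT']);

// Constructed approximation of the form POST on the wire (all ASCII).
const body =
  '--B0UNDARY\r\nContent-Disposition: form-data\r\n\r\n' +
  'USER A B C D \nNICK turtle\nJOIN #hack\nPRIVMSG #hackers: I like turtles\n' +
  '\r\n--B0UNDARY--\r\n';
const CARRIER_REQUEST =
  'POST / HTTP/1.1\r\nHost: irc.example.net:6667\r\n' +
  'Content-Type: multipart/form-data; boundary=B0UNDARY\r\n' +
  `Content-Length: ${body.length}\r\n\r\n` + body;

// Splits the raw stream into protocol lines (IRC accepts \r\n or \n).
function toLines(stream) {
  return stream.split(/\r?\n/).map(l => l.trim()).filter(l => l.length > 0);
}

// Error-tolerant target: unknown commands get an error reply (IRC numeric
// 421) but the connection stays up and parsing continues, so the lines
// buried in the POST body are reached. This is the "error tolerance"
// precondition the article describes.
function tolerantParse(stream) {
  const accepted = [], errors = [];
  for (const line of toLines(stream)) {
    const cmd = line.split(' ')[0].toUpperCase();
    if (IRC_COMMANDS.has(cmd)) accepted.push(line);
    else errors.push(`421 ${cmd} :Unknown command`);
  }
  return { accepted, errors };
}

// Target-side mitigation: a service that does not speak HTTP should never
// see an HTTP request line. Recognise it on the first line and close the
// connection before any later line can be parsed as a command.
const HTTP_REQUEST_LINE = /^(GET|POST|PUT|HEAD|OPTIONS|DELETE|PATCH) \S+ HTTP\/\d\.\d$/;

function strictParse(stream) {
  const lines = toLines(stream);
  if (lines.length > 0 && HTTP_REQUEST_LINE.test(lines[0])) {
    return { accepted: [], errors: [], closed: 'HTTP request on non-HTTP port' };
  }
  return { ...tolerantParse(stream), closed: null };
}
```

Against the constructed request, the tolerant parser accepts the four IRC lines after rejecting seven carrier lines, while the strict variant accepts nothing.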
Known examples of the vulnerability were also demonstrated on files constructed to be valid HTML code and BMP image at the same time.[5][6][7]
References
1. "Inter-protocol Communication" (PDF). Aug 2006. Archived from the original on 2008-05-11. Retrieved 2013-02-22.
2. "HTML Form Protocol Attack". Archived from the original on 2013-04-20. Retrieved 2013-02-22.
3. "Inter-protocol Exploitation". 2007-03-05. Archived from the original on 2010-11-04. Retrieved 2010-07-08.
4. Biancuzzi, Federico (27 June 2007). "Worms 2.0!". www.theregister.com. Retrieved 23 August 2022.
5. "Marco Ramilli's Blog: Hacking through images". marcoramilli.blogspot.co.uk. Retrieved 2015-05-13.
6. Buccafurri, F.; Caminiti, G.; Lax, G. (August 2008). "Signing the document content is not enough: A new attack to digital signature". 2008 First International Conference on the Applications of Digital Information and Web Technologies (ICADIWT). pp. 520–525. doi:10.1109/ICADIWT.2008.4664402. ISBN 978-1-4244-2623-2. S2CID 14070590.
7. "The Dalì Attack on Digital Signature" (PDF). www.softcomputing.net. Retrieved 2015-05-13.