Aruba WAP OS Command Injection
01 Nov 2011OS command injection in RAP web interface.
During Black Hat USA 2011 in Las Vegas, I had the privilege to present my work in assessing and exploiting USB devices with low cost development hardware.
This step-by-step walkthrough of USB device assessment and exploitation from a application security professional’s point of view discusses USB analysis, protocol comprehension, and the creation of custom Arduino USB firmware to exploit architectural vulnerabilities of USB proximity sensor devices.
Hardware devices are continually relied upon to maintain a bridge between physical and virtual security. From access cards to OTP tokens, hardware devices receive limited review by application security professionals. They are often considered vastly more complex and difficult to assess than common web- and network-based applications.
In this talk I will cover a lightweight methodology to use when approaching the assessment of USB-based hardware devices. This will include the identification of trust boundaries and threat modeling, use case analysis though protocol analysis, as well as crafting a hardware device to exploit identified vulnerabilities. Not only will this methodology be described, it will be detailed through the assessment and exploitation of a hardware-based proximity sensor. Hardware-based proximity sensors attempt to enforce desktop security and lock a user’s desktop when the device has been removed from the vicinity of the computer. I will describe my experience and process for assessing a USB-based proximity sensor device and its eventual exploitation using components of the Arduino hardware architecture. I will describe the entire process not from the view of an electrical engineer, but from that of an application security professional with limited knowledge of current and voltage and a hobbyist’s budget.
So apparently the ability to send multipart/form-data file uploads via CSRF is a “thing”. See http://blog.kotowicz.net/2011/04/how-to-upload-arbitrary-file-contents.html and http://kuza55.blogspot.com/2008/02/csrf-ing-file-upload-fields.html.
Last year I stumbled upon the same issue as kuza55, a rather ridiculous injection flaw in Firefox 3. An input field’s name is not properly escaped for quotes and could be used to inject a filename parameter into the Content-Disposition of a multipart/form-data POST.
I just revisited this in Firefox 4 and discovered that they now attempt to escape quotes. A quote now becomes \" in an input field’s name. However, they failed Escaping 101 and do not escape backslashes. It is possible to craft an input field’s name that still escapes the name parameter and injects a filename into the Content-Disposition.
A name value of:
\"; name=param_name; filename=filename.ext;
will create the Content-Disposition of:
Content-Disposition: form-data; name="\\"; name=param_name; filename=filename.ext;"
In a quick Sinatra test app this post is still parsed as a valid file upload with a parameter name of param_name and a filename of filename.ext. I am guessing successful parsing of this request may vary depending on the web / application server.
I posted a jQuery POC for this CSRF at: https://gist.github.com/5d5615e3ea6a26f257de
FYI, looks like WebKit browsers URL encode quotes, sensibly preventing this type of injection. IE 8 still appears to still be susceptible to the initial quote injection.
Presented at Hacker Halted 2010 in Miami, this talk reviews automated web application scanners’ ability to identify common web application vulnerabilities and real-world deviations from base case vulnerabilities.