Vulnerabilities-Web Application Security-WhiteHat HackerKast

# HackerKast 19: Pressable Slowloris Attack, GoDaddy CSRF, Decloak Tor Hidden Services via SSH, LizardSquad Hacks Malaysian Airlines, GHOST Vulnerability

Welcome to this week’s HackerKast everybody! This week Jeremiah and I were lucky enough to be shooting this episode beachside while at AppSecCali down in Santa Monica. Poor Robert was stuck at home but I was happy to pull a Jeremiah and have palm trees behind me just like he does while he is in Hawaii.

This week we started with a story near and dear to Robert’s heart: a Slowloris denial-of-service attack on Pressable. Near and dear because Robert is the father of this type of DoS attack. Pressable is a big WordPress provider – I know, I know, we just can’t leave WordPress alone, can we, Internet? Slowloris is fairly easy to defend against if you try, but many web servers in their default configuration, Apache among them, don’t enable such protections. This DoS attack lasted 4 or 5 days and cost Pressable a lot of customers. Robert covers the popular defenses in the video if you are interested. We also briefly mentioned a new tool called CapTipper, a malicious HTTP traffic explorer that could help you dig into the evidence if you are on the receiving end of one of these attacks.
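To make the "easy to defend against if you try" point concrete, here is an added example (not Apache code and not from the episode) that models a request-header read timeout with a minimum data rate, the mechanism behind Apache's mod_reqtimeout directive `RequestReadTimeout header=20-40,MinRate=500`. The "lax" policy and the two traffic patterns are constructed for comparison; the point is how long a single Slowloris-style connection can hold a worker slot under each policy.

```python
"""Model of a request-header read timeout with a minimum data rate: the
defence the post says servers such as Apache leave off by default. Added
example, not Apache code; it mirrors the semantics of Apache's mod_reqtimeout
directive 'RequestReadTimeout header=20-40,MinRate=500' (20 s to finish the
header, extended by 1 s per 500 bytes received, never past 40 s). The 'lax'
policy and the traffic patterns below are constructed for comparison."""

from dataclasses import dataclass


@dataclass(frozen=True)
class HeaderReadPolicy:
    initial_timeout: float = 20.0  # seconds granted up front to finish the header
    max_timeout: float = 40.0      # hard cap, no matter how much data trickles in
    min_rate: float = 500.0        # bytes that buy one extra second

    def judge(self, chunks):
        """chunks: iterable of (arrival_time_s, bytes_received, header_complete)
        for one connection, in order. Returns ("accepted", t) when the header
        finishes before the deadline, else ("dropped", deadline): the time at
        which the server's timer reclaims the worker slot."""
        deadline = self.initial_timeout
        for t, nbytes, done in chunks:
            if t > deadline:
                return ("dropped", deadline)
            # Data extends the deadline, but only up to the hard cap.
            deadline = min(self.max_timeout, deadline + nbytes / self.min_rate)
            if done:
                return ("accepted", t)
        # Went silent without completing the header: slot freed at the deadline.
        return ("dropped", deadline)


# Strict policy = the mod_reqtimeout example above. The lax policy stands in for
# a server that only enforces a flat idle timeout on the header phase: extra
# bytes never extend it, but nothing is required of the client either.
STRICT_POLICY = HeaderReadPolicy()
LAX_POLICY = HeaderReadPolicy(initial_timeout=300.0, max_timeout=300.0,
                              min_rate=float("inf"))

# Constructed traffic (not captured data); times are seconds since connect.
NORMAL_CLIENT = [(0.05, 320, False), (0.08, 140, True)]  # whole header in 80 ms
SLOW_CLIENT = [(0.0, 60, False)] + [(15.0 * i, 8, False) for i in range(1, 6)]
# Slowloris pattern: a partial header, then one tiny bogus header line every
# 15 s so the connection never looks idle and never completes.


def worker_seconds_held(policy, chunks):
    """How long one connection occupies a worker slot under the policy."""
    return policy.judge(chunks)[1]


if __name__ == "__main__":
    for name, policy in (("strict", STRICT_POLICY), ("lax", LAX_POLICY)):
        print(name, "normal:", policy.judge(NORMAL_CLIENT),
              "slow:", policy.judge(SLOW_CLIENT))
```

Under the strict policy the slow client is cut off at roughly 20 s, while the lax policy lets the same connection sit on a worker for the full 300 s; multiply that by the number of connections one machine can open and the difference is the whole attack. The normal client is unaffected either way, which is why enabling the protection costs legitimate users nothing.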

Next, I talked about a GoDaddy CSRF vulnerability that was disclosed; it was pretty nasty, not to mention scary to think about how long it might have been around. For those unfamiliar, CSRF (cross-site request forgery) is when an attacker can force a user’s browser to make requests on the user’s behalf, riding on the session the browser already has with the target site. This is particularly bad news for GoDaddy, since an attacker would have been able to force an authenticated user to change their nameservers, auto-renew settings, and DNS zone file. That combination would be deadly: it could point a website at malicious servers, or turn off auto-renew so the domain could be sniped away from its GoDaddy owner. This was disclosed and fixed in 3 days, which is VERY impressive considering the average time-to-fix for most companies is much longer than that.
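As an added illustration of what "force an authenticated user to change their nameservers" looks like in code, and of the fix, here is a toy registrar endpoint in its CSRF-vulnerable shape next to a hardened one. This is example code, not GoDaddy's; `SITE_ORIGIN`, the in-memory session store, and the request dicts are constructed for the demonstration.

```python
"""Toy 'change nameservers' endpoint: the CSRF-vulnerable shape beside a
hardened one. Added example, not GoDaddy code; SITE_ORIGIN, the in-memory
session store and the request dicts are all constructed for the demo."""

import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://registrar.example"  # constructed stand-in for the real site
SESSIONS = {}  # session id -> {"user": ..., "csrf_token": ...} (stand-in for a real store)


def login(user):
    """Create a session and a per-session synchronizer token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """The token the site embeds as a hidden input in its own forms."""
    return SESSIONS[sid]["csrf_token"]


def origin_of(url):
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def change_nameservers_vulnerable(request, records):
    """Trusts the session cookie alone. Browsers attach cookies to any request
    aimed at this site, so a form auto-submitted from an unrelated page the
    victim visits is accepted exactly like one from the registrar's own UI."""
    sess = SESSIONS.get(request["cookies"].get("session"))
    if sess is None:
        return 401, "not logged in"
    records[sess["user"]] = request["form"]["nameservers"]
    return 200, "updated"


def change_nameservers_hardened(request, records):
    """Same operation with the standard CSRF defences layered on."""
    sess = SESSIONS.get(request["cookies"].get("session"))
    if sess is None:
        return 401, "not logged in"
    if request["method"] != "POST":
        return 405, "state change requires POST"
    # Defence in depth: the browser-set Origin (or, failing that, Referer)
    # must name our own site; a third-party page cannot forge these headers.
    source = request["headers"].get("Origin") or request["headers"].get("Referer")
    if source is None or origin_of(source) != SITE_ORIGIN:
        return 403, "cross-origin request refused"
    # Primary defence: a synchronizer token bound to the session. A foreign
    # page cannot read it (same-origin policy), so it cannot include it.
    submitted = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(submitted, sess["csrf_token"]):
        return 403, "missing or invalid CSRF token"
    records[sess["user"]] = request["form"]["nameservers"]
    return 200, "updated"


def legitimate_request(sid, nameservers):
    """What the registrar's own settings form submits (constructed)."""
    return {
        "method": "POST",
        "cookies": {"session": sid},
        "headers": {"Origin": SITE_ORIGIN},
        "form": {"nameservers": nameservers, "csrf_token": csrf_token_for(sid)},
    }


def forged_request(sid):
    """What arrives when a logged-in victim's browser auto-submits a form hosted
    on a third-party page (constructed). The browser still attaches the session
    cookie, but Origin reflects the foreign page and no token is present."""
    return {
        "method": "POST",
        "cookies": {"session": sid},
        "headers": {"Origin": "https://third-party.example"},
        "form": {"nameservers": "ns1.third-party.example"},
    }


if __name__ == "__main__":
    sid = login("alice")
    records = {"alice": "ns1.registrar.example"}
    print(change_nameservers_vulnerable(forged_request(sid), records), records)
    print(change_nameservers_hardened(forged_request(sid), records), records)
    print(change_nameservers_hardened(legitimate_request(sid, "ns2.example"), records), records)
```

The token check is the defence that actually closes the hole; the Origin/Referer check is cheap defence in depth, and because some legitimate clients strip Referer, a production deployment should treat a missing header as a reason to fall back to the token check rather than as proof of an attack. Either way, the cookie alone must never be enough to authorize a state change of this kind.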

We seem to be talking about Lizard Squad (Mafia? Crew?) a lot lately, and this time they went after Malaysian Airlines. They attacked the airline’s DNS and redirected the site to a page that said “404 Plane Not Found.” We are seeing these DNS attacks more and more lately, as DNS seems to be an easier target than the websites themselves.

Another topic this week near to Robert’s heart was a new way to identify Tor hidden services via SSH fingerprints. Researchers scanned the internet for open SSH services, grabbed the host key fingerprint from each one, and then compared those fingerprints with the one presented by a Tor hidden service; a match decloaks the real IP address of the site. The same technique could be used for other purposes, such as finding the real IP of websites behind Akamai or CloudFlare that don’t want it public.
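From the defender's side, the lesson is that an SSH host key is an identifier, and a hidden service (or an origin server hiding behind a CDN) that reuses one from a publicly reachable host is linkable to it. Here is an added self-audit example, not the researchers' tool, that computes OpenSSH-style fingerprints from public key lines and reports any hidden service whose host key also appears on one of your own public hosts; all key material and host names in it are constructed.

```python
"""Host-key reuse audit for services that are supposed to stay unlinkable.
Added example, not the researchers' tool: it computes OpenSSH-style
fingerprints from public key lines and reports any hidden service whose
SSH host key also appears on one of your own publicly reachable hosts.
All key material and host names below are constructed, not real."""

import base64
import hashlib


def fingerprint(pubkey_line, algo="sha256"):
    """Fingerprint of a '<type> <base64 blob> [comment]' public key line, in
    the two formats ssh-keygen -l prints: 'SHA256:<base64, unpadded>' and
    'MD5:aa:bb:...' (the colon-hex form common when this post was written)."""
    _key_type, blob_b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(blob_b64)  # fingerprints hash the raw key blob only
    if algo == "md5":
        hexdigest = hashlib.md5(blob).hexdigest()
        return "MD5:" + ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))
    if algo == "sha256":
        digest = hashlib.sha256(blob).digest()
        return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")
    raise ValueError(f"unsupported fingerprint algorithm: {algo}")


def shared_host_keys(hidden_services, public_hosts):
    """hidden_services and public_hosts map a name to that host's SSH public key
    line. Returns {hidden service: [public hosts presenting the same key]}; an
    empty dict means no hidden service is linkable to a public address this way."""
    public_by_fp = {}
    for host, line in public_hosts.items():
        public_by_fp.setdefault(fingerprint(line), []).append(host)
    findings = {}
    for name, line in hidden_services.items():
        matches = public_by_fp.get(fingerprint(line))
        if matches:
            findings[name] = sorted(matches)
    return findings


def _constructed_key(label):
    """Stand-in for an ssh-ed25519 public key line. The blob is arbitrary bytes,
    not a real key, which is enough here because fingerprints only hash the blob."""
    blob = b"constructed-host-key:" + label.encode()
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii") + " " + label


# Constructed inventory: one hidden service was cloned from a public VM image
# without regenerating its SSH host keys, so it presents the same key.
HIDDEN_SERVICES = {
    "example2222.onion": _constructed_key("key-A"),
    "example3333.onion": _constructed_key("key-C"),
}
PUBLIC_HOSTS = {
    "203.0.113.10": _constructed_key("key-A"),
    "203.0.113.11": _constructed_key("key-B"),
}


if __name__ == "__main__":
    for name, hosts in shared_host_keys(HIDDEN_SERVICES, PUBLIC_HOSTS).items():
        print(f"{name} shares its SSH host key with {', '.join(hosts)}")
```

The practical fixes follow from the audit: a hidden service should not expose SSH (or any other service) on the same host key, or ideally at all, that a public address presents, and the same goes for an origin behind a CDN. Cloned VM images are a common way to end up with duplicate host keys without ever intending to, so regenerating them on first boot is worth checking in your provisioning.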

The last story we covered this week is a new vulnerability called GHOST, which seems like it could be serious; we haven’t had much time to research it yet but had to mention it. It has a name and branding, so it must be super serious, right? We’ll most likely do a follow-up post, but if you are interested, it appears to be a glibc buffer overflow in the DNS resolver functions. More soon!

References:

Pressable Slowloris DoS Outage

Taking over Godaddy Account using CSRF

Malaysian Airlines DNS Redirected (404 Plane Not Found)

Using SSH fingerprints to identify Tor hidden Services

GHOST Vulnerability – glibc buffer overflow in DNS resolver

Notable stories this week that didn’t make the cut:

Flash 0day in the wild

CapTipper – Malicious HTTP traffic explorer tool

Nearly every US Arms Program Found Vulnerable to Cyber Attacks

China Cracks Down on VPN Services After Censorship System ‘Upgrade’

FBI Seeks To Legally Hack You If You’re Connected To TOR Or a VPN

Oracle/Java vulnerabilities

Referrer Changes in W3C

Healthcare.gov or 3rd-Party Vendors May Run Afoul of New CFAA Rules

Tags: Vulnerabilities, web application vulnerabilities, WordPress