Off-Path Attacking the Web
Yossi Gilad and Amir Herzberg
Computer Science Department, Bar Ilan University
Oscar: the Off-Path Attacker

[Diagram: Alice's genuine message to Bob ("Bob, I love you! Alice") travels one path of routers; Oscar, who is not on that path, sends a spoofed message in Alice's name ("Bob, I leave you! Alice"). Router labels in the figure: 4.4.4, 1.1.1, 6.6.6, 2.2.2, 5.5.5, 3.3.3.]
Why Off-Path Attacks?

- Why not MitM (eavesdropper)?
  - Harder: needs physical access or control of a router
- Can Oscar spoof IP packets?
  - Often not: most ISPs ingress-filter
  - But enough ISPs don't (18%-22%)
- What of the challenge-response defense?
  - Correct use of challenge-response suffices
  - But: often, challenge-response is used incorrectly, since it is used for other purposes, e.g., in TCP for SEQ/ACK
- This work: off-path TCP injection
  - Allows XSS, phishing and more…
Related Work

- Predictable ISNs: Morris85, Mitnick95, Zalewski01,05
- Address-based client authentication vulnerable [Bellovin89]
- 'PoC' for Windows clients: klm07
  - We improve (FW, efficiency), extend to exploit
- QianMao12, QMXie12: (limited) malware
  - QM12: also assumes seq#-checking FW
  - Does not work for Windows clients
Attack Scenario and Goal

1. Alice surfs to Oscar's site
2. Alice's browser runs Oscar's script (puppet)
3. Puppet sends HTTP requests to Bob
4. Oscar injects response into the connection between Alice and Bob (est. by the puppet)

[Diagram, labels over the Internet: "1. Surf to Oscar.com", "2. Send page with script", "3. Script opens (hidden) frame of Bob.com", "4. Inject (e.g., script) as content from Bob".]
Attack Goal and Scenario

- Alice's browser assigns Oscar's spoofed response the context of 'Bob'
  - Can contain script: cross site scripting (XSS)
  - Request objects: cross site request forgery (CSRF)
  - Spoof a web page; the response may be cached
What Do We Need? Grocery List

- Task #1: identify the 'victim-connection' between Alice and Bob
- Task #2: learn sequence numbers
  - Spoofed data needs to correspond with a real connection
  - TCP discards packets with invalid seq #
- Task #3: exploit
  - Send (spoofed) data in correct HTTP context
  - Browser assigns data the credentials of server (Bob)
Attack and Talk Overview

- Learn connection identifiers (IPs:ports)
- Learn server's sequence number
- Learn client's sequence number
- Exploit(s):
  - XSS
  - CSRF
  - Phishing
- Conclusions
Identify Victim-Connection

- A TCP connection has four identifiers: <ServerIP:port, ClientIP:port>
- Puppet opens connection to Bob (server)
  - ServerIP:port selected by puppet (attacker)
  - Client IP: known from client connection to Oscar
  - Client port: sequentially assigned… [Windows]
    - Not sequential? See [GH PETS'12]
Finding Server Sequence Number

- TCP sequence numbers are 32 bits
  - That's too long to guess
- Need to learn the sequence #. How?
  - Use TCP responses to probe packets
- Empty-ACK packets provide a useful response:
  - If seq# out of WIN: send ACK (to re-sync)
  - If seq# in WIN: no response (to avoid 'ACK storm')
Finding Server Sequence Number

- How to detect if a response is sent?
  - Use the IP-ID side channel
- IP-ID: 16-bit identifier in the IP header
  - Used to correctly reconstruct a packet from fragments
  - In Windows: implemented as a global counter
  - One connection (to Oscar) leaks info about another!
  - Old trick: NMAP's idle-scan, Bellovin machine-count, …
Finding Server Sequence Number

- Puppet opens connection to server
- Oscar sends query-probe-query:
  1. Query: unordered 1-byte packets → ACK (ipid)
  2. Probe (srcIP = server): empty-ACK with seq# = i∙w
     - w is an estimate of WIN size
- Found → binary search finds exact seq#
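The probing mechanism on these three slides rests on two facts: an empty ACK whose sequence number is outside the receive window draws an ACK reply while an in-window one draws silence, and a host whose IP-ID is a single global counter reveals, on the attacker's own connection, whether it sent anything to anyone else in between. The following model is an added example written for this page, not code from the authors; it simulates both facts on a toy host (no packets are sent) and contrasts the global-counter policy with a per-destination counter started at a random offset, which removes the leak. The class and function names, the labels "observer" and "server", and all numeric values are this example's own constructions.

```python
"""Toy model of the TCP/IP-ID side channel described on the slides (added example).

Two behaviours are simulated on a host that never touches the network: (1) an
empty ACK whose seq# is outside the receive window is answered with an ACK, an
in-window one is ignored; (2) an IP-ID policy assigns the 16-bit identifier of
every packet the host emits. Addresses, sequence numbers and window sizes are
constructed values chosen for the example.
"""
import random

SEQ_MOD = 2 ** 32
IPID_MOD = 2 ** 16


def seq_in_window(seq, rcv_nxt, window):
    """RFC 793 acceptability test for a zero-length segment, modulo 2^32:
    RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND."""
    return (seq - rcv_nxt) % SEQ_MOD < window


class GlobalCounterIPID:
    """A single counter shared by all destinations (the Windows behaviour on the slides)."""
    def __init__(self, start=1000):
        self.next_id = start

    def assign(self, dst):
        ipid = self.next_id
        self.next_id = (self.next_id + 1) % IPID_MOD
        return ipid


class PerDestinationIPID:
    """An independent counter per destination, each starting at a random offset."""
    def __init__(self, rng):
        self.rng = rng
        self.counters = {}

    def assign(self, dst):
        if dst not in self.counters:
            self.counters[dst] = self.rng.randrange(IPID_MOD)
        ipid = self.counters[dst]
        self.counters[dst] = (ipid + 1) % IPID_MOD
        return ipid


class Host:
    """Receiver side of one TCP connection plus the host-wide IP-ID policy."""
    def __init__(self, ipid_policy, rcv_nxt, window):
        self.ipid_policy = ipid_policy
        self.rcv_nxt = rcv_nxt
        self.window = window
        self.sent = []  # (destination, ipid) for every packet emitted

    def _emit(self, dst):
        ipid = self.ipid_policy.assign(dst)
        self.sent.append((dst, ipid))
        return ipid

    def receive_empty_ack(self, src, seq):
        """Out-of-window seq#: ACK back to re-sync. In-window: silence (no ACK storm)."""
        if seq_in_window(seq, self.rcv_nxt, self.window):
            return None
        return self._emit(src)

    def reply_to_query(self, peer):
        """Answer the observer's own query (an out-of-order byte) with an ACK carrying an IP-ID."""
        return self._emit(peer)


def global_counter_factory():
    return GlobalCounterIPID()


def per_destination_factory(seed=7):
    return PerDestinationIPID(random.Random(seed))


def ipid_gap_observed(policy_factory, probe_seq, rcv_nxt=700_000, window=65_535):
    """Query - probe - query: return the IP-ID gap between the two replies the observer gets."""
    host = Host(policy_factory(), rcv_nxt, window)
    observer, probe_source = "observer", "server"   # constructed labels
    first = host.reply_to_query(observer)
    host.receive_empty_ack(probe_source, probe_seq)  # a third party's probe; may trigger an ACK
    second = host.reply_to_query(observer)
    return (second - first) % IPID_MOD


def leak_distinguishable(policy_factory, rcv_nxt=700_000, window=65_535):
    """Does the observer's gap differ between an in-window and an out-of-window probe?"""
    gap_in = ipid_gap_observed(policy_factory, rcv_nxt + window // 2, rcv_nxt, window)
    gap_out = ipid_gap_observed(policy_factory, rcv_nxt + 2 * window, rcv_nxt, window)
    return gap_in != gap_out


if __name__ == "__main__":
    for name, factory in [("global counter", global_counter_factory),
                          ("per-destination", per_destination_factory)]:
        print(f"{name}: in-window gap={ipid_gap_observed(factory, 700_000 + 100)}, "
              f"out-of-window gap={ipid_gap_observed(factory, 900_000)}, "
              f"leaks={leak_distinguishable(factory)}")
```

With the global counter the observer sees a gap of 1 after an in-window probe and 2 after an out-of-window one, so every probe yields one bit about the server's sequence number. With a per-destination counter the observer's two queries advance only the observer's own counter, the gap is 1 in both cases, and the window check is no longer observable from another connection; that, together with TLS, is the mitigation the deck's conclusions point to.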
Finding Client Sequence Number

- Already know server seq# (and IPs, ports)
  - This should have been enough to inject (according to TCP spec)
  - But Windows implementations (as of XP SP2) also validate the ack number of packets
  - The valid ack# is the client's seq#
Finding Client Sequence Number

- To find client seq#: send a packet with data, carrying the server's IP:port and the correct seq#
- TCP's handling of the packet depends on its ack#
- For Windows clients:
  - Silently discards a packet with an 'old' ack number
  - Otherwise: sends an ACK
- Leaks whether ack# > UNA
  - Binary search…

[Diagram: ack# axis with marks UnAcked and Next. Below UnAcked: Windows silently discards; RFC says process (often, ack). Between UnAcked and Next: process. Above Next: discard and send duplicate ACK.]
Exploiting Injections: XSS, CSRF

- Cross Site Scripting (XSS): cause browser to run MalScript in context of victim.com
  - Typical XSS: exploit bug in site or browser
  - Off-path-injected XSS: no need for vulnerable site/browser!
- Script can post fake HTTP requests (CSRF)
XSS Exploit: Results

- Top 1024 sites, 10Mb Windows clients, 1Mb Oscar
- Average 32 pkts/s 'noise'
- Immune sites: mostly SSL or non-persistent
Phishing by Injection

- Off-path XSS, CSRF may fail:
  - To collect user-entered data, e.g., passwords
  - Esp. if site uses SSL for passwords
- Alternative: phish / deface!
  - Change contents: steal PWDs, push malware…
  - Cache spoofed page at local browser or network proxy
    - User receives the spoofed page when he/she expects the real page
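The results slide attributes immunity mostly to SSL or non-persistent connections, and the phishing slide notes that protecting only the password POST with SSL still leaves the login page itself spoofable. The checker below is an added example written for this page, not code from the authors: it parses an HTTP response and reports which of those three exposure conditions hold. The header names are standard HTTP/1.1; the finding codes, function names and the two sample responses are this example's own constructions.

```python
"""Exposure checker for the conditions the slides tie to off-path injection (added example).

Reports whether a page is served in plaintext, whether its connection is
persistent (leaving a long-lived victim connection to probe), and whether a
plaintext page carries a login form posting to an https URL. The sample
responses at the bottom are constructed for this example.
"""
import re

# Finding codes returned by assess_exposure(), with the reasoning behind each.
FINDINGS = {
    "plaintext": "served over plain HTTP: a spoofed response would be accepted in the site's context",
    "persistent": "persistent connection: the victim connection stays open while sequence numbers are probed",
    "mixed-scheme-login": "login form on a plaintext page posts to https: the page itself can be replaced before credentials are sent",
}

FORM_ACTION_RE = re.compile(r"<form\b[^>]*\baction\s*=\s*[\"']([^\"']*)[\"']", re.IGNORECASE)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def is_persistent(status_line, headers):
    """HTTP/1.1 is persistent unless 'Connection: close'; HTTP/1.0 only with 'keep-alive'."""
    version = status_line.split(" ", 1)[0]
    connection = headers.get("connection", "").lower()
    if version == "HTTP/1.1":
        return connection != "close"
    return connection == "keep-alive"


def assess_exposure(scheme, raw_response):
    """Return the list of finding codes for a page fetched over `scheme` ('http' or 'https')."""
    if scheme == "https":
        return []  # TLS: an off-path attacker cannot forge a response the browser accepts
    status_line, headers, body = parse_response(raw_response)
    findings = ["plaintext"]
    if is_persistent(status_line, headers):
        findings.append("persistent")
    if any(action.lower().startswith("https://") for action in FORM_ACTION_RE.findall(body)):
        findings.append("mixed-scheme-login")
    return findings


# Constructed sample: a plaintext login page whose form posts to HTTPS.
SAMPLE_LOGIN_PAGE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
    "<html><body><form action=\"https://login.example.test/session\" method=\"post\">"
    "<input name=\"pwd\" type=\"password\"></form></body></html>"
)

# Constructed sample: a static page on a connection that closes after each response.
SAMPLE_STATIC_PAGE = (
    "HTTP/1.0 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

if __name__ == "__main__":
    for label, scheme, raw in [("login page over http", "http", SAMPLE_LOGIN_PAGE),
                               ("login page over https", "https", SAMPLE_LOGIN_PAGE),
                               ("static page over http", "http", SAMPLE_STATIC_PAGE)]:
        codes = assess_exposure(scheme, raw)
        print(label, "->", codes or ["no findings"])
        for code in codes:
            print("   ", FINDINGS[code])
```

The login sample over plain HTTP triggers all three findings; the same page over HTTPS triggers none, and the HTTP/1.0 static page only the plaintext finding, which matches the deck's observation that SSL or non-persistent sites were the ones left untouched by the injection.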
Conclusions

- TCP may not be secure against off-path attackers!
  - Use 'real' security: SSL/TLS, IPsec, etc.
  - Attacks may be improved, abused further…
Thank You!

Special thank you to CPIIS for supporting my research.

Questions?