There are probably very few system administrators who haven't at least
contemplated some kind of retribution against attackers. Some may have
envisioned something physical—perhaps involving red-hot pokers—but it's likely that the majority considered
extracting a payback via the same route they were attacked: the internet.
A French company, TEHTRI-Security, has taken that idea to its logical extreme by presenting
thirteen "zero-day" exploits against tools
used by attackers at the SyScan security conference,
which was recently held in Singapore.
Many attackers use various
applications—exploit packs and toolkits—that they install on the web
sites they have
compromised. These applications launch attacks against the web browsers of
site visitors by probing for vulnerabilities, often in plugins like PDF or
Java, and using those it finds to compromise the visitor's machine. TEHTRI
investigated several of these applications and found exploitable
vulnerabilities in half a dozen of them. Unlike what it might have done for
more benign applications, TEHTRI released the information at the conference
with no warning to the projects and, not surprisingly, those who usually
clamor for "responsible disclosure" were rather mute.
These exploit toolkits typically have two components: the payload delivery
mechanism and an administrative interface. Payload delivery runs on the
compromised web site, looks at the browser to try to find vulnerabilities, and
then delivers the appropriate exploit. The web-based administrative
interface often aggregates information from multiple compromised web sites and
allows the attacker to see what browsers were successfully attacked, which
vulnerabilities were used, where
the user came from, and so on—essentially a web analytics tool for
malware purveyors. TEHTRI found vulnerabilities in both of these components,
which could lead to administrative interface defacement, attack management
database destruction, authentication cookie disclosure, disclosure of
attackers' IP addresses, and more.
The kinds of vulnerabilities that were found read like a laundry list of
the most common web application flaws: cross-site scripting, SQL injection,
cross-site request forgery, remote file disclosure, authentication bypass,
and so on. Even those who exploit web application flaws for a
"living"—exploit packs typically cost $500-1000 or more—seem
to be unable or unwilling to write code that avoids those same flaws.
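To make the two components and the flaw classes concrete, here is an added example that is not code from TEHTRI, from SyScan, or from any real exploit pack: a hypothetical, Python-and-SQLite stand-in for the kind of stats panel described above (most real kits are PHP, but the flaws are the same). The hits table, the admins table, the `boss`/`s3cret` row, the IP address and the User-Agent strings are all constructed for the illustration. It shows two of the listed flaw classes side by side with their fixes: an authentication bypass via SQL injection in the panel's login, and a stored cross-site scripting "defacement" where the payload is simply the User-Agent header a visiting browser chooses to send, that is, data supplied by the would-be victim rather than by the kit's operator.

```python
import html
import sqlite3


def new_db():
    """Build a constructed, in-memory stand-in for a kit's stats database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE admins (user TEXT, pass TEXT);
        INSERT INTO admins VALUES ('boss', 's3cret');
        CREATE TABLE hits (ip TEXT, ua TEXT, exploited INTEGER);
    """)
    return conn


def login_vulnerable(conn, user, password):
    """Authentication bypass: credentials are pasted into the SQL text,
    so a username such as  boss' --  comments the password check away."""
    sql = (f"SELECT user FROM admins WHERE user = '{user}' "
           f"AND pass = '{password}'")
    return conn.execute(sql).fetchone() is not None


def login_hardened(conn, user, password):
    """Same check with bound parameters; input can never alter the query."""
    row = conn.execute(
        "SELECT user FROM admins WHERE user = ? AND pass = ?",
        (user, password),
    ).fetchone()
    return row is not None


def log_hit(conn, ip, ua, exploited):
    """Record a visit, as the payload-delivery side of a kit would.
    The User-Agent is whatever the visiting browser sent: this string is
    chosen by the victim, not by the kit's operator."""
    conn.execute("INSERT INTO hits VALUES (?, ?, ?)", (ip, ua, int(exploited)))
    conn.commit()


def render_stats_vulnerable(conn):
    """Stored XSS: logged strings are dropped into the admin page unescaped,
    so a crafted User-Agent runs as script in the operator's browser."""
    rows = conn.execute("SELECT ip, ua, exploited FROM hits").fetchall()
    cells = "".join(f"<tr><td>{ip}</td><td>{ua}</td><td>{ex}</td></tr>"
                    for ip, ua, ex in rows)
    return f"<table>{cells}</table>"


def render_stats_hardened(conn):
    """Same page with every untrusted value HTML-escaped before insertion."""
    rows = conn.execute("SELECT ip, ua, exploited FROM hits").fetchall()
    cells = "".join(
        "<tr><td>{}</td><td>{}</td><td>{}</td></tr>".format(
            html.escape(ip), html.escape(ua), int(ex))
        for ip, ua, ex in rows)
    return f"<table>{cells}</table>"


# Constructed inputs: a User-Agent a visiting browser could send, and a
# username that breaks out of the vulnerable login query.
XSS_UA = "Mozilla/5.0 <script>document.title='defaced'</script>"
BYPASS_USER = "boss' --"


if __name__ == "__main__":
    db = new_db()
    print("vulnerable login bypassed:", login_vulnerable(db, BYPASS_USER, "x"))
    print("hardened login bypassed:  ", login_hardened(db, BYPASS_USER, "x"))
    log_hit(db, "203.0.113.7", XSS_UA, True)
    print("raw script in vulnerable page:",
          "<script>" in render_stats_vulnerable(db))
    print("raw script in hardened page:  ",
          "<script>" in render_stats_hardened(db))
```

The point of the `log_hit` path is the one the article hints at: a kit's stats panel is a web application whose inputs are the browsers it attacks, so every header it records is an untrusted field, and the standard remedies (parameterized queries, output escaping) are exactly the ones its authors skipped.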
It is rather ironic that the victims of these web
attacks can turn around and use the same techniques to attack the attacker.
As TEHTRI and others point out, though, it may well be illegal to turn the
tables on the attackers, no matter how satisfying—and
reasonable—the idea seems. Self-defense is likely not a defense
against computer crime statutes, at least in many jurisdictions. The
administrative interfaces typically run on systems under the control of the
attacker, but not necessarily a host that is "owned" (in the legal sense)
by them. It is probable that an unsuspecting victim's server has been
compromised to the extent that the web interface could be installed, which
makes an attack against it even riskier.
While some specifics were given at the SyScan talk, TEHTRI is keeping the
details of these vulnerabilities (and others that it hints about) to itself
for now. There is another SyScan conference in early July (in Hangzhou, China)
at which Laurent Oudot is once again presenting on this topic so, in order to
keep up the interest in the talk, "it has been decided that we would not disclose the whole content of our
findings before this upcoming event", he said. As with much
security research, TEHTRI clearly sees these vulnerabilities as a marketing
tool, and is, unfortunately in some ways, treating them as such. On the
other hand, it's hard to feel much in the way of sympathy for the
developers or users of the tools, so disclosure of the flaws, and how to
exploit them, is not a particularly high priority.
Given that there aren't enough details, yet, to actually strike back against
attackers using these exploit toolkits, there is some time to consider the
ramifications of "defensive attacks". Computer crime statutes are
typically written rather loosely, such that any access other than what the
site owner wants can be considered a violation. As various folks
have found out, intent means very
little when it comes to computer "crime". In addition, judges and lawyers
are not terribly savvy about these technical issues, which makes
it that much harder for "white hats" to defend themselves. All of that
makes it extremely risky for anyone to use these exploits (or other
offensive methods) against attackers.
One way to use the vulnerabilities that TEHTRI has found
would be by, or in conjunction with, law enforcement. Exploiting some
of those holes could lead to other systems under the control of the attacker,
potentially including a host that can be associated with a specific
individual or group. That could lead to prosecution, and possibly to the
exposure of a larger network of attackers. Unfortunately, except for high-profile
attacks, there seem to be few resources available to track down and
prosecute these crimes.
In the end, the lasting legacy of these vulnerabilities is likely to be
their amusement value. It's probably too risky for "white hats" to use them,
and those who could use them without fear of prosecution (e.g. police)
don't have enough time, money, or interest to do so. That's sad in many
ways, and disappointing to system administrators who would like to extract
a small measure of retribution, but it's also hard to see it changing