Exploiting Local Dev Envs

Table Of Contents

Running Locally

BeEF

  • Browser Exploitation Framework (BeEF)
  • Creates a browser botnet that can be controlled by a central server
  • "BeEF looks past the hardened network perimeter and examines exploitability within the context of the one open door: the web browser"
    • What security assumption does this exploit?
      • Our VPN protects our network from the public internet

How does BeEF work?

  1. Bob visits a page with malicious JavaScript
    • Ex: Mallory's DOM XSS loaded evil.example.com:3000/hook.js
  2. hook.js interacts with Mallory's Command and Control (C&C) server
  3. Through the C&C server, Mallory launches attacks from the victim's browser
    • BeEF allows Mallory to…
      1. Find servers on the victim's local area network (LAN)
        • Including servers listening on localhost
      2. Make REST requests to these servers if CORS isn't strict
      3. Execute arbitrary JavaScript payloads within the victim's browser

Demo: How To Find A Dev's ES Instance

  • Leverage BeEF Cross-Origin Scanner Module
  • Check for an Elasticsearch (ES) instance running locally with a permissive CORS policy
  • If ES has a permissive CORS policy, BeEF can
    • Send any type of REST request to the DEV ES instance
      • ES 5.6 Community Edition currently has no authentication built in
        • Includes clustering interface
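
A defender's version of the check above, as an added example that is not part of the original slides: it audits an `elasticsearch.yml` for the CORS settings that let an arbitrary web page read from and write to a local ES instance. The `http.cors.*` keys are Elasticsearch settings; the function names, finding codes and sample config are constructed for illustration, and regex origins are approximated with Python's `re`.

```python
import re

# Constructed sample: a developer's elasticsearch.yml (flat dotted keys only).
SAMPLE_DEV_YML = """
network.host: 127.0.0.1
http.port: 9200
http.cors.enabled: true
http.cors.allow-origin: "*"   # added so a local UI could talk to ES
"""
PROBE_ORIGIN = "http://evil.example.com:3000"  # the hook origin used on the slides
WRITE_METHODS = {"POST", "PUT", "DELETE"}

def parse_flat_yml(text):
    """Read 'dotted.key: value' lines; nested YAML is out of scope here."""
    settings = {}
    for line in text.splitlines():
        line = re.sub(r"\s+#.*$", "", line).strip()  # drop trailing comments
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings

def origin_allowed(rule, origin):
    """Approximate ES matching: '*', an exact origin, or a /regex/ (Python re here)."""
    if rule.startswith("/") and rule.endswith("/") and len(rule) > 1:
        try:
            return re.fullmatch(rule[1:-1], origin) is not None
        except re.error:
            return False
    return rule == "*" or rule == origin

def audit_es_cors(text):
    """Return finding codes for a config an arbitrary web page could abuse."""
    s = parse_flat_yml(text)
    if s.get("http.cors.enabled", "false").lower() != "true":
        return []  # no CORS headers: a foreign page cannot read ES responses
    findings = []
    if origin_allowed(s.get("http.cors.allow-origin", ""), PROBE_ORIGIN):
        findings.append("any-origin")
        # ES default method list already includes the write verbs
        methods = s.get("http.cors.allow-methods", "OPTIONS, HEAD, GET, POST, PUT, DELETE")
        if WRITE_METHODS & {m.strip().upper() for m in methods.split(",")}:
            findings.append("write-methods")
    return findings

if __name__ == "__main__":
    print(audit_es_cors(SAMPLE_DEV_YML))
```

An empty result only means a foreign page cannot read responses; binding to 127.0.0.1 does not prevent the browser from sending the request in the first place.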

Demo: Finding A Prod ES Instance

  • Scenario
    • Dev is on VPN
    • VPN contains a Prod ES instance
    • Prod ES instance doesn't allow CORS
      • It's "locked down" so BeEF attacks won't work
      • "It's safe because it's on the VPN"
  • BeEF Port Scanner Module
    • Uses methods to avoid blocked ports or Same Origin Policy
      • If a server doesn't allow CORS, BeEF can still detect that the server exists
      • Uses WebSockets, <img src=""> tags, etc.

Demo: Finding A Prod ES Instance (CONT.)

  • Future: Script to scan subnet for hosts
    • Port Scanner module currently scans 1 host at a time
  • For simplicity we'll scan prod.example.com:9201
    • Leverage DNS just for easier separation

Exfiltrating Data

  • Due to PROD ES CORS Policy, BeEF can't directly connect…
  • How could Mallory exfiltrate data while covering her tracks?
    • Have DEV ES join PROD ES as a cluster member?
    • Leverage Cross Cluster Search to query Prod ES without joining as a cluster member
      • No syncing of complete dataset

Demo: Searching The PROD Cluster

  • Pre-seeded with sensitive-data index with passwords
  • Leverage CORS Request Module

Assumption Recap

  • How did this all happen?
  • DOM XSS allowed Mallory to control the victim's browser
    • "Client-side XSS validation is a bad practice"
  • Permissive CORS policy within DEV environment
    • Allowed Mallory to establish a connection with a PROD ES instance
    • "The outside internet can't interact with a process listening on localhost"
  • Leveraging Community Edition (CE) software with no authentication
    • Allowed Mallory to exfiltrate data out of production ES instance
    • "Our authentication is our VPN"

Mitigations

Knowledge Dependency Tree

Discussion
