Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

6/12/2018
01:00 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

New Hack Weaponizes the Web Cache

Researcher exploits design flaws in Web caching to take control of popular websites, frameworks - and the Mozilla Firefox browser infrastructure.

A newly discovered attack forces Web cache servers to deliver malicious content to website visitors – and also exposes a major security hole in Mozilla's Firefox browser infrastructure.

James Kettle, head of research at PortSwigger Web Security, exploited security weaknesses in the design of website infrastructure to hack the Web caches of major sites and platforms: a US government agency, a popular cloud platform provider, a hosting platform provider, a software product, a video game, an investment firm's investor information, and some online stores.

"It's sort of a design flaw in the way caching and websites work," Kettle says of the security issues. "It's not specific to any given technology or any given cache."

In his research, Kettle also stumbled on a flaw in an API used in Firefox's infrastructure that allowed him to take partial control of tens of millions of browsers using his cache-attack method. "I call it a low-fat botnet because I didn't have complete control over Firefox, but I had a bit of control," he says.

Kettle is holding back much of the secret sauce of the Web-caching hack as well as his Web targets until his Black Hat USA talk in August. But he does say that with his attack, he can force a cache into behaving in an unsavory way without directly targeting it.

It basically works like this: Kettle sends a request to the website with his payload. "The website then replies with something potentially dangerous ... and the cache takes that, so then anyone who visits after that gets hit by the exploit," he says.

Web caches sit in front of websites and serve up stored content rather than all of the delivery coming via the live website. Kettle says the complexity of those caches and content-delivery networks built around many of today's Web applications can actually leave them open to abuse.

Previous research in Web cache security has encompassed injecting headers, or tricking the cache into saving and sharing sensitive data, Kettle says. His attack differs because it forces the cache to serve up exploits to website visitors, he notes.

An attacker could use it to plant malware that steals passwords or payment-card information from a website when visitors came to the site. The attack could also be employed to deface a website or redirect a visitor to a malicious site.

Firefox Botnet
With Firefox, Kettle employed his cache-poisoning attack against the infrastructure behind the browser that checks for and sends application and plug-in updates as well as URLs of dangerous websites to block, for example. "I found by accident ... that I was able to use cache poisoning to effectively input" some limited commands to Firefox browser users worldwide, he says. "If you opened Firefox, I got control of it."  

Mozilla fixed the flaw within 24 hours of his reporting it, in a Jan. 25 update.

When Firefox starts up, it sends a request to the Mozilla infrastructure for updates and other information. "By using cache poisoning, I could control the response to that message," Kettle says. That could allow an attacker to install certain extensions and corral Firefox browsers into a botnet to wage distributed denial-of-service (DDoS) attacks, for example.

Kettle says abusing the Firefox flaw alone would be less useful to an attacker than chaining an attack with another exploit and gaining full control of the browsers.

As of this posting, Mozilla had not responded to a request for comment on Kettle's research.

At Black Hat Kettle plans to release the open-source utility he created for his research, an adapted Burp Suite tool that scans Web infrastructures for cache-poisoning weaknesses, he says.

Related Content:

Top industry experts will offer a range of information and insight on who the bad guys are – and why they might be targeting your enterprise. Click for more information

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
97% of Americans Can't Ace a Basic Security Test
Steve Zurier, Contributing Writer,  5/20/2019
How Security Vendors Can Address the Cybersecurity Talent Shortage
Rob Rashotte, VP of Global Training and Technical Field Enablement at Fortinet,  5/24/2019
TeamViewer Admits Breach from 2016
Dark Reading Staff 5/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-7068
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7069
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have a type confusion vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7070
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7071
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.
CVE-2019-7072
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .