The Alt-Svc HTTP header can be used to port scan the internal network

Researchers at Boston University have developed an attack method (CVE-2019-11728) that allows scanning IP addresses and open network ports on the user's internal network, fenced off from the outside by a firewall, or on the user's own system (localhost). The attack is carried out by opening a specially crafted page in the browser. The technique relies on the HTTP Alt-Svc header (HTTP Alternative Services, RFC 7838). The problem manifests itself in Firefox, Chrome and browsers based on their engines, including Tor Browser and Brave.

The Alt-Svc header allows the server to announce an alternative way to reach the site and instruct the browser to send its requests to a different host, for example for load balancing. A network port can also be specified: for example, 'Alt-Svc: http/1.1="other.example.com:443";ma=200' instructs the client to connect to the host other.example.com on port 443 over HTTP/1.1 to fetch the requested page. The "ma" parameter sets how long the alternative stays valid. Besides HTTP/1.1, the supported protocols are HTTP/2 over TLS (h2), HTTP/2 over plain text (h2c), SPDY (spdy) and the UDP-based QUIC (quic).


To scan addresses, the attacker's site can enumerate internal network addresses and the ports of interest one by one, using the timing difference between repeated requests as the signal. If the redirected resource is unreachable, the browser instantly receives an RST packet, immediately marks the alternative service as unavailable and discards the lifetime specified for the redirect. If the port is open, completing the connection takes longer (a connection attempt with the corresponding packet exchange is made) and the browser does not respond immediately.

To read out the result of the check, the attacker's site then immediately redirects the user to a second page whose Alt-Svc header points at a host the attacker controls. If the browser sends a request to that host, the first Alt-Svc redirect must already have been discarded, so the checked host and port were unreachable. If no request arrives, the first alternative has not yet expired and the connection to the checked host was established.

This method also makes it possible to check ports that browsers blacklist, such as mail server ports. A working attack was prepared using iframe injection into the victim's traffic, using Alt-Svc with HTTP/2 in Firefox and with QUIC to scan UDP ports in Chrome. In Tor Browser the attack does not work against the internal network or localhost, but it is suitable for covert scanning of external hosts through the Tor exit node. The port scanning problem has already been fixed in Firefox 68.
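As an added example (not code from the article, from the researchers, or from any browser), the following Python parses Alt-Svc header values in the RFC 7838 format described above and applies the kind of defensive acceptance policy a client or forward proxy could use against the internal-network and blacklisted-port probes discussed in this section. The protocol set, the blocked-port set, the sample headers and the function names (`parse_alt_svc`, `is_internal_host`, `evaluate`) are assumptions constructed for this illustration; a real client would use its own ALPN list and bad-port list and would also check the addresses a hostname resolves to.

```python
"""Alt-Svc (RFC 7838) parser with a defensive acceptance policy.

Added example, not the article's or any browser's code. Protocol list,
blocked ports and sample headers are constructed for this illustration.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Protocol identifiers the article mentions; a real client uses its ALPN list.
ALLOWED_PROTOCOLS = {"h2", "h2c", "http/1.1", "quic", "spdy"}
# A few mail-related ports browsers refuse to fetch from (constructed subset).
BLOCKED_PORTS = {25, 110, 143, 465, 587, 993, 995}
DEFAULT_MAX_AGE = 86400  # RFC 7838 default when "ma" is absent

# One alternative: protocol-id="[host]:port", then optional ;param=value pairs.
_ALTERNATIVE = re.compile(r'^([^=\s"]+)="([^"]*)"$')


@dataclass
class AltService:
    protocol: str
    host: Optional[str]  # None means "same host as the origin"
    port: int
    max_age: int
    persist: bool


def _split_authority(authority: str):
    """Split '[host]:port' into (host or None, port); handles IPv6 literals."""
    if authority.startswith("["):  # e.g. "[::1]:443"
        end = authority.find("]")
        if end == -1 or not authority[end + 1:].startswith(":"):
            raise ValueError(f"malformed IPv6 authority: {authority!r}")
        host, port_text = authority[1:end], authority[end + 2:]
    else:
        host, sep, port_text = authority.rpartition(":")
        if not sep:
            raise ValueError(f"missing port in {authority!r}")
    if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
        raise ValueError(f"bad port in {authority!r}")
    return (host or None), int(port_text)


def parse_alt_svc(value: str) -> List[AltService]:
    """Parse an Alt-Svc header value; the special value 'clear' yields []."""
    if value.strip().lower() == "clear":
        return []
    services = []
    for entry in value.split(","):  # alternatives are comma-separated
        parts = [p.strip() for p in entry.split(";") if p.strip()]
        if not parts:
            continue
        match = _ALTERNATIVE.match(parts[0])
        if not match:
            raise ValueError(f"malformed alternative: {parts[0]!r}")
        host, port = _split_authority(match.group(2))
        max_age, persist = DEFAULT_MAX_AGE, False
        for param in parts[1:]:
            key, _, val = param.partition("=")
            key, val = key.strip().lower(), val.strip().strip('"')
            if key == "ma" and val.isdigit():
                max_age = int(val)
            elif key == "persist":
                persist = val == "1"
        services.append(AltService(match.group(1), host, port, max_age, persist))
    return services


def is_internal_host(host: str) -> bool:
    """True for localhost names and loopback/private/link-local IP literals."""
    name = host.lower()
    if name == "localhost" or name.endswith(".localhost"):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname: resolving it is out of scope for this example
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified


def evaluate(origin_host: str, header_value: str) -> List[str]:
    """Return 'accept' or 'reject: <reason>' for each advertised alternative."""
    decisions = []
    for svc in parse_alt_svc(header_value):
        target = svc.host or origin_host
        if svc.protocol not in ALLOWED_PROTOCOLS:
            decisions.append(f"reject: unsupported protocol {svc.protocol}")
        elif svc.port in BLOCKED_PORTS:
            decisions.append(f"reject: blocked port {svc.port}")
        elif is_internal_host(target):
            decisions.append(f"reject: internal host {target}")
        else:
            decisions.append("accept")
    return decisions


if __name__ == "__main__":
    for header in ['http/1.1="other.example.com:443"; ma=200',
                   'h2="127.0.0.1:8080"; ma=5', 'h2="mail.example.com:25"']:
        print(header, "->", evaluate("www.example.com", header))
```

The policy rejects an alternative before any connection is attempted, so the timing side channel the article describes never arises for loopback, private or link-local targets or for the mail ports; the `ma` value is parsed but deliberately not trusted to extend anything, since the article shows that lifetime bookkeeping is exactly what leaks the result of the probe.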

The Alt-Svc header can also be used:

  • For organizing DDoS attacks. For example, with TLS a redirect can yield about 60x amplification, since the client's initial request is about 500 bytes while the response carrying the certificate is about 30 KB. Generating such requests in a loop on a set of client systems can exhaust the network resources available to the server;
  • To bypass the anti-phishing and anti-malware mechanisms of services such as Safe Browsing (a redirect to a malicious host does not produce a warning);
  • To track the user's movements. The method consists in injecting an iframe whose Alt-Svc refers to an external tracking handler, which is contacted regardless of whether tracker-blocking protection is enabled. Tracking at the ISP level is also possible by placing a unique identifier in Alt-Svc (a random IP:port pair serves as the identifier) and later spotting it in transit traffic;
  • To retrieve browsing history. By injecting into its page an iframe that requests an image from a given site via Alt-Svc, and analyzing the Alt-Svc state in the traffic, an attacker who can observe transit traffic can conclude that the user previously visited that site;
  • To add noise to intrusion detection system logs. Through Alt-Svc, a wave of requests to malicious systems can be triggered on the user's behalf, creating the appearance of false attacks so that the real attack is hidden in the overall volume.

Source: opennet.ru