Shmoocon V: The Middler

There were a few talks focusing on specific tools. The only one I attended was given by Jay Beale and a couple of the folks from InGuardians about the Middler. The Middler is apparently a proxy on steroids that provides the ability to inject content, usually JavaScript, into pages that pass through it.

The Middler was announced back at Defcon 16, but I think Shmoocon was the first time anyone outside of the developers had seen this code running. They were literally coding the Middler right up until the talk. One of the developers even cracked that the Middler was so aggressive it was hooking its own calls to the services it uses, in essence man-in-the-middle attacking itself.

The Middler is also notable as Beale’s first foray into this kind of attack tool. He is most known for Bastille Linux, a set of tools for hardening GNU/Linux. The rest of his work follows in that vein, supporting defenders in their efforts to harden systems and software.

At Defcon, the Middler was discussed as a means of hijacking session cookies. The coverage from that talk suggested permanently enabling SSL as an effective defense. In reality the Middler is so capable that as long as an attacker can gain access to a single cleartext page, they can inject enough JavaScript to effectively run an AJAX-based key logger in the background while the user is on an SSL-protected page. They demonstrated this technique live, and while it took a bit of squinting to see the results in the log spew they were projecting, it is credible.
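The practical consequence of that demo is that "enable SSL" is only a defense if no page at all is left in the clear. The audit below, an added example that is not code from the original post or from the Middler project, walks captured responses and flags the footholds described above: a plain-http page that is actually served, a redirect that does not land on https, an SSL page that loads script over http or lacks HSTS, and session cookies without the Secure flag. The input format (url, raw `curl -i` style response) and the sample captures are assumptions constructed for the example.

```python
"""Audit captured HTTP responses for the gap the Middler talk exposed: one page
still served in the clear is enough to inject script. Added example, not code
from the original post or the Middler project; CAPTURES is constructed input."""
import re
from urllib.parse import urlparse
# An https page that pulls a script over http hands a proxy the same foothold.
CLEARTEXT_SCRIPT = re.compile(r'<script[^>]+src=["\']http://', re.IGNORECASE)

def parse_response(raw):
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(status_line.split()[1]), headers, body

def audit(url, raw):
    """Return the list of findings for one captured (url, response) pair."""
    status, headers, body = parse_response(raw)
    findings = []
    if urlparse(url).scheme == "http":
        if 200 <= status < 300:
            # The single cleartext page the talk needs: rewritable in transit.
            findings.append("cleartext page served")
        elif status in (301, 302, 307, 308):
            if not headers.get("location", [""])[0].lower().startswith("https://"):
                findings.append("redirect does not land on https")
    else:
        if "strict-transport-security" not in headers:
            # Without HSTS the browser still sends its first request in the clear.
            findings.append("missing Strict-Transport-Security")
        if CLEARTEXT_SCRIPT.search(body):
            findings.append("SSL page loads script over cleartext")
    for cookie in headers.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        for flag in ("secure", "httponly"):
            if flag not in attrs:
                findings.append(f"cookie {name} lacks {flag}")
    return findings

CAPTURES = [  # constructed samples, no real hosts
    ("http://shop.example/", "HTTP/1.1 200 OK\r\nSet-Cookie: sid=abc123; Path=/\r\n\r\n<html>welcome</html>"),
    ("http://shop.example/login", "HTTP/1.1 301 Moved Permanently\r\nLocation: https://shop.example/login\r\n\r\n"),
    ("https://shop.example/login", "HTTP/1.1 200 OK\r\nSet-Cookie: sid=abc123; Path=/; Secure; HttpOnly\r\n\r\n"
     '<script src="http://cdn.example/a.js"></script>'),
    ("https://bank.example/", "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000\r\n\r\n<html>ok</html>"),
]
```

Run `audit(url, raw)` over each pair in CAPTURES; only the bank capture comes back clean, and the shop site shows exactly the mixed cleartext/SSL layout the talk exploited.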

The Middler is written in Python and as a consequence is quite portable. The first release, made available right after the talk, is able to run on Linux and OS X out of the box. They assured the audience that the work to bring it to other platforms is pretty straightforward and low level: the bulk of the Middler code should run fine once packet data is correctly flowing into it. Another reason for implementing it in Python is to make extending it as accessible as possible. It supports plugins, though I am not clear on whether those also need to be written in Python; I suspect that to be the case.

Most of what the actual injection code does is match patterns in the incoming pages. They started with regular expression matching, but for throughput a lot of the initial actions just use string matching. It sounds like plugins will be pretty flexible, limited really only by the time and ability of people to implement new rules and actions.

Exploiting web applications was another recurring theme throughout this Shmoocon. I am reminded of Billy Hoffman's discussions from two years ago around JavaScript attacks, in particular using services like Google Translate for proxy-style attacks. The Middler shows how fast these attacks have grown in sophistication. The common thread shows just how quickly attackers are switching to the low-hanging fruit of web applications, which unfortunately seem to be lagging considerably behind the state of the industry for defense.
