Full Report
OK. So as I mentioned before, I saw Robert Graham from Erratasec demo Hamster live on stage and wondered if Hamster was doing useful input/output sanitization. If it wasn't, he was setting himself up for a pop-up that read "owned on stage" or, worse, a redirect to tubgirl. He didn't get owned on stage, which suggested that either the crowd was really well behaved or the tool was doing some tidying up, so I decided to wait till I got home to check.
Analysis Summary
# Tool/Technique: Hamster
## Overview
Hamster is a tool demonstrated by Robert Graham from Erratasec, likely designed for network sniffing or sidejacking, judging from the cookie interaction and the information it displays. The analysis checks whether the tool sanitizes its input and output, specifically looking for Cross-Site Scripting (XSS) in its interface where sniffed data is rendered.
## Technical Details
- Type: Tool
- Platform: Undefined (Implied desktop application or tool running locally, interacting with network traffic capture/display)
- Capabilities: Sniffing network traffic, displaying cookie information (specifically `gmailchat` cookie), and rendering user-provided data within its console/interface.
- First Seen: The discussion is based on a tool released around August 5th, 2007, and reviewed on August 15th, 2007.
## MITRE ATT&CK Mapping
The core vulnerability identified relates to the execution of arbitrary code based on improperly sanitized input received via network traffic (cookies).
- **TA0002 - Execution**
  - T1059 - Command and Scripting Interpreter
    - T1059.001 - PowerShell (Not directly PowerShell, but illustrates command execution context)
    - T1059.003 - Windows Command Shell (Implied local execution context)
    - **T1059.005 - Visual Basic** (If the context implies system interaction via browser script execution environment)
- **TA0001 - Initial Access** (If the tool is used to compromise the primary user via sniffing/sidejacking)
- **TA0011 - Command and Control**: If the injected script leads to further C2 communication (e.g., redirecting to a Beef hook).
*(Note: Since Hamster is an analysis/demo tool, the mapping focuses on how its vulnerability would be exploited against the operator.)*
## Functionality
### Core Capabilities
- Displaying logged user IP addresses and associated cookie values (e.g., extracting usernames from `gmailchat` cookie).
- Parsing sniffed cookie data loosely enough that it accepts values regardless of which direction the traffic flowed.
### Advanced Features
- **Lack of Sanitization:** The tool fails to properly sanitize input, allowing for Cross-Site Scripting (XSS) when cookies containing JavaScript are rendered in the Hamster console/interface.
- **Cookie Value Manipulation:** Attackers can use tools like netcat to inject arbitrary values into cookies (e.g., `gmailchat`), which Hamster then parses and executes as part of its display logic.
- **Bypassing Delimiters:** The email-address parsing delimiter (`/`) initially truncated payloads containing `/` characters (such as `</script>`); this was worked around by generating the needed markup with document manipulation functions like `document.write`.
- **Codec Utilization:** The successful exploitation leverages JavaScript encoding/decoding functions (`unescape`) to insert large, complex payloads containing necessary characters (`/` and `\`).
- **Local Context Execution:** Scripts execute in the "Local Intranet" zone context of the user running Hamster, implying high privileges relative to typical web browsing.
## Indicators of Compromise
The indicators are primarily related to the payload injected *into* the Hamster input stream, attempting to exploit the operator.
- File Hashes: N/A (Exploitation relies on crafted network traffic/cookies)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: The successful execution could lead to redirects or connections to external malicious infrastructure (e.g., URLs used in redirection payloads like `www[.]sensepost[.]com` in the example, or C2 infrastructure associated with BEEF/Backframe).
- Behavioral Indicators: Execution of arbitrary JavaScript within the Hamster application process, especially functions like `document.write` or `unescape` when triggered by analyzing network traffic.
## Associated Threat Actors
The tool itself was developed and demonstrated by Robert Graham (Erratasec). Its exploitation scenario targets the *user* running the tool. This is most relevant to:
- Security Researchers/Penetration Testers (demonstrating tool flaws).
- Adversaries targeting security analysts or network operators utilizing this specific tool suite.
## Detection Methods
Detection focuses on identifying the crafted network payloads designed to exploit Hamster.
- **Signature-based detection:** Signatures for encoded JavaScript strings containing URL-encoded characters (which decode into `document.write` or `unescape` calls), specifically targeting the `gmailchat` cookie value format used by the attacker.
- **Behavioral monitoring:** Monitoring the Hamster application process for unusual child process creation or outbound network connections initiated immediately after processing cookies.
- **YARA rules:** YARA rules could be applied to captured network traffic streams, matching the structure of a `gmailchat` cookie value that carries encoded payloads.
## Mitigation Strategies
The mitigation strategies noted in the article are:
- **Application Hardening:** Implementing robust input/output sanitization for all data displayed or processed from network captures, especially user-controlled input like cookie values.
- **Use of NoScript:** The article explicitly suggests that users running this tool should consider enabling **NoScript** to prevent unauthorized script execution in the interface.
- **Principle of Least Privilege:** Running the tool in a highly restricted environment, although the "Local Intranet" execution context suggests the default security zone for the user might already grant significant access.
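As an added example (not code from the article or from Hamster itself), the rendering, detection and sanitization points above in Python: a vulnerable interpolation of a sniffed `gmailchat` value beside an HTML-escaped one, a Hamster-style `/`-delimited username split that truncates a payload without sanitizing it, and a detector that percent-decodes a cookie value before looking for `document.write`/`unescape` markers. The cookie values and IP addresses are constructed, and the `/` split is an assumption about Hamster's parsing taken from the description above.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample entries (not real captures): one ordinary gmailchat value and
# one carrying an inline script whose unescape() argument is percent-encoded.
SAMPLE_COOKIES = {
    "10.0.0.5": "gmailchat=alice@example.com/123456",
    "10.0.0.9": "gmailchat=bob<script>document.write(unescape('%3Cb%3Ehi%3C%2Fb%3E'))</script>/0",
}

# Markers the detection section calls out; matched on the decoded value.
SUSPICIOUS = re.compile(r"<\s*script|document\.write|unescape\s*\(", re.IGNORECASE)


def username_from_gmailchat(cookie: str) -> str:
    """Assumed Hamster behaviour: the username is the text before the first '/'.
    This truncates a payload containing '/', but it is not sanitization."""
    value = cookie.split("gmailchat=", 1)[1]
    return value.split("/", 1)[0]


def render_unsafe(ip: str, cookie: str) -> str:
    """Vulnerable rendering: the raw cookie value is interpolated straight into HTML."""
    return f"<tr><td>{ip}</td><td>{cookie}</td></tr>"


def render_safe(ip: str, cookie: str) -> str:
    """Hardened rendering: HTML-escape every sniffed field before it reaches the console."""
    return f"<tr><td>{html.escape(ip)}</td><td>{html.escape(cookie, quote=True)}</td></tr>"


def flag_cookie(cookie: str, max_rounds: int = 3) -> bool:
    """Detection: percent-decode until the value is stable (payloads may be
    double-encoded), then look for script markers in the decoded text."""
    decoded = cookie
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return bool(SUSPICIOUS.search(decoded))


def scan(cookies: dict) -> dict:
    """Return ip -> (username, flagged) for every logged cookie."""
    return {ip: (username_from_gmailchat(c), flag_cookie(c)) for ip, c in cookies.items()}
```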
## Related Tools/Techniques
- **Sidejacking Tools:** Tools relying on capturing and reusing session cookies.
- **BEEF (Browser Exploitation Framework):** Mentioned as a target destination for the resulting XSS hook.
- **Backframe:** Mentioned as an alternative redirection/zombie tool destination.