Open source software security

Mallory is More than a Proxy

25 August 2011

Raj Umadas and Mike Zusman of Intrepidus Group gave an amazing talk on Mallory last night at the Philadelphia OWASP chapter meeting. At first glance Mallory seems like a simple tool, just a proxy application that sits on the wire. Closer inspection, however, reveals that Mallory offers exceptional functionality above and beyond traditional tools for packet inspection. The presentation was framed as strategies for inspecting mobile applications, and Mallory's uses for this purpose were quite clear, but I felt that limiting Mallory to a discussion of mobile app assessment sold the product short.

Mallory solves a problem faced by many application security folks. At issue is the ability to manipulate traffic to and from an application. Several proxy tools exist for solving this issue when dealing with web applications, such as Paros, Burp, WebScarab, and Tamper Data. These applications all rely on the use of a browser as a client, however. The browser is configured to use the tools as a proxy so that the tools can intercept, inspect, and alter traffic between the browser and the web application server. Without a browser, replicating this functionality is extremely challenging.

Raj and Mike demonstrated several clever ways that you can use iptables to set up a transparent NAT proxy with a Linux device. I was especially impressed when, confounded by the lack of a hard Ethernet link to use as an upstream link, they quickly tethered a smartphone to the demo laptop and continued with the presentation without a hiccup. The laptop-cum-router can then run packet captures on any device that connects to it as an access point (AP). This is all well and good, and this technique has been known to sniffer users for decades. The problem with this technique is that the observation is passive. That is, traffic can be observed, but it can't be changed on the fly as with the proxy tools for web app testing.

This is where Mallory comes in. Mallory sets up the AP and forwarding using scripts so that there is much less overhead for the user. Additionally, it can interact with traffic in one of two ways that were demonstrated. The first involves scripts, which are programmatic instructions that can be used to observe and alter traffic on the fly. Mallory accepts outbound connections on a port of its own creation, then redirects traffic to that port using iptables. This traffic is then inspected and forwarded off to its destination. Because Mallory makes the final request to the target, the return port is controlled by Mallory. Any return traffic is again inspected, then piped back to the client. This type of operation is familiar to anyone who has looked at Network Address Translation (NAT) techniques. However, the pass-through is far from transparent. Instead, Mallory can pause communication while it changes packet contents, and then resume communications with new data. With modules you can do things like automatically increment or decrement values in packet bodies, do substitution, or implement other fuzzing techniques.
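The inspect, rewrite and forward step described above, sketched as an added example (this is not Mallory's code): local socket pairs stand in for the client and upstream connections, and the rule helpers `substitute` and `bump_field`, the `name=value` payload format and the sample values used to exercise it are all constructed for illustration.

```python
import re
import socket
import threading

def substitute(old: bytes, new: bytes):
    """Rule (hypothetical helper): replace every occurrence of old with new."""
    return lambda data: data.replace(old, new)

def bump_field(name: bytes, delta: int):
    """Rule (hypothetical helper): add delta to a 'name=<digits>' field."""
    pattern = re.compile(rb"\b" + re.escape(name) + rb"=(\d+)")
    def rule(data: bytes) -> bytes:
        return pattern.sub(
            lambda m: name + b"=" + str(int(m.group(1)) + delta).encode(), data)
    return rule

def apply_rules(data: bytes, rules) -> bytes:
    """Run each rewrite rule over the payload, in order."""
    for rule in rules:
        data = rule(data)
    return data

def pump(src: socket.socket, dst: socket.socket, rules) -> None:
    """Read from src, rewrite, forward to dst until src closes.
    Rules run per chunk, so a field split across two reads is missed;
    a real tool has to buffer or parse the protocol to avoid that."""
    while chunk := src.recv(4096):
        dst.sendall(apply_rules(chunk, rules))
    dst.shutdown(socket.SHUT_WR)

def demo(request: bytes, rules) -> bytes:
    """Return the bytes the 'server' end receives for a client request."""
    client, proxy_in = socket.socketpair()    # client <-> proxy leg
    proxy_out, server = socket.socketpair()   # proxy <-> server leg
    worker = threading.Thread(target=pump, args=(proxy_in, proxy_out, rules))
    worker.start()
    client.sendall(request)
    client.shutdown(socket.SHUT_WR)
    received = b""
    while chunk := server.recv(4096):
        received += chunk
    worker.join()
    for sock in (client, proxy_in, proxy_out, server):
        sock.close()
    return received
```

The server end sees only the rewritten bytes, which is why any value the client sends in the clear has to be validated again on the server side.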

Manual manipulation was accomplished using a GUI. Like the main Mallory program, the GUI is written in Python and uses Qt for display. I'm not sure why the folks at Intrepidus opted for Qt over Tcl/Tk, but in any case the licensing for the GUI is different from the licensing for the main Mallory code, according to Raj. The main program is under the Python Software Foundation License 2, while the GUI carries a separate license with different terms, although I couldn't find any separate licenses in the download. The GUI is contained in the src/gui directory of the downloaded Mallory package.

The GUI will be familiar to anyone who has used a proxy tampering tool like WebScarab or TamperData. Packet captures appear in the left-hand pane of the GUI and the right-hand pane shows the contents in a text box. The packet flow is paused while the content is displayed, allowing the user to alter the packet contents before clicking a button to forward the packet along its merry way. There is an auto-forward button that keeps capturing but automatically forwards each packet without manipulation. This allows operators to observe a stream, then decide when to engage the capture-and-tamper function. The GUI also includes handy filtering functionality to zero in on traffic of interest.

The demonstration of Mallory performing a mobile application assessment was absolutely stunning. Raj demonstrated how, after setting up his mobile to use the Mallory AP as a wireless access point, he could start up a mobile application. Once the application was running, the traffic it generated was clearly displayed in the Mallory GUI. Examining the packet bodies, it was easy to see that the application was sending a username in clear text. Raj changed the username in the GUI then forwarded the packets along, which allowed him to spoof another user in the application. Both Raj and Mike pointed out that many mobile application developers mistakenly believe their network traffic will only be carried by cellular networks, which are difficult to tap and observe, and thus the developers fall victim to a false sense of security. With Mallory it is easy to spot these mistakes, and exploit them.

Mallory also includes amazing features that allow it to generate self-signed certificates on the fly. This allows Mallory to perform man-in-the-middle (MITM) interception of SSL connections. The end user gets a warning about an invalid certificate, but if they accept it then Mallory automatically maintains two encrypted connections, one with the client and the other with the application server the client is attempting to connect to. The traffic between the two connections is unencrypted, however, allowing Mallory to observe the data and tamper with it. Although a feature to let Mallory attempt to degrade SSL connections does not currently exist, one may be in the works. This would allow Mallory to intercept SSL connection attempts and try to renegotiate them to previous versions of SSL, which are weaker and in some cases contain flaws. Support for those older versions is often available in mobile application services to accommodate older clients that don't have access to the latest SSL support.

Mallory contains similar functionality for intercepting SSH traffic, but this wasn't part of the demo and I haven't had time to look into it myself. Additional functionality is designed to be implemented as modular plug-ins that can be applied to the code. There is a directory in the src for plugin_managers that I assume holds these additional pieces of software.

Mallory looks like an exceptional tool that could be a valuable part of any software security assessor's toolkit. The folks from Intrepidus Group did a presentation at this year's Black Hat on Mallory, and this was the second OWASP Philadelphia chapter meeting that featured presenters from Black Hat (another shameless plug for your local OWASP chapter!). Mallory is probably going to be one of those tools that takes a while to gain traction due to its simplicity. Because most people will look at descriptions of Mallory as a proxy, and stop there, the full power of the tool may be overlooked. The ability of Mallory to pause, tamper, and play data makes it especially effective for monkeying with black box applications, but it also makes for a really fun tool! Thinking back to your first web application proxy tamper and the joy of changing POST data to values that weren't allowed by the client-side JavaScript will evoke some of the same sentiments that you'll have playing with Mallory. I'm looking forward to the continued development of the project and to seeing what other great features might be worked in.