Cross Context Scripting attacks & exploitation
Transcript of Cross Context Scripting attacks & exploitation
1
CROSS CONTEXT SCRIPTING (XCS) ATTACKS & EXPLOITATION
From alert('xss') to Meterpreter with a single click
Roberto Suggi Liverani
Ruhr-Universität Bochum
HackPra 2012/2013
2
Who am I?
A guy who likes to find bugs
Speaker at various cons: DefCON, EUSecWest, HITB, OWASP
Twitter: @malerisch
Research blog: blog.malerisch.net
3
Outline
Cross Context Scripting (XCS)
Past research
Recent discoveries
Further attack surface
4
Cross Context Scripting (XCS)
5
Some concepts
Same origin policy (SOP)
Policy designed to govern interaction between different web sites:
○ Domain name
○ Application protocol
○ Port
W3C definition
"Although the same-origin policy differs between APIs, the overarching intent is to let users visit untrusted web sites without those web sites interfering with the user's session with honest web sites"
6
Cross Context Scripting (XCS)
XCS or Cross-zone scripting
○ Cross Zone Scripting coined for IE: http://en.wikipedia.org/wiki/Cross-zone_scripting
○ XCS coined for Firefox and injection in chrome://
What is XCS?
○ An XSS in a privileged browser zone
○ An indirect Same-Origin Policy (SOP) bypass?
Each browser has a trusted/privileged zone:
○ FF - chrome://
○ Chrome - chrome://
○ Opera - opera://
○ Maxthon - mx://
○ Avant - browser://
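The slide above defines SOP by the scheme/host/port tuple and lists each browser's privileged scheme. As an added example (not code from the talk), the check below derives that tuple the way SOP compares it and flags URLs that land in one of the listed privileged zones, which is the gate a page should apply before following a redirect; the "about:" entry is an assumption added because the Maxthon payload later in the deck executes in about:history.

```javascript
// Added example, not from the original slides. Node's built-in WHATWG URL
// parser is used; URL.origin returns "null" for non-special schemes such as
// chrome:, so the origin tuple is assembled by hand.

// Schemes of the trusted/privileged zones named on the slide, plus about:
// (assumption: the Maxthon case on later slides executes in about:history).
const PRIVILEGED_SCHEMES = new Set(["chrome:", "opera:", "mx:", "browser:", "about:"]);
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ftp:": "21" };

// (scheme, host, port) tuple that the Same-Origin Policy compares.
function originOf(href) {
  const u = new URL(href);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return `${u.protocol}//${u.hostname.toLowerCase()}:${port}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// True when the URL lands in a privileged zone: untrusted content must never
// be allowed to steer the browser there, which is exactly what the
// opera:history redirect and the Maxthon location.hash cases rely on.
function isPrivilegedZone(href) {
  return PRIVILEGED_SCHEMES.has(new URL(href).protocol);
}

// Gatekeeper for a redirect target taken from untrusted input: unparsable,
// privileged-zone and non-http(s) (javascript:, data:, ...) targets are refused.
function isSafeRedirectTarget(href) {
  let u;
  try { u = new URL(href); } catch (e) { return false; }
  if (isPrivilegedZone(href)) return false;
  return u.protocol === "http:" || u.protocol === "https:";
}
```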
7
8
XCS
Browser privileged/trusted zone
Access to internal API interfaces:
○ Browser: browser settings, bookmarks, storage, etc.
○ OS: file system I/O
Example
○ Firefox model: Firefox addons can run privileged code
9
FF Addon Example - FireFTP
10
Google Chrome – Settings Page
11
Opera History
12
XCS exploitation
XCS exploits are 100% reliable
○ No memory corruption
Trusted zone
○ Allows possible direct or indirect invocation of special functions/objects
Challenge
○ 1st - find injection point in trusted zone
○ 2nd - make use of privileged functions/objects to achieve code execution
13
Past Research
14
Past research
Pioneers
○ 2005 - Mark Pilgrim - Greasemonkey bug
○ 2006 - Pdp & Michael Daw - publishing Sage XSS
○ 2008 - Kuza55 & Stefano Di Paola - Attacking rich internet applications - Tamper Data XSS demo
My research
○ Opera XSS found in opera:history
○ RCE exploit in opera:config (Kuza55 / Stefano Di Paola / Aviv Raff)
○ Firefox extensions research with Nick Freeman
○ Multiple RCE exploits released in FF extensions
15
Opera XSS history (1/3)
Opera XSS history - CVE-2008-4696
Metasploit module by 'egypt'
Step 1 - Injection in opera:history via the fragment part
16
Opera XSS Exploit (2/3)
Step 2 - Force redirection to opera:history to trigger execution
Note: SOP bypass
17
Opera XSS Exploit (3/3)
Step 3 – Execute exploit payload
18
DEMO http://www.youtube.com/watch?v=IFejbd03jls
19
Firefox extensions
Firefox and extensions security model
○ Extension code is fully trusted by Firefox
○ No security boundaries between extensions
○ Extension vulnerabilities are platform independent
○ Lack of security policies to allow/deny access to internal API, XPCOM components, etc.
After 3 years…
○ Not much change
○ A vulnerable extension can still be used to compromise a system
20
Cool Previews
Vulnerable version: 2.7.2
Injection point:
○ Add to stack function (right-click)
Exploit:
○ Link with a data: uri + base64 encoded payload
○ <a href='data:text/html;base64,payload'>A</a>
21
Remote Code Execution
Invoking cmd.exe
22
DEMO
http://www.youtube.com/watch?v=7dJPORacvXg
23
FireFTP
Vulnerable version: <1.1.4
Injection point:
○ Server's welcome message
Exploit:
○ Simple HTML and JavaScript payload directly evaluated in chrome://
24
Feed Sidebar
Vulnerable version: 3.2
Injection point:
○ RSS feed
Exploit:
○ Use of data: uri + base64 encoded payload
○ <iframe src="data:text/html;base64,base64encodedjavascript"></iframe>
25
Sage
Vulnerable Version: <=1.4.3
Injection point:
○ RSS feed <description> and <link> tags
Exploit:
○ Use of HTML encoded JavaScript payload
○ <description><script>dosomethingbad();</script></description>
○ Use of data: uri + base64 encoded payload
○ <link>data:text/html;base64,payload</link>
26
InfoRSS
Vulnerable version: <= 1.1.4.2
Injection point:
○ RSS feed <description> tag
Exploit:
○ Use of data: uri + base64 encoded payload
○ <iframe src="data:text/html;base64,base64encodedjavascript"></iframe>
27
Yonoo
Vulnerable Version: 6.1.1
Injection point:
○ Drag & dropping a malicious image into the preview window
Exploit:
○ Use event handler e.g. onload
○ <img src='http://somewebsite.tld/lolcatpicture.jpg' onLoad='evilJavaScript'>
28
Password stealing
29
Local File Disclosure
30
Compromising NoScript
Whitelisting malicious site
31
Reverse VNC using XHR
32
Recent Discoveries
33
Maxthon - case study
Developed by: Maxthon International (China)
Architecture
○ Supports Trident and Webkit layout engines
○ Focus on performance and extra features
Some stats - according to Maxthon
○ 130 million users
○ Users spread over 120 countries
○ 500,000,000 downloads in 2k10
34
Maxthon: XCS via location.hash
Status: UNPATCHED!
Maliciouspage.html – performs redirection
Injected payload executes in about:history
35
Maxthon: XCS via RSS
Status: UNPATCHED!
Injection via <title>, <link>, <description> tags
36
Exploitation issues
Maxthon major changes
○ DOM Program object removed in latest versions
○ Cannot invoke exe directly anymore
○ Can only read/write files via maxthon.io
Personal exploit challenge
○ No user interaction
○ Targets: Windows XP and Windows 7
37
XCS Exploit - Windows XP
Windows XP
○ Overwrite any exe which can be directly invoked via HTML/JavaScript, e.g. Outlook Express (wab.exe)
○ Then use window.location="ldap://blabla"
Works perfectly!
38
XCS Exploit - Windows 7
In Windows 7 (universal approach)
○ User is prompted using WinXP approach
○ Overwrite registry hives? Touch registry?
○ Dirty approach but effective:
○ Overwrite one of the exe when Java applet is rendered
○ jp2launcher.exe is a good candidate
○ Then point to an iframe with a java applet = WIN!
39
Metasploit modules
https://github.com/malerisch/metasploit-framework/blob/maxthon3/modules/exploits/windows/browser/maxthon_history_xcs.rb
https://github.com/malerisch/metasploit-framework/blob/maxthon3/modules/exploits/windows/browser/maxthon_rss_xcs.rb
40
DEMO
Maxthon – about:history
http://www.youtube.com/watch?v=N-5BkgJX8sI
41
Demo
Maxthon XCS – RSS
http://www.youtube.com/watch?v=d-55asVLqNI
42
Maxthon: Trusted site over HTTP
Status: PATCHED
i.maxthon.com sets privileged DOM objects
○ runtime
○ maxthon
43
Exploit
Leveraging XSS in a trusted "internet" page
Design Issues
○ i.maxthon.com = trusted domain
○ i.maxthon.com allows direct access to privileged APIs
○ No control on resolution of IP address
○ No use of SSL
MiTM Bug
○ DNS poisoning: force resolution of i.maxthon.com to a controlled IP address
○ HTTP MiTM: i.maxthon.com served over HTTP - malicious proxy which alters page content
Other implications
○ XSS in real i.maxthon.com site
44
DEMO – i.maxthon.com (DNS compromised)
http://www.youtube.com/watch?v=1IqZBS0O2Hs
45
Avant Browser
Avant Browser - Avant Force (China)
○ Custom web browser application
○ Designed to expand services provided by IE
○ Two versions: lite (only IE) & ultimate (IE, FF, Chrome)
○ More downloads than Chrome, IE and Opera in CNET
46
A bit about Avant (1/3)
Firefox wrapped version
○ Arguments passed to firefox.exe
○ Avant.exe - parent of firefox.exe
47
A bit about Avant (2/3)
Interesting files
○ "C:\Program Files\Avant Browser\res" folder
Observations
○ home.tpl is rendered at browser:home
○ rss.tpl is rendered at browser://localhost/lst?url/path/to/rss/feed
○ Such pages use the privileged JavaScript function window.AFRunCommand()
○ Pages provided examples on how to call privileged functions and aided exploitation
48
A bit about Avant (3/3)
Testing AFRunCommand()
○ Undocumented Avant browser function
○ Try{}/Catch{} no output
○ Bruteforce only option - passing a single parameter:
○ 60003 - window.external.HistoryUrls() - [used in exploit]
○ 60011 - prompt for download
○ 10021 - add to ad block specified site
○ 3 - spawns an empty tab
○ 10010 - reloads the page
○ 10013 - search for keywords
○ 10014 - pop up blocker
○ 10016 - download a video (argument passed as URL)
○ 10017 - add task for download scheduler
○ 10025 - search keywords
49
Avant Browser - SOP Bypass
Status: UNPATCHED!
Works if Firefox is set as the rendering engine
50
Avant BeEF Module
https://github.com/malerisch/beef/tree/avant_browser/modules/exploits/avant_steal_history
51
DEMO – BeEF Module In Action
http://www.youtube.com/watch?v=I4LiSfTmuM0
52
Avant Browser - XCS in browser:home
Status: UNPATCHED
Injection via <title> HTML element
Cross Site Scripting payload rendered in browser:home privileged zone
53
DEMO – Avant Browser – XCS in browser:home via <title>
http://www.youtube.com/watch?v=cHHtsOpYGH4
54
Avant Browser - Stored XSS via RSS
Injection via <title>, <link> and <description> tags
55
DEMO – Avant Browser – RSS Stored XSS
http://www.youtube.com/watch?v=-mShxsspxy8
56
Further attack surface
57
Injection in bookmarks
Attack based on:
○ Origin inheritance - injection using javascript: uri
○ Input validation - injecting into bookmark trusted zone
Injection via bookmarks using javascript:
○ Ancient bug reported in 2k5 by M. Krax
○ User is lured into bookmarking a malicious javascript: URI + payload
○ User clicks on malicious bookmark
○ Focus on standard web page - Impact: XSS
○ Focus on privileged browser zone - Impact: XCS
Many ways to fool users:
○ Security controls on status bar can be partially fooled
○ JavaScript can be compressed and obfuscated
58
javascript:
"I invented the javascript: URL along with JavaScript in 1995, and intended that javascript: URLs could be used as any other kind of URL, including being bookmark-able. In particular, I made it possible to generate a new document by loading, e.g. javascript:'hello, world', but also (key for bookmarklets) to run arbitrary script against the DOM of the current document, e.g. javascript:alert(document.links[0].href). The difference is that the latter kind of URL uses an expression that evaluates to the undefined type in JS. I added the void operator to JS before Netscape 2 shipped to make it easy to discard any non-undefined value in a javascript: URL."
—Brendan Eich
59
Firefox Case
Firefox 10.0.2 vulnerable
○ Malicious bookmark clicked while using an extension (from chrome://)
○ Payload will execute in chrome://
Issue fixed in FF >11
60
Demo – Firefox XCS via bookmark
http://www.youtube.com/watch?v=gSuLV9RjhGQ
61
Opera
Opera 12.10
○ javascript: can be bookmarked
○ Origin inheritance - opera:config vulnerable to XCS if javascript:// bookmarklet is triggered
○ Mail app handler can be set with a UNC path e.g. \\myremote\meterpreter.exe
62
Demo – Opera XCS via Bookmarks
http://www.youtube.com/watch?v=wWtLHi4Imr4
63
Maxthon - XCS in bookmarks
64
Demo – Maxthon XCS in bookmarks
http://www.youtube.com/watch?v=YR0RQz45t3M
65
Conclusions
More browser capability/functionality
○ Increased attack surface for XCS
Untrusted content - rendering options
○ about:blank
Security model for extensions/addons
○ Sandbox
66
Questions?
Roberto Suggi Liverani - @malerisch
blog.malerisch.net
67
References
Blog - Roberto Suggi Liverani: http://blog.malerisch.net/
Twitter account - @malerisch: https://twitter.com/malerisch
Security-Assessment.com Research: http://www.security-assessment.com/page/archive.htm
Nick Freeman - Publications: http://atta.cked.me/publications
68
References
Cross Context Scripting with Firefox - http://malerisch.net/docs/cross_context_scripting/cross_context_scripting_with_firefox.pdf
Opera - XCS in opera:history - http://malerisch.net/docs/advisories/opera_stored_cross_site_scripting.html
Firefox addon Coolpreviews – XCS - http://malerisch.net/docs/advisories/coolpreviews_chrome_privileged_code_injection.html
69
References
Firefox addon Update Scanner - XCS - http://malerisch.net/docs/advisories/updatescanner_chrome_privileged_code_injection.html
Exploiting XCS in Firefox - http://www.security-assessment.com/files/whitepapers/Exploiting_Cross_Context_Scripting_vulnerabilities_in_Firefox.pdf
HITB2012AMS - Browser Bug Hunting in 2012 - http://www.security-assessment.com/files/documents/presentations/window_shopping_browser_bug_hunting_in_2012_roberto_suggi_liverani_scott_bell.pdf