Exploiting Unicode-enabled Software - Paper · 32nd Internationalization & Unicode Conference...
Exploiting Unicode-enabled
Software
Chris Weber
Casaba Security
www.casabasecurity.com
32nd Internationalization & Unicode Conference Exploiting Unicode Enabled Software
Overview
• Attacks and Exploits
• Root Causes
• Case Studies
• TR# 36 highlight
• TR# 39 highlight
• Demos
• Areas for further Testing
Attacks and Exploits
• Visual Security
▫ Homograph attacks, bidi-spoofing, syntax-spoofing
• Bypassing security logic
▫ Decoding or converting a Unicode string after a security gate
▫ Sometimes before
• Directory traversal
▫ Breaking out of a file system sandbox
Attacks and Exploits (cont.)
• Controlling syntax
▫ E.g. HTML parsers and javascript interpreters
• Filter evasion
▫ Exploit delivery techniques
E.g., Cross-site scripting (buffer overflow of the Web)
• Code execution
▫ Game over, you're owned
Root Causes
• Canonicalization
▫ Interpreting non-shortest form (e.g. UTF-8 encoding trickery)
▫ Other decoding issues
• Absorption (over-consumption)
▫ Over-consuming invalid byte sequences or correcting rather than failing
When <41 C2 C3 B1 42> becomes <41 42>
• Character deletion and swallowing
▫ “Deletion of noncharacters” (UTR-36)
▫ <scr[U+FEFF]ipt> becomes <script>
▫ Use replacement characters instead!
Root Causes (cont.)
• Interpreting syntax replacements
▫ White space and line feeds, e.g. when U+180E acts like U+0020
• Best-fit mappings
▫ When σ becomes s
▫ When ′ becomes ‘
• Buffer overruns
▫ Incorrect assumptions about string sizes (chars vs. bytes)
▫ Improper width calculations
• Timing issues
▫ Handling Unicode after security gates
▫ Sometimes handling Unicode before a gate can be a problem too! E.g. BOM handling
Root Causes (high level)
1) Issues with specification implementations.
2) Issues with specification designs?
▫ Specs are carefully designed but not always perfect. This could be a problem (and is): “When designing a markup language or data protocol, the use of U+FEFF can be restricted to that of Byte Order Mark. In that case, any U+FEFF occurring in the middle of the file can be ignored, or treated as an error.”
▫ HTML 4.01 defines four whitespace characters and explicitly leaves handling other characters up to the implementer.
TR 36 Highlight
• Covers many of the root causes we discussed
• Highlights:
▫ Unicode 5.1 updated for preventing over-consumption of ill-formed UTF-8
An ill-formed code unit subsequence cannot overlap with a minimal well-formed subsequence
▫ UTF-8 non-shortest form – never generate these and be careful interpreting
▫ Deletion of Noncharacters defined
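An added illustration, not from the talk: a deliberately sloppy UTF-8 decoder that reproduces the canonicalization and absorption root causes above (accepting non-shortest forms, and swallowing ill-formed bytes so that <41 C2 C3 B1 42> comes out as <41 42>), next to the TR 36 behaviour that Python's own codec implements, where each maximal ill-formed subpart becomes one U+FFFD and never overlaps a well-formed sequence. The function names and sample byte strings are mine.

```python
def decode_lenient(data: bytes) -> str:
    """Deliberately sloppy UTF-8 decoder (constructed for illustration).
    It reproduces two root causes from the slides: non-shortest forms are
    accepted, and ill-formed bytes are silently dropped instead of marked."""
    out = []
    i = 0
    while i < len(data):
        b = data[i]
        if b < 0x80:                      # plain ASCII
            out.append(chr(b))
            i += 1
            continue
        if b >> 5 == 0b110:               # 2-byte lead
            n, cp = 1, b & 0x1F
        elif b >> 4 == 0b1110:            # 3-byte lead
            n, cp = 2, b & 0x0F
        elif b >> 3 == 0b11110:           # 4-byte lead
            n, cp = 3, b & 0x07
        else:                             # stray continuation byte
            i += 1                        # swallowed: no U+FFFD left behind
            continue
        tail = data[i + 1:i + 1 + n]
        i += 1 + n                        # over-consumption: the tail is eaten
                                          # even when it is not continuation bytes
        if len(tail) == n and all(t >> 6 == 0b10 for t in tail):
            for t in tail:
                cp = (cp << 6) | (t & 0x3F)
            if cp <= 0x10FFFF:
                out.append(chr(cp))       # no shortest-form check: C0 AF -> "/"
        # otherwise the whole sequence vanishes ("correcting rather than failing")
    return "".join(out)


def decode_strict(data: bytes) -> str:
    """What TR 36 asks for: Python's codec rejects overlong forms and turns each
    maximal ill-formed subpart into one U+FFFD that never overlaps a valid
    sequence, so C2 becomes U+FFFD and C3 B1 still decodes as U+00F1."""
    return data.decode("utf-8", errors="replace")


# Constructed samples: the byte sequences quoted on the slides.
OVERCONSUMED = bytes.fromhex("41 C2 C3 B1 42")   # slide: becomes <41 42>
OVERLONG_SLASH = bytes.fromhex("C0 AF")          # the IIS-style %c0%af

if __name__ == "__main__":
    for name, sample in (("over-consumption", OVERCONSUMED), ("overlong", OVERLONG_SLASH)):
        print(f"{name:16} lenient={decode_lenient(sample)!r:14} strict={decode_strict(sample)!r}")
```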
TR 39 Highlight
• Convenient guidance for:
▫ General identifier
▫ IDN identifier acceptance
▫ Detecting the “confusables”
▫ Mixed-script detection
Case Studies
• Who's up?
▫ Microsoft
▫ PostgreSQL
▫ Python
▫ Adobe
▫ Trolltech
▫ VMWare
▫ PostgreSQL and MySQL
▫ Cisco
▫ ICU
▫ Apple and Mozilla
▫ Opera
▫ Web Ad network
▫ Social Networking
Case Study: Microsoft IIS
• In 2000 and 2001 the infamous IIS Unicode path traversal bug hit the Web
• CVE-2000-0884
▫ Damage: Directory traversal
▫ Exploit: Run commands and code on the server
▫ Root Cause: Canonicalization, Timing
• Attackers could run cmd.exe on the IIS server using their web browser!
http://lookout.net/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
• Then came double-decode
http://lookout.net/scripts/..%255c../winnt/system32/cmd.exe?/c+dir+c:\
Case Study: PostgreSQL and PHP/MySQL
• In 2006 PostgreSQL and MySQL SQL injection
▫ Example of the delicate ecosystem
• CVE-2006-2314
▫ Not Unicode specifically, but Internationalization
▫ Damage: Code execution
▫ Exploit: Run commands and code on the server
▫ Root Cause: Absorption (over-consumption)
• For SQL injection to work, I need a tick (single quote) 0x27 to control the statement.
▫ I send a 0xbf27 (invalid multi-byte) and PHP's addslashes() gives me a 0xbf5c27. The 0xbf5c is now a valid multi-byte, and my 0x27 gets through!
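An added example, not from the talk, of the 0xbf27 -> 0xbf5c27 mechanism above: a byte-oriented escaper in the style of addslashes() beside a charset-aware one that decodes strictly before escaping. It assumes the connection charset is GBK (the slide does not name one; 0xbf5c is a valid two-byte GBK character), and the function names and sample bytes are mine.

```python
def addslashes_bytes(s: bytes) -> bytes:
    """Byte-oriented escaping in the spirit of PHP's addslashes(): it knows
    nothing about the multi-byte boundaries of the connection charset."""
    out = bytearray()
    for b in s:
        if b in (0x27, 0x22, 0x5C, 0x00):   # ' " \ and NUL
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def escape_charset_aware(s: bytes, charset: str = "gbk") -> str:
    """Decode strictly in the connection charset first, then escape text.
    An ill-formed sequence such as BF 27 fails here instead of being
    'corrected' into something the database will read differently."""
    text = s.decode(charset)                      # UnicodeDecodeError on BF 27
    return text.replace("\\", "\\\\").replace("'", "\\'")


def bare_quote_survives(escaped: bytes, charset: str = "gbk") -> bool:
    """Decode the way the database would and look for an unescaped quote."""
    text = escaped.decode(charset, errors="replace")
    skip = False
    for ch in text:
        if skip:                 # character protected by a preceding backslash
            skip = False
        elif ch == "\\":
            skip = True
        elif ch == "'":
            return True
    return False


# Constructed input from the slide: BF 27, invalid as a multi-byte character.
PAYLOAD = bytes.fromhex("BF27")

if __name__ == "__main__":
    naive = addslashes_bytes(PAYLOAD)          # BF 5C 27: the 5C joins BF
    print(naive.hex(), "->", naive.decode("gbk", errors="replace"),
          "bare quote:", bare_quote_survives(naive))
    try:
        escape_charset_aware(PAYLOAD)
    except UnicodeDecodeError as exc:
        print("charset-aware escaping rejected it:", exc.reason)
```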
Case Study: Python
• In 2006 a repr() function buffer overrun
• CVE-2006-4980
▫ Damage: Code execution
▫ Exploit: Leverage a flaw in UCS-4 handling to execute code on the box
▫ Root Cause: Buffer overrun
• Only affected a minority of *nix Unicode UTF-32 Python builds (majority would be UTF-16)
▫ Trying to stuff 10 bytes into a 6 byte buffer
▫ Expecting \uffff but getting \u0010ffff
Case Study: Adobe Flash
• Heap overrun in the Perl-Compatible Regular Expression (PCRE) library
▫ Affected many products, not just Adobe
• CVE-2007-4768
▫ Damage: Code execution
▫ Exploit: Leverage a heap overrun to run arbitrary code on a client's computer.
▫ Root Cause: Buffer overrun
• Vulnerabilities could be exploited through content from a remote location via the user's web browser, email client, or other applications that include or reference the Flash Player.
Case Study: Trolltech Qt
• In 2007 a QUtf8Decoder::toUnicode() off-by-one error
• CVE-2007-4137
▫ Damage: Code execution
▫ Exploit: Leverage a flaw in the QUtf8Decoder::toUnicode function to execute code on the box
▫ Root Cause: Buffer overrun
• Qt 3, a popular cross-platform application framework, was exploitable.
Case Study: VMWare
• In 2007 VMWare issue identified by CORE Security
• CVE-2007-1744
▫ Damage: Directory traversal
▫ Exploit: Traverse out of the sandbox of the guest OS into the host OS
▫ Root Cause: Canonicalization, Timing
• MultiByteToWideChar() choices
▫ Ill-formed UTF-8 %c0%2e%c0%2e
▫ When MB_ERR_INVALID_CHARS flag not set, you wind up with %2e%2e or ..
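An added example, not from the talk, of the canonicalization-and-timing lesson shared by the IIS and VMware cases above: decode the request path exactly once and strictly, canonicalise, then check, and hand only the checked value onward. The root directory, function names and request paths are constructed; the path shapes follow the URLs quoted on the slides.

```python
import posixpath
from urllib.parse import unquote_to_bytes


class RejectedPath(ValueError):
    """Raised for any request path that cannot be canonicalised safely."""


def resolve_under_root(root: str, raw_url_path: str) -> str:
    """Decode exactly once, strictly, then canonicalise, then check.
    The returned path is the only thing later code may open; nothing
    downstream may percent-decode or UTF-8-decode it a second time."""
    # One percent-decode, into bytes: %xx escapes denote bytes, not characters.
    raw = unquote_to_bytes(raw_url_path)
    try:
        # Strict UTF-8: the overlong %c0%af / %c0%2e forms are errors here,
        # never the "/" or "." a lenient converter would turn them into.
        path = raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise RejectedPath(f"ill-formed UTF-8 in path: {exc.reason}") from None
    if "\x00" in path or "\\" in path:
        # Do not let a later layer reinterpret NUL or backslash as a separator.
        raise RejectedPath("disallowed character in path")
    root_n = posixpath.normpath(root)
    # Canonicalise AFTER decoding, so "scripts/../../x" is what gets checked.
    full = posixpath.normpath(posixpath.join(root_n, path.lstrip("/")))
    if full != root_n and not full.startswith(root_n + "/"):
        raise RejectedPath("escapes document root")
    return full


# Constructed request paths, using the URL shapes quoted on the slides.
if __name__ == "__main__":
    for req in ("/index.html",
                "/scripts/..%c0%af../winnt/system32/cmd.exe",
                "/scripts/%2e%2e/%2e%2e/etc/passwd",
                "/scripts/..%255c../winnt/system32/cmd.exe"):
        try:
            print(req, "->", resolve_under_root("/var/www", req))
        except RejectedPath as exc:
            print(req, "-> rejected:", exc)
```

The double-decode URL comes out as the literal segment `..%5c..` under the root, which is harmless only because nothing decodes it again; a second decode after this check is exactly the IIS bug.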
Case Study: Cisco
• In 2007 Cisco IPS evasion
• CVE-2007-2688
▫ Damage: Filter evasion
▫ Exploit: Bypass the intrusion prevention system's protection by leveraging full-width character forms
▫ Root Cause: Canonicalization
• Not the first time encodings have been used to bypass filters!
▫ Step back to 2001 when \uNNNN and %uNNNN notation was used to bypass filters
Case Study: ICU Library
• In 2008 ICU Library
▫ Not a flaw in ICU specifically, but a problem for consumers!
• CVE-2008-1036
▫ Damage: Filter evasion
▫ Exploit: Character decoding issues can compromise content-filtering logic
▫ Root Cause: Character deletion
• ICU Library leveraged by many software vendors including Google, Apple, IBM, and more
• Dropping invalid character sequences can lead to problems!
• Answer: Replace with a fallback character (refer to TR 36)
Case Study: Apple and Mozilla
• In 2008 Safari and Firefox BOM consumption
▫ Damage: Filter evasion, code execution
▫ Exploit: Bypass filtering logic with specially crafted strings to leverage cross-site scripting
▫ Root Cause: Character swallowing
<a href="java[U+FEFF]script:alert('XSS')>
• Even nastier:
<a h[U+FEFF]ref="java[U+FEFF]script:al[U+FEFF]ert('XSS')>
Case Study: Opera
• Opera browser
• In 2008 Opera white-space interpretation
▫ Damage: Filter evasion, controlling syntax, code execution
▫ Exploit: Bypass filtering logic with specially crafted strings to leverage cross-site scripting
▫ Root Cause: Interpreting syntax replacements
▫ A problem with the HTML 4.0 spec?
<a href=#[U+180E]onclick=alert()>
• This list includes many of the Unicode characters with the White_Space property:
▫ U+2002 to U+200A
▫ U+205F
▫ U+3000
▫ U+180E Mongolian Vowel Separator
▫ U+1680 Ogham Space Mark
Case Study: Web Ad network
• A popular advertising network in 2008
▫ Damage: Visual security, filter evasion
▫ Exploit: Fooling a system that tried to prevent certain words from being used, such as trademarks and profanity.
▫ Root Cause: Best-fit mappings
• If the word “Unicode” was considered a protected trademark which should be restricted in ads: Try “Uniсode”
▫ Where “с” = Cyrillic small letter ES (U+0441)
▫ Result: you bypass the filter, glyphs look identical.
Case Study: Social Networking
• A popular social networking site in 2008
• Implemented pretty complex filtering logic to prevent XSS
▫ Damage: Filter evasion, code execution
▫ Exploit: Bypass filtering logic with best-fit mappings to leverage cross-site scripting
▫ Root Cause: Best-fit mappings
• -moz-binding() was not allowed, but….
▫ [U+ff4d]oz-binding() would best-fit map!
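An added example, not from the talk, of the two defences the ad-network and social-networking cases call for: NFKC folding before a deny-list comparison (so U+FF4D collapses onto "m") and a TR 39-style mixed-script check (so “Uniсode” with a Cyrillic ES is flagged without enumerating look-alikes). The deny list, function names and samples are mine; the script bucket is derived from Unicode character names as a stand-in for the Script property.

```python
import unicodedata


def fold_for_filter(text: str) -> str:
    """NFKC first: fullwidth and other compatibility forms collapse onto their
    plain counterparts, so U+FF4D ("m") and U+FF1C ("<") cannot slip past a
    deny list that only knows ASCII."""
    return unicodedata.normalize("NFKC", text)


def script_of(ch: str) -> str:
    """Crude script bucket from the first word of the character name, e.g.
    'CYRILLIC SMALL LETTER ES' -> 'CYRILLIC' (a stand-in for TR 39's Script
    property; non-letters count as Common)."""
    if not ch.isalpha():
        return "Common"
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def scripts_in(text: str) -> set:
    # Fold first so a fullwidth Latin letter is bucketed as LATIN, not FULLWIDTH.
    return {script_of(c) for c in fold_for_filter(text)} - {"Common"}


def is_mixed_script(text: str) -> bool:
    """TR 39-style mixed-script check: 'Uniсode' with a Cyrillic ES is flagged,
    an all-Latin or all-Cyrillic word is not."""
    return len(scripts_in(text)) > 1


DENYLIST = ("moz-binding", "unicode")   # constructed stand-in for the sites' rules


def blocked(text: str) -> bool:
    """Compare the folded, case-folded form against the deny list and reject
    anything that mixes scripts rather than trying to enumerate look-alikes."""
    folded = fold_for_filter(text).casefold()
    return any(word in folded for word in DENYLIST) or is_mixed_script(text)


if __name__ == "__main__":
    for sample in ("Unicode", "Uni\u0441ode", "\uff4doz-binding", "caf\u00e9"):
        print(f"{sample!r:20} scripts={sorted(scripts_in(sample))} blocked={blocked(sample)}")
```

NFKC models the fullwidth cases but is not Windows best-fit: U+2329 normalises to U+3008, not to "<", so the marshalling case later in the deck still needs the LPWStr fix rather than normalization alone.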
Demo – Windows best-fit P/Invoke
• The .NET runtime will marshal a string as LPStr to a P/Invoke function
• How can we best-fit the < character?
▫ 0x2329 0x3c ; Left-Pointing Angle Bracket
▫ 0x3008 0x3c ; Left Angle Bracket
▫ 0xff1c 0x3c ; Fullwidth Less-Than Sign
• How can we best-fit the s character?
▫ 0x015b 0x73 ; Latin Small Letter S With Acute
▫ 0x015d 0x73 ; Latin Small Letter S With Circumflex
• To deal with this, specify an LPWStr type instead of LPStr:
[MarshalAs(UnmanagedType.LPWStr)]
Demo: Microsoft IIS Unicode exploit
• Get a dir listing of the IIS server through your browser
http://lookout.net/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
• Run any command remotely on the server
• Game over, owned
Demo: MultiByteToWideChar() buffer overrun and code injection
• Call it a vulnerable Web server product, MyHTTP
• An attacker exploits the buffer overrun to run shellcode on the server
// sizeof() returns the number of bytes in the buffer, and we end up accepting twice as many chars as we should.
MultiByteToWideChar(CP_UTF8, 0, buff, result, mBuff, sizeof(mBuff));
• Game over
Demo: Safari BOM injection for XSS
• Cross-site scripting is the buffer overrun of the Web
• Many applications and WAFs implement filters to block dangerous user-input:
▫ <script>alert('xss')</script>
▫ javascript:alert('xss')
▫ onclick=alert('xss')
• Vulnerability looks like this:
▫ <sc[U+FEFF]ript>
▫ java[U+FEFF]script:
▫ on[U+FEFF]click
Demo: Opera white_space formatter characters for XSS
• Vulnerability looks like this:
<a href=#[U+180E]onclick=alert()>
• HTML 4.01 spec defines four whitespace characters and explicitly leaves handling other characters up to you!
• HTML 5 explicitly defines five whitespace characters and no others.
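An added example, not from the talk, of the TR 36 “replace, don't delete” guidance applied to the BOM-swallowing payloads from the Safari/Firefox case study and demo above: a deny-list filter that checks the raw string passes them, the swallowing browser reassembles them, and replacing format characters with U+FFFD before the gate leaves nothing to reassemble. The regex, function names and samples are mine; U+180E is also category Cf in current Unicode, so it is neutralised the same way, even though the Opera bug was it acting as a space rather than vanishing.

```python
import re
import unicodedata

# Deny list of the shapes the slides show filters looking for (constructed).
# The \s before on...= matters: a handler is only dangerous as a new attribute.
DANGEROUS = re.compile(r"<\s*script|javascript:|\son\w+\s*=", re.IGNORECASE)


def strip_format_chars(text: str) -> str:
    """What the vulnerable consumers did: U+FEFF and friends (category Cf)
    simply vanish, so <scr[U+FEFF]ipt> turns back into <script>."""
    return "".join(c for c in text if unicodedata.category(c) != "Cf")


def replace_format_chars(text: str) -> str:
    """TR 36 guidance: replace, never delete. U+FFFD keeps the tokens apart no
    matter what the downstream parser does, and it is not itself swallowed."""
    return "".join("\ufffd" if unicodedata.category(c) == "Cf" else c for c in text)


def naive_filter_passes(text: str) -> bool:
    """Gate that checks the raw string, before the browser swallows the BOM."""
    return DANGEROUS.search(text) is None


def hardened(text: str) -> str:
    """Neutralise format characters first, then apply the same deny list to the
    result; what comes back is what the browser gets to see."""
    cleaned = replace_format_chars(text)
    if DANGEROUS.search(cleaned):
        raise ValueError("dangerous markup")
    return cleaned


# Constructed samples built from the payload shapes on the slides.
SAMPLES = ('<a href="java\ufeffscript:alert(\'XSS\')">',
           "<scr\ufeffipt>alert(1)</scr\ufeffipt>",
           "<a href=#\u180eonclick=alert()>")

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"gate passes raw: {naive_filter_passes(s)}  "
              f"browser saw: {strip_format_chars(s)!r}  hardened: {hardened(s)!r}")
```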
Further Testing
• Products
▫ Browsers (IE, Firefox, Opera, Safari, and Chrome)
▫ Libraries (ICU, etc.)
▫ Servers (Web, email, etc.)
• Test cases
▫ Buffer overruns
▫ Canonicalization
▫ Over-consumption
▫ Deletion / swallowing
▫ Best-fit mappings
▫ Absorption
▫ Timing
Questions?
Chris Weber
Casaba Security
www.casabasecurity.com
www.lookout.net