Crossing Origins by Crossing Formats

  • 1. CROSSING ORIGINS BY CROSSING FORMATS – Jonas Magazinius, Chalmers University of Technology. Hacker Praktikum 2012, OWASP Norway 2013
  • 2. RELATED WORK
    • GIFAR – content smuggling attack: Billy Rios (@XSSniper), Petko D. Petkov (@pdp)
    • Cross-origin CSS attack: Chris Evans (@scarybeasts) et al.
    • Content-type sniffing attacks: Adam Barth (@adambarth) et al.
  • 3. CROSS-ORIGIN CSS ATTACK
    • A minimal amount of CSS syntax is injected into the target HTML page:
      {}#f{font-family:'
      … arbitrary HTML content …
      '}
    • The attacker uses the HTML page as a style sheet in his own page
    • The victim visits the attacker's page
    • The attacker can extract the arbitrary content from the imported style sheet (it has become the value of font-family)
  • 4. GIFAR – CONTENT SMUGGLING ATTACK
    • GIF image: parsed top-down, content after the trailer is ignored
    • JAR file: based on ZIP archives; parsed bottom-up, content before the header is ignored
    • GIF + JAR = GIFAR:
      copy /b benign.gif + malicious.jar gifar.gif
    • The GIFAR is uploaded to a vulnerable service
    • The GIFAR is embedded from the vulnerable service on the attacker's page as an applet
    • Any visitor to the attacker's page will execute the applet, in the origin of the vulnerable service
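The GIFAR construction above, as an added Python example (not code from the talk): it builds a constructed 1x1 GIF and an in-memory ZIP standing in for the JAR, concatenates them exactly as the copy /b command does, and then reads the result both ways. A small top-down GIF walker (this example's own, not a real decoder) stops at the trailer byte and never sees the archive; Python's zipfile, like a JAR reader, locates the end-of-central-directory record from the end of the file and adjusts every offset, so the GIF bytes in front are ignored. The entry names are placeholders; no applet bytecode is involved.

```python
import io
import zipfile

# Constructed 35-byte 1x1 GIF89a: header, logical screen descriptor, a two-entry
# global colour table, one image descriptor, an LZW data sub-block, and the trailer.
BENIGN_GIF = bytes.fromhex(
    "474946383961"          # "GIF89a"
    "01000100"              # width 1, height 1
    "800000"                # packed byte: global colour table of 2 entries; background; aspect
    "000000ffffff"          # colour table: black, white
    "2c000000000100010000"  # image descriptor at (0,0), 1x1, no local colour table
    "02"                    # LZW minimum code size
    "024401"                # one data sub-block of 2 bytes
    "00"                    # block terminator
    "3b"                    # trailer: a GIF decoder stops here
)


def gif_trailer_offset(data):
    """Walk the GIF block structure top-down, the way an image decoder does, and
    return the offset of the trailer byte; whatever follows it is never read."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    packed, pos = data[10], 13
    if packed & 0x80:                       # global colour table present
        pos += 3 * (2 << (packed & 0x07))
    while pos < len(data):
        block = data[pos]
        if block == 0x3B:                   # trailer
            return pos
        if block == 0x2C:                   # image descriptor
            local = data[pos + 9]
            pos += 10
            if local & 0x80:                # local colour table
                pos += 3 * (2 << (local & 0x07))
            pos += 1                        # LZW minimum code size
        elif block == 0x21:                 # extension: introducer and label, then sub-blocks
            pos += 2
        else:
            raise ValueError("unexpected block 0x%02x at offset %d" % (block, pos))
        while data[pos] != 0:               # data sub-blocks up to the zero terminator
            pos += 1 + data[pos]
        pos += 1
    raise ValueError("no trailer")


def make_jar(entries):
    """Build a ZIP archive (the container a JAR uses) in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        for name, content in entries.items():
            z.writestr(name, content)
    return buf.getvalue()


def make_gifar(gif, jar):
    """Byte-wise concatenation: copy /b benign.gif + malicious.jar gifar.gif"""
    return gif + jar


def zip_entries(data):
    """Read bottom-up like a JAR reader: zipfile finds the central directory from the
    end and compensates for the prepended GIF bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return sorted(z.namelist())


def read_entry(data, name):
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.read(name)


if __name__ == "__main__":
    jar = make_jar({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
                    "payload.txt": b"constructed placeholder, not bytecode"})
    gifar = make_gifar(BENIGN_GIF, jar)
    print("GIF reader stops at byte", gif_trailer_offset(gifar), "of", len(gifar))
    print("ZIP reader sees", zip_entries(gifar))
```

The same file therefore passes an upload filter that only decodes it as an image, while the applet loader reads it as an archive.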
  • 5. CONTENT SNIFFING ATTACK
    • The browser performs content sniffing when the server provides an unknown content-type
    • The content is matched against a series of signatures
    • If a match is found, the content is interpreted as the matched type
    • The attacker creates a "chameleon" file: benign format + HTML, crafted to match the HTML signature
    • The chameleon is uploaded to a vulnerable service
    • The chameleon is embedded in an iframe on the attacker's page
    • Any visitor will trigger the content sniffing and the browser renders the HTML
  • 6. GENERALIZING
    • One thing in common: the browser re-interprets the content in a different format based on the context
    • The content-type provided by the server is overridden
    • Tags that allow re-interpretation of content:
      • CSS – <link> tag
      • Java – <applet> tag
      • Content sniffing – <iframe> tag
      • <object> and <embed> allow arbitrary interpretation based on the type attribute
  • 7. POLYGLOT
    • Definition:
      • "…a person who speaks several languages."
      • "…a program that is valid in multiple programming languages."
      • Content that can be interpreted as multiple formats
    • Example 1 – HTML / JavaScript:
      data:text/html,alert(polyglot)//<script src="%23"></script>
      (as HTML, <script src="#"> loads the document itself as JavaScript; as JavaScript, // comments out the tag)
    • Example 2 – C / Pascal / PostScript / TeX / Bash / Perl / Befunge98:
      (*a/*/ % #)(PostScript)/Helvetica 40 selectfont 9 400 moveto show%v"f"a0 true showpage quit%#) 2>/dev/null;echo bash;exit #*/);int main()/*>"eb"v %a*0)unless print"perln"__END__*/{printf("Cn");/*>>#;"egnu">:#,_@;,,,< *)begin writeln(*output={setbox0=box255}ejectshipouthbox{TeX}end *)(pascal);end.{*/return 0;}
  • 8. MALICIOUS POLYGLOTS
    • Two formats (or more): one benign, one malicious
    • Preferred characteristics of the malicious format:
      • Widespread, commonly used format
      • Error-tolerant parsing, or other ways to hide foreign syntax
      • Issues same-origin requests including the credentials (cookies) of the victim
  • 9. ATTACK VECTORS – SYNTAX INJECTION
    • A vulnerable web service reflects parameters into content
    • Fragments of syntax are injected, resulting in a polyglot
    • The polyglot is embedded under the origin of the attacker
    • The polyglot has the origin of, and can communicate with, the vulnerable service
    • Visitors of the attacker's domain are exploited
    • Known attack instances:
      • Cross-origin CSS attack
      • (Cross-site scripting)
    [Diagram: attacker.com and vulnerable.com, steps (1) to (4)]
  • 10. ATTACK VECTORS – CONTENT SMUGGLING
    • A vulnerable web service allows users to upload content
    • The attacker uploads a polyglot to the vulnerable origin
    • The polyglot is embedded under the origin of the attacker
    • The polyglot has the origin of, and can communicate with, the vulnerable service
    • Visitors of the attacker's domain are exploited
    • Known attack instances:
      • GIFAR
      • Content sniffing attack
    [Diagram: attacker.com and vulnerable.com, steps (1) to (5)]
  • 11. PAYLOADS – EXPLOITING THE ORIGIN
    • Cross-origin information leakage: request sensitive user information and leak it to the attacker across origins
    • Cross-site request forgery:
      • Traditionally, issue requests with the credentials of the victim
      • Protected using tokens
      • The impact is far greater if it is possible to read the response: extract the token, then make the request
  • 12. PORTABLE DOCUMENT FORMAT
    • Standardized document format – ISO 32000-1
    • Container format: embeds related resources; contains foreign syntax by design
    • Error-tolerant parsing
    • Powerful capabilities
  • 13. CAPABILITIES
    • Display text
    • Render 2D/3D graphics
    • Animations
    • Forms
    • Launch commands (restricted)
    • Execute JavaScript
    • Embed Flash
    • Issue HTTP requests – with cookies!!
  • 14. DOCUMENT STRUCTURE
    • Header: %PDF-1.7
    • Objects
    • Cross-reference table: xref
    • Trailer: startxref [byte offset of the cross-reference section], %%EOF
  • 15. SYNTAX
    • Objects
      • Direct – inlined in the code
      • Indirect – numbered for reference from other objects: 1 0 R
    • Types
      • Booleans – true, false
      • Integers
      • Strings – (A string 43)
      • Names – /N#61me
      • Arrays – [ 1 2 3 ]
      • Dictionaries – <</Name /Value>>
      • Streams
    • Indirect objects, a string and a stream:
      1 0 obj
      (Some string)
      endobj

      1 0 obj
      <</Length 0>>
      stream
      endstream
      endobj
  • 16. MINIMAL PDF (ACCORDING TO SPECIFICATION)
      %PDF-1.4
      1 0 obj
      <<
        /Type /Catalog
        /Outlines 2 0 R
        /Pages 3 0 R
      >>
      endobj
      2 0 obj
      <<
        /Type /Outlines
        /Count 0
      >>
      endobj
      3 0 obj
      <<
        /Type /Pages
        /Kids [4 0 R]
        /Count 1
      >>
      endobj
      4 0 obj
      <<
        /Type /Page
        /Parent 3 0 R
        /MediaBox [0 0 612 792]
        /Contents 5 0 R
        /Resources << /ProcSet 6 0 R >>
      >>
      endobj
      5 0 obj
      << /Length 35 >>
      stream
      endstream
      endobj
      6 0 obj
      [/PDF]
      endobj
      xref
      0 7
      0000000000 65535 f
      0000000009 00000 n
      0000000074 00000 n
      0000000120 00000 n
      0000000179 00000 n
      0000000300 00000 n
      0000000384 00000 n
      trailer
      <<
        /Size 7
        /Root 1 0 R
      >>
      startxref
      408
      %%EOF
  • 17. MINIMAL PDF (ACCORDING TO INTERPRETER)
    • Adobe Reader:
      %PDF-1.
      1 0 obj<</Pages<<>>>>
      trailer<</Root 1 0 R>>
      …or executing JavaScript…
      %PDF-1.
      1 0 obj<</Pages<<>>/OpenAction<</S/JavaScript /JS(app.alert('PDF'))>>>>
      trailer<</Root 1 0 R>>
      …or even shorter…
      %PDF
      trailer<</Root<</Pages<<>>>>
    • Google Chrome PDF Reader:
      %PDF
      trailer<</Root<</Pages<<>>
      …or even shorter…
      %PDF
      trailer<</Root<</Pages>>
  • 18. ERROR TOLERANT PARSING
    The text of this slide is itself accepted as a PDF:
      This text would also be a valid
      %PDF-1.
      With the condition that the
      trailer %begins on a new line and that there isn't
      <</too /much /garbage /in /Root<</Pages<<>>>> the dictionary.
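The acceptance rules that slides 17 and 18 describe (a %PDF header somewhere near the start, the keyword trailer at the beginning of a line, comments that swallow the rest of a line, unterminated dictionaries closed by end of file, a /Root that is either an inline dictionary or a reference to an "N G obj" found by scanning, and a limit on how much garbage a dictionary may contain), as an added Python example. This is a toy tolerant reader written for this page, not the talk's code and not Adobe's or Chrome's parser; the 1024-byte header window and the garbage limit of four stray tokens are assumptions. The inputs are constructed: the minimal documents and the slide-18 text from the talk, plus a search page that reflects its query into HTML, into which the two-line trailer fragment has been injected (the syntax-injection vector of slide 9).

```python
import re

WHITESPACE, DELIMITERS = b" \t\r\n\x0c\x00", b"()<>[]{}/%"
MAX_GARBAGE = 4       # assumption: stray tokens a tolerant reader swallows inside one dictionary
HEADER_WINDOW = 1024  # assumption: how far into the file a reader still looks for %PDF

class Tokenizer:  # minimal PDF tokenizer: skips whitespace and '%' comments, returns raw byte tokens
    def __init__(self, data, pos=0):
        self.d, self.p = data, pos

    def next(self):
        d, p = self.d, self.p
        while p < len(d) and d[p:p + 1] in WHITESPACE + b"%":
            if d[p:p + 1] == b"%":                              # a comment runs to the end of the line
                while p < len(d) and d[p:p + 1] not in b"\r\n":
                    p += 1
            else:
                p += 1
        self.p = p
        if p >= len(d):
            return None
        c = d[p:p + 1]
        if d[p:p + 2] in (b"<<", b">>"):
            self.p = p + 2
        elif c in b"[]":
            self.p = p + 1
        elif c == b"(":                                         # literal string; parentheses nest
            depth, q = 1, p + 1
            while q < len(d) and depth:
                depth += {b"(": 1, b")": -1}.get(d[q:q + 1], 0)
                q += 2 if d[q:q + 1] == b"\\" else 1
            self.p = q
        else:                                                   # name, number or keyword
            q = p + 1 if c == b"/" else p
            while q < len(d) and d[q:q + 1] not in WHITESPACE and d[q:q + 1] not in DELIMITERS:
                q += 1
            self.p = max(q, p + 1)                              # a lone '<' or '>' (from HTML) is one token
        return d[p:self.p]

def parse_value(t):
    tok = t.next()
    if tok == b"<<":
        return parse_dict(t)
    if tok == b"[":
        arr = []
        while True:
            v = parse_value(t)
            if v is None or v == b"]":
                return arr
            arr.append(v)
    if tok is not None and tok.isdigit():                       # "num gen R" is an indirect reference
        save, gen = t.p, t.next()
        if gen is not None and gen.isdigit() and t.next() == b"R":
            return ("ref", int(tok), int(gen))
        t.p = save
        return int(tok)
    return tok

def parse_dict(t):  # called after '<<'; EOF closes an unterminated dictionary, too much junk rejects it
    d, garbage = {}, 0
    while True:
        tok = t.next()
        if tok is None or tok == b">>":
            return d
        if tok.startswith(b"/"):
            d[tok] = parse_value(t)
        else:
            garbage += 1
            if garbage > MAX_GARBAGE:
                return None

def find_object(data, num, gen):  # locate 'num gen obj' by scanning, as a reader rebuilding a lost xref does
    m = re.search(rb"(?<!\d)%d\s+%d\s+obj\b" % (num, gen), data)
    return parse_value(Tokenizer(data, m.end())) if m else None

def load_tolerant(data):  # the catalog dictionary if DATA passes as a PDF under the slides' rules, else None
    h = data.find(b"%PDF")
    if h < 0 or h > HEADER_WINDOW:
        return None
    m = re.compile(rb"^trailer\b", re.M).search(data, h)
    if not m:
        return None
    t = Tokenizer(data, m.end())
    trailer = parse_dict(t) if t.next() == b"<<" else None
    root = trailer.get(b"/Root") if trailer else None
    if isinstance(root, tuple):
        root = find_object(data, root[1], root[2])
    return root if isinstance(root, dict) and b"/Pages" in root else None

# Constructed inputs: minimal documents and the slide-18 text from the talk, and a search page
# that reflects its query into HTML with the trailer fragment injected (syntax injection).
SAMPLES = {
    "adobe minimal": b"%PDF-1.\n1 0 obj<</Pages<<>>>>\ntrailer<</Root 1 0 R>>",
    "adobe javascript": b"%PDF-1.\n1 0 obj<</Pages<<>>/OpenAction<</S/JavaScript /JS(app.alert('PDF'))>>>>\n"
                        b"trailer<</Root 1 0 R>>",
    "slide 18 text": b"This text would also be a valid\n%PDF-1.\nWith the condition that the\n"
                     b"trailer %begins on a new line and that there isn't\n<</too /much /garbage /in /Root<</Pages<<>>>> the dictionary.",
    "reflected html": b"<html><body><h1>Results for: %PDF-1.\ntrailer<</Root<</Pages<<>>>>>></h1>\n"
                      b"<p>csrf_token=constructed-token</p></body></html>",
    "plain html": b"<html><body><h1>Results for: cats</h1></body></html>",
}
```

Running `load_tolerant` over `SAMPLES` returns a catalog for every entry except "plain html": the reflected search page becomes a PDF as soon as the query string contains a header and a trailer, and the surrounding HTML only has to stay under the garbage limit, which is why the slide calls the injection easy and filtering hard.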
  • 19. COMMUNICATION
    • PDF
      • URL action – redirects the browser
    • JavaScript
      • Inherits the origin of the document
      • Uses the cookies of the browser
      • launchURL() – redirects the browser
      • getURL() – redirects the browser
      • submitForm() – POST request via the browser
      • XML External Entity – two-way communication; patched in the latest version of Adobe Reader
    • Embedded Flash
      • Inherits the origin of the document
      • Two-way communication
      • Uses its own set of cookies
  • 20. PDF POLYGLOTS
    • Syntax injection
      • Easy to inject
      • Token set overlaps with HTML
      • Can extract sensitive information: CSRF protection token, user information
      • Impact: CSRF, cross-origin leakage
    • Content smuggling
      • Mixes well with just about any format
      • Server can verify the benign format (context dependent)
      • Impact: CSRF, cross-origin leakage
  • 21. PDF-BASED SYNTAX INJECTION ATTACK
  • 22. PDF-BASED CONTENT SMUGGLING ATTACK
  • 23. POTENTIAL TARGETS
    • Syntax injection
      • User-supplied content reflected
      • XSS vulnerabilities
      • JSON
      • XML
    • Content smuggling
      • PDF as the malicious format: user-provided content of any kind
      • PDF as the benign format: CV databases, conference systems
  • 24. DEMO http://internot.noads.biz
  • 25. MITIGATION
    • Server-side
      • Syntax injection: filtering? In general, no! (PDF tokens and keywords: { <, >, trailer })
      • Content smuggling: serve content from a sandboxed domain (www.googleusercontent.com)
    • Browser
      • Strict enforcement of the server-provided content-type
      • Disallow the type attribute
    • Interpreter
      • Strict parsing? Improvements in the latest version: matching the first bytes against known magic values. Already found a bypass!
      • Limit communication methods further: implemented in the latest version, according to our recommendations
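The server-side part of the mitigation list, as an added Python example that is not part of the talk: a coarse upload check that verifies the declared type's magic bytes and then scans the whole file for the signatures of the other formats a polyglot smuggles (the %PDF header and trailer that Chrome accepts on their own, the "N G obj" pattern, the ZIP end-of-central-directory record a JAR reader looks for, and HTML tags that content sniffing keys on), plus the response headers for the sandboxed domain, where X-Content-Type-Options: nosniff switches off the sniffing of slide 5 and Content-Disposition: attachment keeps the file from being rendered inline. The accepted types, the signature list and the sample bytes are this example's assumptions. As the slide says, filtering alone is not a defence: the scan is a pre-filter, and hosting uploads on a separate origin is what actually removes the cross-origin payoff.

```python
import re

# Assumption: the four content types this service accepts, with the bytes each must start with.
MAGIC = {
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "application/pdf": (b"%PDF",),
}

# Signatures of the formats a polyglot may smuggle inside a benign container.
FOREIGN = (
    ("pdf header", re.compile(rb"%PDF")),                          # Chrome accepted '%PDF' plus a trailer
    ("pdf trailer", re.compile(rb"^trailer\b", re.M)),
    ("pdf object", re.compile(rb"(?<!\d)\d+\s+\d+\s+obj\b")),
    ("zip end-of-central-directory", re.compile(rb"PK\x05\x06")),  # what a JAR reader seeks (GIFAR)
    ("html tag", re.compile(rb"<(?:html|script|body|iframe|object|embed)\b", re.I)),
)

# Constructed sample: a GIF89a header, a 1x1 screen descriptor and the trailer, nothing else.
SAMPLE_GIF = b"GIF89a\x01\x00\x01\x00\x00\x00\x00;"


def check_upload(data, declared_type):
    """Return a list of findings; an empty list means the bytes look like one format only."""
    sigs = MAGIC.get(declared_type)
    if sigs is None:
        return ["declared type %s is not accepted" % declared_type]
    findings = []
    if not data.startswith(sigs):
        findings.append("magic bytes do not match %s" % declared_type)
    for label, pattern in FOREIGN:
        if declared_type == "application/pdf" and label.startswith("pdf"):
            continue                                  # a PDF is allowed to contain PDF syntax
        m = pattern.search(data)
        if m:
            findings.append("%s at offset %d" % (label, m.start()))
    return findings


def user_content_headers(filename, content_type):
    """Headers for serving an upload from the sandboxed domain: the browser must not re-interpret it."""
    safe_name = re.sub(r'["\r\n\\]', "", filename)
    return {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",          # no content sniffing of an unknown or mismatched type
        "Content-Disposition": 'attachment; filename="%s"' % safe_name,
    }


if __name__ == "__main__":
    chameleon = SAMPLE_GIF + b"\n%PDF-1.\ntrailer<</Root<</Pages<<>>>>"
    print(check_upload(SAMPLE_GIF, "image/gif"))
    print(check_upload(chameleon, "image/gif"))
    print(user_content_headers("cv.gif", "image/gif"))
```

The scan has false positives by design (a JPEG's compressed data can legitimately contain `PK\x05\x06`), so reject-and-report is the safe action, and the interpreter-side magic-byte matching the slide mentions was already bypassed, which is the argument for the sandboxed domain rather than for the filter.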
  • 26. THANK YOU!