I'm in your browser, pwning your stuff
Published on

Security B-Sides Polska, 2012
https://github.com/koto/xsschef/
http://blog.kotowicz.net

Published in: Technology
Transcript

  • 1. I'm in your browser, pwning your stuff! Attacking via Google Chrome extensions. Krzysztof Kotowicz
  • 2. /whoami • IT security consultant @ SecuRing • Web security research (BlackHat, BruCON, Confidence, ...) • blog.kotowicz.net • @kkotowicz
  • 3. Agenda • Why attack (through) Google Chrome extensions? • How is it done? • Can it be done more simply?
  • 4. Why?
  • 5. http://flic.kr/p/6xQTMD
  • 6. http://www.flickr.com/photos/hans905/4124897248/in/photostream/
  • 7. Same origin policy • XSS - code execution within the victim's origin: "><script>alert(document.cookie)</script> • CSRF - performing an action as the victim with a request sent from the attacker's origin: x = new XMLHttpRequest(); x.open("POST", "//victim.pl"); x.send("delete_account&id=1")
  • 8. http://www.flickr.com/photos/dimi15/707990005/in/photostream/
  • 9. SOP bypass • //superevr.com/blog/2012/top-level-universal-xss/ • //blog.detectify.com/post/32947196572/universal-xss-in-opera • Rare, limited applicability • Depend on browser bugs
  • 10. http://flic.kr/p/aqEx5Y
  • 11. http://www.flickr.com/photos/iloveblue/3302032125/in/photostream/
  • 12. Chrome extensions • HTML5 applications • html, javascript, css • Packaged into a .crx file • a signed zip • Installed through the Chrome Web Store • or manually
  • 13. Chrome extensions • Permissions declared in manifest.json • Access to many powerful APIs • chrome.tabs • chrome.bookmarks • chrome.history • chrome.cookies • NPAPI plugins
  • 14. Chrome extensions • Extensions are HTML applications • Same vulnerability classes • including XSS
  • 15. Chrome extensions • XSS in an extension can mean • UXSS • access to URL history • r/w access to cookies • access to files • arbitrary code execution
  • 16. How?
  • 17-30. [Architecture diagram, built up one element per slide: the page's DOM and its own js.js; the extension's content script.js, which touches the page DOM through getElementById(), createElement() and innerHTML; the extension's view.html; background.js, reached from the content script via chrome.extension.sendRequest(); the chrome.* API (cookies, history, tabs, plugins, ...); and, on slide 30, chrome.tabs.executeScript.]
  • 31. Vulnerabilities
  • 32. XSS in a content script • the content script receives data • from the view • from the DOM • and inserts it into the DOM without escaping
  • 33-35. [The architecture diagram again, highlighting the data flow for this case: page DOM, content script.js, view.html, background.js, chrome.* API.]
  • 36. XSS in a content script • Consequences: • access to the DOM • unrestricted XHR. DEMO - zzzap-it:
    chrome.tabs.executeScript(null, { code: "(" + funcLaunchZzzapIt.toString() + ")(" + tab.url.replace("","") + ", " + tab.title.replace("","") + ", open)"});
  • 37. XSS in the view • the content script takes data from the page DOM • sends it to the view • the view displays it without escaping
  • 38-40. [The architecture diagram again, highlighting the data flow for this case: page DOM, content script.js, view.html, background.js, chrome.* API.]
  • 41. XSS in the view • Consequences • possible persistence in the background page • access to the chrome.* API (limited by the extension's permissions). DEMO - Slick RSS: feed finder:
    <link rel="alternate" type="application/rss+xml" title="hello <img src=x onerror=payload>" href="/rss.rss">
  • 42. Vulnerabilities in NPAPI • Content from the page reaches the view • The view passes it to an NPAPI plugin • A vulnerability in the plugin is triggered
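As an added example (not code from the talk or from XSS ChEF), here are the two unsafe string-building patterns from slides 36 and 41, each beside a hardened form; the vulnerable executeScript builder is an assumed reconstruction of the slide's shape, and all function names are mine.

```javascript
// Added example, not code from the talk or from XSS ChEF: the unsafe
// string-building patterns from slides 36 and 41, each beside a hardened form.

// --- Slide 36: page data spliced into chrome.tabs.executeScript({code: ...}) ---

// Assumed reconstruction of the vulnerable shape: tab.url / tab.title are
// concatenated straight into JavaScript source, so a quote in a page title
// closes the string literal and whatever follows it is parsed as code.
function buildInjectedCodeUnsafe(fnSource, url, title) {
  return "(" + fnSource + ')("' + url + '", "' + title + '")';
}

// Hardened: every page-controlled value is serialised with JSON.stringify, so
// it can only appear as a string literal inside the generated source. (Sending
// the values with chrome.tabs.sendMessage instead of generating code avoids the
// problem altogether; the code-string approach is kept here for comparison.)
function buildInjectedCode(fnSource, pageValues) {
  var args = pageValues.map(function (v) { return JSON.stringify(String(v)); });
  return "(" + fnSource + ")(" + args.join(", ") + ")";
}

// Evaluate the generated source the way the tab would and return what the
// injected function received (stand-in for the real executeScript call).
function roundTrip(url, title) {
  var code = buildInjectedCode("function (u, t) { return [u, t]; }", [url, title]);
  return new Function("return " + code)();
}

// --- Slide 41: page data rendered into the extension's view.html ---

var HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, function (c) { return HTML_ESCAPES[c]; });
}

// Only http(s) URLs and site-relative paths may become a link target; any other
// scheme (javascript:, data:, ...) is replaced with a harmless anchor.
function safeHref(href) {
  return /^(https?:\/\/|\/(?!\/))/i.test(String(href)) ? String(href) : "#";
}

// Feed-finder entry built from a page's <link rel="alternate"> title and href.
// Both values are page-controlled, so both are escaped before the markup is
// assigned to innerHTML in the view.
function renderFeedLink(title, href) {
  return '<a href="' + escapeHtml(safeHref(href)) + '">' + escapeHtml(title) + "</a>";
}
```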
  • 43-46. [The architecture diagram with the NPAPI plugin added, highlighting the data flow for this case: page DOM, content script.js, view.html, NPAPI plugin.]
  • 47. Vulnerabilities in NPAPI • Example: cr-gpg 0.7.8:
    string cmd = "c:\\windows\\system32\\cmd.exe /c ";
    cmd.append(gpgFileLocation);
    cmd.append("-e --armor");
    cmd.append(" --trust-model=always");
    for (unsigned int i = 0; i < peopleToSendTo.size(); i++) {
        cmd.append(" -r");
        cmd.append(peopleToSendTo.at(i));
    }
  • 48-59. [The architecture diagram with cmd.exe and gpg.exe appended after the NPAPI plugin, walking page content step by step from the page DOM through the content script and view into the plugin and on to cmd.exe and gpg.exe.]
  • 60. Simpler?
  • 61. • alert(1) - and then what? • A tool for automation is needed • Like BeEF, but for exploiting Chrome extensions http://www.flickr.com/photos/josephwuorigami/3165180003/
  • 62. Exploitation • Monitoring tabs • Executing JS in every tab • Extracting HTML • Reading/writing cookies • Manipulating history • Proxy settings
  • 63. Starting the server:
    $ php -v
    PHP 5.3.12 (cli) (built: Jun 7 2012 22:49:42)
    Copyright (c) 1997-2012 The PHP Group
    Zend Engine v2.3.0, Copyright (c) 1998-2012 Zend Technologies
        with Xdebug v2.2.0, Copyright (c) 2002-2012, by Derick Rethans
    $ php server.php 2>command.log
    XSS ChEF server
    by Krzysztof Kotowicz - kkotowicz at gmail dot com
    Usage: php server.php [port=8080] [host=127.0.0.1]
    Communication is logged to stderr, use php server.php [port] 2>log.txt
    2012-07-22 12:40:06 [info] Server created
    2012-07-22 12:40:06 ChEF server is listening on 127.0.0.1:8080
    2012-07-22 12:40:06 [info] [client 127.0.0.1:60431] Connected
    2012-07-22 12:40:06 [info] [client 127.0.0.1:60431] Performing handshake
    2012-07-22 12:40:06 [info] [client 127.0.0.1:60431] Handshake sent
    2012-07-22 12:40:06 New hook c3590977550 from 127.0.0.1...
  • 64. Hook code
  • 65. Console
  • 66. Session selection
  • 67. Payloads
  • 68. Screenshots
  • 69. Questions? • https://github.com/koto/xsschef • krzysztof@kotowicz.net • @kkotowicz
