Cross Context Scripting attacks & exploitation

  • 1,849 views
Uploaded on

Cross Context Scripting (XCS) is a type of XSS (Cross Site Scripting) injection which occurs from an untrusted zone, typically a web page on the Internet into the context of a trusted browser …

Cross Context Scripting (XCS) is a type of XSS (Cross Site Scripting) injection which occurs from an untrusted zone, typically a web page on the Internet into the context of a trusted browser zone.

XSS injection in a trusted browser zone can be 'lethal', as injected payload runs as privileged code. No SOP (Same-Origin Policy) restrictions are enforced and direct interfacing with the underlying OS is possible.

To exploit such bugs, there is no need to use ROP gadgets, spray the heap or attempt other complex techniques. At the opposite, only few elements are required for a successful exploit, such as the right injection point and a tailored exploit payload.

This presentation will examine XCS in details and will provide a demonstration of XCS exploits of both unpatched and patched vulnerabilities in Firefox, Opera, Maxthon and Avant browsers.

More in: Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
1,849
On Slideshare
0
From Embeds
0
Number of Embeds
1

Actions

Shares
Downloads
31
Comments
0
Likes
0

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide
  • http://www.gnucitizen.org/blog/cross-context-scripting-with-sage/http://mozdev.org/pipermail/greasemonkey/2005-July/004022.html
  • Split in two slides
  • Increase font size for each screen shot
  • Bug id 288164 -> in the thread, no one mentions about the fact that chrome:// is used by addons too and not just within the bookmark zoneRef: https://bug338459.bugzilla.mozilla.org/attachment.cgi?id=222524http://www.agarri.fr/op00.html

Transcript

  • 1. From alert(‗xss‘) to Meterpreter with a single click Roberto Suggi Liverani Ruhr-Universität Bochum HackPra 2012/2013 1
  • 2. Who am I? A guy who likes to find bugs  Speaker at various cons:  DefCON, EUSecWest, HITB, OWASP Twitter: @malerisch Research blog: blog.malerisch.net 2
  • 3. Outline Cross Context Scripting (XCS) Past research Recent discoveries Further attack surface 3
  • 4. Cross Context Scripting (XCS) 4
  • 5. Some concepts Same origin policy (SOP)  Policy designed to govern interaction between different web sites ○ Domain name ○ Application protocol ○ Port W3C definition  Although the same-origin policy differs between APIs, the overarching intent is to let users visit untrusted web sites without those web sites interfering with the users session with honest web sites 5
  • 6. Cross Context Scripting (XCS) XCS or Cross-zone scripting  Cross Zone Scripting coined for IE http://en.wikipedia.org/wiki/Cross-zone_scripting  XCS coined for Firefox and injection in chrome:// What is XCS?  An XSS in a privileged browser zone  An indirect Same-Origin Policy (SOP) bypass ? Each browser has a trusted/privileged zone:  FF - chrome://  Chrome - chrome://  Opera - opera://  Maxthon - mx://  Avant - browser:// 6
  • 7. 7
  • 8. XCS Browser privileged/trusted zone  Access to internal API interfaces: ○ Browser  Browser settings  Bookmarks, storage, etc. ○ OS  File system – I/O  Example ○ Firefox model  Firefox addons can run privileged code 8
  • 9. FF Addon Example - FireFTP 9
  • 10. Google Chrome – SettingsPage 10
  • 11. Opera History 11
  • 12. XCS exploitation XCS exploits are 100% reliable  No memory corruption Trusted zone  Allows possible direct or indirect invokation of special functions/objects Challenge  1st - find injection point in trusted zone  2nd - make use of privileged functions/object to achieve code execution 12
  • 13. Past Research 13
  • 14. Past research Pioneers  2005 - Mark Pilgrim - Greasemonkey bug  2006 - Pdp & Michael Daw – publishing Sage xss  2008 - Kuza55 & Stefano Di Paola – Attacking rich internet applications – Tamper Data XSS demo My research  Opera XSS found in opera:history ○ RCE exploit in opera:config (Kuza55 / Stefano Di Paola / Aviv Raff)  Firefox extensions research with Nick Freeman ○ Multiple RCE exploits released in FF extensions 14
  • 15. Opera XSS history (1/3) Opera XSS history – CVE 2008-4696 Metasploit - egypt, # msf module Step 1 - Injection in opera:history via the fragment part 15
  • 16. Opera XSS Exploit (2/3) Step 2 - Force redirection to opera:history to trigger execution  Note : SOP bypass 16
  • 17. Opera XSS Exploit (3/3) Step 3 – Execute exploit payload 17
  • 18. DEMOhttp://www.youtube.com/watch?v=IFejbd03 jls 18
  • 19. Firefox extensions Firefox and extensions security model  Extension code is fully trusted by Firefox  No security boundaries between extensions  Extensions vulnerabilities are platform independent  Lack of security policies to allow/deny Firefox access to internal API, XPCOM components, etc. After 3 years…  No much change  A vulnerable extension can still be used to compromise a system 19
  • 20. Cool Previews Vulnerable version: 2.7.2 Injection point: ○ Add to stack function (right-click) Exploit:  Link with a data: uri + base64 encoded payload ○ <a href=‗data:text/html,base64;payload‘>A</a> 20
  • 21. Remote Code Execution Invoking cmd.exe 21
  • 22. DEMOhttp://www.youtube.com/watch?v=7dJPOR acvXg 22
  • 23. FireFTP Vulnerable version: <1.1.4 Injection point:  Server‘s welcome message Exploit:  Simple HTML and JavaScript payload directly evaluated in chrome:// 23
  • 24. Feed Sidebar Vulnerable version: 3.2 Injection point:  RSS feed Exploit:  Use of data: uri + base64 encoded payload ○ &lt;iframe src=&quot;data:text/html;base64,base64enco dedjavascript&quot;&gt;&lt;/iframe&gt; 24
  • 25. Sage Vulnerable Version: <=1.4.3 Injection point:  RSS feed <description> and <link> tags Exploit:  Use of HTML encoded JavaScript payload ○ <description>&lt;script&gt;dosomethingbad();&lt;sc ript&gt;</description>  Use of data: uri + base64 encoded payload ○ <link>data:text/html;base64,payload</link> 25
  • 26. InfoRSS Vulnerable version: <= 1.1.4.2 Injection point:  RSS feed <description> tag Exploit:  Use of data: uri + base64 encoded payload ○ &lt;iframe src=&quot;data:text/html;base64,base64enco dedjavascript&quot;&gt;&lt;/iframe&gt 26
  • 27. Yonoo Vulnerable Version: 6.1.1 Injection point:  Drag & dropping a malicious image into the preview window Exploit:  Use event handler e.g. onload ○ <img src=‗http://somewebsite.tld/lolcatpicture.jpg‘ onLoad=‗evilJavaScript‘> 27
  • 28. Password stealing 28
  • 29. Local File Disclosure 29
  • 30. Compromising NoScript Whitelisting malicious site 30
  • 31. Reverse VNC using XHR 31
  • 32. Recent Discoveries 32
  • 33. Maxthon – case study Developed by: Maxthon International (China) Architecture ○ Supports Trident and Webkit layout engines ○ Focus on performance and extra features Some stats - according to Maxthon  130 million users  Users spread over 120 countries  500,000,000 downloads in 2k10 33
  • 34. Maxthon: XCS via location.hash Status: UNPATCHED! Maliciouspage.html – performs redirection Injected payload executes in about:history 34
  • 35. Maxthon: XCS via RSS Status: UNPATCHED! Injection via <title>, <link>, <description> tags 35
  • 36. Exploitation issues Maxthon major changes  DOM Program object removed in latest versions ○ Cannot invoke exe directly anymore ○ Can only read/write files via maxthon.io Personal exploit challenge  No user interaction  Targets: Windows XP and Windows 7 36
  • 37. XCS Exploit – Windows XP Windows XP  Overwrite any exe which can be directly invoked via HTML/Javascript ○ e.g. Outlook express (wab.exe)  Then use window.location=―ldap://blabla‖ Works perfectly!  37
  • 38. XCS Exploit – Windows 7 In Windows 7 (universal approach)  User is prompted using WinXP approach  Overwrite registry hives?  Touch registry?  Dirty approach but effective: ○ Overwrite one of the exe when Java applet is rendered ○ jp2launcher.exe is a good candidate  Then point to an iframe with a java applet = WIN!  38
  • 39. Metasploit modules https://github.com/malerisch/metasploit- framework/blob/maxthon3/modules/exploits/windows/browser/maxt hon_history_xcs.rb https://github.com/malerisch/metasploit- framework/blob/maxthon3/modules/exploits/windows/browser/maxt hon_rss_xcs.rb 39
  • 40. DEMO Maxthon – about:historyhttp://www.youtube.com/watch?v=N- 5BkgJX8sI 40
  • 41. Demo Maxthon XCS – RSShttp://www.youtube.com/watch?v=d- 55asVLqNI 41
  • 42. Maxthon: Trusted site overHTTP Status: PATCHED i.maxthon.com  sets privileged DOM objects ○ runtime ○ maxthon 42
  • 43. Exploit Leveraging XSS in a trusted ―internet‖ page Design Issues  i.maxthon.com = trusted domain  i.maxthon.com allows direct access to privileged APIs  No control on resolution of IP address  No use of SSL MiTM Bug  DNS poisoning ○ Force resolution of i.maxthon.com to a controlled IP address  HTTP MiTM ○ i.maxthon.com served over HTTP – malicious proxy which alters page content Other implications  XSS in real i.maxthon.com site 43
  • 44. DEMO – i.maxthon.com (DNS compromised)http://www.youtube.com/watch?v=1IqZBS0 O2Hs 44
  • 45. Avant Browser Avant Browser - Avant Force (China)  Custom web browser application  Designed to expand services provided by IE Two versions: lite (only IE) & ultimate (IE, FF, Chrome) More downloads than Chrome, IE and Opera in CNET 45
  • 46. A bit about Avant (1/3) Firefox wrapped version Arguments passed to firefox.exeAvant.exe- parent offirefox.exe 46
  • 47. A bit about Avant (2/3) Interesting files  "C:Program FilesAvant Browserres" folder: Observations  home.tpl is rendered at browser:home  rss.tpl is rendered at browser://localhost/lst?url/path/to/rss/feed  Such pages use privileged JavaScript function window.AFRunCommand()  Pages provided examples on how to call privileged functions and aided exploitation 47
  • 48. A bit about Avant (3/3) Testing AFRunCommand()  Undocumented Avant browser function  Try{}/Catch{} no output  Bruteforce only option – passing a single parameter: ○ 60003 - window.external.HistoryUrls() - [used in exploit] ○ 60011 - prompt for download ○ 10021 - add to ad block specified site ○ 3 - spawns an empty tab ○ 10010 - reloads the page ○ 10013 - search for keywords ○ 10014 - pop up blocker ○ 10016 - download a video (argument passed as URL) ○ 10017 - add task for download scheduler ○ 10025 - search keywords 48
  • 49. Avant Browser – SOP Bypass Status: UNPATCHED! Works if Firefox is set as the rendering engine 49
  • 50. Avant BeEF Modulehttps://github.com/malerisch/beef/tree/avant_browser/modules/exploits/avant_steal_ history 50
  • 51. DEMO – BeEF Module In Actionhttp://www.youtube.com/watch?v=I4LiSfT muM0 51
  • 52. Avant Browser – XCS inbrowser:home Status: UNPATCHED Injection via <title> HTML element  Cross Site Scripting Payload Rendered In browser:home Privileged Zone 52
  • 53. DEMO – Avant Browser – XCS in browser:home via <title>http://www.youtube.com/watch?v=cHHtsO pYGH4 53
  • 54. Avant Browser – Stored XSSvia RSS Injection via <title>, <link> and <description> tags 54
  • 55. DEMO – Avant Browser – RSS Stored XSS http://www.youtube.com/watch?v=- mShxsspxy8 55
  • 56. Further attack surface 56
  • 57. Injection in bookmarks Attack based on:  Origin inheritance – injection using javascript: uri  Input validation – injecting into bookmark trusted zone Injection via bookmarks using javascript:  Ancient bug reported in 2k5 by M. Krax  User is lured into bookmarking a malicious javascript: URI + payload User clicks on malicious bookmark  Focus on standard web page – Impact: XSS  Focus on privileged browser zone – Impact: XCS Many ways to fool users:  Security controls on status bar can be partially fooled  JavaScript can be compressed and obfuscated 57
  • 58. javascript: I invented the javascript: URL along with JavaScript in 1995, and intended that javascript: URLs could be used as any other kind of URL, including being bookmark-able. In particular, I made it possible to generate a new document by loading, e.g. javascript:hello, world, but also (key for bookmarklets) to run arbitrary script against the DOM of the current document, e.g.javascript:alert(document.links[0].href). The difference is that the latter kind of URL uses an expression that evaluates to the undefined type in JS. I added the void operator to JS before Netscape 2 shipped to make it easy to discard any non-undefined value in a javascript: URL. —Brendan Eich 58
  • 59. Firefox Case Firefox 10.0.2 vulnerable  Malicious bookmark clicked while using an extension (from chrome://)  Payload will execute in chrome:// Issue fixed in FF >11 59
  • 60. Demo – Firefox XCS via bookmarkhttp://www.youtube.com/watch?v=gSuLV9 RjhGQ 60
  • 61. Opera Opera 12.10  javascript: can be bookmarked  Origin inheritance - opera:config vulnerable to XCS if javascript:// bookmarklet is triggered  Mail app handler can be set with a UNC path e.g. myremotemeterpreter.exe 61
  • 62. Demo – Opera XCS via Bookmarkshttp://www.youtube.com/watch?v=wWtLHi 4Imr4 62
  • 63. Maxthon - XCS in bookmarks 63
  • 64. Demo – Maxthon XCS in bookmarkshttp://www.youtube.com/watch?v=YR0RQ z45t3M 64
  • 65. Conclusions More browser capability/functionality  increased attack surface for XCS Untrusted content - rendering options  about:blank Security model for extensions/addons  Sandbox 65
  • 66. Questions? Roberto Suggi Liverani - @malerisch blog.malerisch.net 66
  • 67. References Blog – Roberto Suggi Liverani  http://blog.malerisch.net/ Twitter account - @malerisch  https://twitter.com/malerisch Security-Assessment.com Research  http://www.security- assessment.com/page/archive.htm Nick Freeman – Publications  http://atta.cked.me/publications 67
  • 68. References Cross Context Scripting with Firefox - http://malerisch.net/docs/cross_context_scr ipting/cross_context_scripting_with_firefox. pdf Opera - XCS in opera:history http://malerisch.net/docs/advisories/opera_ stored_cross_site_scripting.html Firefox addon Coolpreviews – XCS - http://malerisch.net/docs/advisories/coolpre views_chrome_privileged_code_injection.h tml 68
  • 69. References Firefox addon Update Scanner - XCS - http://malerisch.net/docs/advisories/updatesca nner_chrome_privileged_code_injection.html Exploiting XCS in Firefox - http://www.security- assessment.com/files/whitepapers/Exploiting_ Cross_Context_Scripting_vulnerabilities_in_Fir efox.pdf HITB2012AMS - Browser Bug Hunting in 2012 - http://www.security- assessment.com/files/documents/presentation s/window_shopping_browser_bug_hunting_in _2012_roberto_suggi_liverani_scott_bell.pdf 69