
Let's pwn a chinese web browser!


Workshop held at Disobey 2019


  1. LET'S PWN A CHINESE WEB BROWSER! DISOBEY 2019 — JUHO NURMINEN
  2. DISCLAIMERS
     I'm not my employer. My opinions aren't necessarily theirs. They haven't contributed to this workshop, do not endorse it, and should not be held responsible for any outcomes.
     The browsers we're about to look at are literally "made in China". Install and run them at your own responsibility. They may invade your privacy, they may install other unwanted software, and they may be difficult to uninstall properly. Using a disposable VM is highly recommended.
     In fact, anything you do in this workshop is at your own responsibility. Even if I tell you to do so. I don't have permission from any vendors and I Am Not A Lawyer.
     Any vulnerabilities you find are yours to keep. I suggest reporting them to the vendor and/or a CERT of your choice. I can help in finding the right contacts, but it's your call.
  3. YOUR INSTRUCTOR
     • Web & mobile hacker — Specialist @ 2NS
     • Browser hacker — several CVEs in Chrome, Firefox, Safari
     • Antivirus hacker — Disobey 2018
  4. CHINESE WEB BROWSERS?
  5. THE TARGETS (market share per StatCounter, Oct 2018)
     Browser         URL                          Windows  macOS  Linux  Android  iOS  Share in China  Share globally
     UC Browser      http://www.ucweb.com/        Yes      No     No     Yes      Yes  15.79 %         7.39 %
     QQ Browser      https://browser.qq.com/      Yes      Yes    No     Yes      No   11 %            0.27 %
     Sogou Explorer  https://ie.sogou.com/        Yes      No     No     Yes      Yes  2.05 %          0.06 %
     Maxthon         http://www.maxthon.com/      Yes      Yes    Yes    Yes      Yes  0.56 %          0.05 %
                     https://browser.360.cn/      Yes      No     No     Yes      Yes  0.17 %          0.03 %
     Baidu Browser   https://liulanqi.baidu.com/  Yes      No     No     Yes      Yes  < 0.06 %        < 0.1 %
  6. INSTALLING MAXTHON ON KALI
     Additional packages: libcurl3 (conflicts with libcurl4), libgcrypt11, libssl1.0.0
     Running as root: maxthon --user-data-dir=userdata --no-sandbox
  7. BROWSER ARCHITECTURE
  8. IE LOGICAL COMPONENTS (diagram from the X41 Browser Security Whitepaper)
  9. CHROME LOGICAL COMPONENTS (diagram from the X41 Browser Security Whitepaper)
  10. CHROME + IE = ??? (diagram by yours truly & mspaint)
  11. SECURITY CONCEPTS
  12. COMPARTMENTALIZATION
     • Web content: Same-Origin Policy & Site Isolation
     • Extensions: Isolated Worlds & Privilege Separation
     • OS/Browser: Privilege Separation, Sandboxing & Hardening
  13. ENCRYPTION
     • Regular web traffic
     • External resources in internal UI
     • Sharing, sync, safe browsing & other APIs
     • Automatic updates
  14. PORT BANNING
     Protects against Inter-Protocol Exploitation
     • IE: 19, 21, 25, 110, 119, 143, 220, 993
     • Chrome: 1, 7, 9, 11, 13, 15, 17, 19, 20, 21, 22, 23, 37, 42, 43, 53, 77, 79, 87, 95, 101, 102, 103, 104, 109, 110, 111, 115, 117, 119, 123, 135, 139, 143, 179, 389, 465, 512, 513, 514, 515, 526, 530, 531, 532, 540, 556, 563, 587, 601, 636, 993, 995, 2049, 3659, 4045, 6000, 6665, 6666, 6667, 6668, 6669, 6697
  15. SAFE BROWSING, SMARTSCREEN & BLACKLISTING
     Blacklisting and reputation-based mechanisms protect against malware & phishing:
     • Malicious & compromised websites
     • Executable and other potentially harmful file types
  16. VULNERABILITIES AND EXPLOITS
  17. ATTACK VECTORS
     • Web content
     • Automatic updates
     • Extensions and built-in extra features
     • File downloads
     • Plugins: PDF, Flash, Java, ActiveX?
  18. SOP BYPASSES
     • Leaky APIs
     • Universal XSS
     • Code execution inside renderer sandbox
     • Accessing privileged APIs via XCS
  19. CROSS-CONTEXT SCRIPTING
     • XSS in a privileged context
     • Access to privileged APIs
     • Additional attack surfaces, pivoting deeper
     • Often leads to RCE
  20. CONTEXT ISOLATION ISSUES
     • Missing context isolation
     • Logic running in wrong contexts
     • Unsafe cross-context messaging
     • Overwriting properties on shared objects
     • Variable clobbering
  21. TOOLS
  22. CHROME DEVTOOLS & F12 DEVELOPER TOOLS
     • Launch from a menu item or press F12
     • Great for exploring the JavaScript environment
     • Debugger is handy, too
  23. PORTSWIGGER'S RENDERING ENGINE HACKABILITY PROBE
     https://portswigger-labs.net/hackability/
     "Rendering Engine Hackability Probe performs a variety of tests to discover what the unknown rendering engine supports."
     Helps you quickly spot non-standard APIs
  24. BADSSL.COM & SSLLABS.COM
     • badssl.com: contains lots of subdomains that should trigger an SSL error
     • SSL Labs' client test: lists the ciphers and other features your SSL client supports
  25. PROCESS EXPLORER, NETSTAT, LSOF...
     • The usual tools that help you understand a native app
     • Figure out what processes an app is launching, what files it's accessing and who it's talking to
     • Is your browser running a TCP server? It probably shouldn't
  26. MITM PROXY APPS & PACKET SNIFFERS
     • Burp Suite, OWASP ZAP, Fiddler, mitmproxy
     • Wireshark, tcpdump
     • Pick your poison
  27. LET'S GET HACKING!
  28. THINGS TO LOOK AT
     • Architecture: Chrome with extras glued on top? Custom browser with Blink? Chrome version?
     • Custom features: What are there? How are they implemented?
     • Error messages: origin, exposed APIs, XCS
     • Browser-internal URI schemes
     • Restricted URI schemes
     • Framing settings pages, error messages?
     • Extensions: Are they supported? WebExtensions or something else? Custom APIs?
     • APIs exposed to web (Hackability & external object)
     • Privileged web pages: Extension gallery? Sync and sharing features?
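The context isolation issues of slide 20 (unsafe cross-context messaging, overwriting properties on shared objects, variable clobbering) are easiest to see in a toy model. The following is an added example written for this page, not code from the workshop or from any of the browsers discussed: a privileged API object shared between a browser-internal UI context and web content, a postMessage-style handler on top of it, and the hardened form that keeps the privileged object in a closure behind a frozen wrapper. All names (makePrivilegedApi, makeUnsafeBridge, makeSafeBridge, handleMessage*, TRUSTED_ORIGINS) and the origins are assumptions; the contexts are simulated with plain objects so it runs in Node.

```javascript
// Added example: toy model of a privileged "bridge" object shared with web content.
// Names and origins are assumptions constructed for illustration.

const TRUSTED_ORIGINS = new Set(['https://settings.browser.invalid']); // constructed

// The privileged API that only the browser's own UI should be able to drive.
function makePrivilegedApi() {
  const calls = [];
  return {
    calls,
    isTrusted(origin) { return TRUSTED_ORIGINS.has(origin); },
    openFile(path) { calls.push('open ' + path); return true; },
  };
}

// Unsafe bridge: the privileged object itself is handed to web content.
function makeUnsafeBridge() { return makePrivilegedApi(); }

// Hardened bridge: privileged object stays in a closure; web content only sees a
// frozen wrapper that performs the origin check itself and whitelists commands.
function makeSafeBridge() {
  const api = makePrivilegedApi();
  return Object.freeze({
    request(origin, cmd, arg) {
      if (!api.isTrusted(origin)) return false;
      if (cmd === 'openFile' && typeof arg === 'string') return api.openFile(arg);
      return false;
    },
    calls() { return api.calls.slice(); },
  });
}

// Handler modelled on window.onmessage. It does check the origin, but through a
// method that lives on a shared, mutable object.
function handleMessageUnsafe(bridge, event) {
  if (!bridge.isTrusted(event.origin)) return false;
  if (event.data && event.data.cmd === 'openFile') return bridge.openFile(event.data.arg);
  return false;
}

// Safe handler: validates the message shape and lets the frozen bridge enforce origin.
function handleMessageSafe(bridge, event) {
  if (!event || !event.data || typeof event.data !== 'object') return false;
  return bridge.request(event.origin, event.data.cmd, event.data.arg);
}

// What a script in web content can do with the shared mutable object.
function demoUnsafe() {
  const bridge = makeUnsafeBridge();
  const evt = { origin: 'https://web.invalid', data: { cmd: 'openFile', arg: '/tmp/demo.txt' } };
  const openedBefore = handleMessageUnsafe(bridge, evt);   // refused: origin not trusted
  bridge.isTrusted = () => true;                           // property overwritten on the shared object
  const openedAfter = handleMessageUnsafe(bridge, evt);    // now accepted
  return { openedBefore, openedAfter };
}

// The same attempt against the frozen wrapper.
function demoSafe() {
  const bridge = makeSafeBridge();
  try { bridge.request = () => true; } catch (e) { /* TypeError in strict mode, ignored otherwise */ }
  const untrusted = { origin: 'https://web.invalid', data: { cmd: 'openFile', arg: '/tmp/demo.txt' } };
  const trusted = { origin: 'https://settings.browser.invalid', data: { cmd: 'openFile', arg: '/tmp/demo.txt' } };
  return {
    openedFromUntrusted: handleMessageSafe(bridge, untrusted),
    openedFromTrusted: handleMessageSafe(bridge, trusted),
    calls: bridge.calls(),
  };
}

console.log(demoUnsafe(), demoSafe());
```

The point of the hardened version is not the frozen object alone: the privileged object never crosses the boundary, the origin check runs on the privileged side, and the command set is an explicit whitelist, so a clobbered global in the web context has nothing to overwrite.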
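Slide 25 suggests checking whether the browser is running a TCP server. As an added example (not part of the workshop material), here is the kind of check that can be scripted over `netstat -tlnp` output: parse the listening sockets, pick out those owned by browser processes, and flag the ones bound to a non-loopback address. The netstat lines, PIDs and the BROWSER_PROCESS_NAMES list are constructed for illustration; real output would come from running netstat on the test VM.

```javascript
// Added example: flag listening TCP sockets owned by browser processes in
// `netstat -tlnp` style output. Sample lines and process names are constructed.

const BROWSER_PROCESS_NAMES = ['maxthon', 'chrome', 'QQBrowser', 'UCBrowser']; // assumed names

const SAMPLE_NETSTAT = `
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      812/cupsd
tcp        0      0 127.0.0.1:20550         0.0.0.0:*               LISTEN      4321/maxthon
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      4388/maxthon
tcp6       0      0 :::22                   :::*                    LISTEN      700/sshd
tcp        0      0 0.0.0.0:9999            0.0.0.0:*               LISTEN      -
`;

// Parse LISTEN rows into { proto, addr, port, pid, program }.
function parseNetstatListeners(text) {
  const out = [];
  for (const raw of text.split('\n')) {
    const f = raw.trim().split(/\s+/);
    if (f.length < 7 || !f[0].startsWith('tcp') || f[5] !== 'LISTEN') continue;
    const local = f[3];
    const idx = local.lastIndexOf(':');        // last colon separates port, also for IPv6
    const addr = local.slice(0, idx);
    const port = Number(local.slice(idx + 1));
    let pid = null, program = '';
    if (f[6] !== '-') {                        // "-" when netstat cannot see the owner
      const parts = f[6].split('/');
      pid = Number(parts[0]);
      program = parts[1] || '';
    }
    out.push({ proto: f[0], addr, port, pid, program });
  }
  return out;
}

function isLoopback(addr) {
  return addr === '::1' || addr.startsWith('127.');
}

// Browser-owned listeners; `exposed` is true when bound beyond loopback.
function findBrowserListeners(text, names = BROWSER_PROCESS_NAMES) {
  const lower = names.map(n => n.toLowerCase());
  return parseNetstatListeners(text)
    .filter(e => lower.includes(e.program.toLowerCase()))
    .map(e => ({ ...e, exposed: !isLoopback(e.addr) }));
}

// Owner-less listeners are worth a second look with lsof or Process Explorer.
function findUnattributedListeners(text) {
  return parseNetstatListeners(text).filter(e => e.pid === null);
}

console.log(findBrowserListeners(SAMPLE_NETSTAT));
console.log(findUnattributedListeners(SAMPLE_NETSTAT));
```

A loopback listener is still interesting (any web page can try to talk to it, which is why port banning exists), but one bound to 0.0.0.0 or :: is reachable from the network and deserves immediate attention.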
