I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions

7,276 views

Published on

My OWASP AppSec Europe 2013 talk.

Published in: Technology, Design
0 Comments
5 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
7,276
On SlideShare
0
From Embeds
0
Number of Embeds
69
Actions
Shares
0
Downloads
84
Comments
0
Likes
5
Embeds 0
No embeds

No notes for slide

I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions

  1. 1. Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP http://www.owasp.org I'm in ur browser, pwning your stuff Attacking (with) Google Chrome extensions Krzysztof Kotowicz SecuRing kkotowicz@securing.pl
  2. 2. OWASP About me Security research client side security HTML5 UI redressing Chrome extensions Black Hat USA, BruCON, Hack in Paris, CONFidence, ... IT security consultant @ SecuRing web app, mobile pentests security code reviews 2
  3. 3. OWASP Plan 3 Chrome Extensions architecture Exploiting legacy (v1) extensions Manifest v2 fixes Exploiting v2 extensions "Break The Batman Part 3" by Eric Merced / Eric Merced aka stickfiguredancer
  4. 4. OWASP Chrome Extensions  Not plugins (Java, Flash, ...)  HTML5 applications  html, javascript, css Installed from Chrome Web Store  Access to privileged API  chrome.tabs  chrome.bookmarks  chrome.history  chrome.cookies 4
  5. 5. OWASP Chrome Extensions - components  UI pages  background page  option pages  extension UI Content scripts  run alongside website  interaction with websites 5
  6. 6. OWASP 6 Diagram by Wade Alcorn. Thanks!
  7. 7. OWASP Chrome Extensions - manifest Manifest lists permissions, UI pages, content scripts 7 { "manifest_version": 2, "name": "Sample Extension", "content_scripts": [ { "matches": ["http://www.google.com/*"], "js": ["jquery.js", "myscript.js"] } ], "background": { "page": "background.html" }, "permissions": [ "tabs", "bookmarks", "cookies" "http://*/*", "https://*/*", ] }
  8. 8. OWASP Chrome Extensions - restrictions 8 scheme websites chrome API UI page content script chrome- extension:// - ✔ limited by permissions http:// ✔ limited by URL -
  9. 9. OWASP Isolated worlds 9 DOM content script JS website JS
  10. 10. OWASP Exploiting v1 extensions 10
  11. 11. OWASP UI page DOM XSS  content-script takes data off website DOM  sends it to UI page  view fails to escape data upon viewing it  cross-zone DOM XSS 11
  12. 12. OWASP 12
  13. 13. OWASP 12
  14. 14. OWASP 12
  15. 15. OWASP UI page DOM XSS  Consequences  XSS in chrome-extension://  access to chrome.* API 13 Slick RSS: feed finder 1.3 document.getElementById("heading").innerHTML = "Subscribed to '<strong>" + title + "</strong>'";
  16. 16. OWASP UI page DOM XSS  Consequences  XSS in chrome-extension://  access to chrome.* API 13 <link rel="alternate" type="application/rss+xml" title="hello <img src=x onerror='payload'>" href="/rss.rss"> Slick RSS: feed finder 1.3 document.getElementById("heading").innerHTML = "Subscribed to '<strong>" + title + "</strong>'";
  17. 17. OWASP Exploiting UI page XSS  Chrome Extension Exploitation Framework  BEEF for Chrome extensions 14 https://github.com/koto/xsschef
  18. 18. OWASP XSS ChEF 15
  19. 19. OWASP XSS ChEF 16
  20. 20. OWASP XSS ChEF 17
  21. 21. OWASP XSS ChEF 18
  22. 22. OWASP Chrome extensions v1 summary  UI page XSS is very common  note taking  developer tools  RSS readers  Each XSS has big impact  How do you eradicate XSS without relying on developers? 19
  23. 23. OWASP 20
  24. 24. OWASP Manifest v2 fixes 21
  25. 25. OWASP Manifest v2 22  Content Security Policy obligatory for UI pages  no eval()  no inline scripting  no external scripts  XSS exploitation very difficult  Manifest v1 extensions slowly deprecating  Jan 2014 - Chrome stops running them  All fixed? script-src 'self'; object-src 'self'
  26. 26. OWASP Exploiting v2 extensions 23
  27. 27. OWASP UI page XSS - new vectors  eval() used in JS templating libraries  mustachejs  underscorejs  jQuery template  hoganjs  ...  Possible to relax CSP to allow unsafe-eval  Some extensions use it 24
  28. 28. OWASP Content script XSS  Content scripts not subject to CSP  Go figure... 25
  29. 29. OWASP 26
  30. 30. OWASP 26
  31. 31. OWASP 26
  32. 32. OWASP Content script XSS  XSS in http://  chrome-extension CSP bypass  access to DOM  access to cookies 27
  33. 33. OWASP As sexy as self XSS... 28
  34. 34. OWASP Content script XSS  website CSP bypass  “Content scripts can also make cross-site XMLHttpRequests to the same sites as their parent extensions”  http://developer.chrome.com/extensions/ content_scripts.html 29
  35. 35. OWASP Content script XSS  website CSP bypass  “Content scripts can also make cross-site XMLHttpRequests to the same sites as their parent extensions”  http://developer.chrome.com/extensions/ content_scripts.html 29 "permissions": [ "http://*/*", "https://*/*", ]
  36. 36. OWASP Content script XSS  website CSP bypass  “Content scripts can also make cross-site XMLHttpRequests to the same sites as their parent extensions”  http://developer.chrome.com/extensions/ content_scripts.html 29 "permissions": [ "http://*/*", "https://*/*", ] 40%
  37. 37. OWASP Content script XSS  Introducing Mosquito  (Another) Chrome Extension XSS Exploitation tool  XSS-Proxy for the new era 30 http://www.growingherbsforbeginners.com/growing-herbs-for-mosquito-season/ https://github.com/koto/mosquito
  38. 38. OWASP Mosquito 31 XSS ws:// HTTP/S proxy  inspired by MalaRIA by Erlend Oftedal  and BeEF tunneling proxy by @antisnatchor x = new XMLHttpRequest(); x.open("GET", 'http://gmail.com', false); x.setRequestHeader('X-Mosquito', 'yeah!'); x.send(null); GET http://gmail.com HTTP/1.1 Host: gmail.com X-Mosquito: yeah!
  39. 39. OWASP DEMO TIME  v 1.0.3.3  https://chrome.google.com/webstore/detail/ anydo/kdadialhpiikehpdeejjeiikopddkjem  0.5 mln users  found by Sergey Belov 32
  40. 40. OWASP NPAPI plugins vulnerabilities  UI page gets the payload  Forwards it to NPAPI plugin  Binary vulnerability in plugin  buffer overflow  command injection  ...  Code run with OS user permission  No sandbox! 33
  41. 41. OWASP 34
  42. 42. OWASP 34
  43. 43. OWASP 34
  44. 44. OWASP 34
  45. 45. OWASP NPAPI plugins vulnerabilities 35 FB::variant gmailGPGAPI::encryptMessage(const FB::variant& recipients,const FB::variant& msg) { string gpgFileLocation = """+m_appPath +"gpg.exe" "; //... vector<string> peopleToSendTo = recipients.convert_cast<vector<string> >(); string cmd = "c:windowssystem32cmd.exe /c "; cmd.append(gpgFileLocation); cmd.append("-e --armor"); cmd.append(" --trust-model=always"); for (unsigned int i = 0; i < peopleToSendTo.size(); i++) { cmd.append(" -r"); cmd.append(peopleToSendTo.at(i)); } cmd.append(" --output "); CR-GPG 0.7.4
  46. 46. OWASP NPAPI plugins vulnerabilities 35 FB::variant gmailGPGAPI::encryptMessage(const FB::variant& recipients,const FB::variant& msg) { string gpgFileLocation = """+m_appPath +"gpg.exe" "; //... vector<string> peopleToSendTo = recipients.convert_cast<vector<string> >(); string cmd = "c:windowssystem32cmd.exe /c "; cmd.append(gpgFileLocation); cmd.append("-e --armor"); cmd.append(" --trust-model=always"); for (unsigned int i = 0; i < peopleToSendTo.size(); i++) { cmd.append(" -r"); cmd.append(peopleToSendTo.at(i)); } cmd.append(" --output "); CR-GPG 0.7.4 -----BEGIN PGP MESSAGE----- Version: GnuPG v1.4.10 (GNU/ Linux) hQIOA5iUCyMfX/ D2EAgAhikRs40xo05gNu9XSIO2jrjTI ShwfWK2d7+9xlv9UjDN ... -----END PGP MESSAGE-----
  47. 47. OWASP Bonus  CSP bypass through filesystem: API  Filesystem API - virtual filesystem for HTML app  filesystem:http://example.com/file.png  filesystem:chrome-extension://<id>/path.html  Postman - REST client  v 0.8.1  180K users  including @webtonull 36
  48. 48. OWASP Summary  Chrome extensions v2 still XSSable  CSP should be treated as mitigation, not prevention  New tools for attack 37
  49. 49. OWASP EOF  @kkotowicz  http://blog.kotowicz.net  https://github.com/koto  More research:  Kyle Osborn, Matt Johansen – Hacking Google ChromeOS (Black Hat 2011)  http://www.eecs.berkeley.edu/~afelt/extensionvulnerabilities.pdf  http://kotowicz.net/bh2012/advanced-chrome-extension- exploitation-osborn-kotowicz.pdf  Thanks: @0x[0-9a-f]{10}, @webtonull, @wisecwisec, @johnwilander, @garethheyes, @antisnatchor, @freddyb,@internot_, @pdjstone, .... 38

×