Cross Context Scripting (XCS) is a type of XSS (Cross Site Scripting) injection which occurs from an untrusted zone, typically a web page on the Internet, into the context of a trusted browser zone. XSS injection in a trusted browser zone can be lethal, as the injected payload runs as privileged code: no SOP (Same-Origin Policy) restrictions are enforced and direct interfacing with the underlying OS is possible. To exploit such bugs there is no need to use ROP gadgets, spray the heap or attempt other complex techniques. On the contrary, only a few elements are required for a successful exploit, such as the right injection point and a tailored exploit payload. This presentation examines XCS in detail and demonstrates XCS exploits for both unpatched and patched vulnerabilities in Firefox, Opera, Maxthon and Avant browsers.
CROSS CONTEXT SCRIPTING (XCS) ATTACKS & EXPLOITATION
From alert('xss') to Meterpreter with a single click
Roberto Suggi Liverani
Ruhr-Universität Bochum
HackPra 2012/2013
Who am I?
A guy who likes to find bugs
Speaker at various cons: DefCON, EUSecWest, HITB, OWASP
Twitter: @malerisch
Research blog: blog.malerisch.net
Outline
Cross Context Scripting (XCS)
Past research
Recent discoveries
Further attack surface
Cross Context Scripting (XCS)
Some concepts: Same Origin Policy (SOP)
Policy designed to govern interaction between different web sites. An origin is identified by:
○ Domain name (host)
○ Application protocol (scheme)
○ Port
W3C definition: "Although the same-origin policy differs between APIs, the overarching intent is to let users visit untrusted web sites without those web sites interfering with the user's session with honest web sites."
Cross Context Scripting (XCS)
XCS or Cross-zone scripting
○ "Cross Zone Scripting" was coined for IE: http://en.wikipedia.org/wiki/Cross-zone_scripting
○ "XCS" was coined for Firefox and injection into chrome://
What is XCS?
○ An XSS in a privileged browser zone
○ An indirect Same-Origin Policy (SOP) bypass?
Each browser has a trusted/privileged zone:
○ FF - chrome://
○ Chrome - chrome://
○ Opera - opera://
○ Maxthon - mx://
○ Avant - browser://
XCS
Browser privileged/trusted zone
Access to internal API interfaces:
○ Browser: browser settings, bookmarks, storage, etc.
○ OS: file system I/O
Example: Firefox model
○ Firefox addons can run privileged code
FF Addon Example - FireFTP
Google Chrome – Settings Page
Opera History
XCS exploitation
XCS exploits are 100% reliable
○ No memory corruption
Trusted zone
○ Allows direct or indirect invocation of special functions/objects
Challenge
○ 1st - find an injection point in the trusted zone
○ 2nd - make use of privileged functions/objects to achieve code execution
Past Research
Past research
Pioneers
○ 2005 - Mark Pilgrim - Greasemonkey bug
○ 2006 - pdp & Michael Daw – publishing Sage XSS
○ 2008 - Kuza55 & Stefano Di Paola – Attacking Rich Internet Applications – Tamper Data XSS demo
My research
○ Opera XSS found in opera:history
  ○ RCE exploit in opera:config (Kuza55 / Stefano Di Paola / Aviv Raff)
○ Firefox extensions research with Nick Freeman
  ○ Multiple RCE exploits released in FF extensions
Opera XSS history (1/3)
Opera XSS history – CVE-2008-4696
Metasploit module by 'egypt'
Step 1 - Injection in opera:history via the fragment part
Opera XSS Exploit (2/3)
Step 2 - Force redirection to opera:history to trigger execution
Note: SOP bypass
Opera XSS Exploit (3/3)
Step 3 – Execute exploit payload
DEMO
http://www.youtube.com/watch?v=IFejbd03jls
Firefox extensions
Firefox and extensions security model
○ Extension code is fully trusted by Firefox
○ No security boundaries between extensions
○ Extension vulnerabilities are platform independent
○ Lack of security policies to allow/deny extension access to internal APIs, XPCOM components, etc.
After 3 years…
○ Not much change
○ A vulnerable extension can still be used to compromise a system
Cool Previews
Vulnerable version: 2.7.2
Injection point:
○ "Add to stack" function (right-click)
Exploit: link with a data: URI + base64 encoded payload
○ <a href='data:text/html;base64,payload'>A</a>
Remote Code Execution
Invoking cmd.exe
DEMO
http://www.youtube.com/watch?v=7dJPORacvXg
FireFTP
Vulnerable version: < 1.1.4
Injection point:
○ Server's welcome message
Exploit: simple HTML and JavaScript payload directly evaluated in chrome://
Feed Sidebar
Vulnerable version: 3.2
Injection point:
○ RSS feed
Exploit: data: URI + base64 encoded payload
○ <iframe src="data:text/html;base64,base64encodedjavascript"></iframe>
Sage
Vulnerable version: <= 1.4.3
Injection point:
○ RSS feed <description> and <link> tags
Exploit: HTML encoded JavaScript payload
○ <description><script>dosomethingbad();</script></description>
Exploit: data: URI + base64 encoded payload
○ <link>data:text/html;base64,payload</link>
InfoRSS
Vulnerable version: <= 1.1.4.2
Injection point:
○ RSS feed <description> tag
Exploit: data: URI + base64 encoded payload
○ <iframe src="data:text/html;base64,base64encodedjavascript"></iframe>
Yonoo
Vulnerable version: 6.1.1
Injection point:
○ Drag & dropping a malicious image into the preview window
Exploit: event handler, e.g. onload
○ <img src='http://somewebsite.tld/lolcatpicture.jpg' onLoad='evilJavaScript'>
Password stealing
Local File Disclosure
Compromising NoScript
Whitelisting malicious site
Reverse VNC using XHR
Recent Discoveries
Maxthon – case study
Developed by: Maxthon International (China)
Architecture
○ Supports Trident and WebKit layout engines
○ Focus on performance and extra features
Some stats - according to Maxthon
○ 130 million users
○ Users spread over 120 countries
○ 500,000,000 downloads in 2010
Maxthon: XCS via location.hash
Status: UNPATCHED!
Maliciouspage.html – performs the redirection to about:history with the payload in the fragment
Injected payload executes in about:history
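The location.hash injection pattern behind both the opera:history bug above and this about:history bug, written up as an added example for this page (not code from the talk, from Opera or from Maxthon): a privileged history page that builds its heading from the fragment by string concatenation, the attacker page's redirect URL, and the escaping fix. The "History search" markup and every function name are assumptions for illustration.

```javascript
// Added example (not code from the talk or from any browser): the
// location.hash injection pattern behind the opera:history and
// about:history bugs. The privileged page's markup, the "History search"
// heading and all function names are assumptions for illustration.

// Attacker side: a web page redirects the victim into the privileged
// zone with the payload carried in the fragment. Fragments never reach
// a server, so only script running in the privileged page sees them.
function buildAttackUrl(privilegedUrl, payload) {
  return privilegedUrl + '#' + encodeURIComponent(payload);
}

// Privileged page side: read the fragment back. Whether location.hash is
// percent-decoded differs between engines; a page that decodes it must
// treat the result as untrusted input, like any query parameter.
function fragmentOf(url) {
  const i = url.indexOf('#');
  return i === -1 ? '' : decodeURIComponent(url.slice(i + 1));
}

// Vulnerable rendering: the fragment is concatenated into markup that
// ends up in innerHTML, so it can carry tags and event handlers.
function renderHistoryVulnerable(term) {
  return '<h1>History search: ' + term + '</h1>';
}

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened rendering: same output shape, but the fragment is escaped
// before it becomes markup (equivalently, assign it via textContent).
function renderHistorySafe(term) {
  return '<h1>History search: ' + escapeHtml(term) + '</h1>';
}

// Check used below: does the rendered markup still contain a script tag
// or an inline event handler attribute that came from the input?
function containsActiveContent(html) {
  return /<script\b|<\w+[^>]*\son\w+\s*=/i.test(html);
}

const demoPayload = '<img src=x onerror="alert(\'xcs\')">';
const demoUrl = buildAttackUrl('about:history', demoPayload);
const demoTerm = fragmentOf(demoUrl);
console.log(demoUrl);
console.log(renderHistoryVulnerable(demoTerm));
console.log(renderHistorySafe(demoTerm));
```

The attacker never needs the victim to type anything: the redirect to the privileged URL carries the payload, and the privileged page injects it into itself. The fix is the same as for any DOM-based XSS, with the difference that here the consequence of getting it wrong is privileged code execution rather than a same-origin script.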
Maxthon: XCS via RSS
Status: UNPATCHED!
Injection via <title>, <link> and <description> tags
Exploitation issues
Maxthon major changes
○ DOM Program object removed in latest versions
○ Cannot invoke an exe directly anymore
○ Can only read/write files via maxthon.io
Personal exploit challenge
○ No user interaction
○ Targets: Windows XP and Windows 7
XCS Exploit – Windows XP
Overwrite any exe which can be directly invoked via HTML/JavaScript
○ e.g. Outlook Express (wab.exe)
Then use window.location="ldap://blabla" to launch it
Works perfectly!
XCS Exploit – Windows 7
In Windows 7 (universal approach)
○ User is prompted when using the WinXP approach
○ Overwrite registry hives? Touch the registry?
○ Dirty approach but effective:
  ○ Overwrite one of the exes run when a Java applet is rendered
  ○ jp2launcher.exe is a good candidate
  ○ Then point to an iframe with a Java applet = WIN!
Metasploit modules
https://github.com/malerisch/metasploit-framework/blob/maxthon3/modules/exploits/windows/browser/maxthon_history_xcs.rb
https://github.com/malerisch/metasploit-framework/blob/maxthon3/modules/exploits/windows/browser/maxthon_rss_xcs.rb
DEMO
Maxthon – about:history
http://www.youtube.com/watch?v=N-5BkgJX8sI
Demo
Maxthon XCS – RSS
http://www.youtube.com/watch?v=d-55asVLqNI
Maxthon: Trusted site over HTTP
Status: PATCHED
i.maxthon.com sets privileged DOM objects:
○ runtime
○ maxthon
Exploit: leveraging XSS in a trusted "internet" page
Design issues
○ i.maxthon.com = trusted domain
○ i.maxthon.com allows direct access to privileged APIs
○ No control on resolution of the IP address
○ No use of SSL
MiTM bug
○ DNS poisoning: force resolution of i.maxthon.com to a controlled IP address
○ HTTP MiTM: i.maxthon.com is served over HTTP – a malicious proxy alters the page content
Other implications
○ Any XSS in the real i.maxthon.com site
DEMO – i.maxthon.com (DNS compromised)
http://www.youtube.com/watch?v=1IqZBS0O2Hs
Avant Browser
Avant Browser - Avant Force (China)
○ Custom web browser application designed to expand the services provided by IE
○ Two versions: Lite (only IE) & Ultimate (IE, FF, Chrome)
○ More downloads than Chrome, IE and Opera on CNET
A bit about Avant (1/3)
Firefox wrapped version
○ Arguments passed to firefox.exe
○ Avant.exe - parent of firefox.exe
A bit about Avant (2/3)
Interesting files
○ "C:\Program Files\Avant Browser\res" folder
Observations
○ home.tpl is rendered at browser:home
○ rss.tpl is rendered at browser://localhost/lst?url/path/to/rss/feed
○ Such pages use the privileged JavaScript function window.AFRunCommand()
○ The pages provided examples of how to call privileged functions and aided exploitation
A bit about Avant (3/3)
Testing AFRunCommand()
○ Undocumented Avant browser function
○ try{}/catch{} gives no output
○ Bruteforce is the only option – passing a single parameter:
  ○ 60003 - window.external.HistoryUrls() - [used in exploit]
  ○ 60011 - prompt for download
  ○ 10021 - add specified site to ad block
  ○ 3 - spawns an empty tab
  ○ 10010 - reloads the page
  ○ 10013 - search for keywords
  ○ 10014 - pop up blocker
  ○ 10016 - download a video (argument passed as URL)
  ○ 10017 - add task for download scheduler
  ○ 10025 - search keywords
Avant Browser – SOP Bypass
Status: UNPATCHED!
Works if Firefox is set as the rendering engine
Avant BeEF Module
https://github.com/malerisch/beef/tree/avant_browser/modules/exploits/avant_steal_history
DEMO – BeEF Module In Action
http://www.youtube.com/watch?v=I4LiSfTmuM0
Avant Browser – XCS in browser:home
Status: UNPATCHED
Injection via the <title> HTML element
Cross Site Scripting payload rendered in the browser:home privileged zone
DEMO – Avant Browser – XCS in browser:home via <title>
http://www.youtube.com/watch?v=cHHtsOpYGH4
Avant Browser – Stored XSS via RSS
Injection via <title>, <link> and <description> tags
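The RSS injection path shared by the Feed Sidebar, Sage and InfoRSS cases earlier in the deck and by the Maxthon and Avant RSS bugs, as an added example written for this page (not code from the talk or from any of those readers): a constructed feed item carrying the data: URI payload, a reader that inserts feed text as markup (the class of mistake behind these bugs) and a hardened reader. The feed content, the regex field extraction and all function names are assumptions; a real reader would use an XML parser.

```javascript
// Added example: how an RSS item with a data: URI payload reaches a
// privileged feed reader, and what the reader should do instead.
// Constructed feed, not one from the talk; the reader functions are
// illustrative, not any extension's real code.

// Attacker side: the payload is base64-encoded into a data: URI, as in
// the Feed Sidebar / InfoRSS / Sage cases. Entity encoding lets the
// markup survive as XML text inside <description>.
const evilScript = '<script>alert(document.location)</script>';
const dataUri = 'data:text/html;base64,' + Buffer.from(evilScript).toString('base64');

function xmlEscape(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' };
  return s.replace(/[&<>"]/g, (c) => map[c]);
}

const maliciousFeedItem =
  '<item>' +
  '<title>Weather update</title>' +
  '<link>' + dataUri + '</link>' +
  '<description>' + xmlEscape('<iframe src="' + dataUri + '"></iframe>') + '</description>' +
  '</item>';

// Minimal field extraction for the constructed sample only (assumption:
// one occurrence of each tag, no CDATA; a real reader uses an XML parser).
function field(itemXml, name) {
  const m = itemXml.match(new RegExp('<' + name + '>([\\s\\S]*?)</' + name + '>'));
  return m ? m[1] : '';
}

function decodeEntities(s) {
  const map = { lt: '<', gt: '>', quot: '"', amp: '&' };
  return s.replace(/&(lt|gt|quot|amp);/g, (_, e) => map[e]);
}

function htmlEscape(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable reader: decodes the description and inserts it as markup,
// and links to whatever <link> says. In a chrome:// document this is XCS.
function renderItemVulnerable(itemXml) {
  return '<h3>' + field(itemXml, 'title') + '</h3>' +
    '<a href="' + field(itemXml, 'link') + '">source</a>' +
    '<div>' + decodeEntities(field(itemXml, 'description')) + '</div>';
}

// Only http(s) links may reach the DOM; data:, javascript:, chrome:,
// file: and anything unparseable are dropped.
function safeHref(href) {
  try {
    const u = new URL(href);
    return u.protocol === 'http:' || u.protocol === 'https:' ? u.href : null;
  } catch (e) {
    return null;
  }
}

// Hardened reader: feed text stays text (escaped, so any markup in it
// renders literally) and the link must pass the scheme allowlist.
function renderItemSafe(itemXml) {
  const link = safeHref(field(itemXml, 'link'));
  return '<h3>' + htmlEscape(field(itemXml, 'title')) + '</h3>' +
    (link ? '<a href="' + htmlEscape(link) + '">source</a>' : '<span>source unavailable</span>') +
    '<div>' + htmlEscape(decodeEntities(field(itemXml, 'description'))) + '</div>';
}

// Check used below: does rendered markup carry an iframe, a script or a
// data:/javascript: href?
function hasActiveContent(html) {
  return /<iframe\b|<script\b|href="(data|javascript):/i.test(html);
}

console.log(renderItemVulnerable(maliciousFeedItem));
console.log(renderItemSafe(maliciousFeedItem));
```

Two separate decisions matter here: feed text is rendered as text, never decoded into markup, and feed-supplied URLs are checked by parsed scheme rather than by string prefix. Either one alone leaves an injection point, since Sage was exploitable through `<link>` as well as `<description>`.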
DEMO – Avant Browser – RSS Stored XSS
http://www.youtube.com/watch?v=-mShxsspxy8
Further attack surface
Injection in bookmarks
Attack based on:
○ Origin inheritance – injection using a javascript: URI
○ Input validation – injecting into the bookmark trusted zone
Injection via bookmarks using javascript:
○ Ancient bug reported in 2005 by M. Krax
○ User is lured into bookmarking a malicious javascript: URI + payload
○ User clicks on the malicious bookmark
  ○ Focus on a standard web page – Impact: XSS
  ○ Focus on a privileged browser zone – Impact: XCS
Many ways to fool users:
○ Security controls on the status bar can be partially fooled
○ JavaScript can be compressed and obfuscated
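The input-validation side of the bookmark attack above, as an added example for this page (not any browser's code): a prefix check on the raw bookmark string, written here as a strawman, beside a check that asks the URL parser which scheme the browser will actually run. The candidate bookmarks are constructed; the function names are assumptions.

```javascript
// Added example (not any browser's code): validating a bookmark URL's
// scheme so a javascript: bookmarklet cannot masquerade as a normal
// link. The "naive" check is a strawman written here for contrast.

// What a quick prefix check gets wrong: it looks at the raw string, the
// address bar does not.
function naiveIsScriptUrl(raw) {
  return raw.toLowerCase().startsWith('javascript:');
}

// Parser-based check. The WHATWG URL parser (Node's URL class) strips
// leading/trailing C0 controls and spaces and removes embedded ASCII
// tab/newline before reading the scheme, so it sees the scheme the
// browser will act on. data: is included because the deck's Firefox
// extension exploits deliver their payload that way.
const SCRIPT_SCHEMES = new Set(['javascript:', 'data:', 'vbscript:']);

function isScriptUrl(raw) {
  try {
    return SCRIPT_SCHEMES.has(new URL(raw).protocol);
  } catch (e) {
    return false; // no parseable scheme: not a URL the address bar would run
  }
}

// Constructed bookmark candidates. The whitespace variants are the kind
// of obfuscation a status-bar preview or a prefix check will miss.
const bookmarkCandidates = [
  'https://example.com/',
  'javascript:alert(document.domain)',
  'JaVaScRiPt:alert(document.domain)',
  '  javascript:alert(document.domain)',
  'java\tscript:alert(document.domain)',
  'java\nscript:alert(document.domain)',
  'data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==',
];

// Returns one row per candidate with both verdicts, for comparison.
function classifyBookmarks(list) {
  return list.map((raw) => ({
    raw,
    naive: naiveIsScriptUrl(raw),
    parsed: isScriptUrl(raw),
  }));
}

for (const row of classifyBookmarks(bookmarkCandidates)) {
  console.log(JSON.stringify(row));
}
```

The parsed verdict is the one that matches what happens on click; the naive check passes every whitespace variant, which is exactly the gap between "what the status bar shows" and "what executes" that the slide describes.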
javascript:
"I invented the javascript: URL along with JavaScript in 1995, and intended that javascript: URLs could be used as any other kind of URL, including being bookmark-able. In particular, I made it possible to generate a new document by loading, e.g. javascript:'hello, world', but also (key for bookmarklets) to run arbitrary script against the DOM of the current document, e.g. javascript:alert(document.links[0].href). The difference is that the latter kind of URL uses an expression that evaluates to the undefined type in JS. I added the void operator to JS before Netscape 2 shipped to make it easy to discard any non-undefined value in a javascript: URL."
—Brendan Eich
Firefox Case
Firefox 10.0.2 vulnerable
○ Malicious bookmark clicked while using an extension (from chrome://)
○ Payload will execute in chrome://
Issue fixed in FF > 11
Demo – Firefox XCS via bookmark
http://www.youtube.com/watch?v=gSuLV9RjhGQ
Opera
Opera 12.10
○ javascript: can be bookmarked
○ Origin inheritance - opera:config vulnerable to XCS if a javascript:// bookmarklet is triggered
○ Mail app handler can be set with a UNC path, e.g. \\myremote\meterpreter.exe
Demo – Opera XCS via Bookmarks
http://www.youtube.com/watch?v=wWtLHi4Imr4
Maxthon - XCS in bookmarks
Demo – Maxthon XCS in bookmarks
http://www.youtube.com/watch?v=YR0RQz45t3M
Conclusions
More browser capability/functionality = increased attack surface for XCS
Untrusted content - rendering options
○ about:blank
Security model for extensions/addons
○ Sandbox
Questions?
Roberto Suggi Liverani - @malerisch
blog.malerisch.net
References
Blog – Roberto Suggi Liverani: http://blog.malerisch.net/
Twitter account - @malerisch: https://twitter.com/malerisch
Security-Assessment.com Research: http://www.security-assessment.com/page/archive.htm
Nick Freeman – Publications: http://atta.cked.me/publications
Cross Context Scripting with Firefox: http://malerisch.net/docs/cross_context_scripting/cross_context_scripting_with_firefox.pdf
Opera - XCS in opera:history: http://malerisch.net/docs/advisories/opera_stored_cross_site_scripting.html
Firefox addon Coolpreviews – XCS: http://malerisch.net/docs/advisories/coolpreviews_chrome_privileged_code_injection.html
Firefox addon Update Scanner - XCS: http://malerisch.net/docs/advisories/updatescanner_chrome_privileged_code_injection.html
Exploiting XCS in Firefox: http://www.security-assessment.com/files/whitepapers/Exploiting_Cross_Context_Scripting_vulnerabilities_in_Firefox.pdf
HITB2012AMS - Browser Bug Hunting in 2012: http://www.security-assessment.com/files/documents/presentations/window_shopping_browser_bug_hunting_in_2012_roberto_suggi_liverani_scott_bell.pdf