Page 1: Cross Context Scripting attacks & exploitation

CROSS CONTEXT SCRIPTING (XCS) ATTACKS & EXPLOITATION

From alert('xss') to Meterpreter with a single click

Roberto Suggi Liverani
Ruhr-Universität Bochum

HackPra 2012/2013

Page 2: Cross Context Scripting attacks & exploitation

2

Who am I?

A guy who likes to find bugs

Speaker at various cons:DefCON, EUSecWest, HITB, OWASP

Twitter: @malerisch Research blog: blog.malerisch.net

Page 3: Cross Context Scripting attacks & exploitation


Outline

Cross Context Scripting (XCS)

Past research

Recent discoveries

Further attack surface

Page 4: Cross Context Scripting attacks & exploitation


Cross Context Scripting (XCS)

Page 5: Cross Context Scripting attacks & exploitation

Some concepts
Same origin policy (SOP)

Policy designed to govern interaction between different web sites
○ Domain name
○ Application protocol
○ Port

W3C definition
"Although the same-origin policy differs between APIs, the overarching intent is to let users visit untrusted web sites without those web sites interfering with the user's session with honest web sites"

Page 6: Cross Context Scripting attacks & exploitation

Cross Context Scripting (XCS)

XCS or Cross-zone scripting
Cross Zone Scripting coined for IE
http://en.wikipedia.org/wiki/Cross-zone_scripting
XCS coined for Firefox and injection in chrome://

What is XCS?
An XSS in a privileged browser zone
An indirect Same-Origin Policy (SOP) bypass?

Each browser has a trusted/privileged zone:
FF - chrome://
Chrome - chrome://
Opera - opera://
Maxthon - mx://
Avant - browser://

Page 7: Cross Context Scripting attacks & exploitation


Page 8: Cross Context Scripting attacks & exploitation

XCS

Browser privileged/trusted zone
Access to internal API interfaces:
○ Browser
  Browser settings
  Bookmarks, storage, etc.
○ OS
  File system – I/O

Example
○ Firefox model
  Firefox addons can run privileged code

Page 9: Cross Context Scripting attacks & exploitation


FF Addon Example - FireFTP

Page 10: Cross Context Scripting attacks & exploitation


Google Chrome – Settings Page

Page 11: Cross Context Scripting attacks & exploitation


Opera History

Page 12: Cross Context Scripting attacks & exploitation

XCS exploitation

XCS exploits are 100% reliable
No memory corruption

Trusted zone
Allows possible direct or indirect invocation of special functions/objects

Challenge
1st - find injection point in trusted zone
2nd - make use of privileged functions/objects to achieve code execution

Page 13: Cross Context Scripting attacks & exploitation


Past Research

Page 14: Cross Context Scripting attacks & exploitation

Past research

Pioneers
2005 - Mark Pilgrim - Greasemonkey bug
2006 - Pdp & Michael Daw – publishing Sage xss
2008 - Kuza55 & Stefano Di Paola – Attacking rich internet applications – Tamper Data XSS demo

My research
Opera XSS found in opera:history
○ RCE exploit in opera:config (Kuza55 / Stefano Di Paola / Aviv Raff)
Firefox extensions research with Nick Freeman
○ Multiple RCE exploits released in FF extensions

Page 15: Cross Context Scripting attacks & exploitation

Opera XSS history (1/3)

Opera XSS history – CVE 2008-4696
Metasploit - 'egypt', # msf module

Step 1 - Injection in opera:history via the fragment part

Page 16: Cross Context Scripting attacks & exploitation

Opera XSS Exploit (2/3)

Step 2 - Force redirection to opera:history to trigger execution
Note: SOP bypass

Page 17: Cross Context Scripting attacks & exploitation


Opera XSS Exploit (3/3)

Step 3 – Execute exploit payload

Page 18: Cross Context Scripting attacks & exploitation


DEMO http://www.youtube.com/watch?v=IFejbd03jls

Page 19: Cross Context Scripting attacks & exploitation

Firefox extensions
Firefox and extensions security model

Extension code is fully trusted by Firefox
No security boundaries between extensions
Extension vulnerabilities are platform independent
Lack of security policies to allow/deny Firefox access to internal API, XPCOM components, etc.

After 3 years…
Not much change
A vulnerable extension can still be used to compromise a system

Page 20: Cross Context Scripting attacks & exploitation

Cool Previews

Vulnerable version: 2.7.2
Injection point:
○ Add to stack function (right-click)

Exploit: Link with a data: uri + base64 encoded payload
○ <a href='data:text/html;base64,payload'>A</a>

Page 21: Cross Context Scripting attacks & exploitation


Remote Code Execution

Invoking cmd.exe

Page 23: Cross Context Scripting attacks & exploitation

FireFTP

Vulnerable version: <1.1.4
Injection point: Server's welcome message

Exploit: Simple HTML and JavaScript payload directly evaluated in chrome://

Page 24: Cross Context Scripting attacks & exploitation

Feed Sidebar

Vulnerable version: 3.2
Injection point: RSS feed

Exploit: Use of data: uri + base64 encoded payload
○ &lt;iframe src=&quot;data:text/html;base64,base64encodedjavascript&quot;&gt;&lt;/iframe&gt;

Page 25: Cross Context Scripting attacks & exploitation

Sage

Vulnerable Version: <=1.4.3
Injection point: RSS feed <description> and <link> tags

Exploit: Use of HTML encoded JavaScript payload
○ <description>&lt;script&gt;dosomethingbad();&lt;/script&gt;</description>
Use of data: uri + base64 encoded payload
○ <link>data:text/html;base64,payload</link>

Page 26: Cross Context Scripting attacks & exploitation

InfoRSS

Vulnerable version: <= 1.1.4.2
Injection point: RSS feed <description> tag

Exploit: Use of data: uri + base64 encoded payload
○ &lt;iframe src=&quot;data:text/html;base64,base64encodedjavascript&quot;&gt;&lt;/iframe&gt;

Page 27: Cross Context Scripting attacks & exploitation

Yonoo

Vulnerable Version: 6.1.1
Injection point: Drag & dropping a malicious image into the preview window

Exploit: Use event handler e.g. onload
○ <img src='http://somewebsite.tld/lolcatpicture.jpg' onLoad='evilJavaScript'>

Page 28: Cross Context Scripting attacks & exploitation


Password stealing

Page 29: Cross Context Scripting attacks & exploitation


Local File Disclosure

Page 30: Cross Context Scripting attacks & exploitation


Compromising NoScript

Whitelisting malicious site

Page 31: Cross Context Scripting attacks & exploitation


Reverse VNC using XHR

Page 32: Cross Context Scripting attacks & exploitation


Recent Discoveries

Page 33: Cross Context Scripting attacks & exploitation

Maxthon – case study

Developed by: Maxthon International (China)

Architecture
○ Supports Trident and Webkit layout engines
○ Focus on performance and extra features

Some stats - according to Maxthon
130 million users
Users spread over 120 countries
500,000,000 downloads in 2k10

Page 34: Cross Context Scripting attacks & exploitation


Maxthon: XCS via location.hash

Status: UNPATCHED!

Maliciouspage.html – performs redirection

Injected payload executes in about:history

Page 35: Cross Context Scripting attacks & exploitation

Maxthon: XCS via RSS

Status: UNPATCHED!
Injection via <title>, <link>, <description> tags

Page 36: Cross Context Scripting attacks & exploitation

Exploitation issues

Maxthon major changes
DOM Program object removed in latest versions
○ Cannot invoke exe directly anymore
○ Can only read/write files via maxthon.io

Personal exploit challenge
No user interaction
Targets: Windows XP and Windows 7

Page 37: Cross Context Scripting attacks & exploitation

XCS Exploit – Windows XP

Windows XP
Overwrite any exe which can be directly invoked via HTML/JavaScript
○ e.g. Outlook Express (wab.exe)
Then use window.location="ldap://blabla"
Works perfectly!

Page 38: Cross Context Scripting attacks & exploitation

XCS Exploit – Windows 7

In Windows 7 (universal approach)
User is prompted using WinXP approach
Overwrite registry hives?
Touch registry?
Dirty approach but effective:
○ Overwrite one of the exe when Java applet is rendered
○ jp2launcher.exe is a good candidate
Then point to an iframe with a java applet = WIN!

Page 40: Cross Context Scripting attacks & exploitation


DEMO

Maxthon – about:history

http://www.youtube.com/watch?v=N-5BkgJX8sI

Page 41: Cross Context Scripting attacks & exploitation


Demo

Maxthon XCS – RSS

http://www.youtube.com/watch?v=d-55asVLqNI

Page 42: Cross Context Scripting attacks & exploitation

Maxthon: Trusted site over HTTP

Status: PATCHED
i.maxthon.com sets privileged DOM objects
○ runtime
○ maxthon

Page 43: Cross Context Scripting attacks & exploitation

Exploit
Leveraging XSS in a trusted "internet" page

Design Issues
i.maxthon.com = trusted domain
i.maxthon.com allows direct access to privileged APIs
No control on resolution of IP address
No use of SSL

MiTM Bug
DNS poisoning
○ Force resolution of i.maxthon.com to a controlled IP address
HTTP MiTM
○ i.maxthon.com served over HTTP – malicious proxy which alters page content

Other implications
XSS in real i.maxthon.com site

Page 44: Cross Context Scripting attacks & exploitation


DEMO – i.maxthon.com (DNS compromised)

http://www.youtube.com/watch?v=1IqZBS0O2Hs

Page 45: Cross Context Scripting attacks & exploitation

Avant Browser

Avant Browser - Avant Force (China)
Custom web browser application
Designed to expand services provided by IE
Two versions: lite (only IE) & ultimate (IE, FF, Chrome)
More downloads than Chrome, IE and Opera in CNET

Page 46: Cross Context Scripting attacks & exploitation

A bit about Avant (1/3)

Firefox wrapped version
Arguments passed to firefox.exe
Avant.exe - parent of firefox.exe

Page 47: Cross Context Scripting attacks & exploitation

A bit about Avant (2/3)
Interesting files

"C:\Program Files\Avant Browser\res" folder:

Observations
home.tpl is rendered at browser:home
rss.tpl is rendered at browser://localhost/lst?url/path/to/rss/feed
Such pages use privileged JavaScript function window.AFRunCommand()
Pages provided examples on how to call privileged functions and aided exploitation

Page 48: Cross Context Scripting attacks & exploitation

A bit about Avant (3/3)
Testing AFRunCommand()

Undocumented Avant browser function
Try{}/Catch{} no output
Bruteforce only option – passing a single parameter:
○ 60003 - window.external.HistoryUrls() - [used in exploit]
○ 60011 - prompt for download
○ 10021 - add to ad block specified site
○ 3 - spawns an empty tab
○ 10010 - reloads the page
○ 10013 - search for keywords
○ 10014 - pop up blocker
○ 10016 - download a video (argument passed as URL)
○ 10017 - add task for download scheduler
○ 10025 - search keywords

Page 49: Cross Context Scripting attacks & exploitation

Avant Browser – SOP Bypass

Status: UNPATCHED!
Works if Firefox is set as the rendering engine

Page 51: Cross Context Scripting attacks & exploitation


DEMO – BeEF Module In Action

http://www.youtube.com/watch?v=I4LiSfTmuM0

Page 52: Cross Context Scripting attacks & exploitation

Avant Browser – XCS in browser:home

Status: UNPATCHED
Injection via <title> HTML element
Cross Site Scripting payload rendered in browser:home privileged zone

Page 53: Cross Context Scripting attacks & exploitation


DEMO – Avant Browser – XCS in browser:home via <title>

http://www.youtube.com/watch?v=cHHtsOpYGH4

Page 54: Cross Context Scripting attacks & exploitation

Avant Browser – Stored XSS via RSS

Injection via <title>, <link> and <description> tags

Page 55: Cross Context Scripting attacks & exploitation


DEMO – Avant Browser – RSS Stored XSS

http://www.youtube.com/watch?v=-mShxsspxy8

Page 56: Cross Context Scripting attacks & exploitation


Further attack surface

Page 57: Cross Context Scripting attacks & exploitation

Injection in bookmarks

Attack based on:
Origin inheritance – injection using javascript: uri
Input validation – injecting into bookmark trusted zone

Injection via bookmarks using javascript:
Ancient bug reported in 2k5 by M. Krax
User is lured into bookmarking a malicious javascript: URI + payload
User clicks on malicious bookmark
Focus on standard web page – Impact: XSS
Focus on privileged browser zone – Impact: XCS

Many ways to fool users:
Security controls on status bar can be partially fooled
JavaScript can be compressed and obfuscated

Page 58: Cross Context Scripting attacks & exploitation

javascript:

"I invented the javascript: URL along with JavaScript in 1995, and intended that javascript: URLs could be used as any other kind of URL, including being bookmark-able. In particular, I made it possible to generate a new document by loading, e.g. javascript:'hello, world', but also (key for bookmarklets) to run arbitrary script against the DOM of the current document, e.g. javascript:alert(document.links[0].href). The difference is that the latter kind of URL uses an expression that evaluates to the undefined type in JS. I added the void operator to JS before Netscape 2 shipped to make it easy to discard any non-undefined value in a javascript: URL."

—Brendan Eich

Page 59: Cross Context Scripting attacks & exploitation

Firefox Case

Firefox 10.0.2 vulnerable
Malicious bookmark clicked while using an extension (from chrome://)
Payload will execute in chrome://

Issue fixed in FF >11

Page 60: Cross Context Scripting attacks & exploitation


Demo – Firefox XCS via bookmark

http://www.youtube.com/watch?v=gSuLV9RjhGQ

Page 61: Cross Context Scripting attacks & exploitation

Opera

Opera 12.10
javascript: can be bookmarked
Origin inheritance - opera:config vulnerable to XCS if javascript:// bookmarklet is triggered

Mail app handler can be set with a UNC path e.g. \\myremote\meterpreter.exe

Page 62: Cross Context Scripting attacks & exploitation


Demo – Opera XCS via Bookmarks

http://www.youtube.com/watch?v=wWtLHi4Imr4

Page 63: Cross Context Scripting attacks & exploitation


Maxthon - XCS in bookmarks

Page 64: Cross Context Scripting attacks & exploitation


Demo – Maxthon XCS in bookmarks

http://www.youtube.com/watch?v=YR0RQz45t3M

Page 65: Cross Context Scripting attacks & exploitation

Conclusions

More browser capability/functionality
Increased attack surface for XCS

Untrusted content - rendering options
about:blank

Security model for extensions/addons
Sandbox

Page 66: Cross Context Scripting attacks & exploitation


Questions?

Roberto Suggi Liverani - @malerisch

blog.malerisch.net

Page 67: Cross Context Scripting attacks & exploitation

References

Blog – Roberto Suggi Liverani
http://blog.malerisch.net/

Twitter account - @malerisch
https://twitter.com/malerisch

Security-Assessment.com Research
http://www.security-assessment.com/page/archive.htm

Nick Freeman – Publications
http://atta.cked.me/publications

Page 69: Cross Context Scripting attacks & exploitation


References

Firefox addon Update Scanner - XCS - http://malerisch.net/docs/advisories/updatescanner_chrome_privileged_code_injection.html

Exploiting XCS in Firefox - http://www.security-assessment.com/files/whitepapers/Exploiting_Cross_Context_Scripting_vulnerabilities_in_Firefox.pdf

HITB2012AMS - Browser Bug Hunting in 2012 - http://www.security-assessment.com/files/documents/presentations/window_shopping_browser_bug_hunting_in_2012_roberto_suggi_liverani_scott_bell.pdf

