Have You By The Gadgets - Black Hat Briefings
Page 1
We have you by the gadgets
Hitting your OS below the belt
Page 2
Legal Notice
Our opinion is our own. It DOES NOT IN ANY WAY represent the view of our employers.
Page 3
whoami - Toby
Page 4
whoami - Mickey
Page 5
Agenda
• Who we are
• What are Gadgets
o A little bit of history
o Why this matters
o How to develop gadgets
o Gadget security model
• What's wrong with them
• Attack Surface
• Problems found
• Demos
• What do you do about it?
Page 6
Thank you:
Itzik Kotler, FX, Ian Amit, Jayson Street,
SophSec, Wim Remes, Aviv Raff, Gal Diskin
#include <full_list.h>
Page 7
What are Gadgets
• Little applications that run on your Windows desktop
• For instance:
Page 8
A little bit of history
• Windows XP - Concept first introduced as "Active Desktop"
o Allowed you to put updating content on your desktop.
• Vista - Sidebar introduced, first mention of "gadgets"
o Gadgets ran in the sidebar "container"; they couldn't be placed randomly on the desktop
• Windows 7 - significant changes
o Improvements in management:
o Gadgets now can be anywhere on the desktop
o All gadgets run in a single process
o Addition of the enterprise security features
o Also - New stuff to help in development
Page 9
Why this still matters
• Gadget use is in decline
• But! This style of app development is taking off
o Container-based apps for smartphones that allow you to do all your dev in HTML, XML, Javascript, etc…
Page 10
Windows Vista Sidebar
Page 11
Windows 7 Gadgets
Page 12
Creating Gadgets
• Just a zip file
Page 13
Creating Gadgets
• Usually just a web app
o html
o css
o javascript
o gadget specific manifest file
• Can also be WPF or Silverlight
Page 14
Gadget Security Model
• MSFT provides a detailed explanation
o (see references)
• Code signing is possible but not required
• Prompt for install similar to standard applications:
Page 15
Gadget Security Model
• Most similar to HTA - HTML Applications
• Basically run in "Local Machine Zone" with some differences:
o Can instantiate any installed ActiveX object
o UAC
  Runs as standard user even if the user is part of the admin group
  Can't raise UAC prompts BUT! apps launched by a gadget can
• Parental Controls apply
Page 16
Gadget Security Model
• Some enterprise controls available
o Turn off Windows Sidebar.
  This policy allows administrators to completely disable the Windows Sidebar.
o Disable unpacking and installation of gadgets that are not digitally signed.
  Only affects gadgets that are downloaded and installed by double-clicking on the gadget package. All previously installed gadgets, as well as those installed manually, will still function.
o Turn off user-installed gadgets.
o Override the "Get more gadgets online" link.
Page 17
Attack Surface
• Attacking with gadgets
• Attacking gadgets
Page 18
Attacking with gadgets
• Delivery:
o Install this gadget? Sure!
• Sidebar gadgets aren't perceived as being dangerous software, or even as software at all
Page 19
Attacking with gadgets
• So I installed your gadget, so what?
• I can't do much, just this:
o Execute code
Game over
• Also:
o Open URLs
o Create files with arbitrary content
o Read files
o Make your computer speak
Page 20
Attacking with gadgets
• Demo time
Page 21
Attacking Gadgets
• Gadgets are code. Therefore gadgets are vulnerable
• Step 1 - Search for gadgets
• Step 2 - Analyze
• Step 3 - ...
• Step 4 - Profit (and share the findings)
Page 22
Attacking Gadgets
• LOTS of malware claiming to be gadgets
• Minimal use of SSL
• Lots of ad server connections (no ads displayed)
o And domain parking sites
• A couple of primary producers, shared code between gadgets
o If you find something in one, it's probably in the others
Page 23
Attacking Gadgets
• Poor security practices, easy targets
o Multiple ways to inject code
o Default Permissions is "full"
• Traffic sniffing
• Easy to spot
o (x64)
Page 24
Attacking Gadgets – Traffic Sniffing
• SSL is haaaaard
• All downloaded gadgets pulled most of their content w/o SSL
• Including updated gadget code in some cases
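A static check for the weaknesses these slides describe (Full permissions in the manifest, content and update code fetched over plain HTTP, ActiveX use, fetched text handed to eval or innerHTML), run against the package format from the Creating Gadgets slides: a zip with a gadget.xml manifest next to the HTML and script. This is an added example written for this page, not code from the talk; the sample package it builds is constructed, and the manifest layout (gadget.xml with hosts/host/base and permissions elements) is assumed from the standard gadget format.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET

# Patterns for the weaknesses the slides call out: content (sometimes gadget code)
# fetched over plain HTTP, scripts using ActiveX, and fetched text fed to eval/innerHTML.
RISK_PATTERNS = {
    "plain-http-url": re.compile(r"\bhttp://", re.I),
    "activex-object": re.compile(r"new\s+ActiveXObject\s*\(", re.I),
    "dynamic-eval": re.compile(r"\b(?:eval|execScript)\s*\(|\.innerHTML\s*=", re.I),
}

def audit_gadget(package_bytes: bytes) -> dict:
    """Parse a .gadget package (a zip holding gadget.xml) and list risky constructs."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        root = ET.fromstring(zf.read("gadget.xml"))  # KeyError if it is not a gadget
        host = root.find("hosts/host")
        base = host.find("base") if host is not None else None
        perms = host.findtext("permissions", default="") if host is not None else ""
        if perms.lower() == "full":
            findings.append("manifest requests Full permissions (the default)")
        for member in zf.namelist():
            if not member.lower().endswith((".html", ".htm", ".js")):
                continue
            text = zf.read(member).decode("utf-8", errors="replace")
            for label, pattern in RISK_PATTERNS.items():
                for m in pattern.finditer(text):
                    line = text.count("\n", 0, m.start()) + 1
                    findings.append(f"{member}:{line}: {label}")
    return {"name": root.findtext("name", default="?"), "permissions": perms,
            "entry": base.get("src") if base is not None else None, "findings": findings}

def build_sample_gadget() -> bytes:
    """Constructed sample package; the layout mirrors a typical HTML gadget."""
    manifest = """<?xml version="1.0" encoding="utf-8"?>
<gadget><name>Weather Demo</name><version>1.0.0.0</version><hosts><host name="sidebar">
<base type="HTML" apiVersion="1.0.0" src="gadget.html"/><permissions>Full</permissions>
<platform minPlatformVersion="1.0"/></host></hosts></gadget>"""
    html = """<html><head>
<script src="http://example.invalid/update.js"></script>
<script>
var fso = new ActiveXObject("Scripting.FileSystemObject");
function load(u) { var x = new XMLHttpRequest(); x.open("GET", u, false); x.send(); eval(x.responseText); }
</script></head><body>Weather</body></html>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("gadget.xml", manifest)
        zf.writestr("gadget.html", html)
    return buf.getvalue()
```

Each finding carries the member name and line so it can be checked by hand; a real .gadget file is passed as its raw bytes in place of the constructed sample.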
Page 25
Attacking Gadgets - MitM
• There are not many gadgets out there; capturing their requests is simple. (AirPwn)
• Using a custom simple proxy to automate injection.
• Demo
Page 26
Attacking Gadgets – Code Injection
• Any web scripting language
o Or powershell
• Demo
Page 27
What to do about it?
• Code is code
o Remember not to take candy from strangers
• Write applications properly
• Microsoft’s solution
Page 28
Microsoft Solution
• Security Advisory 2719662
o “Microsoft is aware of vulnerabilities in insecure Gadgets affecting the Windows Sidebar on supported versions of Windows Vista and Windows 7”
• Fix It Solution
o Engineering solution that removes the attack vector.
• Moving away from the Windows Sidebar and towards the Windows Store.
• Deprecated the Windows Gadget Gallery
• Updated developer documentation
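A way to check which of the enterprise controls from the Gadget Security Model slide are actually in force on a machine, carrying the caveat from that slide that the unsigned-gadget policy only governs double-click installs; the Fix It above takes the first route and turns the Sidebar off. This is an added example, not code from the talk or from Microsoft; the registry path and value names are my recollection of the Windows Sidebar policy template (Sidebar.admx) and should be confirmed against it before relying on the check.

```python
# Assumption: this key and these value names are the registry-backed settings behind
# the Sidebar group policies as I recall them from Sidebar.admx; verify before use.
POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar"
POLICIES = {
    "TurnOffSidebar": "Turn off Windows Sidebar",
    "TurnOffUnsignedGadgets": "Disable unpacking and installation of gadgets that are not digitally signed",
    "TurnOffUserInstalledGadgets": "Turn off user-installed gadgets",
    "OverrideMoreGadgetsLink": 'Override the "Get more gadgets online" link',
}

def evaluate(values: dict) -> dict:
    """Map raw policy data (value name -> registry data, None if absent) to a verdict.

    Only TurnOffSidebar removes the attack vector.  The unsigned-gadget policy is
    reported as partial because it governs double-click installs only; gadgets
    already installed, or unpacked by hand, keep running under it.
    """
    status = {}
    for name, title in POLICIES.items():
        data = values.get(name)
        enforced = bool(data) if name == "OverrideMoreGadgetsLink" else data == 1
        status[title] = "enforced" if enforced else "not set"
    if values.get("TurnOffUnsignedGadgets") == 1:
        status[POLICIES["TurnOffUnsignedGadgets"]] = "partial (double-click installs only)"
    status["gadgets_can_run"] = values.get("TurnOffSidebar") != 1
    return status

def read_policy(hive: str = "HKLM") -> dict:
    """Read the policy values from the live registry (Windows only)."""
    import winreg  # imported here so evaluate() stays usable on any platform
    root = winreg.HKEY_LOCAL_MACHINE if hive == "HKLM" else winreg.HKEY_CURRENT_USER
    values = {name: None for name in POLICIES}
    try:
        with winreg.OpenKey(root, POLICY_KEY) as key:
            for name in POLICIES:
                try:
                    values[name] = winreg.QueryValueEx(key, name)[0]
                except FileNotFoundError:
                    pass  # value not configured
    except FileNotFoundError:
        pass  # key absent: no Sidebar policy configured in this hive
    return values

if __name__ == "__main__":
    for hive in ("HKLM", "HKCU"):
        for title, verdict in evaluate(read_policy(hive)).items():
            print(f"{hive}: {title}: {verdict}")
```

Machine policy takes precedence over user policy, so a gadgets_can_run of False under HKLM settles the question regardless of what HKCU reports.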
Page 29
Prior Work
Standing on the shoulders of giants
• CVEs
o CVE 2007-3032
o CVE 2007-3033
o CVE 2007-3891
• Presentations
o The Inherent Insecurity of Widgets and Gadgets - Aviv Raff, Ian Amit
o Jinx - Malware 2.0 - Itzik Kotler, Jonathan Rom
Page 30
References
• Gadget Security Model
o http://msdn.microsoft.com/en-us/library/ff486358.aspx
• Writing Secure Gadgets
o http://msdn.microsoft.com/en-us/library/bb498012.aspx
Page 31
Please complete the Speaker Feedback Surveys.