The Hidden XSS
          Attacking the Desktop & Mobile Platforms



Kos (Kyle Osborn)
@theKos
alert(self)

» ToorCon Seattle, BlackHat, BSidesLV & DefCon

» Oh, and this guy

» Red Team guy (or so I pretend)

» Pentester

» http://kos.io/
XSS within the browser

» Usually considered a web browser based attack.
» Users fire up their web browsers
 » Navigate to website with persistent XSS
 » Open up link with payload in the URL
    (bank.com?XSS)
 » iFrame with embedded vulnerable website
 » etc., etc.

» But... not really browser specific...
XSS

Definition of XSS:

Cross-site scripting is a security hazard that allows crackers to
interfere with your program’s logic by inserting their own
logic into your HTML. ....
http://oreilly.com/ruby/excerpts/ruby-learning-rails/ruby-glossary.html
XSS without the browser 

» So what's the big deal?

» Not really able to steal cookies.

» Phishing doesn't make sense.

» Content spoofing?

» Ad injection?

» Meh...
XSS without the browser 

» Local filesystem access?


» XMLHttpRequest()


» WebKit does not block XHR requests to file:///

» OS X, iOS, Android versions of WebKit
  » Except for Chrome
So... the fun stuff

» Demos!
Demo #1
» Skype (5.0.x to <= 5.0.914) on Mac OS X
» HTML not filtered in an instance, allowing an attacker to inject
  malicious JavaScript.


» http://kos.io/skype for more info
Demo #2

» Adium <= 1.4.2 (OS X)

» Unfiltered HTML in file transfer dialogue.

» Almost the same as Skype.



» http://www.noptrix.net/advisories/adium_inject.txt
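The Skype and Adium bugs share one root cause: a string the remote party controls (sender name, file name) is concatenated into HTML that the client's embedded WebKit view renders. An added example, not the speaker's or either vendor's code, with constructed input and hypothetical function names: the vulnerable rendering pattern beside its escaped form, plus the invariant a client's test suite can check.

```javascript
// Constructed incoming file-transfer event, as a chat client might receive
// it from the network. Both text fields are attacker-controlled.
const incoming = {
  sender: '<img src=x onerror="alert(1)">Alice',
  filename: 'report.pdf" onmouseover="alert(1)',
  size: 42000,
};

// VULNERABLE (the Skype/Adium pattern): string concatenation turns the
// remote party's data into markup, both as a new tag and as an attribute
// breakout inside title="...".
function renderTransferDialogVulnerable(evt) {
  return '<div class="transfer">' +
    '<b>' + evt.sender + '</b> wants to send you ' +
    '<span title="' + evt.filename + '">' + evt.filename + '</span>' +
    ' (' + evt.size + ' bytes)</div>';
}

// HARDENED: escape every untrusted field before it touches HTML. The five
// characters below cover both text content and double/single-quoted
// attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

function renderTransferDialogHardened(evt) {
  const sender = escapeHtml(evt.sender);
  const filename = escapeHtml(evt.filename);
  const size = Number(evt.size) | 0;   // numeric field: coerce, do not trust
  return `<div class="transfer"><b>${sender}</b> wants to send you ` +
    `<span title="${filename}">${filename}</span> (${size} bytes)</div>`;
}

// Regression invariant for the client's test suite: the number of tags in
// the rendered dialog must equal the number in the template (6 here),
// whatever the remote party puts in the event.
function tagCount(html) {
  return (html.match(/<[a-zA-Z/]/g) || []).length;
}
```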
Demo #3

» Skype on iOS 3.0.1 (Fixed as of 3.0.2)

» Again, basic Cross Site Scripting

» Discovered by while testing Skype on OS X



» More info at
https://superevr.com/2011/xss-in-skype-for-ios/
Introducing WebOS

» Truly web-driven operating system

» Easy application development

» Poised to compete with iOS / Android

» Oh yeah, apps are HTML5 / JavaScript
WebOS

» WebOS: because most apps are HTML/JS, many are susceptible to attacks.

» However... actually more secure than the previous vulns.

» Security (kind-of) done right on it.
Demo #5

» Android's GMail app

» Reported a few months ago...

» Android (like iOS) uses separate users per
  application, limiting what each app can reach.
Demo #5 - Continued

» GMail.apk allows HTML files to be downloaded.

» Handles it in "HTML Viewer" properly, without JS.

» However, XSS inside Gmail.app allows attacker to force download file.

» Then force browser to open file:///..../attack.html
For my next trick...  Choose an OS

» Linux

» Windows

» OS X

» iOS
Demo #6

» Google Earth

» Multi-platform - OS X, iOS, Linux & Windows

» Payloaded KML file (Google Earth XML file)

» Uses HTML for info-boxes

» Uses vulnerable WebKit version
Tool!

» To make it easier, wrote a tool.

» JSON arrays for discovery functions() [what users, app] and files

» base64 encodes & exfiltrates
Tool!
    var fileList = {};

    fileList['mac'] = {
      // How do we discover users?
      "discover": '/Library/Preferences/com.apple.loginwindow.plist',
      // Okay, we found them, what do we pillage?
      "post": {
        'bashHistory': '.bash_history',
        'sshHosts':    '.ssh/known_hosts',
        'sshKeys':     '.ssh/id_rsa.pub'
      }
    };

    fileList['android'] = {
      // Instead of how, just figure out the currently in use app
      "discover": '/proc/self/status',
      // Okay, we found them, what do we pillage?
      "post": {
        'browser_data':    '/data/data/com.android.browser/databases/webview.db',
        'browser_data2':   '/data/data/com.android.browser/databases/browser.db',
        'gmail_accounts':  '/data/data/com.google.android.gm/shared_prefs/Gmail.xml',
        'dolpin_data':     '/data/data/mobi.mgeek.TunnyBrowser/databases/webview.db',
        'dolpin_data2':    '/data/data/mobi.mgeek.TunnyBrowser/databases/browser.db',
        'chromeBookmarks': '.config/chromium/Default/Bookmarks'
      }
    };
Conclusion 

» XSS is bad, mkay?

» Developers don't know how / aren't trained to filter
  client side.

» Easy to exploit.

» Ping me at
    @theKos
    kos@kos.io
    http://kos.io/
