User Interface Spoofing

The issues discussed in this chapter to this point are ones in which an attacker causes problems in a program's logic. UI spoofing, on the other hand, is a special class of spoofing that enables an attacker to present information in the legitimate program's UI in a way it would not normally be presented, so as to mislead the user. Although attackers prefer attacks that avoid user (victim) interaction, this is not always possible. Sometimes an attack requires the victim to perform certain actions, and it can seem very difficult to coerce a victim into performing them. UI spoofing provides an effective method for manipulating users into performing the actions necessary for an attack to succeed. Following are some common ways to perform UI spoofing:

  • Reformatting or rewording dialog boxes

  • Modifying the Z-order

  • Providing misleading URLs and filenames

Rewording Dialog Boxes

Commonly, security dialog boxes ask the user whether or not an action should be taken. Sometimes the dialog box includes information that is controlled by an attacker. For example, you might receive a document or e-mail message (potentially from an untrusted source) that contains links. When you click a link that could have been specified by the attacker, many programs display a dialog box asking you to verify that you want to visit the link, and often the link URL is included in the dialog box. In scenarios like this, it is sometimes possible for the attacker to reword or reformat the dialog box.

The dialog box in Figure 6-1 asks whether the link http://www.microsoft.com/ should be opened. This figure was generated by a sample program named LinkDialogSpoof.exe that is included on this book's companion Web site. You can use this program to practice UI spoofing as demonstrated in this chapter.

Figure 6-1: Dialog box asking whether the link to http://www.microsoft.com should be opened

Locate the sample program LinkDialogSpoof.exe on the companion Web site. Make sure that the supporting file named LinkDialogSpoof.txt is in the same directory as LinkDialogSpoof.exe. Open LinkDialogSpoof.txt in a text editor such as Notepad. You should see the following text contained in the file:

 Link=http://www.microsoft.com/ 

For this example, assume that the attacker controls the contents of LinkDialogSpoof.txt and that the dialog box is presented to confirm that links aren't opened without the user's explicit consent. A user should choose to open only links that look safe.

Suppose an attacker wants to trick the victim into loading http://www.example.com. How can the attacker trick the user using the data displayed in this dialog box? Notice that the URL is enclosed in single quotation marks. What if the attacker includes a single quotation mark as part of the URL? The dialog box starts to get a little confusing, as shown in Figure 6-2.

Figure 6-2: A single quotation mark included in the URL to create a confusing UI

The attacker can close off the URL and add a sentence reassuring the user that it is a good idea to open the link. For example, the attacker can supply http://www.example.com/' This link has been verified and is safe and digitally signed by 'Microsoft as the input. The result is a somewhat convincing dialog box, as shown in Figure 6-3.

Figure 6-3: Reassuring the user with a sentence claiming the link is safe
Important  

When examining security dialog boxes, verify the default selection is the most secure choice. Users often assume the default is secure and accept the default choice without much thought. The example dialog box in Figure 6-1 has an insecure default.

This could work, but the URL http://www.example.com is on the same line as the added text. Also, the attacker's data (the link) is indented in the dialog box, which separates the program's text from the attacker's data. This might not convince as many people as the attacker would like because it looks somewhat suspicious. An attacker can work around this problem by actually reformatting the dialog box.

Reformatting Using Control Characters

Most dialog boxes in the Windows operating system allow programmers to format the text that is displayed. In Figure 6-1, the dialog box contains three separate lines of text, and the second line is indented. An attacker can take advantage of this by including formatting characters in the data to change the layout of the dialog box. For example, if the attacker includes a carriage return/line feed (CR/LF) in the data, the input could be http://www.example.com/' <CR/LF> This link has been verified and is safe and digitally signed by 'Microsoft'. The resulting dialog box is shown in Figure 6-4. This is much more convincing.

Figure 6-4: Adding text on a separate line by including a CR/LF in the input
Tip  

When entering control characters such as CR/LFs, nulls, and tabs, it is helpful to use a binary editor instead of a text editor. This preserves any binary characters in the remainder of the input while allowing easy insertion of the control characters you want to test.

The attacker can format the URL so that it is virtually invisible. For example, suppose the attacker uses this data:

 http://www.microsoft.com' <CR/LF><CR/LF>Press Enter to open this link. <50 or more CR/LFs>@example.com 

The text now contains more lines than fit on the screen. The last several lines aren't visible, including the line that contains the real server name. The dialog box for this input is shown in Figure 6-5.

Figure 6-5: Adding so many CR/LFs that some of the text and the Yes/No buttons scroll off the bottom of the screen and aren't viewable. This link actually loads http://www.example.com, not http://www.microsoft.com.

This type of input takes advantage of the username @ syntax, which is discussed in the section titled Username @ URL Syntax Attacks later in this chapter, and wildcard DNS.

Important  

The techniques used to reformat dialog boxes can often be used to reformat other items.

Entries in log files can sometimes be spoofed by using the same techniques used to reformat dialog boxes. Suppose a Web server log file has the format shown in Figure 6-6.

Figure 6-6: Log file format

To attempt to spoof a log entry, you might try inserting a CR/LF so that the log entry wraps to the next line. For example, the HTTP request http://server//addUser?ID=100%09192.0.2.144%0D%0A2006-02-17%0902:10:36%09GET%09/smiley.jpg might result in the log file entries shown in Figure 6-7. Note that %0D%0A is the URL encoding of a CR/LF pair and %09 is a tab character. The highlighted text shows the attacker-supplied data (from the URL).

Figure 6-7: Spoofing a log entry using control characters

Wildcard DNS

Wildcard DNS allows all possible host names in a domain to be mapped to an IP address without explicitly specifying each host name on the DNS server. For example, www.alpineskihouse.com and something.alpineskihouse.com would map to the same IP address if wildcard DNS is set up for alpineskihouse.com. Host names matched by the wildcard can contain null characters and other control characters that are not usually allowed in host names. An attacker can take advantage of this capability to use control characters in a host name. Table 6-1 lists control characters that can be used in UI spoofing.

Table 6-1: Useful Characters for UI Spoofing (character, hexadecimal representation, description)

  • Carriage return/line feed (CR/LF), 0D0A: Used to force text onto the next line. The line following the CR/LF can surreptitiously contain attacker-supplied data. The user viewing the dialog box might not realize that the text on the line after the CR/LF is part of the attacker's input.

  • Carriage return, 0D: If the application filters out carriage return/line feed pairs, sometimes a carriage return alone can be used to achieve the same result.

  • Line feed, 0A: If the application filters out carriage return/line feed pairs, sometimes a line feed alone can be used to achieve the same result.

  • Tab, 09: Can be used to push text onto the next line. The tab character is useful if CR/LF, CR, and LF are blocked.

  • Space, 20: Accepted almost everywhere. Many spaces together can be used to wrap text to the next line.

  • Backspace, 08: Sometimes can be used to erase characters in the UI or in files to help hide or change information. Particularly useful when the data is sent to a console window.

  • NULL, 00: Often used to truncate strings. This character can be used to hide the remainder of a string.

Tip  

Rewording and reformatting spoofing attacks can be mitigated significantly if the UI makes a clear distinction between the program's text and text provided by a potential attacker. Common ways to achieve this include using a different color or font for attacker data and ensuring that attacker data cannot wrap to another line, truncate important parts, or scroll off the side of the screen.
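The rewording and reformatting attacks above, the log entry spoofed in Figure 6-7, and the characters in Table 6-1 all come down to the same defect: attacker data is rendered where its control characters can change the layout. The following Python is an added example, not part of the book or its LinkDialogSpoof sample. It assumes that the Figure 6-6 log format is date, time, method, request URI and client IP separated by tabs (the figure is not reproduced here) and that the vulnerable logger writes the URL-decoded request; with that, it shows a vulnerable and a hardened log writer, a log reader that sees two records where only one request was made, and a version of the Figure 6-1 prompt that neutralizes the Figure 6-5 payload.

```python
import re
from urllib.parse import unquote, urlsplit

# Added example, not the book's LinkDialogSpoof sample. It renders attacker data
# (a link shown in a dialog box, or a request URI written to a log file) so that
# the control characters of Table 6-1 cannot change the layout.

_ESCAPES = {"\r": "\\r", "\n": "\\n", "\t": "\\t", "\x08": "\\b", "\x00": "\\0"}
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def neutralize(text: str) -> str:
    """Replace every C0 control character and DEL with a visible escape."""
    return _CONTROL.sub(
        lambda m: _ESCAPES.get(m.group(), "\\x%02x" % ord(m.group())), text)


def abbreviate(text: str, limit: int = 72) -> str:
    """Shorten over-long data while keeping its end visible: in a userinfo@host
    URL the real host is at the end, exactly where silent truncation would cut."""
    if len(text) <= limit:
        return text
    half = (limit - 5) // 2
    return text[:half] + " ... " + text[-half:]


def effective_host(url: str) -> str:
    """Host the URL really connects to: the part after any userinfo@ prefix."""
    return (urlsplit(url).hostname or "").lower()


def dialog_text(link: str) -> str:
    """The Figure 6-1 prompt, hardened: the host gets its own line, the link is
    neutralized and abbreviated, and the Yes/No line can never scroll away."""
    return "Do you want to open this link?\nHost: %s\nLink: <%s>\nYes / No" % (
        effective_host(link) or "(none)", abbreviate(neutralize(link)))


# Log format assumed for Figure 6-6 (the figure is not reproduced on this page):
# date TAB time TAB method TAB request-URI TAB client-IP, one record per line.
FIELDS = ("date", "time", "method", "uri", "client_ip")

# Constructed request target using the control characters from the chapter's
# log-spoofing URL.
REQUEST_TARGET = ("/addUser?ID=100%09192.0.2.144%0D%0A"
                  "2006-02-17%0902:10:36%09GET%09/smiley.jpg")


def naive_log_line(date, time, method, uri, client_ip):
    """Vulnerable writer: logs the URL-decoded request verbatim."""
    return "\t".join((date, time, method, unquote(uri), client_ip)) + "\n"


def safe_log_line(date, time, method, uri, client_ip):
    """Hardened writer: every field is neutralized, so a record can neither span
    lines nor sprout extra tab-separated columns."""
    fields = (date, time, method, unquote(uri), client_ip)
    return "\t".join(neutralize(f) for f in fields) + "\n"


def parse_log(raw: str):
    """Read records the way a log analyser would: one record per line."""
    return [dict(zip(FIELDS, line.split("\t"))) for line in raw.splitlines() if line]


if __name__ == "__main__":
    payload = ("http://www.microsoft.com'\r\n\r\nPress Enter to open this link."
               + "\r\n" * 50 + "@example.com")
    print(dialog_text(payload))
    args = ("2006-02-17", "02:10:35", "GET", REQUEST_TARGET, "203.0.113.5")
    for rec in parse_log(naive_log_line(*args)):
        print("naive:", rec)
    for rec in parse_log(safe_log_line(*args)):
        print("safe: ", rec)
```

With the naive writer the single request produces two records, and the forged second one (a GET for /smiley.jpg with a fake client address) has the right number of columns, so a field-count check would not catch it. The neutralized Link line shows the CR/LFs as literal \r\n sequences, and the Host line is what the user actually needs to decide on: the program's text and the attacker's data are kept visibly apart, and the data can neither wrap, truncate what matters, nor push the buttons off the screen. Control characters for testing are easiest to build in code, as here, or in a binary editor as the earlier Tip suggests.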

Z-Order Spoofing

Sometimes it is not possible to reformat a dialog box. However, attackers can sometimes control windows that cover parts of a dialog box and in that way trick a user into making a bad decision that jeopardizes security. For example, in HTML it is possible to create pop-up windows. Also, Microsoft Internet Explorer has a pop-up object that gives the caller a great deal of control, including over the stacking order of windows on the screen (known as the Z-order).

In 2001, Georgi Guninski found that it was possible to use pop-up windows programmatically to appear on top of the browser s normal UI, including any security dialog boxes that are displayed. The original advisory is available on his Web site at http://www.guninski.com/popspoof.html . Andrew Clover created a very convincing demo of this problem, which is available at http://www.doxdesk.com/personal/posts/bugtraq/20030713-ie/activex.html .

For example, suppose the dialog box shown in Figure 6-8 is displayed. The pop-up text makes the user believe that clicking Yes is the only option. In reality, clicking Yes is a bad security decision. Figure 6-9 shows the pop-up separated from the original dialog box, revealing that the legitimate dialog box is actually warning the user that untrusted code might be run.

Figure 6-8: Z-order spoofing, which can help fool the user into clicking Yes in this dialog box

Figure 6-9: Using pop-up windows to cover the normal security warning and insert conflicting text

If your application allows untrusted users to display pop-up windows programmatically, verify that the windows cannot be placed on top of areas outside your application, dialog boxes inside your application, or areas in which user data isn't normally displayed. Also, test whether the window carries a hard-coded border that identifies it as coming from a certain source (application, URL, and so on). Such identifying information can help a victim realize that the pop-up is not part of the legitimate program and might be controlled by an untrusted party. A big part of the problem with the Internet Explorer example (Figure 6-8) is that there is no border around the pop-up window, which makes it difficult for the victim to realize a pop-up window is present.

Important  

Phishing is a type of attack in which an attacker contacts a victim, pretends to be a trustworthy entity, such as a representative of the victim's bank, and asks the victim to disclose private information (user names and passwords, credit card information, and so on). Spoofing bugs like the ones discussed in this chapter are often used to make a phishing attack more convincing. If an application contains a spoofing bug, an attacker can exploit it to increase the chance of success in a phishing expedition.

Misleading URLs and Filenames

Another form of UI spoofing is when attackers modify data so that it appears as something other than it actually is, and then present this to users. Modified URLs and filenames are especially useful for causing confusion. Some ways to spoof URLs and filenames include homograph attacks, URL redirection, and username @ URL syntax attacks.

Homograph Attacks

Which Web site would you expect to see if you clicked the link http://www.miсrоsоft.com? You would probably expect to see the official Microsoft Web site, but you wouldn't. Evgeniy Gabrilovich and Alex Gontmakher registered the domain miсrоsоft.com using Russian Cyrillic characters for the c and the two o's. Although those characters look like the Latin c and o, they aren't the same, and the URL that uses the Cyrillic characters takes you to a completely different place than you would expect.

More Info  

For more information about homograph attacks, see Gabrilovich and Gontmakher's paper titled The Homograph Attack at http://www.cs.technion.ac.il/~gabr/papers/homograph_full.pdf.

It is very difficult to distinguish a legitimate site's URL from a homographed look-alike. Some programs, such as Firefox, display the Punycode equivalent of URLs that include Unicode characters such as Russian Cyrillic letters. The Punycode version of the microsoft.com look-alike site is http://www.xn--mirsft-yqfbx.com.

Tip  

Punycode is defined in RFC 3492 as a simple and efficient transfer encoding syntax designed for use with Internationalized Domain Names in Applications (IDNA). It uniquely and reversibly transforms a Unicode string into an ASCII string. ASCII characters in the Unicode string are represented literally, and non-ASCII characters are represented by ASCII characters that are allowed in host name labels (letters, digits, and hyphens).

When testing, it is useful to see how the target application behaves when homographed URLs are used. Often, it is helpful for applications to draw users' attention to URLs that might be homographed by displaying them in Punycode.
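The following Python is an added example (not from the chapter or from the Gabrilovich and Gontmakher paper). It uses the standard library's IDNA codec to decode the xn--mirsft-yqfbx label back to its Cyrillic form, flags any label whose letters come from more than one script, and displays such a host in Punycode, which is the behaviour the chapter attributes to Firefox. The script test is derived from the first word of each character's Unicode name; that is a convention of this example, not a standard.

```python
import unicodedata

# Added example (not from the chapter or the paper it cites): decode IDNA host
# names, flag labels that mix scripts, and fall back to Punycode for display
# the way the chapter says Firefox does.


def to_unicode_host(host: str) -> str:
    """Decode xn-- (Punycode) labels with Python's built-in IDNA codec. A host
    that already contains non-ASCII characters is returned unchanged."""
    return host.encode("ascii").decode("idna") if host.isascii() else host


def to_punycode_host(host: str) -> str:
    """ASCII form that goes on the wire, e.g. www.xn--mirsft-yqfbx.com."""
    return to_unicode_host(host).encode("idna").decode("ascii")


def letter_scripts(label: str) -> set:
    """Script family of every letter in one label, taken from the first word of
    the Unicode character name: LATIN SMALL LETTER C -> LATIN,
    CYRILLIC SMALL LETTER ES -> CYRILLIC."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}


def mixed_script_labels(host: str) -> list:
    """Labels whose letters come from more than one script, the classic
    homograph shape (Latin m, i, r, s, f, t around Cyrillic es and o)."""
    return [label for label in to_unicode_host(host).split(".")
            if len(letter_scripts(label)) > 1]


def display_host(host: str) -> str:
    """Show Unicode only when every label is single-script; otherwise show the
    Punycode form so the look-alike cannot pass for an ASCII name."""
    unicode_host = to_unicode_host(host)
    if mixed_script_labels(unicode_host):
        return to_punycode_host(unicode_host)
    return unicode_host


if __name__ == "__main__":
    for host in ("www.microsoft.com", "www.xn--mirsft-yqfbx.com"):
        print(host, "->", to_unicode_host(host), "| mixed:",
              mixed_script_labels(host), "| display:", display_host(host))
```

Mixed-script detection catches the miсrоsоft.com case but not whole-script confusables, where every letter of a label comes from one non-Latin script and the label still resembles a Latin word; and it flags some legitimate names whose writing systems routinely mix scripts (Japanese, for example). Treat a hit as the trigger for the Punycode display, not as proof of an attack.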

Tip  

Sometimes programmers call the SHGetFileInfo function (part of shell32.dll) to determine how a filename should be displayed to the user. If the SHGFI_DISPLAYNAME flag is used and the Hide Extensions For Known File Types folder option is enabled, the application programming interface (API) returns the name as Windows Explorer would show it, so a file such as test.txt.bat is displayed simply as test.txt. The Hide Extensions For Known File Types folder option is enabled by default, but programmers who have turned it off on their own machines might believe the full filename is always returned. To find issues like this, look at the source code for references to SHGetFileInfo, or test with the Hide Extensions For Known File Types option enabled and use filenames such as test.txt.bat to see whether just test.txt is displayed.

URL Redirection Attacks

Which Web page would you expect to see when you type http://www.fourthcoffee.com into your browser? You probably expect to see a coffee-related Web site. However, you notice that http://www.microsoft.com is now displayed in the browser address bar. How did that happen? This is called URL redirection. When you request the first URL, the server responds with HTTP response code 302, which tells the browser to load a different URL, http://www.microsoft.com in this case.

A user might not want a URL from a certain domain to be loaded, but might unknowingly load it if HTTP redirection is performed. A victim is more likely to trust a recognizable or well-known URL. Often, pages on reputable Web sites accept a URL through the query string and redirect to it, for example http://www.msn.com/redir.asp?URL=http://www.example.com.

Important  

Pages on reputable sites that allow arbitrary redirection are often used in phishing attacks. If the Web application you are testing allows an attacker to specify an arbitrary URL value and force an HTTP redirection to that value, talk with the programmer about removing or limiting this functionality. To help mitigate this issue, Web programmers can limit the URLs that are allowed as HTTP redirection targets.

If the user reads the beginning of that long URL, he or she might expect to be delivered to the MSN site, but instead the user's browser is redirected to the example.com site. An attacker can cause even more confusion by obfuscating the redirection URL using other tricks discussed in this chapter and in Chapter 12, Canonicalization Issues.
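As an added example (not the chapter's code), the following Python shows the allow-list check the Important note above recommends, applied to a redirector modelled on the hypothetical redir.asp?URL=... page; the allowed host names and the parameter name are assumptions. It rejects the shapes that make a redirect target look like the trusted site when it is not: scheme-relative targets, backslashes, control characters, non-HTTP schemes, username@ prefixes, and hosts that merely start with the trusted name.

```python
from urllib.parse import parse_qs, urlsplit

# Added example (not the chapter's code) for a redirector modelled on the
# hypothetical redir.asp?URL=... page. Host names and parameter name are assumed.
ALLOWED_HOSTS = {"www.msn.com", "msn.com"}


def safe_redirect_target(query_string: str, param: str = "URL",
                         fallback: str = "/") -> str:
    """Return the requested target only if it is a site-local path or stays on
    an allowed host; anything else yields the fallback."""
    target = parse_qs(query_string).get(param, [""])[0]
    if not target or "\\" in target or any(ord(c) < 0x20 for c in target):
        return fallback                       # backslash and control-character tricks
    if target.startswith("//"):
        return fallback                       # scheme-relative: //www.example.com/
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        return target if target.startswith("/") else fallback   # local path only
    if parts.scheme not in ("http", "https"):
        return fallback                       # javascript:, data:, file: ...
    if parts.username is not None or parts.password is not None:
        return fallback                       # www.msn.com@www.example.com
    if (parts.hostname or "") not in ALLOWED_HOSTS:
        return fallback                       # exact match, so www.msn.com.example.com fails
    return target


if __name__ == "__main__":
    for qs in ("URL=http://www.msn.com/news", "URL=http://www.example.com",
               "URL=http://www.msn.com@www.example.com", "URL=//www.example.com/",
               "URL=/account", "URL=javascript:alert(1)"):
        print("%-45s -> %s" % (qs, safe_redirect_target(qs)))
```

The host comparison is an exact match against a set, never a prefix or substring test, because www.msn.com.example.com and www.msn.com@www.example.com both begin with the trusted name. Rejected targets fall back to a local path rather than being "fixed up", so an attacker learns nothing about which part of the check failed.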

Important  

HTTP redirection is also important in testing for cross-domain and zone issues, discussed in Chapter 10, HTML Scripting Attacks. Many APIs that retrieve URLs silently follow redirects without alerting the caller. For this reason, a program might believe it is receiving data from one domain when actually it receives it from another.

Many programs ask the user whether the user wants to load a Web page from a certain URL. Often, the program will prompt the user only for the original URL and will not prompt if a redirect is performed.

To create a test Active Server Pages (ASP) page that performs an HTTP redirection, use the following code. Response.Redirect sends a 302 response with the new URL in the Location header:

 <% Response.Redirect "http://www.example.com" %> 
Important  

HTTP redirection is different from HTML meta tag refresh and HTML script redirection (using client-side script to change the browser's URL). HTTP redirection is done at the protocol level and is supported by system APIs. For this reason, applications often get HTTP redirection behavior without including additional code (and sometimes without knowing it). HTML meta tag refresh and HTML script redirection are contained in the contents of the HTML, not at the protocol level. These types of redirection are performed after the contents of the HTML are parsed by the application, and they require the application to support refresh and script redirection.

Important  

Similar to trusted Web sites allowing redirection to arbitrary URLs through attacker-supplied data, some Web sites accept attacker-supplied data and use it as the source URL of an HTML frame. When this occurs, it is hard for the user (victim) to realize that an attacker controls one of the frames.

Username@URL Syntax Attacks

RFC 2396 (http://www.ietf.org/rfc/rfc2396.txt) specifies that URLs can include user information before the host name using the following syntax:

 <userinfo>@<host>:<port> 

This syntax enables an attacker to insert arbitrary text before the server name (host) in the URL. For example, http://www.microsoft.com@www.example.com connects to www.example.com and uses www.microsoft.com as the user name. Because www.example.com doesn't ask for credentials, the user name part of this URL is simply ignored. Further obfuscation can be applied to the real server name to cause even more confusion. For example, if the IP address of example.com is used, the URL could look like http://www.microsoft.com@192.0.34.166 or http://www.microsoft.com@3221234342 (which uses a dotless IP address, as discussed in Chapter 12). Both of these URLs look as if they would load the Microsoft Web site, but instead they load example.com.

Many attackers use this syntax to confuse their victims. For this reason, security update MS04-004 turned off this syntax by default in Internet Explorer for http and https URLs. If you are testing an application that supports URLs, consider recommending that support for this syntax be disabled to prevent the associated attacks.
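The following Python is an added example (not from the chapter). It uses urllib.parse to separate the user name from the host a URL actually connects to, normalises the dotless decimal form 3221234342 back to 192.0.34.166 with the ipaddress module, and applies a policy like the one the chapter attributes to MS04-004: http and https URLs that carry user information are refused. The "misleading" heuristic (a user name that contains a dot, so it reads like a host name) is an assumption of this example.

```python
import ipaddress
from urllib.parse import urlsplit

# Added example (not from the chapter): separate what a URL looks like from
# where it connects, and apply the MS04-004 style rule of refusing userinfo
# in http and https URLs.


def real_host(url: str) -> str:
    """Host the URL connects to: the hostname after any userinfo@, with a
    dotless decimal IP (e.g. 3221234342) normalised to dotted-quad form."""
    host = urlsplit(url).hostname or ""
    if host.isdigit():                        # dotless IP, see Chapter 12
        try:
            host = str(ipaddress.IPv4Address(int(host)))
        except ipaddress.AddressValueError:   # too large to be an IPv4 address
            pass
    return host


def analyze(url: str) -> dict:
    """What the URL looks like versus where it goes."""
    parts = urlsplit(url)
    return {
        "username": parts.username,           # text before the '@', if any
        "connects_to": real_host(url),
        # Heuristic (an assumption of this example): a user name that contains
        # a dot is most likely there to impersonate a host name.
        "misleading": parts.username is not None and "." in parts.username,
    }


def accept_url(url: str) -> bool:
    """Policy modelled on the chapter's description of MS04-004: reject http and
    https URLs that carry userinfo; other schemes are left alone."""
    parts = urlsplit(url)
    if parts.scheme in ("http", "https"):
        return parts.username is None and parts.password is None
    return True


if __name__ == "__main__":
    for url in ("http://www.microsoft.com@www.example.com",
                "http://www.microsoft.com@192.0.34.166",
                "http://www.microsoft.com@3221234342",
                "http://www.microsoft.com/"):
        print(url, analyze(url), "accepted:", accept_url(url))
```

Python's urlsplit already applies the RFC 2396 rule for you: hostname is whatever follows the last @ in the authority, so the first three URLs all resolve to the example.com address even though each begins with www.microsoft.com. An application that shows the user parts.netloc instead of parts.hostname reproduces the bug the chapter describes.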



Hunting Security Bugs
ISBN: 073562187X
Year: 2004
Pages: 156