Window Shopping:
Browser Bug Hunting in 2012
Roberto Suggi Liverani / Scott Bell – Security-Assessment.com
HITB2012AMS
Who Are We?

 Roberto Suggi Liverani (@malerisch)
    Principal Security Consultant
    Security-Assessment.com – www.security-assessment.com
    Blog and research: http://blog.malerisch.net/p/security-research.html


 Scott Bell
    Principal Security Consultant
    Security-Assessment.com - www.security-assessment.com
Agenda

 Introduction
    Our approach and why


 Window Shopping!
    Bugs showcase
    Fun, pain and results
    Demos


 Conclusions
Introduction

 Why target browsers?
   Predominant desktop application
   Tech shifting towards client-side
   Chances to find cool bugs


 Approach
   Wide angle - not limited to memory corruption bugs
   Injection attacks and policy/rules bypass
Window Shopping!




Anyone who lives within their means suffers from a lack of imagination. ~Oscar Wilde
Firefox - Use-After-Free < 11

   Severity:
   Exploit: Remote Code Execution (no DEP)
   Credits: Scott Bell & Blair Strang
   Status: Patched in FF 11 (win7)
   CVE: 2012-0454
   Vendor Response:
     Bug fixed but took a long time
     Mozilla developers struggled to replicate and fix this bug
 Approach: modded version of cross_fuzz
     cross_fuzz - http://lcamtuf.coredump.cx/cross_fuzz/
What product are you selling me?

 UAF (Use-After-Free)
   Referencing memory after it has been freed can cause a program to:
      Crash
      Use unexpected values
      Execute arbitrary code
FF Use-After-Free

 Modified cross_fuzz
   Added more entropy via:
      Randomising call parameter count
      Removing toggle_gc()
      Changing 'document.designMode=on' to be controlled by the parent window
      Changing fuzz variables
FF Use-After-Free

 Modified cross_fuzz
   Implemented HTMLGen to generate different HTML each run
   Waited for the DOM to load in child windows before crawling.
      This cuts out timing issues/different fuzz path results.
   Removed phases - only leaving some e.g. tweak_properties()

 Screenshot: modified cross_fuzz using only one phase
FF Use-After-Free

 Minimising
     JSLOG – Firefox Extension (Blair Strang)
     Used JSLOG to dump DOM operations
     Observed browser behaviour around the time of crash
     Followed browser behaviour in the debugger
     A lot of late nights :)
FF Use-After-Free

 Minimising
   Noted consistencies at the time of crash
   Referenced consistencies with JSLOG output
   Manually tried various scenarios based upon what we observed
 Result
   Reduced very complex HTML test case to a simple HTML template
   Thousands of JavaScript DOM operations reduced to few
FF Use-After-Free - PoC 1/3

 Parent.html
FF Use-After-Free – PoC 2/3

 Child.html
FF Use-After-Free – PoC 3/3


 Sequence (parent/child window diagram)
   1. Parent spawns child
   2. Parent performs click on form - file open dialog spawns
   3. Parent closes child while file open dialog is open
FF Use-After-Free Analysis

 Analysing
   An obvious Use-after-free
   Windows heap manager writes the pattern 0xFEEEFEEE to HeapFree'd locations
   Looks pretty exploitable too, crashes on a CALL :)
FF Use-After-Free - Analysis

 Analysing
   Crazy unknown stack trace - doesn't really help
   Speculation: seems to be going through some Windows internals
FF Use-After-Free

 Conclusion
   Very ‘timing sensitive’
   Need for specific heap layout
   No DEP/ASLR bypass



      DEMO – Firefox Use After Free Code Execution




  If anyone is interested in improving current exploit, please contact us
Maxthon - XCS and SOP Bypass

   Severity:
   Exploit: Remote Code Execution
   Credits: Roberto Suggi Liverani
   CVE: n/a
   Status: Unpatched!
   Vendor Response:
       13/02/2012 - bugs reported to multiple contacts
       21/02/2012 - reception of report confirmed but no further reply
       21/02/2012 - chased them, no reply
       02-05/2012 - 11 new releases following the report – 1 bug silently fixed
 Approach: targeted – looking for injection points
What product are you selling me?

 XCS or Cross-zone scripting
    Cross Zone Scripting coined for IE
     http://en.wikipedia.org/wiki/Cross-zone_scripting
    XCS coined for Firefox and injection in chrome://
 What is XCS?
    An XSS in a privileged browser zone
    An intrinsic Same-Origin Policy (SOP) bypass :-)
 Each browser has a privileged zone:
      FF - chrome://
      Chrome - chrome://
      Opera - opera://
      Maxthon - mx://
      Avant - browser://
XCS

 Browser privileged/trusted zone
    Access to internal API interfaces:
       File system, browser settings, bookmarks, storage, etc.
 Some references from the past
    Opera XSS found in opera:history
       RCE exploit in opera:config (Kuza55 / Stefano Di Paola / Aviv Raff)
    FF addons research with Nick Freeman
       Multiple RCE exploits released in FF addons


 XCS exploits are 100% reliable
A bit about Maxthon

 Developed by: Maxthon International (China)

 Architecture
   Supports Trident and Webkit layout engines
   Focus on performance and extra features


 Some stats - according to Maxthon
    130 million users
    Users spread over 120 countries
    500,000,000 downloads in 2k10
Maxthon – The bugs

 Cross Context Scripting
    about:history zone
    Feed Reader (about:reader) and RSS Viewer
    Bookmark Toolbar and Bookmark Sidebar
 Incorrect Executable File Handling
 Same-Origin Policy (SOP) Bypass
 DNS Poisoning/MiTM – i.maxthon.com

 Remote Code Execution possible in 5 different ways!
Maxthon - XCS via location.hash

 Injection via location.hash




 Maliciouspage.html – performs redirection



 Injected payload executes in about:history
Maxthon XCS in RSS

 Injection via <title>, <link>, <description> tags
Maxthon - XCS in Bookmarks
Maxthon – Further bugs

 External Tools Direct Invocation
    Maxthon can invoke executables
    window.open("file://C:/windows/system/cmd32.exe");
    pop up blocker -> but if user accepts, exe is called
 SOP Bypass
    Tested window.open() with the following results:
       From http:// - window.open('file://….') - prompts the popup blocker; if the user allows the pop up, the file:// window is opened
       From http:// - window.open('about://*') - spawns a new window
       From http:// - window.open('mx://res/*') - forbidden by SOP
Maxthon – i.maxthon.com (1/2)

 i.maxthon.com sets interesting DOM objects (from screenshot):
    runtime
    Maxthon
Maxthon – i.maxthon.com (2/2)

 Design Issues
      i.maxthon.com = trusted domain
      i.maxthon.com allows direct access to privileged APIs
      No control on resolution of IP address
      No use of SSL
 MiTM Bug
    DNS poisoning
       Force resolution of i.maxthon.com to a controlled IP address
    HTTP MiTM
       i.maxthon.com served over HTTP – malicious proxy which alters page content
 Other implications
    XSS in real i.maxthon.com site
DEMO - Maxthon multiple vulnerabilities
Avant Browser – XCS & SOP Bypass

   Severity:
   Exploit: History Stealing, XSS, misc
   Credits: Roberto Suggi Liverani
   CVE: n/a
   Status: Unpatched!
   Vendor Response:
       07/03/2012 - had to post 10 posts to a forum to get a contact!
       14/03/2012 - reception of report confirmed but no further reply
       14/03/2012 - chased them, no reply
       03-05/2012 - 2 new releases following the report, one bug silently fixed
 Approach: targeted - looking for injection points
Avant Browser

 Avant Browser - Avant Force (China)
    Custom web browser application
    Designed to expand services provided by IE
    From FAQ: "Is Avant Browser a secure browser? Yes, Avant Browser is secure. Since it's based on Internet Explorer, Avant Browser is as secure as Internet Explorer. Avant Browser supports all SSL secured websites. Avant Browser's encryption length is the same as Internet Explorer's."
 Two versions: lite (only IE) & ultimate (IE, FF, Chrome)
 More downloads than Chrome, IE and Opera in CNET
A bit about Avant (1/3)

 Screenshot: Firefox wrapped version - Avant.exe is the parent of firefox.exe; the arguments passed to firefox.exe are visible
A bit about Avant (2/3)

 Interesting files
    "C:\Program Files\Avant Browser\res" folder:




 Observations
    home.tpl is rendered at browser:home
    rss.tpl is rendered at browser://localhost/lst?url/path/to/rss/feed
    Such pages use the privileged JavaScript function window.AFRunCommand()
    Pages provided examples on how to call privileged functions and aided exploitation
A bit about Avant (3/3)

 Testing AFRunCommand()
   Undocumented Avant browser function
   Try{}/Catch{} no output
   Bruteforce only option – passing a single parameter:
      60003 - window.external.HistoryUrls() - [used in exploit]
      60011 - prompt for download
      10021 - add to ad block specified site
      3 - spawns an empty tab
      10010 - reloads the page
      10013 - search for keywords
      10014 - pop up blocker
      10016 - download a video (argument passed as URL)
      10017 - add task for download scheduler
      10025 - search keywords
Avant Browser – The bugs

 Same-Origin Policy (SOP) Bypass
  browser:home

 Cross Context Scripting
  browser:home – Most Visited And History Tabs

 Stored Cross Site Scripting
  Feed Reader (browser://localhost/lst?*)
Avant Browser – Showcase

 SOP Bypass - History Stealing
Avant Browser – Showcase

 XCS in browser:home – History Stealing
   Injection via <title> HTML element




    Screenshot: Cross Site Scripting payload rendered in the browser:home privileged zone
Avant Browser – Stored XSS via RSS

 Injection via <title>, <link> and <description> tags
DEMO – Avant Browser
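The about:history location.hash injection and the feed-reader injections shown above (Maxthon's RSS viewer and Avant's feed reader, both via <title>, <link> and <description>) share one root cause: untrusted strings are concatenated into a privileged page's markup. The JavaScript below is an added example, not Maxthon's or Avant's code; the function names and the sample inputs are assumptions constructed for illustration. It shows each sink next to a hardened version that encodes for the HTML context and allowlists the link scheme.

```javascript
// Added example, not code from Maxthon or Avant: the two sinks described in the
// slides, written first the way the injections require and then hardened.
// All function names and the sample inputs below are constructed for illustration.

// Encode a string so it can only ever be text (or an attribute value) in HTML.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Allowlist the link scheme. Whitespace and control characters are dropped before the
// check because browsers ignore them inside a scheme, so a naive prefix test on the
// raw string is not enough. Anything that is not http(s) becomes an inert "#".
function safeHref(url) {
  const probe = String(url).replace(/[\u0000-\u0020]/g, '').toLowerCase();
  return /^https?:\/\//.test(probe) ? String(url).trim() : '#';
}

// Fragment text as a page would read it from location.hash.
function fragmentText(hash) {
  const raw = String(hash).replace(/^#/, '');
  try {
    return decodeURIComponent(raw);
  } catch (e) {
    return raw; // malformed percent-encoding: treat it as plain text
  }
}

// Vulnerable sink: the fragment is written as markup inside the privileged history page.
function renderHistoryFilterUnsafe(hash) {
  return '<h2>History for: ' + fragmentText(hash) + '</h2>';
}

// Hardened sink: identical layout, but the fragment can only become text.
function renderHistoryFilterSafe(hash) {
  return '<h2>History for: ' + escapeHtml(fragmentText(hash)) + '</h2>';
}

// Vulnerable feed sink: title, link and description flow straight into the viewer's DOM.
function renderFeedItemUnsafe(item) {
  return '<li><a href="' + item.link + '">' + item.title + '</a>' +
         '<p>' + item.description + '</p></li>';
}

// Hardened feed sink: each field is encoded for its context and the link is allowlisted.
function renderFeedItemSafe(item) {
  return '<li><a href="' + escapeHtml(safeHref(item.link)) + '">' + escapeHtml(item.title) +
         '</a><p>' + escapeHtml(item.description) + '</p></li>';
}

// Constructed sample inputs: a fragment carrying markup, and a feed item whose link
// is not http(s) and whose text fields contain markup characters.
const SAMPLE_HASH = '#<b>term</b>';
const SAMPLE_ITEM = { title: 'News & Views', link: 'javascript:x()', description: '<i>d</i>' };

console.log(renderHistoryFilterUnsafe(SAMPLE_HASH)); // markup survives into the page
console.log(renderHistoryFilterSafe(SAMPLE_HASH));   // markup is encoded as text
console.log(renderFeedItemUnsafe(SAMPLE_ITEM));      // link and description pass through
console.log(renderFeedItemSafe(SAMPLE_ITEM));        // href becomes "#", text is encoded
```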
nsIScriptableUnescapeHTML.parseFragment() Bypass




 Severity:
 Impact: Remote Code Execution
 Credits: Roberto Suggi Liverani
 Status: Patched in FF 3.6.14,
  Thunderbird 3.1.8, and SeaMonkey 2.0.12
 CVE: 2010-1585
 Vendor Response:




 Approach: investigating a Firefox addon developer’s doubt
Some background

 nsIScriptableUnescapeHTML.parseFragment()
     Critical function used to filter and sanitise data
     Mostly used in the context of filtering data in chrome:// priv zone
     Recommended and deemed safe to use for addons devs
     WizzRSS (FF addon) found to be vulnerable using a bypass
Standard Case - Filtering

 HTML Payload



 Processed by parseFragment() becomes:



 <script> is stripped out
    Only HTML payload remains
    Safe to append in chrome:// DOM
Bypass Test Case

 HTML payload



 Processed by parseFragment() becomes:




 With user interaction the payload can be triggered in the privileged browser zone – chrome://
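The point of the test case above is that removing <script> leaves every other way a fragment can run code, which is why a filter for a privileged zone must be an allowlist of elements and attributes rather than a blocklist of one tag. The block below is an added example (not Mozilla's parseFragment() code and not the WizzRSS addon): a deliberately small tag tokenizer contrasts a strip-script filter with an allowlist sanitiser. The allowed tag and attribute sets are assumptions, and a production sanitiser must be built on a real HTML parser rather than regex tokenising.

```javascript
// Added example, not the Mozilla nsIScriptableUnescapeHTML implementation and not
// the WizzRSS addon code. It contrasts a blocklist ("strip <script>") with an
// allowlist sanitiser for an HTML fragment destined for a privileged page.
// The allowlists and the tokenizer are assumptions chosen for illustration; regex
// tokenising is only good enough here to show the difference in policy.

const ALLOWED_TAGS = new Set(['p', 'br', 'b', 'i', 'em', 'strong', 'a']);
const ALLOWED_ATTRS = { a: new Set(['href']) };

// Blocklist policy: removes <script> elements and nothing else.
function stripScriptOnly(html) {
  return html.replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '');
}

// Text nodes: neutralise characters that could start markup, keep existing entities.
function escapeText(text) {
  return text
    .replace(/&(?![a-zA-Z]+;|#\d+;|#x[0-9a-fA-F]+;)/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

function escapeAttr(value) {
  return escapeText(value).replace(/"/g, '&quot;');
}

// href values: only http(s), checked after removing whitespace and control
// characters that a browser would ignore inside the scheme.
function isHttpUrl(value) {
  return /^https?:\/\//.test(value.replace(/[\u0000-\u0020]/g, '').toLowerCase());
}

// Keep only the attributes allowlisted for this element. Event handlers (on*),
// style, src and anything else not listed are dropped; an href whose scheme is
// not http(s) is dropped as well.
function sanitiseAttrs(tag, attrString) {
  const allowed = ALLOWED_ATTRS[tag] || new Set();
  const attrRe = /([a-zA-Z_:][-\w:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let out = '';
  let m;
  while ((m = attrRe.exec(attrString)) !== null) {
    const name = m[1].toLowerCase();
    const value = m[2] !== undefined ? m[2] : (m[3] !== undefined ? m[3] : (m[4] || ''));
    if (!allowed.has(name)) continue;
    if (name === 'href' && !isHttpUrl(value)) continue;
    out += ' ' + name + '="' + escapeAttr(value) + '"';
  }
  return out;
}

// Allowlist policy: comments and elements not on the list are removed (their text
// is kept as text); listed elements are rebuilt with only the allowed attributes.
function sanitiseFragment(html) {
  const tagRe = /<!--[\s\S]*?-->|<\/?([a-zA-Z][\w-]*)([^>]*)>/g;
  let out = '';
  let last = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeText(html.slice(last, m.index));
    last = tagRe.lastIndex;
    if (m[1] === undefined) continue;                 // HTML comment: dropped
    const tag = m[1].toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) continue;             // element not allowlisted: dropped
    const closing = m[0].charAt(1) === '/';
    out += closing ? '</' + tag + '>' : '<' + tag + sanitiseAttrs(tag, m[2]) + '>';
  }
  return out + escapeText(html.slice(last));
}

// Constructed sample: a fragment with no <script> at all, which the blocklist filter
// passes through unchanged even though it still carries executable hooks.
const SAMPLE = '<p onclick="handler()">Hello</p>' +
               '<a href="javascript:handler()">click</a>' +
               '<a href="http://example.com/">ok</a>';

console.log(stripScriptOnly(SAMPLE));  // identical to SAMPLE
console.log(sanitiseFragment(SAMPLE)); // <p>Hello</p><a>click</a><a href="http://example.com/">ok</a>
```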
DEMO – Code Execution in WizzRSS FF addon -
nsIScriptableUnescapeHTML.parseFragment() bypass


     demo video kindly provided by @0x7674 (Nick Freeman)
Opera Use-After-Free < 11.52

   Severity:
   Exploit: Crash
   Credits: Roberto Suggi Liverani
   CVE: 2011-4152
   Status: Patched in Opera 11.52
   Vendor Response:
     Recognised as a memory corruption bug
     Not a security issue since no exploit is provided
     But Opera kept asking for an exploit
 Approach: using own fuzzers
Opera Use-After-Free < 11.52

 Simplified test-case
    Clone, remove, append
    Use of the contenteditable attribute for <em> and <strong> leads to a crash
    Crash works if heap spray() occurs
    Couldn't find an exploit
    Opera's position: not exploitable
DEMO - Opera – Use-After-Free Crash
FF/Opera – XCS via bookmarks

 Severity:
 Impact: Code Execution
 Credits: Roberto Suggi Liverani

 Firefox - Status: Patched in FF 11
 Bug reported by someone else

 Opera - Status: Won’t fix
 Opera Vendor Response:
    Multiple exploit steps required – won’t fix
 Approach: looking at injection in and from bookmarks
In a few words

 Ancient bug: reported in 2k5 by M. Krax
 User is lured into bookmarking a:
    Malicious javascript: URI + payload


 User clicks on malicious bookmark
    Focus on standard web page – Impact: UXSS
    Focus on privileged browser zone – Impact: XCS
 Many ways to fool users:
    Security controls on status bar can be partially fooled
    JavaScript can be compressed and obfuscated
    Code can be hidden – e.g. Opera NULL byte issue in view source - @Agarri_FR
DEMO - XCS via bookmarks - Opera and Firefox

Brendan Eich – 2k5: "There's nothing wrong with using javascript: URLs in chrome. What's good for content is good for chrome, often enough."
Conclusions

 Disclosure Fail
    Some browser vendors still do not understand how
     reporting and security disclosure works


 Bug complexity vs. impact
    Injection bugs are simple but impact can be significant
    No need to find memory corruption bugs to achieve code execution


 Delegated security
    Presenting browsers as being as secure as IE or Chrome gives a false sense of security to end users
Special thanks

 Blair Strang
 Thanks to the SA team for inspiration

 Advisories and exploit code for today’s demonstrations
  will be released in the near future
 Thanks for coming along, and enjoy the rest of the con

 If you have questions, come find us later on!
    Roberto Suggi Liverani - @malerisch
       http://blog.malerisch.net
    Scott Bell – scott.bell@security-assessment.com
References

 cross_fuzz
    http://lcamtuf.coredump.cx/cross_fuzz/
    http://lcamtuf.blogspot.co.nz/2011/01/announcing-crossfuzz-potential-0-day-in.html
 Firefox Use-after-free
    http://www.mozilla.org/security/announce/2012/mfsa2012-12.html
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0454
    https://bugzilla.mozilla.org/show_bug.cgi?id=684555
 Firefox nsiscriptable CVE
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1585
 Opera Use After Free
    http://malerisch.net/docs/advisories/opera_use_after_free_crash_poc.html
References

 Cross Context Scripting in Firefox addons
    http://malerisch.net/docs/cross_context_scripting/Cross_Context_Scripting_with_Firefox.html
 Exploiting Firefox Extensions
    http://www.slideshare.net/robertosl81/exploiting-firefox-extensions
 WizzRSS – Security Advisory
    http://www.security-assessment.com/files/advisories/WizzRSS_Firefox_Extension_Privileged_Code_Injection.pdf
 Opera fail:
    José Antonio Vázquez (@0xde1) - http://www.enred20.org/node/27
    http://my.opera.com/securitygroup/blog/2011/10/19/about-the-svg-font-manipulation-vulnerability-that-was-fixed-in-11-52#comments
References

 Spoof Status Bar:
    https://bug338459.bugzilla.mozilla.org/attachment.cgi?id=222524
 Don't allow bookmarking an evaluated+loaded javascript: URL
    https://bugzilla.mozilla.org/show_bug.cgi?id=371179
 Opera Stored XSS
    http://seclists.org/fulldisclosure/2008/Oct/394
 Avant Forum Contact
    http://forum.avantbrowser.com/viewtopic.php?f=21&t=31119&p=182724&hilit=report+security#p182724
 Heap Spraying Demystified
    https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/
References

 Blog – Roberto Suggi Liverani
    http://blog.malerisch.net/
 Twitter account - @malerisch
    https://twitter.com/malerisch
 Security-Assessment.com Research
    http://www.security-assessment.com/page/archive.htm
 Nick Freeman – Publications
    http://atta.cked.me/publications

More Related Content

PPTX
Cross Context Scripting attacks & exploitation
PDF
Augmented reality in your web proxy
PDF
I got 99 trends and a # is all of them
PDF
Defending Against Application DoS attacks
PDF
Exploiting Firefox Extensions
PDF
When you don't have 0days: client-side exploitation for the masses
PDF
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
PDF
Bug Bounty Hunter Methodology - Nullcon 2016
Cross Context Scripting attacks & exploitation
Augmented reality in your web proxy
I got 99 trends and a # is all of them
Defending Against Application DoS attacks
Exploiting Firefox Extensions
When you don't have 0days: client-side exploitation for the masses
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
Bug Bounty Hunter Methodology - Nullcon 2016

What's hot (20)

PDF
Neat tricks to bypass CSRF-protection
PDF
Introducing OWASP OWTF Workshop BruCon 2012
PPTX
[Wroclaw #2] Web Application Security Headers
PDF
Buried by time, dust and BeEF
PDF
Owasp AppSecEU 2015 - BeEF Session
PDF
Advances in BeEF - AthCon2012
PDF
Secuirty News Bytes-Bangalore may 2014
PDF
Cloud forensics putting the bits back together
PDF
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
PPTX
Windows Operating System Archaeology
PDF
Continuous intrusion: Why CI tools are an attacker’s best friends
PDF
20+ ways to bypass your mac os privacy mechanisms
PPTX
Defcon - Veil-Pillage
PPTX
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
PPTX
Browser exploit framework
PDF
Anatomy of PHP Shells
PDF
Make CSRF Again
PPTX
Not a Security Boundary: Bypassing User Account Control
ODP
Browser Exploitation Framework Tutorial
Neat tricks to bypass CSRF-protection
Introducing OWASP OWTF Workshop BruCon 2012
[Wroclaw #2] Web Application Security Headers
Buried by time, dust and BeEF
Owasp AppSecEU 2015 - BeEF Session
Advances in BeEF - AthCon2012
Secuirty News Bytes-Bangalore may 2014
Cloud forensics putting the bits back together
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
Windows Operating System Archaeology
Continuous intrusion: Why CI tools are an attacker’s best friends
20+ ways to bypass your mac os privacy mechanisms
Defcon - Veil-Pillage
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
Browser exploit framework
Anatomy of PHP Shells
Make CSRF Again
Not a Security Boundary: Bypassing User Account Control
Browser Exploitation Framework Tutorial
Ad

Viewers also liked (20)

PPTX
Understanding Data Mining in the Social Media Marketing Age
PDF
About The BSH Group, LLC
PDF
Neumotorax
PDF
"La Cocina de las Ideas", conferencia sobre creatividad dada el 10 de septiem...
PDF
10. unidad 1
PPTX
tl;dr Marketing Aug 2015
PDF
tango 2013 escuela
PPS
Abrazo Salvador
PDF
Biogeomon 2009 72
PDF
HospitalMergersMAIN_JMujica
PDF
Wanderkarte Pillerseetal
PDF
Reglamento unificado de elecciones estudiantiles - ESPOL
PPTX
Catalogo tokyoto luggage 2011 Español
PPT
A Comprehensive Approach to Secure Group Communication in Wireless Networks
PDF
Культура Японії
 
PDF
Curriculum EspañolAP
PDF
REVISTA INSTITUCIONAL
PDF
Boletín 2013 ii ucv
PDF
Navaja negra 2014_nn4ed_abraham_pasamar-desmitificando_el_anti_virus
PDF
El Arte de Comer Sano
Understanding Data Mining in the Social Media Marketing Age
About The BSH Group, LLC
Neumotorax
"La Cocina de las Ideas", conferencia sobre creatividad dada el 10 de septiem...
10. unidad 1
tl;dr Marketing Aug 2015
tango 2013 escuela
Abrazo Salvador
Biogeomon 2009 72
HospitalMergersMAIN_JMujica
Wanderkarte Pillerseetal
Reglamento unificado de elecciones estudiantiles - ESPOL
Catalogo tokyoto luggage 2011 Español
A Comprehensive Approach to Secure Group Communication in Wireless Networks
Культура Японії
 
Curriculum EspañolAP
REVISTA INSTITUCIONAL
Boletín 2013 ii ucv
Navaja negra 2014_nn4ed_abraham_pasamar-desmitificando_el_anti_virus
El Arte de Comer Sano
Ad

Similar to Window Shopping Browser - Bug Hunting in 2012 (20)

PDF
Thug: a new low-interaction honeyclient
PDF
Fireshark - Brucon 2010
PPTX
News bytes Oct-2011
PDF
Blackhat11 shreeraj reverse_engineering_browser
PDF
Krzysztof kotowicz. something wicked this way comes
PDF
Something wicked this way comes - CONFidence
PPTX
Abusing Adobe Reader’s JavaScript APIs by Abdul-Aziz Hariri & Brian Gorenc - ...
PPT
(In)Security Implication in the JS Universe
PPTX
Browser Security ppt.pptx
PDF
Reversing Engineer: Dissecting a "Client Side" Vulnerability in the APT era
PDF
Using Guided Missiles in Drive-bys: Automatic Browser Fingerprinting and Expl...
PDF
Dev and Blind - Attacking the weakest Link in IT Security
PPTX
Html5 security
PPT
Same Origin Policy Weaknesses
PDF
25 Million Flows Later – Large-scale Detection of DOM-based XSS
KEY
Towards a More Secure, Reliable, and Performant Web: Tools / Approaches to Help
PPTX
Burp Suite is a powerful and widely-used tool
PDF
Html5: Something wicked this way comes (Hack in Paris)
PDF
Defcon 20-zulla-improving-web-vulnerability-scanning
Thug: a new low-interaction honeyclient
Fireshark - Brucon 2010
News bytes Oct-2011
Blackhat11 shreeraj reverse_engineering_browser
Krzysztof kotowicz. something wicked this way comes
Something wicked this way comes - CONFidence
Abusing Adobe Reader’s JavaScript APIs by Abdul-Aziz Hariri & Brian Gorenc - ...
(In)Security Implication in the JS Universe
Browser Security ppt.pptx
Reversing Engineer: Dissecting a "Client Side" Vulnerability in the APT era
Using Guided Missiles in Drive-bys: Automatic Browser Fingerprinting and Expl...
Dev and Blind - Attacking the weakest Link in IT Security
Html5 security
Same Origin Policy Weaknesses
25 Million Flows Later – Large-scale Detection of DOM-based XSS
Towards a More Secure, Reliable, and Performant Web: Tools / Approaches to Help
Burp Suite is a powerful and widely-used tool
Html5: Something wicked this way comes (Hack in Paris)
Defcon 20-zulla-improving-web-vulnerability-scanning

More from Roberto Suggi Liverani (8)

PDF
None More Black - the Dark Side of SEO
PDF
Bridging the gap - Security and Software Testing
PPT
Black Energy18 - Russian botnet package analysis
PPT
XPath Injection
PPT
Web Spam Techniques
PPT
Reversing JavaScript
PPT
Ajax Security
PPT
Browser Security
None More Black - the Dark Side of SEO
Bridging the gap - Security and Software Testing
Black Energy18 - Russian botnet package analysis
XPath Injection
Web Spam Techniques
Reversing JavaScript
Ajax Security
Browser Security

Recently uploaded (20)

PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
PDF
KodekX | Application Modernization Development
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
PPT
Teaching material agriculture food technology
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
PDF
Encapsulation theory and applications.pdf
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
PDF
Network Security Unit 5.pdf for BCA BBA.
PDF
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
PDF
Machine learning based COVID-19 study performance prediction
PDF
Encapsulation_ Review paper, used for researhc scholars
PPTX
Big Data Technologies - Introduction.pptx
PDF
cuic standard and advanced reporting.pdf
PDF
Empathic Computing: Creating Shared Understanding
PDF
Review of recent advances in non-invasive hemoglobin estimation
PPTX
Cloud computing and distributed systems.
PDF
Modernizing your data center with Dell and AMD
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
KodekX | Application Modernization Development
Dropbox Q2 2025 Financial Results & Investor Presentation
Teaching material agriculture food technology
Per capita expenditure prediction using model stacking based on satellite ima...
Encapsulation theory and applications.pdf
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
Reach Out and Touch Someone: Haptics and Empathic Computing
The Rise and Fall of 3GPP – Time for a Sabbatical?
Network Security Unit 5.pdf for BCA BBA.
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Machine learning based COVID-19 study performance prediction
Encapsulation_ Review paper, used for researhc scholars
Big Data Technologies - Introduction.pptx
cuic standard and advanced reporting.pdf
Empathic Computing: Creating Shared Understanding
Review of recent advances in non-invasive hemoglobin estimation
Cloud computing and distributed systems.
Modernizing your data center with Dell and AMD

Window Shopping Browser - Bug Hunting in 2012

  • 1. Window Shopping: Browser Bug Hunting in 2012 Roberto Suggi Liverani / Scott Bell – Security-Assessment.com HITB2012AMS
  • 2. Who Are We?  Roberto Suggi Liverani (@malerisch)  Principal Security Consultant  Security-Assessment.com – www.security-assessment.com  Blog and research: http://blog.malerisch.net/p/security-research.html  Scott Bell  Principal Security Consultant  Security-Assessment.com - www.security-assessment.com
  • 3. Agenda  Introduction  Our approach and why  Window Shopping!  Bugs showcase  Fun, pain and results  Demos  Conclusions
  • 4. Introduction  Why target browsers?  Predominant desktop application  Tech shifting towards client-side  Chances to find cool bugs  Approach  Wide angle - not limited to memory corruption bugs  Injection attacks and policy/rules bypass
  • 5. Window Shopping! Anyone who lives within their means suffers from a lack of imagination. ~Oscar Wilde
  • 6. Firefox - Use-After-Free < 11  Severity:  Exploit: Remote Code Execution (no DEP)  Credits: Scott Bell & Blair Strang  Status: Patched in FF 11 (win7)  CVE: 2012-0454  Vendor Response:  Bug fixed but took a long time  Mozilla developers struggled to replicate and fix this bug  Approach: modded version of cross_fuzz  cross_fuzz - http://lcamtuf.coredump.cx/cross_fuzz/
  • 7. What product are you selling me?  UAF (Use-After-Free)  Referencing memory after it has been freed can cause a program to:  Crash  Use unexpected values  Execute arbitrary code
  • 8. FF Use-After-Free  Modified cross_fuzz  Added more entropy via:  Randomising call parameter count  Removing toggle_gc()  Changing ‘document. designMode=on' be controlled by the parent window  Changing fuzz variables
  • 9. FF Use-After-Free  Modified cross_fuzz  Implemented HTMLGen to generate different HTML each run  Waited for the DOM to load in child windows before crawling.  This cuts out timing issues/different fuzz path results.  Removed phases - only leaving some e.g. tweak_properties() using only one phase
  • 10. FF Use-After-Free  Minimising  JSLOG – Firefox Extension (Blair Strang)  Used JSLOG to dump DOM operations  Observed browser behaviour around the time of crash  Followed browser behaviour in the debugger  A lot of late nights :)
  • 11. FF Use-After-Free  Minimising  Noted consistencies at the time of crash  Referenced consistencies with JSLOG output  Manually tried various scenarios based upon what we observed  Result  Reduced very complex HTML test case to a simple HTML template  Thousands of JavaScript DOM operations reduced to few
  • 12. FF Use-After-Free - PoC 1/3  Parent.html
  • 13. FF Use-After-Free – PoC 2/3  Child.html
  • 14. FF Use-After-Free – PoC 3/3 3. Parent closes child while File open dialog is open PARENT 1. Parent spawns child CHILD 2. Parent performs click on form file open dialog spawns
  • 15. FF Use-After-Free Analysis  Analysing  An obvious Use-after-free  Windows heap manager writes the pattern 0xFEEEFEEE to HeapFree'd locations  Looks pretty exploitable too, crashes on a CALL :)
  • 16. FF Use-After-Free - Analysis  Analysing  Crazy unknown stack trace - doesn't really help  Speculation: seems to be going through some Windows internals
  • 17. FF Use-After-Free  Conclusion  Very ‘timing sensitive’  Need for specific heap layout  No DEP/ASLR bypass DEMO – Firefox Use After Free Code Execution If anyone is interested in improving current exploit, please contact us
  • 18. Maxthon - XCS and SOP Bypass  Severity:  Exploit: Remote Code Execution  Credits: Roberto Suggi Liverani  CVE: n/a  Status: Unpatched!  Vendor Response:  13/02/2012 - bugs reported to multiple contacts  21/02/2012 - reception of report confirmed but no further reply  21/02/2012 - chased them, no reply  02-05/2012 - 11 new releases following the report – 1 bug silently fixed  Approach: targeted – looking for injection points
  • 19. What product are you selling me?  XCS or Cross-zone scripting  Cross Zone Scripting coined for IE http://en.wikipedia.org/wiki/Cross-zone_scripting  XCS coined for Firefox and injection in chrome://  What is XCS?  An XSS in a privileged browser zone  An intrinsic Same-Origin Policy (SOP) bypass :-)  Each browser has a privileged zone:  FF - chrome://  Chrome - chrome://  Opera - opera://  Maxthon - mx://  Avant - browser://
  • 20. XCS  Browser privileged/trusted zone  Access to internal API interfaces:  File system, browser settings, bookmarks, storage, etc.  Some references from the past  Opera XSS found in opera:history  RCE exploit in opera:config (Kuza55 / Stefano Di Paola / Aviv Raff)  FF addons research with Nick Freeman  Multiple RCE exploits released in FF addons  XCS exploits are 100% reliable
  • 21. A bit about Maxthon  Developed by: Maxthon International (China)  Architecture  Supports Trident and Webkit layout engines  Focus on performance and extra features  Some stats - according to Maxthon  130 million users  Users spread over 120 countries  500,000,000 downloads in 2k10
  • 22. Maxthon – The bugs  Cross Context Scripting  about:history zone  Feed Reader (about:reader) and RSS Viewer  Bookmark Toolbar and Bookmark Sidebar  Incorrect Executable File Handling  Same-Origin Policy (SOP) Bypass  DNS Poisoning/MiTM – i.maxthon.com  Remote Code Execution possible in 5 different ways!
  • 23. Maxthon - XCS via location.hash  Injection via location.hash  Maliciouspage.html – performs redirection  Injected payload executes in about:history
  • 24. Maxthon XCS in RSS  Injection via <title>, <link>, <description> tags
  • 25. Maxthon - XCS in Bookmarks
  • 26. Maxthon – Further bugs  External Tools Direct Invokation  Maxthon can invoke executables  window.open("file://C:/windows/system/cmd32.exe");  pop up blocker -> but if user accepts, exe is called  SOP Bypass  Tested window.open() with following results:  From: http:// - window.open(‘file://….’) Prompts a popup blocker, if the user allows the pop up, the file:// window is opened  From: http:// - window.open(‘about://*’) spawns a new window  From: http:// - window.open(‘mx://res/*’) forbidden by SOP
Maxthon – i.maxthon.com (1/2)

 i.maxthon.com sets interesting DOM objects
    runtime
    Maxthon

Maxthon – i.maxthon.com (2/2)

 Design Issues
    i.maxthon.com = trusted domain
    i.maxthon.com allows direct access to privileged APIs
    No control on resolution of the IP address
    No use of SSL
 MiTM Bug
    DNS poisoning: force resolution of i.maxthon.com to a controlled IP address
    HTTP MiTM: i.maxthon.com is served over HTTP, so a malicious proxy can alter the page content
 Other implications
    An XSS in the real i.maxthon.com site inherits the same privileged API access

DEMO – Maxthon multiple vulnerabilities
Avant Browser – XCS & SOP Bypass

 Severity:
 Exploit: History Stealing, XSS, misc
 Credits: Roberto Suggi Liverani
 CVE: n/a
 Status: Unpatched!
 Vendor Response:
    07/03/2012 – had to post 10 posts to a forum to get a contact!
    14/03/2012 – reception of report confirmed but no further reply
    14/03/2012 – chased them, no reply
    03-05/2012 – 2 new releases following the report, one bug silently fixed
 Approach: targeted – looking for injection points

Avant Browser

 Avant Browser – Avant Force (China)
 Custom web browser application
 Designed to expand services provided by IE
 From the FAQ: "Is Avant Browser a secure browser? Yes, Avant Browser is secure. Since it's based on Internet Explorer, Avant Browser is as secure as Internet Explorer. Avant Browser supports all SSL secured websites. Avant Browser's encryption length is the same as Internet Explorer's."
 Two versions: lite (only IE) & ultimate (IE, FF, Chrome)
 More downloads than Chrome, IE and Opera on CNET
A bit about Avant (1/3)

 Firefox wrapped version
    Arguments passed to firefox.exe
    Avant.exe is the parent process of firefox.exe

A bit about Avant (2/3)

 Interesting files in the "C:\Program Files\Avant Browser\res" folder
 Observations
    home.tpl is rendered at browser:home
    rss.tpl is rendered at browser://localhost/lst?url/path/to/rss/feed
    Such pages use the privileged JavaScript function window.AFRunCommand()
    The pages provided examples of how to call privileged functions and aided exploitation

A bit about Avant (3/3)

 Testing AFRunCommand()
    Undocumented Avant browser function
    Wrapped in try{}/catch{}, so errors produce no output
    Brute force was the only option – passing a single numeric parameter:
       60003 – window.external.HistoryUrls() [used in exploit]
       60011 – prompt for download
       10021 – add specified site to ad block
       3 – spawns an empty tab
       10010 – reloads the page
       10013 – search for keywords
       10014 – pop up blocker
       10016 – download a video (argument passed as URL)
       10017 – add task for download scheduler
       10025 – search keywords
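The brute-force step described above can be scripted. What follows is an added example, not Avant's code or the talk's exploit: enumerateCommands() calls an opaque privileged function with every ID in a range and buckets the outcome, since the try/catch inside the target hides failures. The fakeAFRunCommand stub and its KNOWN_IDS table are constructed for this example and only mimic three of the IDs listed on the slide; the real function's behaviour and argument handling are not documented.

```javascript
// Added example (not Avant's code): the brute-force approach from the slide,
// generalised into a reusable harness. In the browser you would pass
// window.AFRunCommand instead of the constructed stub below.

const KNOWN_IDS = {                       // constructed stub table
  60003: () => ['http://intranet.example/', 'https://bank.example/login'],
  60011: () => undefined,                 // "prompt for download": no return value
  3: () => undefined,                     // "spawns an empty tab": no return value
};

function fakeAFRunCommand(id, arg) {     // stand-in for window.AFRunCommand
  const handler = KNOWN_IDS[id];
  if (!handler) throw new Error(`unknown command ${id}`);
  return handler(arg);
}

// Call invoke(id, arg) for every id in [from, to] and bucket the outcomes:
// { threw: [ids], silent: [ids that returned undefined], returned: {id: value} }.
function enumerateCommands(invoke, from, to, arg = 'http://attacker.example/') {
  const result = { threw: [], silent: [], returned: {} };
  for (let id = from; id <= to; id++) {
    try {
      const value = invoke(id, arg);
      if (value === undefined) result.silent.push(id);
      else result.returned[id] = value;
    } catch (e) {
      result.threw.push(id);
    }
  }
  return result;
}

// Candidates worth a closer look: IDs that did not throw, i.e. either had a
// side effect (silent) or handed data back to the caller (returned).
function interestingIds(res) {
  return [...res.silent, ...Object.keys(res.returned).map(Number)]
    .sort((a, b) => a - b);
}
```

The harness only classifies return values and exceptions; the side effects the slide lists (a tab opening, a download prompt) are invisible to it, so in a real run someone still has to watch the browser while the loop executes, and IDs that return data, like the history list at 60003, are the ones that turn directly into an exploit primitive.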
Avant Browser – The bugs

 Same-Origin Policy (SOP) Bypass in browser:home
 Cross Context Scripting in browser:home – Most Visited and History tabs
 Stored Cross Site Scripting in the Feed Reader (browser://localhost/lst?*)

Avant Browser – Showcase

 SOP Bypass – History Stealing

Avant Browser – Showcase

 XCS in browser:home – History Stealing
    Injection via the <title> HTML element
    Cross Site Scripting payload rendered in the browser:home privileged zone

Avant Browser – Stored XSS via RSS

 Injection via the <title>, <link> and <description> tags

DEMO – Avant Browser
nsIScriptableUnescapeHTML.parseFragment() Bypass

 Severity:
 Impact: Remote Code Execution
 Credits: Roberto Suggi Liverani
 Status: Patched in FF 3.6.14, Thunderbird 3.1.8, and SeaMonkey 2.0.12
 CVE: 2010-1585
 Vendor Response:
 Approach: investigating a Firefox addon developer's doubt

Some background

 nsIScriptableUnescapeHTML.parseFragment()
    Critical function used to filter and sanitise data
    Mostly used to filter data rendered in the chrome:// privileged zone
    Recommended to addon developers and deemed safe to use
    WizzRSS (FF addon) found to be vulnerable using a bypass

Standard Case – Filtering

 HTML payload processed by parseFragment() becomes:
    <script> is stripped out
    Only the HTML payload remains
    Safe to append in the chrome:// DOM

Bypass Test Case

 HTML payload processed by parseFragment() becomes:
    With user interaction the payload can be triggered in the privileged browser zone – chrome://

DEMO – Code Execution in WizzRSS FF addon – nsIScriptableUnescapeHTML.parseFragment() bypass. Demo video kindly provided by @0x7674 (Nick Freeman)
Opera Use-After-Free < 11.52

 Severity:
 Exploit: Crash
 Credits: Roberto Suggi Liverani
 CVE: 2011-4152
 Status: Patched in Opera 11.52
 Vendor Response:
    Recognised as a memory corruption bug
    Not a security issue since no exploit was provided
    But Opera kept asking for an exploit
 Approach: using own fuzzers

Opera Use-After-Free < 11.52

 Simplified test-case
    Clone, remove, append
    Use of the contenteditable attribute on <em> and <strong> leads to the crash
    The crash reproduces when a heap spray is performed first
 Couldn't find an exploit
 Opera's position: not exploitable

DEMO – Opera Use-After-Free Crash
FF/Opera – XCS via bookmarks

 Severity:
 Impact: Code Execution
 Credits: Roberto Suggi Liverani
 Firefox – Status: Patched in FF 11 (bug reported by someone else)
 Opera – Status: Won't fix
 Opera Vendor Response: multiple exploit steps required – won't fix
 Approach: looking at injection in and from bookmarks

In a few words

 Ancient bug: reported in 2005 by M. Krax
 User is lured into bookmarking a malicious javascript: URI + payload
 User clicks on the malicious bookmark
    Focus on a standard web page – Impact: UXSS
    Focus on a privileged browser zone – Impact: XCS
 Many ways to fool users:
    Security controls on the status bar can be partially fooled
    JavaScript can be compressed and obfuscated
    Code can be hidden – e.g. Opera NULL byte issue in view source (@Agarri_FR)
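The parseFragment() bypass slides and the bookmark slides share one lesson: stripping <script> and event handlers is not enough when a javascript: URL survives in an href that the user can click while the page (or the bookmark target) is a privileged document. The following is an added example, not Mozilla's, Opera's or the talk's code; the slide's actual parseFragment() payload is not reproduced here. stripScriptOnly() is a toy filter with exactly that gap, sanitiseFragment() closes it with a scheme check that normalises whitespace, control characters and case, and isSafeContentUrl() is the same check applied to a URL before it is stored as a bookmark. The check goes beyond the slides by also rejecting vbscript: and data: schemes; all function names and the payload are constructed.

```javascript
// Added example (not Mozilla's, Opera's or the talk's code): a toy
// "strip <script>, keep markup" filter, the javascript:-URL gap it leaves,
// and a hardened version with scheme normalisation. Payloads are constructed.

// Toy filter: removes <script> blocks and on* handlers but leaves href/src
// alone. A javascript: href survives and fires on the user's click.
function stripScriptOnly(html) {
  return html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '')
    .replace(/\s+on\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '');
}

// Normalise a URL the way a browser's scheme parser does before comparing:
// strip leading/trailing C0 controls and spaces, drop embedded tab/CR/LF,
// then lower-case the scheme. Catches "  JaVa\tscript:" style obfuscation.
function normalisedScheme(url) {
  const cleaned = String(url)
    .replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, '')
    .replace(/[\t\r\n]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// Schemes that execute or smuggle code; data: is included as a generalisation.
const SCRIPT_SCHEMES = new Set(['javascript', 'vbscript', 'data']);

// Policy for content-supplied URLs (feed links, bookmark targets): only
// absolute web schemes are accepted; relative URLs are rejected as well.
function isSafeContentUrl(url) {
  const scheme = normalisedScheme(url);
  return scheme === 'http' || scheme === 'https';
}

// Hardened filter: strip scripts/handlers, then neutralise every href/src
// that fails the scheme check.
function sanitiseFragment(html) {
  return stripScriptOnly(html).replace(
    /(href|src)\s*=\s*("([^"]*)"|'([^']*)'|([^\s>]+))/gi,
    (m, attr, _q, dq, sq, bare) => {
      const value = dq ?? sq ?? bare;
      return isSafeContentUrl(value) ? m : `${attr}="#"`;
    });
}

// List href/src values that still carry a script scheme after filtering.
function scriptUrlsIn(html) {
  const found = [];
  const re = /(?:href|src)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const value = m[1] ?? m[2] ?? m[3];
    if (SCRIPT_SCHEMES.has(normalisedScheme(value))) found.push(value);
  }
  return found;
}

// Constructed payload: a script block, an obfuscated javascript: link that
// needs a click, and an event handler. Only the link survives the toy filter.
const PAYLOAD = '<p>Feed item</p><script>alert(1)</script>' +
  '<a href="  JaVa\tscript:alert(Components.classes)">click me</a>' +
  '<img src="x" onerror="alert(2)">';
```

For bookmarks the same isSafeContentUrl() check belongs at the point where the browser stores the bookmark, which is what the Mozilla bug on disallowing bookmarking of javascript: URLs (see References) eventually did for Firefox; rejecting relative URLs is a deliberate choice for feed content and bookmark targets, both of which should be absolute anyway.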
DEMO – XCS via bookmarks in Opera and Firefox

Brendan Eich, 2005: "There's nothing wrong with using javascript: URLs in chrome. What's good for content is good for chrome, often enough."

Conclusions

 Disclosure fail
    Some browser vendors still do not understand how reporting and security disclosure works
 Bug complexity vs. impact
    Injection bugs are simple but the impact can be significant
    No need to find memory corruption bugs to achieve code execution
 Delegated security
    Presenting browsers as "as secure as IE or Chrome" gives a false sense of security to end users

Special thanks

 Blair Strang
 Thanks to the SA team for inspiration
 Advisories and exploit code for today's demonstrations will be released in the near future
 Thanks for coming along, and enjoy the rest of the con
 If you have questions, come find us later on!
 Roberto Suggi Liverani – @malerisch – http://blog.malerisch.net
 Scott Bell – scott.bell@security-assessment.com
References

 cross_fuzz
    http://lcamtuf.coredump.cx/cross_fuzz/
    http://lcamtuf.blogspot.co.nz/2011/01/announcing-crossfuzz-potential-0-day-in.html
 Firefox Use-after-free
    http://www.mozilla.org/security/announce/2012/mfsa2012-12.html
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0454
    https://bugzilla.mozilla.org/show_bug.cgi?id=684555
 Firefox nsIScriptableUnescapeHTML CVE
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1585
 Opera Use-After-Free
    http://malerisch.net/docs/advisories/opera_use_after_free_crash_poc.html
 Cross Context Scripting in Firefox addons
    http://malerisch.net/docs/cross_context_scripting/Cross_Context_Scripting_with_Firefox.html
 Exploiting Firefox Extensions
    http://www.slideshare.net/robertosl81/exploiting-firefox-extensions
 WizzRSS – Security Advisory
    http://www.security-assessment.com/files/advisories/WizzRSS_Firefox_Extension_Privileged_Code_Injection.pdf
 Opera fail
    José Antonio Vázquez (@0xde1) – http://www.enred20.org/node/27
    http://my.opera.com/securitygroup/blog/2011/10/19/about-the-svg-font-manipulation-vulnerability-that-was-fixed-in-11-52#comments
 Spoof Status Bar
    https://bug338459.bugzilla.mozilla.org/attachment.cgi?id=222524
 Don't allow bookmarking an evaluated+loaded javascript: URL
    https://bugzilla.mozilla.org/show_bug.cgi?id=371179
 Opera Stored XSS
    http://seclists.org/fulldisclosure/2008/Oct/394
 Avant Forum Contact
    http://forum.avantbrowser.com/viewtopic.php?f=21&t=31119&p=182724&hilit=report+security#p182724
 Heap Spraying Demystified
    https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/
 Blog – Roberto Suggi Liverani
    http://blog.malerisch.net/
 Twitter account – @malerisch
    https://twitter.com/malerisch
 Security-Assessment.com Research
    http://www.security-assessment.com/page/archive.htm
 Nick Freeman – Publications
    http://atta.cked.me/publications