I'm in your browser, pwning your stuff

I'm in your browser, pwning your stuff! Attacking through Google Chrome extensions. Krzysztof Kotowicz


Security B-Sides Polska, 2012 https://github.com/koto/xsschef/ http://blog.kotowicz.net

Transcript of I'm in your browser, pwning your stuff

Page 1: I'm in your browser, pwning your stuff

I'm in your browser, pwning your stuff!

Attacking through Google Chrome extensions

Krzysztof Kotowicz

Page 2: I'm in your browser, pwning your stuff

/whoami

• IT security consultant @ SecuRing

• Web security research (BlackHat, BruCON, Confidence, ...)

• blog.kotowicz.net

• @kkotowicz

Page 3: I'm in your browser, pwning your stuff

Plan

• Why attack (through) Google Chrome extensions?

• How is it done?

• Can it be done more simply?

Page 4: I'm in your browser, pwning your stuff

Why?

Page 5: I'm in your browser, pwning your stuff

http://flic.kr/p/6xQTMD

Page 7: I'm in your browser, pwning your stuff

Same origin policy

• XSS - code execution within the victim's origin

• CSRF - performing an action on the victim's behalf with a request sent from the attacker's origin

    x = new XMLHttpRequest()
    x.open("POST", "//victim.pl")
    x.send("delete_account&id=1")

    "><script>alert(document.cookie)</script>

Page 10: I'm in your browser, pwning your stuff
Page 11: I'm in your browser, pwning your stuff

http://flic.kr/p/aqEx5Y

Page 13: I'm in your browser, pwning your stuff

Chrome extensions

• HTML5 applications

  • html, javascript, css

• Packaged into a .crx file

  • a signed zip

• Installed through the Chrome Web Store

  • or manually

Page 14: I'm in your browser, pwning your stuff

Rozszerzenia Chrome

• Permissions are declared in manifest.json

• Access to many powerful APIs

  • chrome.tabs

  • chrome.bookmarks

  • chrome.history

  • chrome.cookies

  • NPAPI plugins

Page 15: I'm in your browser, pwning your stuff

Rozszerzenia Chrome

• Extensions are HTML applications

• The same classes of vulnerabilities apply

  • including XSS

Page 16: I'm in your browser, pwning your stuff

Rozszerzenia Chrome

• XSS in an extension can mean

  • UXSS

  • access to the URL history

  • read/write access to cookies

  • access to files

  • arbitrary code execution

Page 17: I'm in your browser, pwning your stuff
Page 18: I'm in your browser, pwning your stuff

How?

Pages 19-33: architecture diagram, built up one box at a time across the slides. Boxes: view.html, content script.js, the page DOM with the page's own js.js, background.js, and the chrome.* API (cookies, history, tabs, plugins, ...). Labels on the connections: content script and DOM: getElementById(), createElement(), innerHTML; content script and background.js: chrome.extension.sendRequest; background.js and the chrome.* API; chrome.tabs.executeScript.

Page 34: I'm in your browser, pwning your stuff

Vulnerabilities

Page 35: I'm in your browser, pwning your stuff

XSS in the content script

• the content script receives data

  • from the view

  • from the DOM

• and inserts it into the DOM without escaping

Pages 36-38: the architecture diagram again, with the same boxes and labels as on pages 19-33 (view.html, content script.js, DOM, background.js, chrome.* API, js.js; getElementById(), createElement(), innerHTML; chrome.extension.sendRequest).

Page 39: I'm in your browser, pwning your stuff

XSS in the content script

• Consequences:

  • access to the DOM

  • unrestricted XHR

DEMO - zzzap-it

    // tab.url and tab.title come from the visited page; replace() with a
    // string pattern escapes only the first quote in each of them
    chrome.tabs.executeScript(null, {
      code: "(" + funcLaunchZzzapIt.toString() + ")('"
          + tab.url.replace("'", "\\'") + "', '"
          + tab.title.replace("'", "\\'") + "', 'open')"
    });
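The demo code above splices tab.url and tab.title, both chosen by the visited page, into JavaScript source, and String.prototype.replace with a string pattern escapes only the first quote. As an added example (not from the deck or from zzzap-it), that builder is set beside one that serialises the arguments with JSON.stringify, and each is checked by round-tripping a title through the generated code; launchStub stands in for funcLaunchZzzapIt and the sample titles are constructed.

```javascript
// Added example: generating injected code from page-controlled tab data.
// launchStub stands in for the extension's funcLaunchZzzapIt (assumption).
function launchStub(url, title, mode) {
  return { url: url, title: title, mode: mode };
}

// Builder as in the demo: replace() with a string pattern escapes only the
// FIRST single quote, so a second quote, a backslash or a newline in the
// title changes or breaks the generated code.
function buildCodeUnsafe(fn, url, title) {
  return "(" + fn.toString() + ")('" + url.replace("'", "\\'") + "', '" +
         title.replace("'", "\\'") + "', 'open')";
}

// Hardened builder: the arguments are emitted as one JSON array literal,
// which is valid JavaScript whatever quotes or control characters they hold.
function buildCodeSafe(fn, url, title) {
  return "(" + fn.toString() + ").apply(null, " +
         JSON.stringify([url, title, "open"]) + ")";
}

// Evaluates the generated source (standing in for chrome.tabs.executeScript)
// and reports whether url and title arrive unchanged. A parse error or a
// modified value means the page influenced the code that ran.
function roundTrips(builder, url, title) {
  const code = builder(launchStub, url, title);
  try {
    const result = new Function("return " + code)();
    return result.url === url && result.title === title;
  } catch (e) {
    return false;
  }
}

// Constructed sample inputs: a harmless title and three a page might carry.
const SAMPLE_URL = "https://example.test/page";
const TITLES = ["Hello", "Rock 'n' Roll", "back\\slash", "line\nbreak"];

// One boolean per sample title; only the hardened builder passes them all.
function runChecks(builder) {
  return TITLES.map(function (t) { return roundTrips(builder, SAMPLE_URL, t); });
}
```

Injecting a fixed script file and handing it the data with chrome.tabs.sendMessage avoids generating code from page data at all.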

Page 40: I'm in your browser, pwning your stuff

XSS in the view

• the content script takes data from the page DOM

• sends it to the view

• the view displays it without escaping

Pages 41-43: the architecture diagram again, with the same boxes and labels as on pages 19-33 (view.html, content script.js, DOM, background.js, chrome.* API, js.js; getElementById(), createElement(), innerHTML; chrome.extension.sendRequest).

Page 44: I'm in your browser, pwning your stuff

XSS in the view

• Consequences

  • persistence in the background becomes possible

  • access to the chrome.* API (limited by the declared permissions)

    <link rel="alternate" type="application/rss+xml" title="hello <img src=x onerror='payload'>" href="/rss.rss">

DEMO - Slick RSS: feed finder

Page 45: I'm in your browser, pwning your stuff

Vulnerabilities in NPAPI plugins

• Content from the page reaches the view

• The view passes it on to the NPAPI plugin

• A vulnerability in the plugin is triggered

Pages 46-49: the architecture diagram with an NPAPI box added (view.html, content script.js, DOM, background.js, chrome.* API, js.js, NPAPI; getElementById(), createElement(), innerHTML; chrome.extension.sendRequest).

Page 50: I'm in your browser, pwning your stuff
Page 51: I'm in your browser, pwning your stuff

Vulnerabilities in NPAPI plugins

• Example: cr-gpg 0.7.8

    // peopleToSendTo arrives from the page through the view and is appended
    // to the cmd.exe command line unquoted and unvalidated
    string cmd = "c:\\windows\\system32\\cmd.exe /c ";
    cmd.append(gpgFileLocation);
    cmd.append("-e --armor");
    cmd.append(" --trust-model=always");
    for (unsigned int i = 0; i < peopleToSendTo.size(); i++) {
        cmd.append(" -r");
        cmd.append(peopleToSendTo.at(i));
    }
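In cr-gpg 0.7.8 the recipient addresses originate in the page, pass through the view and are appended unquoted to a cmd.exe command line. The lasting fix belongs in the plugin (start gpg.exe with an argument vector, not through a shell string); the added example below, which is not cr-gpg code, adds a defence-in-depth check in the view so that only plain e-mail addresses are admitted before the list reaches the plugin, and plugin.encrypt is an assumed stub for the native call.

```javascript
// Added example: allowlist recipients in the extension view before they are
// handed to a native (NPAPI) plugin that builds a shell command from them.

// Deliberately narrow address shape: local part and dotted domain from a small
// character set. Spaces, quotes and cmd.exe metacharacters (& | < > ^ %) are
// never matched, and neither are display-name forms like "Carol <c@x.test>".
const RECIPIENT_RE = /^[A-Za-z0-9._+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/;

function isSafeRecipient(addr) {
  return typeof addr === "string" && addr.length <= 254 && RECIPIENT_RE.test(addr);
}

// Returns a copy of the list, or throws so that the caller never forwards a
// partially filtered list to the plugin.
function validateRecipients(list) {
  if (!Array.isArray(list)) throw new TypeError("recipients must be an array");
  const bad = list.filter(function (a) { return !isSafeRecipient(a); });
  if (bad.length > 0) throw new Error("rejected recipient(s): " + JSON.stringify(bad));
  return list.slice();
}

// plugin.encrypt is an assumed stub for the native call; the real cr-gpg
// interface differs. The plugin itself should still pass an argument vector
// to gpg.exe rather than composing a cmd.exe string.
function encryptViaPlugin(plugin, recipients, text) {
  return plugin.encrypt(validateRecipients(recipients), text);
}

// Constructed inputs for the self-check below.
const GOOD = ["alice@example.test", "bob.smith+gpg@mail.example.test"];
const BAD = ["alice@example.test", "Carol <carol@example.test>"];

// True when the plain addresses are forwarded and the list containing a
// display-name form is refused as a whole.
function selfCheck() {
  const fakePlugin = { encrypt: function (r, t) { return { recipients: r, text: t }; } };
  const accepted = encryptViaPlugin(fakePlugin, GOOD, "hello").recipients.length === 2;
  let rejected = false;
  try { encryptViaPlugin(fakePlugin, BAD, "hello"); } catch (e) { rejected = true; }
  return accepted && rejected;
}
```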

Pages 52-63: the architecture diagram with NPAPI, cmd.exe and gpg.exe boxes added (view.html, content script.js, DOM, background.js, chrome.* API, js.js, NPAPI, cmd.exe, gpg.exe; getElementById(), createElement(), innerHTML; chrome.extension.sendRequest).

Page 64: I'm in your browser, pwning your stuff

Simpler?

Page 65: I'm in your browser, pwning your stuff

• alert(1) - and what then?

• A tool for automation is needed

• Like BeEF, but for exploiting Chrome extensions

http://www.flickr.com/photos/josephwuorigami/3165180003/

Page 66: I'm in your browser, pwning your stuff
Page 67: I'm in your browser, pwning your stuff

Exploitation

• Monitoring tabs

• Executing JS in every tab

• Extracting HTML

• Reading/writing cookies

• Manipulating the history

• Proxy settings

Page 68: I'm in your browser, pwning your stuff

Starting the server

    $ php -v
    PHP 5.3.12 (cli) (built: Jun 7 2012 22:49:42)
    Copyright (c) 1997-2012 The PHP Group
    Zend Engine v2.3.0, Copyright (c) 1998-2012 Zend Technologies
        with Xdebug v2.2.0, Copyright (c) 2002-2012, by Derick Rethans

    $ php server.php 2>command.log
    XSS ChEF server
    by Krzysztof Kotowicz - kkotowicz at gmail dot com

    Usage: php server.php [port=8080] [host=127.0.0.1]
    Communication is logged to stderr, use php server.php [port] 2>log.txt
    2012-07-22 12:40:06 [info] Server created
    2012-07-22 12:40:06 ChEF server is listening on 127.0.0.1:8080
    2012-07-22 12:40:06 [info] [client 127.0.0.1:60431] Connected
    2012-07-22 12:40:06 [info] [client 127.0.0.1:60431] Performing handshake
    2012-07-22 12:40:06 [info] [client 127.0.0.1:60431] Handshake sent
    2012-07-22 12:40:06 New hook c3590977550 from 127.0.0.1...

Page 69: I'm in your browser, pwning your stuff

Hook code

Page 70: I'm in your browser, pwning your stuff

Console

Page 71: I'm in your browser, pwning your stuff

Session selection

Page 72: I'm in your browser, pwning your stuff

Payloads

Page 73: I'm in your browser, pwning your stuff

Screenshots

Page 74: I'm in your browser, pwning your stuff