Security researcher finds 'cookiejacking' risk in IE 報告者：劉旭哲

Rosario Valotta (Italy) 在本月於瑞士及阿姆斯 特丹舉辦的資安會議上展示研究發現 – Could enable hackers to steal cookies from a PC and then log onto password-protected Web sites. – Internet Explorer – 社群網路 – Cookiejacking

Overview IE security zones – IE have 5 default zone: ( 特權高至低 ) Local Machine Zone Local Intranet Zone Trusted Sites Zone Internet Zone Restrited Sites Zone

If Web page want to access local machine file, it will. So it should be impossible for a web content to access local machine files.

So, how to “Cookiejacking” ? 1.Load cookie file to iframe 2.Find a way to access cookie 3.Guess Victim’s Username 4.Guess Victim’s OS

2.Find a way to access cookie: Use Javascript – Same Origin Policy will block any programmatic access to a local iframe content from web domains Use Clickjacking – Iframes overlapping » Iframe properly positioned – CSS opacity » Iframe made invisible – User clicks “hijacked” Advanced Clickjacking – content extraction

Content extraction: 1.Third party iframe is positioned on the start point of the selection (A) 2.The victim starts to select content (e.g. text or html) 3.Third party iframe is positioned on the end point of the selection (B) 4.The victim stops selecting 5.Third party iframe is positioned somewhere between A and B 6.The victim drags the selected content into an attacker controlled iframe

VIDEO Information that attacker wanted 欺騙受害者的圖片 ( 球 ) 受害者試圖把球拖到籃框實際上是選擇了攻擊者要的文字 攻擊者控制的 iframe

3.Guess Victim’s Username file:///C:/Documents and Settings/ Username /Cookies/ The path of the cookie folder depends on the username currently logged on IE supports access to file system objects on SMB shares – Uses UNC (Universal Naming Convention) paths to reference them – Can be used without restrictions inside web pages in the Internet zone or above

Access a img file: – force victim's browser to retrieve a resource like – it will start a NTLM challenge-response negotiation with the remote server – as a part of this negotiation, it sends Windows Username in clear plain text – Attacker only use a script to sniff data on TCP port 445 in order to grab the username.

4.Guess Victim’s OS The OS version can be retrieved through a little JS: – XP = navigator.userAgent.indexOf("Windows NT 5.1"); – Vista= navigator.userAgent.indexOf("Windows NT 6.0"); – Win7= navigator.userAgent.indexOf("Windows NT 6.1"); Different OSs store cookies in different paths: – Windows XP  » C:/Documents and Settings/user/Cookies/ – Vista and 7  » C:/Users/user/AppData/Roaming/Microsoft/Windows/Cookies /Low/ Only define iframes to load valid cookies (1 iframe loads 1 cookie)

Cookiejacking DEMO VideoVideo

Conclusion Allows an attacker to steal session cookies, no XSS needed Web site independent: it’s a browser flaw No clickjacking, no cookiejacking Valotta 實驗結果： – Facebook with 150 friends. – got above 80 cookies in 3 days But Microsoft consider ： – 仰賴相當程度的互動 ( 欺騙 + 拖曳 ) ，因此認為用戶 受攻擊可能性不大

Reference html?part=rss&tag=feed&subj=News- Security html?part=rss&tag=feed&subj=News- Security