Saturday, November 24, 2012

The end of Windows sidebar gadgets



So... after doing the con-tour at Blackhat, Defcon, Brucon and BsidesPDX
(which was AWESOME!!! btw)
It is time to summarise it all and share the knowledge. Below are the links and a short description of each of the relevant files.


  1. Demo Proxy code - Source code for the simple HTTP Python proxy, modified to intercept clear-text JS requests and replace them with a custom payload. Link to the file holding the decoded payloads, which makes it easy to understand quickly.
  2. Demo gadgets - These are not zipped files; they are the actual folders of the gadgets as they appear in the Windows file system. To install a gadget, download the folder, zip it, rename it to '.gadget' and double-click it.
The interesting technical part is located in gadget.html; that's where the code resides.

  • Gmail demo gadget - Gadget that opens a Gmail URL, assuming the user never logs out; the gadget then uses keyboard shortcuts to send an email to all the user's contacts.
  • Wire transfer demo gadget - Gadget that opens a URL to a demo web page of a banking web site. The assumption here is that the user stores their credentials in the browser, leaving the gadget to simply hit 'Enter' and log in. Look in gadget.html to see the commented source code.
  • Open calc gadget - This one opens the calculator just by sending keystrokes to the OS. Take a look in gadget.html for a giggle :)

Tuesday, July 10, 2012

XSS in iPhone iOS

I am going to share my thoughts on an XSS vulnerability I discovered in Apple iPhone iOS.


Question: What is the "Content-Disposition" header in an HTTP response?
Answer: Simply put, it tells your browser what kind of content it is receiving so it can choose how to handle displaying it.
For example:
    Content-Disposition: attachment;filename="test.html";filename*=UTF-8''test.html
which means that the server is telling the client: "Yo! Here is that thing you requested, by the way... it is a file"



Now, back on topic:

iPhone iOS Safari will ignore the Content-Disposition header and display the content if it is clicked. To show this in a POC I created a file called:
test.pleasedonttouchme
and I emailed it to myself. When I opened the attachment in my iPhone's Safari, the server told the iPhone that this is a file and not an HTML page, but the Safari app still opened the file as HTML, and here is the picture:

At first I thought this might be a Google bug, but no, Google servers send this header in the response:
Content-Disposition: attachment; filename="test.pleasedonttouchme"

which means that the receiving application should handle this content as type "pleasedonttouchme", but instead it is handling it as if it were HTML.

But wait!
There is more...

When googling for similar CVEs I found this:
and in that page you can see this interesting piece of data:
Safari
Available for: iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad
Impact: Opening maliciously crafted files on certain websites may lead to a cross-site scripting attack
Description: iOS did not support the 'attachment' value for the HTTP Content-Disposition header. This header is used by many websites to serve files that were uploaded to the site by a third-party, such as attachments in web-based e-mail applications. Any script in files served with this header value would run as if the file had been served inline, with full access to other resources on the origin server. This issue is addressed by loading attachments in an isolated security origin with no access to resources on other sites.
CVE-ID
CVE-2011-3426 : Christian Matthies working with iDefense VCP, Yoshinori Oota from Business Architects Inc working with JP/CERT
OK, cool, this is exactly what I am talking about... but wait... I am using iOS 5.1.1 and this is relating to iOS 5... wait... what???
I have verified this on all iOS versions from 4.2.1 up to 5.1.1 (not iOS 6 beta yet).
The end.
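
Because a client may ignore `attachment`, as this post describes, a server that serves third-party uploads should not rely on that header alone. The check below is an added example, not code from the original post; the function name, the set of headers it looks for and the sample responses are assumptions made for illustration.

```python
# Media types a browser may run script from when the body is rendered inline.
SCRIPT_CAPABLE = {"text/html", "application/xhtml+xml", "image/svg+xml",
                  "text/xml", "application/xml"}


def audit_attachment_headers(headers):
    """Return findings for a response that serves an untrusted, user-uploaded file."""
    h = {name.lower(): value.strip() for name, value in headers.items()}
    findings = []

    disposition = h.get("content-disposition", "").split(";", 1)[0].strip().lower()
    if disposition != "attachment":
        findings.append("Content-Disposition is not 'attachment'")

    # A client that ignores the disposition falls back on the media type,
    # so the type itself must not be one that runs script.
    media_type = h.get("content-type", "").split(";", 1)[0].strip().lower()
    if not media_type or media_type in SCRIPT_CAPABLE:
        findings.append("Content-Type is missing or script-capable")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff is missing")

    # CSP 'sandbox' places the document in a unique origin unless
    # allow-same-origin is granted.
    directives = [d.split() for d in h.get("content-security-policy", "").lower().split(";")]
    sandbox = next((d for d in directives if d and d[0] == "sandbox"), None)
    if sandbox is None:
        findings.append("Content-Security-Policy has no sandbox directive")
    elif "allow-same-origin" in sandbox:
        findings.append("CSP sandbox grants allow-same-origin")
    return findings


# Constructed sample responses. AS_OBSERVED carries only the header quoted in the post.
AS_OBSERVED = {"Content-Disposition": 'attachment; filename="test.pleasedonttouchme"'}
HARDENED = {
    "Content-Disposition": 'attachment; filename="test.pleasedonttouchme"',
    "Content-Type": "application/octet-stream",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "sandbox",
}

if __name__ == "__main__":
    for name, resp in (("as observed", AS_OBSERVED), ("hardened", HARDENED)):
        print(name, audit_attachment_headers(resp))
```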

Monday, May 7, 2012

Python proxy - Custom reply to requests with pattern in headers

I have been doing some research and I needed to reply to certain requests for specific domains in a constant and certain way. What I normally did was use ZAP or Fiddler to MitM the requests and reply with my own self-modified requests, but I quickly got tired of the manual Sisyphean work and decided to look for a simple, thin and limber proxy I could modify for my own use.

And so I googled and came across this: Simple python http proxy post by Mitko Haralanov. The post mentions that it is based on Suzuki Hisao's Tiny HTTP Proxy. (I hope I didn't miss anyone, they deserve credit.)
Anyway, as I was saying, I found this piece of Python code and hacked it to deliver specific responses to specific requests.

And then I thought: "Well, I can make this a little bit more generic for others to use"

and so I did :)

Here is the python script:  TinyHTTPProxy.py

And here is the config file: Config.xml

How to use:
(It is extremely simple to use, so just run it and you will figure it out.)
- First: edit the config.xml file (it needs to be in the same dir as the .py file). The only thing I need to say is that the response part of the XML is the response, so you need to place it there with "\r\n" as needed.

Example XML:
    <attack lookInRequestForThis="www.google.co.il" replyWithThis="\r\nKAKA\r\n"/>

What this means is that the proxy will look for the "www.google.co.il" string in all of the request's headers (if it appears more than once, then the first occurrence will be identified). Once it is found, the proxy will reply with the response given in the "replyWithThis" attribute.

After you have configured the XML, you can run the proxy with the command line below as an example. Note that, for performance reasons, the XML is loaded when the proxy starts and not per request, so if you want to change the data on the fly you will need to stop and start the proxy.

command line to run it:
                 python TinyHTTPProxy.py -l proxy.log -i 10.0.0.1 -p 2222
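
The rule matching described above, as an added sketch that is not the code in TinyHTTPProxy.py: it loads the `<attack>` rules once at start-up and returns the reply of the first rule whose string occurs in the request headers. The `<config>` root element, the function names, the second sample rule and the decoding of literal `\r\n` sequences are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample config. The <config> root element is an assumption;
# the <attack> element and its two attributes are the ones shown in the post.
SAMPLE_CONFIG = r'''<config>
    <attack lookInRequestForThis="www.google.co.il" replyWithThis="\r\nKAKA\r\n"/>
    <attack lookInRequestForThis="example.test" replyWithThis="HTTP/1.1 200 OK\r\n\r\nstub"/>
</config>'''


def load_rules(xml_text):
    """Parse the config once, at start-up, into (needle, reply_bytes) pairs."""
    rules = []
    for node in ET.fromstring(xml_text).iter("attack"):
        needle = node.get("lookInRequestForThis")
        reply = node.get("replyWithThis")
        if not needle or reply is None:
            continue  # skip incomplete rules; an empty needle would match everything
        # Assumption: the attribute holds the two-character sequences \r and \n,
        # which are turned into real CR and LF here.
        reply = reply.replace("\\r", "\r").replace("\\n", "\n")
        rules.append((needle, reply.encode("latin-1")))
    return rules


def canned_reply(raw_headers, rules):
    """Return the reply of the first rule whose string occurs in the headers, else None."""
    text = raw_headers.decode("latin-1")
    for needle, reply in rules:
        if needle in text:
            return reply
    return None  # no rule matched: the request is forwarded as usual


RULES = load_rules(SAMPLE_CONFIG)

if __name__ == "__main__":
    request = b"GET http://www.google.co.il/ HTTP/1.1\r\nHost: www.google.co.il\r\n\r\n"
    print(canned_reply(request, RULES))
```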


Enjoy :)

Friday, March 9, 2012

MSRC patch Tuesday March 2012

Hi all,
In March 2012 Microsoft patched 2 vulnerabilities I discovered, one in Visual Studio and the other in Microsoft Expression Blend.

Now, before I begin diving into the technical side of things, let me give you some background on why I took a look into MS products.
It is actually quite funny and childish, but it makes me smile so I'll share it anyway :)
Last August I had the fortune of attending Black-hat and Defcon. During my tour of the booths at Black-hat I stumbled upon the Microsoft booth and had a very nice chat with the nice folks over there, during which I learned that Microsoft has an annual party that they throw at Black-hat, so I was thinking => I want to go to that party, after all I am a nice guy and I like parties so I'll ask for a ticket.
But I didn't get an invite... turns out you need to find a security vulnerability in one of Microsoft's products to get into that party.

Challenge accepted :)


Now let us dive a bit into the technical, shall we? :)
(I will be talking about http://technet.microsoft.com/en-us/security/bulletin/ms12-mar )

I will start with Bulletin 5
(Microsoft Expression Design), which I personally am not too proud of finding, since it was way too easy to find; total effort was like 30 minutes late at night, including the email to Microsoft.
Back on topic then: this bulletin is classified as "Remote Code Execution"; a more low-level description would be "DLL Hijacking".
For those who don't know what "DLL Hijacking" is, here is a quick intro:
Sometimes an application needs to load libraries to handle the opening of a file. For example, a file that has a file association set in the Windows operating system will be opened with a predefined application, whether it is in a local folder on the user's hard drive or on a network location.
These libraries are sometimes libraries that are installed in the operating system when the user first installs a program. Now, if the developer of that app did not follow Microsoft's guidelines and did not follow the steps at: http://technet.microsoft.com/en-us/security/advisory/2269637 the application is vulnerable to remote code execution attacks via DLL Hijacking.

Now back to the bulletin:
When opening specific files with Microsoft Expression Blend from a network location, a certain DLL is called first at the network location, allowing an attacker to do what they want on the user machine.
(I wanted to specify the DLL name but it is late and I am too lazy to dig for the original mail I sent to MS)

Now to my favorite: Bulletin 4
MSRC has this under "Elevation of Privilege"
(I will be talking about VS2008; VS2010 does not have this vulnerability manifesting the same way)
This is similar to the concept of DLL Hijacking, only this time the thing being "hijacked" is a Visual Studio add-in.
Yes, a malicious add-in for your Visual Studio! (me thinks it is cool)
How does this happen?
Simple: when a developer opens specific files associated with Visual Studio (there are plenty), Visual Studio will load first, and only after the development environment has loaded will it load the specified file.
The magic happens when Visual Studio loads, because when it does it will load its add-ins from that network location. Yes... every time a VS2008 instance opens a file from a network location, it looks for add-ins in that location first before rolling back to the default location on the user's hard drive.
Under VS2008 you can just put any add-in you like there and the development environment will load it and list it as one of the add-ins; this does not affect VS2010.
In VS2010 there is a predefined list of add-ins. I did not research this any further, simply because I still have a day job and all this was done on my own time. And yes, I do have a life, so research_time--;
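
Both bulletins above come down to code being looked up on the network location a file was opened from. As an added example (not from the original post), this is one way to audit a Procmon CSV export of your own application for library probes and loads on UNC paths; the function names and every row of the sample trace are constructed.

```python
import csv
import io

# Constructed Procmon-style CSV export using the default column names; all rows are made up.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","app.exe","4242","CreateFile","\\fileserver\share\project\helper.dll","NAME NOT FOUND","Desired Access: Read"
"10:01:02.2","app.exe","4242","CreateFile","C:\Windows\System32\helper.dll","SUCCESS","Desired Access: Read"
"10:01:03.0","app.exe","4242","Load Image","\\fileserver\share\project\plugin.dll","SUCCESS","Image Base: 0x10000000"
"10:01:04.0","app.exe","4242","ReadFile","\\fileserver\share\project\drawing.design","SUCCESS","Length: 4096"
'''


def is_remote(path):
    """True for UNC paths (\\\\server\\share\\...). Mapped drive letters cannot be
    recognised from the path alone and are not covered here."""
    p = path.upper()
    if p.startswith("\\\\?\\"):  # extended-length prefix: remote only as \\?\UNC\
        return p.startswith("\\\\?\\UNC\\")
    return p.startswith("\\\\")


def network_library_lookups(csv_text, extensions=(".dll",)):
    """Return (process, operation, path, result) for library probes or loads on remote paths."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] not in ("CreateFile", "Load Image"):
            continue
        path = row["Path"]
        if not path.lower().endswith(tuple(extensions)) or not is_remote(path):
            continue
        # NAME NOT FOUND still matters: the application asked the share for
        # the file, so whoever controls the share can supply one.
        hits.append((row["Process Name"], row["Operation"], path, row["Result"]))
    return hits


if __name__ == "__main__":
    for hit in network_library_lookups(SAMPLE_CSV):
        print(hit)
```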

Conclusion:
To sum things up, I am not proud of finding the DLL Hijacking vulnerability, simply because any kid with a Windows box and Sysinternals Procmon could find it and exploit it.
The one I am really proud of is the VS vulnerability, not because of "how" I found it, but simply because I had to sit down and code a VS add-in that will pop a "PWND" message-box; it was a quick and interesting challenge :)

P.S.
When I say "Proud" I don't mean "first born proud", just proud of the completion of a challenge :)