1 / 33

Crossing Origins by Crossing Formats

Crossing Origins by Crossing Formats. Jonas Magazinius, Andrei Sabelfeld – Chalmers University of Technology Billy K. Rios – Cylance Inc . About. PhD Student, Chalmers until Nov 1st then Dr. Magazinius Securing the mashed up web 10:00 HA4 – Hörsalsvägen , Chalmers

carson
Download Presentation

Crossing Origins by Crossing Formats

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Crossing Origins by Crossing Formats Jonas Magazinius, Andrei Sabelfeld – Chalmers University ofTechnology Billy K. Rios – CylanceInc.

  2. About • PhD Student, Chalmers • until Nov 1st then Dr. Magazinius • Securing the mashed up web • 10:00 HA4 – Hörsalsvägen, Chalmers • Co-leaderof OWASP Gothenburg • Part of Cure53 • @internot_ • Father– as someofyoumightremember

  3. Language-based security • Using programming language theory for finding and mitigating security vulnerabilities • Static vs. dynamic analysis • Information-flow monitoring • Declassification • Decentralized • Crossing origins by crossing formats • Byproduct of research • Joint work with Billy K. Rios • Greatly inspired by the work of Julia Wolf

  4. Background • GIFAR – content smuggling attack • Billy Rios (@XSSniper), Petko D. Petkov (@pdp) • Attacker uploads GIF/JAR file • Cross-origin CSS attack • Chris Evans (@scarybeasts) et al. • Attacker injects fragments of CSS into HTML • Content-typesniffing attacks • Adam Barth (@adambarth) et al. • Attacker uploads PS/HTML file

  5. Things in common… • … mixing formats • … re-interpretation of the content

  6. Polyglot • Definition: • ”…a person who speaks several languages.” • ”…a program that is valid in multiple programming languages.” • Content that can be interpreted as multiple formats • Example 1 – HTML / JavaScript • data:text/html,alert('<script src="%23"></script>') • Example 2 – C / Pascal / PostScript / TeX / Bash / Perl / Befunge98 • (*a/*/ % #)(PostScript)/Helvetica 40 selectfont 9 400 moveto show%v"f"a0 true showpage quit%#) 2>/dev/null;echobash;exit #*/);int main()/*>"eb"v %a*0)unless print"perl\n"__END__*/{printf("C\n");/*>>#;"egnu">:#,_@;,,,< *)begin writeln(*\output={\setbox0=\box255}\eject\shipout\hbox{\TeX}\end *)('pascal');end.{*/return 0;}

  7. Malicious Polyglots • Two formats (or more) • One benign • One malicious • GIFAR – GIF/JAVA • Cross-origin CSS – HTML/CSS • Content-type sniffing – PS/HTML • Preferred format characteristics • Widespread, commonly used format • Error tolerant parsing, or other ways to hide foreign syntax • Cross-origin communication

  8. Polyglot attacks • Infiltrate • Syntax injection – Cross-origin CSS attack • Content smuggling – GIFAR • Embed • Context based re-interpretation • The content-type provided by the server is overridden • Tags that allow re-interpretation of content: • CSS – <link>-tag • Java – <applet>-tag • Content sniffing – <iframe>-tag • <object> and <embed> allows arbitrary interpretation based on type attribute

  9. Attack vectors – Syntax injection • A vulnerable webservice reflects parameters into content • Fragments of syntax is injected resulting in a polyglot • Polyglot is embedded under the origin of the attacker • The polyglot has origin of, and can communicate with vulnerable service • Visitors of the attackers domain are exploited • Known attack instances • Cross-origin CSS attack • (Cross-site scripting) vulnerable.com (1) (2) attacker.com (3) (4)

  10. Attack vectors – Content smuggling • A vulnerable webservice allows users to upload content • Attacker uploads a polyglot to the vulnerable origin • Polyglot is embedded under the origin of the attacker • The polyglot has origin of, and can communicate with vulnerable service • Visitors of the attackers domain are exploited • Known attack instances • GIFAR • Content sniffing attack vulnerable.com (2) (3) attacker.com (4) (5) (1)

  11. Payloads – Exploiting the origin • Cross-origin information leakage • Request sensitive user information • Leak to attacker across origins • Cross-site request forgery • Traditionally, issue requests with the credentials of the victim • Protect using tokens • Impact is far greater if it is possible to read the response • Extract token • Make request

  12. Portable Document Format • Display text • Render 2D/3D graphics • Animations • Forms • Launch commands (restricted) • Execute JavaScript • Embed Flash – just fantastic • Issue HTTP-request • With cookies!! • Standardized document format – ISO32000-1 • Container format • Embed related resources • Contain foreign syntax by design • Error tolerant parsing • Powerful capabilities

  13. DocumentStructure • Cross-reference xref 00000012 0000 n endxref • Trailer • startxref105 • trailer << /Root 1 0 R >> • %%EOF • Header %PDF-1.7 • Objects 1 0 obj<< /Length 14>>stream Contentstream endstream endobj

  14. Minimal PDF (accordingtoSpecification) 5 0 obj<< /Length 35 >>stream endstream endobj 6 0 obj[/PDF] endobj xref 0 7 0000000000 65535 f 0000000009 00000 n 0000000074 00000 n 0000000120 00000 n 0000000179 00000 n 0000000300 00000 n 0000000384 00000 n trailer<< /Size 7 /Root 1 0 R>> startxref 408 %%EOF %PDF-1.4 1 0 obj<< /Type /Catalog /Outlines 2 0 R /Pages 3 0 R >> endobj 2 0 obj<< /Type Outlines/Count 0>> endobj 3 0 obj<< /Type /Pages /Kids [4 0 R] /Count 1 >> endobj 4 0 obj<< /Type /Page /Parent 3 0 R /MediaBox [0 0 612 792] /Contents 5 0 R /Resources << /ProcSet 6 0 R >>>> endobj

  15. Minimal PDF (Accordingto Interpreter) Adobe Reader Google Chrome PDF Reader %PDF 1 0 obj<</Pages<<>>>> trailer<</Root 1 0 R>> …or evenshorter… %PDF trailer% 1 0 obj <</Root 1 0 R/Pages<<>>>> …or evenshorter… %PDF trailer<</Root% 1 0 obj<</Pages 1 0 R>> %PDF-1. trailer<</Root<</Pages<<>>>> …or executing JavaScript… %PDF-1. trailer<</Root<</Pages<<>> /OpenAction<</S/JavaScript /JS(app.alert(’PDF’))>> >>

  16. Error tolerant Parsing This text wouldalso be a valid %PDF-1. With the conditionthat the trailer %begins on a new line and thatthereisn’t <</too /much /garbage /in /Root<</Pages<<>>>> the dictionary.

  17. Communication • JavaScript • Inherits the originof the document • Uses the cookies of the browser • launchURL() – Redirects the browser • getURL() – Redirects the browser • submitForm() – POST request via the browser • XML ExternalEntity • Two-waycommunication • Patched in latest version of Adobe Reader (FINALLY) • PDF • URL Action – Redirects the browser • Embedded Flash • Inherits the originof the document • Two-waycommunication • Usesitsown set of cookies %PDF-1. trailer <</Root <</Pages<<>> /OpenAction <</S/URI/URI(javascript:alert(location))>> >>>>

  18. PDF polyglots Syntax injection Content smuggling • Mixes well with just about any format • Server can verify benign format • Impact • CSRF • Cross-origin leakage • Easy to inject • Token-set overlaps with HTML • Context dependent • Can extract sensitive information • CSRF protection token • User information • Impact • CSRF • Cross-origin leakage

  19. PDF-based Syntax injection attack

  20. PDF-based Content Smuggling Attack

  21. Potential targets Syntax injection Content smuggling • PDF as the malicious format • User provided contentofany kind • PDF as the benign format • CV database • Conference systems • Usersuppliedcontentreflected • XSS vulnerabilities • JSON • XML

  22. DEMO http://internot.noads.biz

  23. Evaluation • Syntax injection • Approach • Alexa top100 • Results • Content smuggling • Approach • Results • Responsible disclosure

  24. Alexa top100

  25. Mitigation approaches Forward notification approach • Determine context • Send expected content-type as header • Content-Type: application/pdf • Content-Type: image/* • Server decides whether content matches expected content-type • Gives server control the interpretation of contents • Error code (404, 500) • Alternate content

  26. MitigationApproaches Server side (application) Client side • Browser • Strictenforcementof server provided content-type • Disallowtype-attribute • Interpreter • Strict(er) parsing? • Limit communicationmethods • Syntax injection • Filtering? In general, no! • Content-smuggling • Serve content from a sandboxeddomain (googleusercontent.com)

  27. PDF mitigation approaches Server side Client side • Improvements in latest version • Matchingfirst bytes againstknowmagicvalues • Alreadyfound a bypass!  • Limit worstcommunicationmethod • Filtering • PDF tokens and keywords { <, >, trailer } • Content Security Policy • DO NOT!!!

  28. DO NOT!!! Content-Disposition: attachment; filename="fname.ext” Content-Type: application/octet-stream ”If this header is used in a response with the application/octet- stream content-type, the implied suggestion is that the user agent should not display the response, but directly enter a `save response as...' dialog.” • This is NOT respected by Adobe Reader

  29. Summary • Polyglot attacks – New breed of cross-origin attacks • Syntax injection • Content-smuggling • PDF-based polyglot attacks • Flexible error tolerant format • Powerful beyond necessity • Mitigation approaches • Forward notification approach • Specific approaches

  30. Thank you!

  31. Cross-origin CSS attack • Minimal amount of CSS-syntax injected in target HTML-page • {}#f{font-family:’ • … arbitrary HTML content … • ’} • Attacker uses HTML-page as style-sheet in his page • Victim visits attackers page • Attacker can extract the arbitrary content from imported style-sheet

  32. GIFar – Content smuggling attack • GIF-image • Parsed top-down, content after trailer ignored • JAR-file • Based on ZIP-archives • Parsed bottom-up, content before header ignored • GIF + JAR = GIFAR • copy /b benign.gif + malicious.jar gifar.gif • The GIFAR is uploaded to a vulnerable service, • The GIFAR is embedded from the vulnerable service on attackers page as an applet • Any visitor to the attackers page will execute the applet

  33. ContentSniffing attack • Browser performs content sniffing when server provides unknown content-type • Content is matched against a series of signtures • If a match is found the content is interpreted as the matched type • Attacker creates a “chameleon” file • Benign format + HTML • The file is crafted to match HTML signature • The chameleon is uploaded to a vulnerable service • The chameleon is embedded in an iframe on the attackers page • Any visitors will trigger the content sniffing and render the HTML

More Related