Logical Vulnerabilities in Web Browsers

Xiaoyin Liu Independent Security Researcher

Moscow, 18 June 2019

1 About Me

• Independent bug bounty hunter • Graduated from University of North Carolina at Chapel Hill, United States • Recognized by Microsoft, Google, Tor Project, Alibaba and more • Areas of interest: Windows applications, web browsers

2 Outline

• Two bypasses of a fixed fingerprinting attack in Chrome • Microsoft Edge CSP bypass (CVE-2017-0135) • Brave Browser script blocker bypass (CVE-2018-1000815) • Tor Browser UI language fingerprinting vulnerability • Takeaways

3 Browser Fingerprinting Issues

• Fingerprinting is privacy issues • Some browser vendors, like Tor Browser, are more interested in fixing fingerprinting issues than Chrome, Firefox, Edge, etc. • Examples: HSTS super cookie, CSS Visited, etc.

4 Sniffly Attack

• Discovered by Yan Zhu in 2015 • Abusing HSTS/301 redirect and CSP to probe user’s browsing history • CVE-2016-1617

5 HTTP Strict Transport Security (HSTS)

• A browser security feature that enforces HTTPS for all connections for particular domains • Strict-Transport-Security: max-age=604800

6 Content Security Policy (CSP)

• Security feature to mitigate XSS attacks • Content-Security-Policy: script-src 'self' www.google.com; img-src 'self'; default-src 'none’ • CSP is also used to enable other security features, like Upgrade Insecure Requests

7 How Sniffly Works

• Attacker embeds an image tag • Attacker knows that example.com is either a HSTS domain or 301 redirects to HTTPS • If a visitor has never visited http://example.com:

https://github.com/diracdeltas/sniffly 8 • If a visitor has visited http://example.com:

9 • If we can time how long it takes to receive the redirect response, we can distinguish if it’s an in-browser redirect or a network redirect • Use CSP to allow http requests but block https requests: • Content-Security-Policy: img-src http://example.com

10 • If the error event is triggered within a threshold (10ms), it’s an internal redirect. Then this URL has been visited before; otherwise, it has not been visited.

11 The Code Snippet of the Patch

https://github.com/chromium/chromium/commit/568075bbc5d16239a5cbdeb579a8768f9836f13e

12 • Content-Security-Policy: img-src http://example.com now matches both http://example.com and https://example.com

13 Bypassing the Fix

• The code only considers the protocol, not port • Consider this CSP rule: Content-Security-Policy: img-src http://example.com:80 • Does it match https://example.com?

14 • It turns out this CSP matches http://example.com:80 and https://example.com:80 • It doesn’t match https://example.com:443 • So we can exploit Sniffly again! • CVE-2016-5137: https://bugs.chromium.org/p/chromium/issues/detail?id=625945 • CVE-2016-9071: https://bugzilla.mozilla.org/show_bug.cgi?id=1285003 • $1000 bounty

15 Patch

https://github.com/chromium/chromium/commit/e6d181417ea462ac221d768c960a21018266a4a8

16 Change in CSP Specification

https://github.com/w3c/webappsec-csp/commit/22d08b990290e49f5a666fad08de16d75bb369e7 17 Second Bypass

• So far both attacks use CSP to block the redirect • Are there other ways to achieve the same? • Use Fetch API

18 Fetch API

19 Fetch API

20 Fetch API

• Reported in 2016. Not updated for more than 2 years. • Silently fixed in 2018. • In current Chrome, “no-cors” can’t be used together with “manual” redirect

21 Microsoft Edge CSP Bypass Vulnerability

22 CVE-2017-0135

• Inspired by paper “Abusing Internet Explorer 8's XSS Filters”, written by Eduardo Vela Nava and David Lindsay • How IE XSS Filter works: it checks if any URL parameter seems to be a XSS payload and then checks if the parameter is contained in HTML response • http://example.com/index.php?id= • If HTML body contains , then it’s changed to alert(1)

23 CVE-2017-0135

• What if it’s not a reflected XSS, but an expected JS code • E.g. example.com/index.php? • • Then jquery.js won’t load • Seems harmless?

24 CVE-2017-0135

• Abuse XSS Filter to disable CSP • • example.com/xss.html?

25 CVE-2017-0135

26 CVE-2017-0135

27 CVE-2017-0135

• Reported on December 2, 2016. Fixed on March 14, 2017. • Bounty: $1500 • Microsoft removed XSS Filter in Edge in October 2018 Update

28 Brave Browser Script Blocker Bypass Vulnerability

29 Brave Browser

• Brave Browser is a free and open sourced browser. • Brave Browser used to be based on Muon, which was based on Electron. It moved to a Chromium-based browser in late 2018. • Brave Browser has built-in HTTPS Everywhere and JavaScript blocker.

30 Brave Browser Script Blocker Bypass

• This vulnerability existed in the old Muon-based codebase. • This bypass abuses the fact that only external scripts are blocked, and inline scripts are not blocked. • Inspired by Tor Browser’s NoScript bypass vulnerability (CVE-2018- 16983) • Discovered in September 2018 by David Albert and me independently, and fixed in October 2018. • CVE-2018-1000815 • Bounty: $1000

31 Brave Browser Script Blocker Bypass

32 Brave Browser Script Blocker Bypass

33 Brave Browser Script Blocker Bypass

34 Tor Browser UI Language Fingerprinting Vulnerability

35 Tor Browser

• Tor Browser takes privacy and security very seriously • Tor Browser hides user’s IP address and tries to mitigate as many fingerprinting attacks as possible • E.g. Time zones, UI language, local ports shouldn’t be discoverable by websites

36 Tor Browser UI Language Detection Vulnerability

• When you open a non-English Tor Browser and visit any website for the first time, it asks if you want websites to know your UI language.

37 Tor Browser UI Language Detection Vulnerability

• Even if you choose “don’t send”, your UI language is still detectable • The trick is to use “button” with default text: • Different languages have different default text

• They have different width, which can be detected in JavaScript: getComputedStyle(button_element, null).getPropertyValue("width");

38 Tor Browser UI Language Detection Vulnerability

39 Tor Browser UI Language Detection Vulnerability

• Reported in October 2017 and fixed in August 2018. • https://hackerone.com/reports/282748 (already disclosed) • CVE-2019-12383 • Bounty: $200

40 Bypass of the First Fix

• The FTP directory UI is localized in Tor Browser • If ftp://example.com/poc/poc.html frames ftp://example.com/poc/, poc.html can read entire HTML source of ftp://example.com/poc/.

41 Bypass of the First Fix

42 Bypass of the First Fix

• Reported in May 2019. Not fixed yet. • https://trac.torproject.org/projects/tor/ticket/30427 • Bounty: $300

43 Conclusion

44 Takeaways

• Reading other researchers' bug reports, papers, and the patches really help you find new vulnerabilities. • Looking for corner cases that developers may neglect to handle correctly (e.g. explicit port, inline scripts, etc). • Security feature bypass is an interesting attack surface to explore.

45 References

• https://chromium.googlesource.com/chromium/src/+/master/do cs/security/faq.md • https://zyan.scripts.mit.edu/presentations/toorcon2015.pdf • https://bugs.chromium.org/p/chromium/issues/detail?id=544765 • https://bugs.chromium.org/p/chromium/issues/detail?id=625945 • https://fetch.spec.whatwg.org/ • http://p42.us/ie8xss/Abusing_IE8s_XSS_Filters.pdf • https://blogs.windows.com/windowsexperience/2018/07/25/ann ouncing-windows-10-insider-preview-build-17723-and-build-18204/

46 References

• https://twitter.com/Zerodium/status/1039127214602641409 • https://github.com/brave/browser-laptop/issues/15232

47 Q & A

• Thank you for your listening!

48