Logical Vulnerabilities in Web Browsers
Xiaoyin Liu Independent Security Researcher
Moscow, 18 June 2019
1 About Me
• Independent bug bounty hunter • Graduated from University of North Carolina at Chapel Hill, United States • Recognized by Microsoft, Google, Tor Project, Alibaba and more • Areas of interest: Windows applications, web browsers
2 Outline
• Two bypasses of a fixed fingerprinting attack in Chrome • Microsoft Edge CSP bypass (CVE-2017-0135) • Brave Browser script blocker bypass (CVE-2018-1000815) • Tor Browser UI language fingerprinting vulnerability • Takeaways
3 Browser Fingerprinting Issues
• Fingerprinting is privacy issues • Some browser vendors, like Tor Browser, are more interested in fixing fingerprinting issues than Chrome, Firefox, Edge, etc. • Examples: HSTS super cookie, CSS Visited, etc.
4 Sniffly Attack
• Discovered by Yan Zhu in 2015 • Abusing HSTS/301 redirect and CSP to probe user’s browsing history • CVE-2016-1617
5 HTTP Strict Transport Security (HSTS)
• A browser security feature that enforces HTTPS for all connections for particular domains • Strict-Transport-Security: max-age=604800
6 Content Security Policy (CSP)
• Security feature to mitigate XSS attacks • Content-Security-Policy: script-src 'self' www.google.com; img-src 'self'; default-src 'none’ • CSP is also used to enable other security features, like Upgrade Insecure Requests
7 How Sniffly Works
• Attacker embeds an image tag • Attacker knows that example.com is either a HSTS domain or 301 redirects to HTTPS • If a visitor has never visited http://example.com:
https://github.com/diracdeltas/sniffly 8 • If a visitor has visited http://example.com:
9 • If we can time how long it takes to receive the redirect response, we can distinguish if it’s an in-browser redirect or a network redirect • Use CSP to allow http requests but block https requests: • Content-Security-Policy: img-src http://example.com
10 • If the error event is triggered within a threshold (10ms), it’s an internal redirect. Then this URL has been visited before; otherwise, it has not been visited.
11 The Code Snippet of the Patch
https://github.com/chromium/chromium/commit/568075bbc5d16239a5cbdeb579a8768f9836f13e
12 • Content-Security-Policy: img-src http://example.com now matches both http://example.com and https://example.com
13 Bypassing the Fix
• The code only considers the protocol, not port • Consider this CSP rule: Content-Security-Policy: img-src http://example.com:80 • Does it match https://example.com?
14 • It turns out this CSP matches http://example.com:80 and https://example.com:80 • It doesn’t match https://example.com:443 • So we can exploit Sniffly again! • CVE-2016-5137: https://bugs.chromium.org/p/chromium/issues/detail?id=625945 • CVE-2016-9071: https://bugzilla.mozilla.org/show_bug.cgi?id=1285003 • $1000 bounty
15 Patch
https://github.com/chromium/chromium/commit/e6d181417ea462ac221d768c960a21018266a4a8
16 Change in CSP Specification
https://github.com/w3c/webappsec-csp/commit/22d08b990290e49f5a666fad08de16d75bb369e7 17 Second Bypass
• So far both attacks use CSP to block the redirect • Are there other ways to achieve the same? • Use Fetch API
18 Fetch API
19 Fetch API
20 Fetch API
• Reported in 2016. Not updated for more than 2 years. • Silently fixed in 2018. • In current Chrome, “no-cors” can’t be used together with “manual” redirect
21 Microsoft Edge CSP Bypass Vulnerability
22 CVE-2017-0135
• Inspired by paper “Abusing Internet Explorer 8's XSS Filters”, written by Eduardo Vela Nava and David Lindsay • How IE XSS Filter works: it checks if any URL parameter seems to be a XSS payload and then checks if the parameter is contained in HTML response • http://example.com/index.php?id= • If HTML body contains , then it’s changed to
23 CVE-2017-0135
• What if it’s not a reflected XSS, but an expected JS code • E.g. example.com/index.php? •
24 CVE-2017-0135
• Abuse XSS Filter to disable CSP • • example.com/xss.html?
25 CVE-2017-0135
26 CVE-2017-0135
27 CVE-2017-0135
• Reported on December 2, 2016. Fixed on March 14, 2017. • Bounty: $1500 • Microsoft removed XSS Filter in Edge in October 2018 Update
28 Brave Browser Script Blocker Bypass Vulnerability
29 Brave Browser
• Brave Browser is a free and open sourced browser. • Brave Browser used to be based on Muon, which was based on Electron. It moved to a Chromium-based browser in late 2018. • Brave Browser has built-in HTTPS Everywhere and JavaScript blocker.
30 Brave Browser Script Blocker Bypass
• This vulnerability existed in the old Muon-based codebase. • This bypass abuses the fact that only external scripts are blocked, and inline scripts are not blocked. • Inspired by Tor Browser’s NoScript bypass vulnerability (CVE-2018- 16983) • Discovered in September 2018 by David Albert and me independently, and fixed in October 2018. • CVE-2018-1000815 • Bounty: $1000
31 Brave Browser Script Blocker Bypass
32 Brave Browser Script Blocker Bypass
33 Brave Browser Script Blocker Bypass
34 Tor Browser UI Language Fingerprinting Vulnerability
35 Tor Browser
• Tor Browser takes privacy and security very seriously • Tor Browser hides user’s IP address and tries to mitigate as many fingerprinting attacks as possible • E.g. Time zones, UI language, local ports shouldn’t be discoverable by websites
36 Tor Browser UI Language Detection Vulnerability
• When you open a non-English Tor Browser and visit any website for the first time, it asks if you want websites to know your UI language.
37 Tor Browser UI Language Detection Vulnerability
• Even if you choose “don’t send”, your UI language is still detectable • The trick is to use “button” with default text: • Different languages have different default text
• They have different width, which can be detected in JavaScript: getComputedStyle(button_element, null).getPropertyValue("width");
38 Tor Browser UI Language Detection Vulnerability
39 Tor Browser UI Language Detection Vulnerability
• Reported in October 2017 and fixed in August 2018. • https://hackerone.com/reports/282748 (already disclosed) • CVE-2019-12383 • Bounty: $200
40 Bypass of the First Fix
• The FTP directory UI is localized in Tor Browser • If ftp://example.com/poc/poc.html frames ftp://example.com/poc/, poc.html can read entire HTML source of ftp://example.com/poc/.
41 Bypass of the First Fix
42 Bypass of the First Fix
• Reported in May 2019. Not fixed yet. • https://trac.torproject.org/projects/tor/ticket/30427 • Bounty: $300
43 Conclusion
44 Takeaways
• Reading other researchers' bug reports, papers, and the patches really help you find new vulnerabilities. • Looking for corner cases that developers may neglect to handle correctly (e.g. explicit port, inline scripts, etc). • Security feature bypass is an interesting attack surface to explore.
45 References
• https://chromium.googlesource.com/chromium/src/+/master/do cs/security/faq.md • https://zyan.scripts.mit.edu/presentations/toorcon2015.pdf • https://bugs.chromium.org/p/chromium/issues/detail?id=544765 • https://bugs.chromium.org/p/chromium/issues/detail?id=625945 • https://fetch.spec.whatwg.org/ • http://p42.us/ie8xss/Abusing_IE8s_XSS_Filters.pdf • https://blogs.windows.com/windowsexperience/2018/07/25/ann ouncing-windows-10-insider-preview-build-17723-and-build-18204/
46 References
• https://twitter.com/Zerodium/status/1039127214602641409 • https://github.com/brave/browser-laptop/issues/15232
47 Q & A
• Thank you for your listening!
48