Extreme Client Side Exploitation Notes

Here are my notes from the Black Hat USA 2008 presentation called ‘The Internet is Broken: Beyond Document.Cookie – Extreme Client Side Exploitation‘ by Nathan McFeters, John Heasman, and Rob Carter.

• GIFAR
  • Hybrid .gif and .jar file
    • .gif header is in the beginning of the file
    • .jar header is in the end of the file
  • File will still render fine, and will execute fine when the applet is called
  • Will work with many other file formats as well (office docs, movie files, etc)
• Content ownership
  • Sub-domain should protect against same origin policy
  • Found ways using GIFAR technique to get to primary domain
  • Need to serve content from completely different domain
• HTTP IPC
  • Google Desktop, Google Picasa runs a local webserver
• Local Intranet Zones
  • Any UNC
  • Names that don’t have periods (localhost)
  • IE7 has this zone disabled by default
  • Same origin policy is not strictly enforced in this zone
• Utorrent CSRF
  • Ability to change the completed downloads folder
  • Ability to add and start downloading torrents
  • Threat vector – change downloads folder to the All Users Startup folder and auto download/extract your backdoor
• Java
  • 90% of desktops run Java SE
  • Applet loaded from file:// can read files from the same directory
  • Applet loaded by file or localhost
    • Can enumerate IP bound to each adapter
    • Can listen on a port > 1025 and accept data from localhost
• Google Docs (vulnerability now fixed)
  • doc_id parameter – semi random, but predictable
  • Can view and edit other people’s documents

All of the threat vectors discussed at the presentation was very interesting, but I really like the GIFAR attack. It has a lot of potential because so many sites accept uploading of image files. For more thoughts on the GIFAR attack, here are a few additional links:

• On GIFARs by John Heasman (one of the presenters during this talk)
• On GIFARs by Nathan McFeters (one of the presenters during this talk)
• GIFAR, JPGAR, DOCAR, what’s the deal with the new client side vulnerabilities by Security4all
• Black Hat: The Risks of Trusting Content by Rich Mogull