how to protect your browser 0 day
play

How to protect your browser 0-day Codenamed #IRONSQUIRREL - PowerPoint PPT Presentation

Jul 28, 2023 •160 likes •711 views

How to protect your browser 0-day Codenamed #IRONSQUIRREL TS//SI//FVEY FOUO//SI//FVEY Zoltan Balazs MRG Effitas 2017 November Whoami? Zombie Browser Toolkit https://github.com/Z6543/ZombieBrowserPack HWFW Bypass tool Idea later(?)

  2. How to protect your browser 0-day Codenamed #IRONSQUIRREL TS//SI//FVEY FOUO//SI//FVEY Zoltan Balazs – MRG Effitas 2017 November

  3. Whoami? Zombie Browser Toolkit https://github.com/Z6543/ZombieBrowserPack HWFW Bypass tool • Idea later(?) implemented by nation state attackers in Duqu 2.0 https://github.com/MRGEffitas/hwfwbypass Malware Analysis Sandbox Tester tool https://github.com/MRGEffitas/Sandbox_tester Played with crappy IoT devices https://jumpespjump.blogspot.hu/2015/09/how-i-hacked-my-ip-camera-and-found.html https://jumpespjump.blogspot.hu/2015/08/how-to-secure-your-home-against.html

  4. Table of contents Introduction to ECDH / #IRONSQUIRREL Attacker model Why is this different/new Defense/offense

  5. Win Hacker Pschorr Find Cyber on the slides

  6. How did it all begin? I had this “discussion” with nextgen/breach-detection vendors that their network appliance can be bypassed in a way that they can’t even see an exploit happened or malware was delivered They told me it is impossible

  8. Why should you listen to this talk? Exploit brokers and law enforcement • Effective way to prevent the 0-day exploit code being leaked Pentesters/red team members • Bypass perimeter defenses, some host IDS Blue team members, forensics investigators, exploit kit researchers • How current defenses can be bypassed via #IRONSQUIRREL browser exploit delivery Rest of you • Learning about elliptic curve cryptography is always fun

  9. Introduction to Exploit kits, targeted attacks with 0-dayz DH key agreement ECDH key agreement Encrypted browser exploit delivery My idea implemented by the bad guys

  10. Browser exploits, exploit kits “An exploit kit is a software kit designed to run on web servers, with the purpose of identifying software vulnerabilities in client machines communicating with it, and discovering and exploiting vulnerabilities to upload and execute malicious code on the client.” https://en.wikipedia.org/wiki/Exploit_kit

  11. Lost 0-day exploit => $$$-- Targeting of Ahmed Mansoor with iOS Safari 0-day exploit • http://www.5z8.info/malicious-cookie_z2m5jd_mydick • iOS 0-day exploit • 100 000 USD – 1 500 000 USD • Mansoor still in prison L Tor browser 0-day exploit used by law enforcement on pedophile site • http://www.5z8.info/twitterhack_u3o2ex_this-page-will- steal-all-of-your-personal-data • Tor Browser 0-day : 30 000 USD https://www.zerodium.com/program.html Both exploit leaked, burnt

  12. Diffie-Hellman key agreement - 1976 http://mathhombre.blogspot.hu/2014_05_01_archive.html https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange

  13. E lliptic C urve based D iffie- H ellman (ECDH) key agreement ECDH key agreement 5-10 times faster on same CPU [citation needed] DH key agreement is too slow for JS It is like you know the start and end position of the billiard ball on the table, but god knows the way it took to get there http://arstechnica.com/security/2013/10/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/1/

  14. #IRONSQUIRREL

  15. Demo with test JavaScript in Chrome

  16. Implementation details Original Node.JS POC – 2 June, 2015 New Ruby POC compatible and tested with • Edge • IE11 (older IE just sucks, can’t crypto) • Firefox (Tor Browser) • Chrome • Opera • Mobile Safari • Mobile Chrome • Android built-in browser

  17. DH implemented in exploit kits FireEye analysis – Angler exploit kit • “First” in-the-wild DH encrypted exploit • Only shellcode was protected by encryption https://www.fireeye.com/blog/threat-research/2015/08/cve-2015-2419_inte.html “You might think this is coincidental, but I assure you it is not …” https://www.youtube.com/watch?v=XeDq GwQkDk8

  19. DH implemented in exploit kits “Several days ago analysts found the usage of the Diffie-Hellman cryptographic protocol in the Angler Exploit Kit, … that is the first known case of its usage in an exploit kit.” Weakness demonstrations • Use of DH instead of ECDH • Short keys suspected to be factorized 2017 May: Astrum/Stegano exploit kit back with DH exploit delivery https://securelist.com/blog/research/72097/attacking-diffie- hellman-protocol-implementation-in-the-angler-exploit-kit/

  21. Attacker model Who is my attacker? • The reverse engineer (RE), who tries to reverse the precious 0-day exploit • The nextgen/breach-detection system What is the capability of the attacker? • See next slides

  22. RE can record (and replay) network traffic

  23. RE can debug in browser – JavaScript level Has access to DOM in browser

  24. RE can debug the browser – Assembly level This is not always trivial – e.g. if you can’t jailbreak iOS

  25. Network forensics When checking IRONSQUIRREL network traffic, you see • Bunch of crypto libraries • Public key exchange • Encrypted blobs • Without the shared key, you can’t do much • Unless you have a kick-ass quantum computer • Attackers: just use quantum resistant key exchange Debugging in browser is possible – but I will recommend some tricks to make this harder

  26. Why is this different, new? Protecting the browser exploit code was so far obfuscation only • It was encryption with keys known to the attacker • Now, it is encryption with keys not know to the attacker Why is this different then SSL/TLS ? How does this affect exploit replay? Why is this different then StegoSploit?

  27. IRONSQUIRREL exploit delivery VS exploit kits using SSL/TLS If you control the client (the analysis machine), TLS MiTM is trivial Deep Packet Inspection • TLS MiTM at enterprises • TLS MiTM with intercept proxies like Burp or Fiddler at home or your lab

  28. Traditional browser exploits forensics Reproducible exploit replay with Fiddler or similar SSL/TLS exploit delivery can be replayed if MiTM is possible IRONSQUIRREL exploit delivery cannot be replayed • The client will generate different public/private key • Client will send different public key to replay server • Replay server either sends the encrypted data with the old key, or can’t generate new ECDH key thus fails to replay

  29. Exploit replay with and without IRONSQUIRREL

  31. Astrum EK replay broken Fun fact: even if exploit is not 0-day, other threat groups can’t steal your exploit code http://blog.trendmicro.com/trendlabs-security-intelligence/astrum-exploit-kit-abuses-diffie-hellman-key-exchange/

  32. IRONSQUIRREL exploit delivery VS Stegosploit “Stegosploit creates a new way to encode "drive-by" browser exploits and deliver them through image files” … “image based exploit delivery - Steganography and Polyglots” Stegosploit is good at hiding your exploit. But it is replayable, thus easy to analyse once recorded/identified http://stegosploit.info/ It is possible to combine Stegosploit with IRONSQUIRREL

  33. IRONSQUIRREL exploit delivery VS Heartbleed TLS Heartbeet can be sent either • In clear-text before handshake finished • Encrypted, after handshake It is harder to create IDS signatures for the encrypted payload. Heartbleed exploit uses encryption as part of the protocol. IRONSQUIRREL exploit delivery uses encryption as an additional module to make reversing harder

  34. Defense and offense Prevention and detection on the network level Analysis on the endpoint How to make endpoint analysis (a lot) harder

  35. Anti-analysis improvements One-time URLs (URL is dead after one use) • In Law Enforcement mode, use one-time URL per logged in user! Time-limits to prevent manual debugging Remove full DOM after exploit runs

  36. Case study – Tor browser exploit

  37. Prevent the IRONSQUIRREL exploit attacks via network defenses IRONSQUIRREL specific blocking/detection • Detection of (EC)DH encrypted traffic • Will lead to False Positives (FP) Non IRONSQUIRREL specific blocking/detection • Block uncategorized/new domains • Domain white-listing

  38. Web ISOLATION Web Isolation is • Something like a proxy • Code runs on a remote server • Rendered data is forwarded to client browser • Exploit code “runs” on remote server • Tested, it blocked Firefox and IE exploits • If you have Chrome 0-day targeting Linux, let me know

  39. Delivery method improvements To bypass uncategorized/new domain prevention/detection • Use of watering hole • Quantum insert techniques • Warning, might not be available in your attacker capability

  40. Analyze IRONSQUIRREL exploits on the endpoint Log the shared key and/or client private key “Fix” the random generator – generate same client private keys always “Hook” the JS code to immediately return with the same client secret key Remote debugging iOS Safari on OS X Detailed JS execution Tracelog • https://github.com/szimeus/evalyzer --> check out this great project!

  41. Evalyzer MS16-051 demo

  42. Anti-analysis improvements Detect debug window (client-side protection L ) https://github.com/zswang/jdetects Proper fingerprinting of the target before exploit delivery Code obfuscation – effective against MiTM * Generate multiple DH private keys and check if it is the same * http://blog.trendmicro.com/trendlabs-security-intelligence/how-exploit-kit- operators-are-misusing-diffie-hellman-key-exchange/

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

06. Protect ction from Browser fi fingerprinting Nataliia

06. Protect ction from Browser fi fingerprinting Nataliia

06. Protect ction from Browser fi fingerprinting Nataliia Bielova @nataliabielova September 17 th =21 st , 2018 Web Privacy course University of Trento Nataliia Bielova

857 views • 20 slides
Firefox Security Sid Stamm <sid@mozilla.com> Browser as a Protector Protect Site

Firefox Security Sid Stamm <sid@mozilla.com> Browser as a Protector Protect Site

Firefox Security Sid Stamm <sid@mozilla.com> Browser as a Protector Protect Site Content Safe Platform Third-Party Features Keeping your Secrets Content Restrictions Content Security Policy Content Restrictions Document

560 views • 43 slides
Competition Law Strategies: - Protect Your Brand - - Protect Your Retail Partners - - Protect

Competition Law Strategies: - Protect Your Brand - - Protect Your Retail Partners - - Protect

Competition Law Strategies: - Protect Your Brand - - Protect Your Retail Partners - - Protect Your Revenue - Brussels, Geneva Luxury Law New York Summit David Hull 14 November 2018

461 views • 19 slides
Browser and Network request Browser website CS 4803 reply Network OS Computer and Network

Browser and Network request Browser website CS 4803 reply Network OS Computer and Network

Browser and Network request Browser website CS 4803 reply Network OS Computer and Network Security Hardware Alexandra (Sasha) Boldyreva Browser sends requests May reveal private information (in forms, cookies) Web security.

517 views • 7 slides
RequireJS Javascript Modules for the Browser By Ben Keith Quoin, Inc. Traditional Browser JS

RequireJS Javascript Modules for the Browser By Ben Keith Quoin, Inc. Traditional Browser JS

RequireJS Javascript Modules for the Browser By Ben Keith Quoin, Inc. Traditional Browser JS One global namespace Often inline JS code embedded directly in HTML Many <script> tags with hidden ordering dependencies Very

362 views • 15 slides
Circumventing Internet censorship with Tor Philipp Winter The Tor Project What Tor Browser does

Circumventing Internet censorship with Tor Philipp Winter The Tor Project What Tor Browser does

Circumventing Internet censorship with Tor Philipp Winter The Tor Project What Tor Browser does Standard Tor is easy to block GetTor helps you get Tor Browser GetTor helps you get Tor Browser Tor Browser ships with default

567 views • 24 slides
ITS ALL ABOUT YOUR SURVIVAL HEALTH INSURANCE Doctors protect your life, you protect your

ITS ALL ABOUT YOUR SURVIVAL HEALTH INSURANCE Doctors protect your life, you protect your

ITS ALL ABOUT YOUR SURVIVAL HEALTH INSURANCE Doctors protect your life, you protect your investments. I&I will protect your Survival! PRESENTATION Policy that suits every pocket any medical emergency. Medi-claim, Accidental Death,

65 views • 3 slides
THE BROWSER IS DEAD Dan North Dan North & Associates LONG LIVE THE BROWSER! Dan North

THE BROWSER IS DEAD Dan North Dan North & Associates LONG LIVE THE BROWSER! Dan North

THE BROWSER IS DEAD Dan North Dan North & Associates LONG LIVE THE BROWSER! Dan North Dan North & Associates The gangs 1990: Tim Berners-Lee - (WorldWideWeb) 1993: NCSA Mosaic 1994: Netscape - Navigator 1995: Microsoft -

971 views • 21 slides
CS371m - Mobile Computing WebView and Web Services Using Built In Browser App To use the

CS371m - Mobile Computing WebView and Web Services Using Built In Browser App To use the

CS371m - Mobile Computing WebView and Web Services Using Built In Browser App To use the built in browser create an Intent and start the Activity 2 WebView A View that display web pages basis for creating your own web browser OR

1.28k views • 54 slides
Today s class How to configure your browser to protect

Today s class How to configure your browser to protect

05. Protection from Web Tracking Nataliia Bielova @nataliabielova September 17 th -21 st , 2018 Web Privacy course University of Trento Today s class How to configure

374 views • 33 slides
Description and the merits of M-Protect A new software, M-Protect, based on a U.S. Patent #

Description and the merits of M-Protect A new software, M-Protect, based on a U.S. Patent #

Description and the merits of M-Protect A new software, M-Protect, based on a U.S. Patent # 7571220, delivers many powerful commercial features. The new product will not only stop the spam mails, it will also offer auto-sorting of incoming

81 views • 4 slides
How to Protect: How to Protect: Water Farmlands & Forests Farmlands & Forests

How to Protect: How to Protect: Water Farmlands & Forests Farmlands & Forests

How to Protect: How to Protect: Water Farmlands & Forests Farmlands & Forests Farms as Viable Businesses 1 Land Policy Task Force y Virginia Tech Build-out Analysis of Floyd County Subdivision Trends in FC

489 views • 22 slides
PROTECT WP6 Extension /Validation of Benefit-Risk Methods, Tools and Processes Evaluated

PROTECT WP6 Extension /Validation of Benefit-Risk Methods, Tools and Processes Evaluated

PROTECT WP6 Extension /Validation of Benefit-Risk Methods, Tools and Processes Evaluated in PROTECT- WP5 Presented by: Andrea Beyer, EMA Outline Challenges in medical decision making About IMI-PROTECT PROTECT Work Package 5

591 views • 29 slides
GWT-Gears The Browser is the Platform The Browser is the Platform Didier Girard

GWT-Gears The Browser is the Platform The Browser is the Platform Didier Girard

GWT-Gears The Browser is the Platform The Browser is the Platform Didier Girard girard.d@sfeir.com Sfeir CTO Member of OSSGTP Before starting, some questions Who knows javascript ? Who is a javascript expert ? Who knows java ?

1.57k views • 93 slides
FCIC-112798 1. Protect the United States from terrorist attack 2. Protect the United States

FCIC-112798 1. Protect the United States from terrorist attack 2. Protect the United States

FCIC-112798 1. Protect the United States from terrorist attack 2. Protect the United States against foreign intelligence operations and . espionage 3. Protect the United States against cyber-based attacks and high- technology crimes 4. Combat

670 views • 29 slides
Google Chrome The Invisible Browser Ben Goodger Tech Lead, User Interface Google Inc.

Google Chrome The Invisible Browser Ben Goodger Tech Lead, User Interface Google Inc.

Google Chrome The Invisible Browser Ben Goodger Tech Lead, User Interface Google Inc. Beginnings A new browser... a new opportunity A modern platform for web applications Objective: An Invisible Browser Deliver a transparent experience:

557 views • 9 slides
Bi-Continuous Domains and Some Old Problems in Domain Theory Talk at Domains IX Klaus Keimel

Bi-Continuous Domains and Some Old Problems in Domain Theory Talk at Domains IX Klaus Keimel

Bi-Continuous Domains and Some Old Problems in Domain Theory Talk at Domains IX Klaus Keimel October 21, 2008 Warning: These Notes contain the contents of my Talk at Domains IX. There may be mistakes. References are incomplete. Comments are

142 views • 11 slides
Semantic spaces in Priestley form Mohamed El-Zawawy PhD work - Birmingham (UK) Supervisor:

Semantic spaces in Priestley form Mohamed El-Zawawy PhD work - Birmingham (UK) Supervisor:

Semantic spaces in Priestley form Mohamed El-Zawawy PhD work - Birmingham (UK) Supervisor: Prof. Achim Jung Inst of Cybernetics Estonia Dec 4, 2008 Semantics of programming languages : is about developing techniques for designing and

1.07k views • 25 slides
A Z 2 -Bratteli-Vershik model Ian F. Putnam, University of Victoria 1 I will first describe the

A Z 2 -Bratteli-Vershik model Ian F. Putnam, University of Victoria 1 I will first describe the

A Z 2 -Bratteli-Vershik model Ian F. Putnam, University of Victoria 1 I will first describe the Bratteli-Vershik model for Z -actions due to R. Herman, IFP, C. Skau, building heavily on the work of A. Vershik (quite successful) and then

514 views • 32 slides
= = = f f BOB BOB meaning vectors of words not does like = not like Alice Bob Alice

= = = f f BOB BOB meaning vectors of words not does like = not like Alice Bob Alice

The logic of quantum mechanics - take II arXiv:1204.3458 ALICE ALICE f f f f = = = f f BOB BOB meaning vectors of words not does like = not like Alice Bob Alice Bob not pregroup grammar genesis genesis

978 views • 79 slides
Interprofessional and Integrative Pain Management Joanna G Katzman, MD, MSPH Associate Professor

Interprofessional and Integrative Pain Management Joanna G Katzman, MD, MSPH Associate Professor

Interprofessional and Integrative Pain Management Joanna G Katzman, MD, MSPH Associate Professor University of New Mexico School of Medicine Director, UNM Pain Center Project ECHO Pain Disclosure No Conflict of Interest Nothing to

540 views • 27 slides
Some contemporary and speculative theology about where and how God may fit into the worlds

Some contemporary and speculative theology about where and how God may fit into the worlds

Some contemporary and speculative theology about where and how God may fit into the worlds suffering and pain. God does not directly send or will pain, death, suffering and disease. God does not punish us. God does not actively will or

128 views • 8 slides
Assumption-based Argumentation Xiuyi Fan, Claudia Schulz, Francesca Toni Department of Computing,

Assumption-based Argumentation Xiuyi Fan, Claudia Schulz, Francesca Toni Department of Computing,

Assumption-based Argumentation Xiuyi Fan, Claudia Schulz, Francesca Toni Department of Computing, Imperial College London, UK August 27, 2015 Outline Assumption-based Argumentation (ABA) as a form of structured argumentation with roots in

352 views • 9 slides
What is a What are Support Vector Machines Support Vector Machine? Used For? An optimally

What is a What are Support Vector Machines Support Vector Machine? Used For? An optimally

What is a What are Support Vector Machines Support Vector Machine? Used For? An optimally defined surface Classification Typically nonlinear in the input space Regression and data-fitting Linear in a higher dimensional

577 views • 8 slides

More recommend