internet explorer turns your personal computer into a
play

Internet Explorer turns your personal computer into a public File - PowerPoint PPT Presentation

Dec 24, 2023 •218 likes •609 views

Internet Explorer turns your personal computer into a public File Server Black Hat DC 2010 | Jorge Luis Alvarez Medina 1 Jorge Luis Alvarez Medina | CORE Security Technologies | February 2010 Outline Attack results Internet Explorer

  1. Internet Explorer turns your personal computer into a public File Server Black Hat DC 2010 | Jorge Luis Alvarez Medina 1 Jorge Luis Alvarez Medina | CORE Security Technologies | February 2010

  2. Outline • Attack results • Internet Explorer internals: a review • Features (vulnerabilities) enumeration • Turning the features into vulnerabilities to build an attack • Overall Impact • Corrigenda • Demo (BeEF module as proof of concept) • Solutions and workarounds Black Hat DC 2010 | Jorge Luis Alvarez Medina 2

  3. Attack results • A successful compromise will result in an attacker being able to blindly read every single file in the local drive – Either text and binary files (thanks MSXML2.DOMDocument.3.0!) – Cross-domain information • Navigation history • Cookies – SAM backup files – Recently opened files – Personal pictures – Other files, depending on the computer compromised • wwwroot in IIS • Configuration files for other applications Black Hat DC 2010 | Jorge Luis Alvarez Medina 3

  4. Internet Explorer internals: a review • Every browser has its own idiosyncrasies • For the purposes of this presentation, it is convenient to review some design features of Internet Explorer – Security Zones – Zone Elevation – MIME type detection Black Hat DC 2010 | Jorge Luis Alvarez Medina 4

  5. Security Zones • Enable administrators to divide URL namespaces according to their respective levels of trust and to manage each level with an appropriate URL policy Different treatment for web content depending on its source • Five different sets of privileges (zones) – Restricted Sites – Internet – Trusted Sites – Local Intranet – Local Machine Black Hat DC 2010 | Jorge Luis Alvarez Medina 5

  6. Zone Elevation • It occurs when a Web page in a given security zone loads a page from a less restrictive zone in a frame or a new window • Internet Explorer behaves different based on which is the less restrictive zone up to which is trying to elevate – to the Local Machine zone is blocked – to the Intranet or Trusted Sites zones prompts for a confirmation – from the Restricted Sites zone to the Internet zone is allowed • that is a bad idea Black Hat DC 2010 | Jorge Luis Alvarez Medina 6

  7. MIME type detection • Tests URL monikers through the FindMimeFromData method • Determining the MIME type proceeds as follows: – If the suggested MIME type is unknown, FindMimeFromData immediately returns this MIME type as the final determination – If the server-provided MIME type is either known or ambiguous, the buffer is scanned in an attempt to verify or obtain a MIME type • If a positive match is found this MIME type is immediately returned as the final determination, overriding the server-provided MIME type – If no positive match is obtained, and if the server-provided MIME type is known • if no conflict exists, the server-provided MIME type is returned • if conflict exist, the file extension is tried – Otherwise defaults to text/plain or application/octet-stream Black Hat DC 2010 | Jorge Luis Alvarez Medina 7

  8. Features (vulnerabilities) enumeration • Hiding the key under the doormat • A chip off the old block • Two zones, the same place • How to put HTML/script code in remote computers • Everything that glitters is not gold Black Hat DC 2010 | Jorge Luis Alvarez Medina 8

  9. Hiding the key under the doormat • Internet Explorer cookies and history files are stored in different files and folders under %USERPROFILE% • As a security measure, these files are stored inside randomly named folders with random file names • These random names and locations are logged inside different mapping files named index.dat ���������������������������������������������������������� ���������������������������������� �����!����������� �����������������"������������� Black Hat DC 2010 | Jorge Luis Alvarez Medina 9

  10. Hiding the key under the doormat (2) • These files are not entirely text formatted – sensitive information is stored in plain text! • As these files work as maps to other files, access to these files would reveal the actual locations of mapped files and folders Black Hat DC 2010 | Jorge Luis Alvarez Medina 10

  11. A chip off the old block • Internet Explorer resembles Windows Explorer in many aspects – both of them implement the Trident layout engine – both of them support UNC paths for SMB access • This way, Internet Explorer allows to access special files and folders, same as Windows Explorer does. Black Hat DC 2010 | Jorge Luis Alvarez Medina 11

  12. A chip off the old block (2) Black Hat DC 2010 | Jorge Luis Alvarez Medina 12

  13. A chip off the old block (3) Black Hat DC 2010 | Jorge Luis Alvarez Medina 13

  14. A chip off the old block (4) Black Hat DC 2010 | Jorge Luis Alvarez Medina 14

  15. A chip off the old block (5) • Any web page in the Internet zone or above can include an HTML tag as follows: #��� ���$%��&'(�))�*((�*++�������, �%- • It will trigger an SMB request against 208.77.188.166 • As part of the challenge-response negotiation, the client sends to the server the following information about itself: – Windows user name – Windows domain name – Windows computer name – A challenge value chosen by the web server ciphered with the LM/NTLM hash of this user’s password Black Hat DC 2010 | Jorge Luis Alvarez Medina 15

  16. Two zones, the same place • Internet Explorer will determine the security zone of a given UNC address as belonging to: – The Internet security zone if this path contains the IP address of the target machine – The Local Intranet security zone if this path contains the NetBIOS name of the target machine • It makes sense, as SMB names just can be resolved in the same network segment Black Hat DC 2010 | Jorge Luis Alvarez Medina 16

  17. Two zones, the same place (2) • But what about yourself? – \\NEGRITA is in the Local Intranet zone – \\127.0.0.1 is in the Internet zone • This is one of the root causes of the problems the Microsoft staff has into closing the attack vectors exposed here • After several discussions with MSRC team members, they stated this issue is kind of a dead end, and cannot be fixed Black Hat DC 2010 | Jorge Luis Alvarez Medina 17

  18. Two zones, the same place (3) • According to the Security Zones scheme, a page in a given zone can not redirect its navigation to a more privileged zone • This behavior is known as Zone Elevation • Now, consider the following dialog: GET /page.html HTTP/1.0 Host: evil.com HTTP 302 Found Location: \\127.0.0.1\resource.html • In this case Internet Explorer will erroneously (due to this ambiguity) apply Zone Elevation restrictions and the redirection will effectively occur Black Hat DC 2010 | Jorge Luis Alvarez Medina 18

  19. Two zones, the same place (4) • There is another way to bypass Security Zone restrictions • Suppose that example.com (10.1.1.1) was explicitly added to the Restricted Sites Security Zone • Then this URI will be treated with the privileges of that zone !�� .//���� ������/������!��� • However, if the same resource is requested using the UNC notation, it will be treated as belonging to the Internet Security Zone ��*'�*�*�*�������!��� • Restricted Sites restrictions to a given resource are bypassed if it can be accessed using a different protocol [ file: | https: | …] Black Hat DC 2010 | Jorge Luis Alvarez Medina 19

  20. Two zones, the same place (5) Black Hat DC 2010 | Jorge Luis Alvarez Medina 20

  21. How to put HTML/script code in remote computers • There are different ways for remote servers to write HTML/script code in clients hard drives – Navigation history files – Cookies – Mapping files ( Internet Explorer index.dat ) Black Hat DC 2010 | Jorge Luis Alvarez Medina 21

  22. How to put HTML/script code in remote computers (2) • Problems in the design/implementation of these feature – Contents are saved as they were received, with little or no sanitization/overhead, into these files • Including index.dat files – Internet Explorer allows rendering the contents of non-pure HTML files skipping the parts that can not be rendered Black Hat DC 2010 | Jorge Luis Alvarez Medina 22

  23. How to put HTML/script code in remote computers (3) GET /page.html HTTP/1.0 Host: evil.com HTTP 302 Found Set-Cookie: <script>alert('hello world!')</script> Cookie contents: ���� #���� �-�����01!���� 2����13#/���� �- *4&�*+(�*4+�*&4/ *+'' 5�+)''6'5& 5'*&65�( �&�4'++'( 5''��4&) 7 Black Hat DC 2010 | Jorge Luis Alvarez Medina 23

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

EXPLORER+300 Compact for individual usage EXPLORER+ 300 The smallest EXPLORER terminal:

EXPLORER+300 Compact for individual usage EXPLORER+ 300 The smallest EXPLORER terminal:

EXPLORER+300 Compact for individual usage EXPLORER+ 300 The smallest EXPLORER terminal: Weighs only 1.4 kg A single-user terminal: Ideal if your primarily need voice, or moderate speed internet access Compact:

203 views • 6 slides
1 2 3 4 If you are using Internet Explorer with compatibility mode turned on for army.mil

1 2 3 4 If you are using Internet Explorer with compatibility mode turned on for army.mil

1 2 3 4 If you are using Internet Explorer with compatibility mode turned on for army.mil sites, then Internet Explorer will not display the Google reCAPTCHA I am not a robot check box. If you do not see the I am not a robot

425 views • 8 slides
Literary Terms Jeopardy English 9 Directions for online viewing: Use the Internet Explorer

Literary Terms Jeopardy English 9 Directions for online viewing: Use the Internet Explorer

Literary Terms Jeopardy English 9 Directions for online viewing: Use the Internet Explorer Browser, not Netscape. When viewing in Internet Explorer, click the Slide Show button found in the lower-left corner of the screen to view as a

1.02k views • 56 slides
For personal use only ABN 96 124 562 849 Gold Focused Explorer with Gold Resources and Advanced

For personal use only ABN 96 124 562 849 Gold Focused Explorer with Gold Resources and Advanced

For personal use only ABN 96 124 562 849 Gold Focused Explorer with Gold Resources and Advanced Prospects Mining 2014 Important Information For personal use only Forward Looking Statements This presentation contains certain

462 views • 29 slides
For personal use only An Australian flake graphite explorer with substantial high quality assets

For personal use only An Australian flake graphite explorer with substantial high quality assets

For personal use only An Australian flake graphite explorer with substantial high quality assets and access to the worlds largest flake graphite end-user market. Disclaimer For personal use only Investment in Lamboo Resources Limited

425 views • 25 slides
May login with student login or parents login to register Firefox and Internet Explorer

May login with student login or parents login to register Firefox and Internet Explorer

May login with student login or parents login to register Firefox and Internet Explorer are recommended internet browsers for registration Google Chrome will not work for registration Go to Westlake High Schools Home, click

581 views • 17 slides
For personal use only Resources Limited 2007 AGM OUTLINE For personal use only Our Business

For personal use only Resources Limited 2007 AGM OUTLINE For personal use only Our Business

For personal use only Resources Limited 2007 AGM OUTLINE For personal use only Our Business Model Management Projects Capital Structure The Next 5 Years JINDALEE RESOURCES For personal use only Active junior explorer

439 views • 23 slides
Three Layers of Internet Governance protection of personal data illegal and harmful

Three Layers of Internet Governance protection of personal data illegal and harmful

Internet Governance Revisited: Think Decentralization ! Dr. Marc Holitscher, University of Zurich Presentation given at the ITU-workshop on Internet Governance February 26th 2004 Three Layers of Internet Governance protection of personal

407 views • 5 slides
Exploring iPads Apps for Student Learning by Holly Quaratella Turns the iPad into a personal

Exploring iPads Apps for Student Learning by Holly Quaratella Turns the iPad into a personal

Exploring iPads Apps for Student Learning by Holly Quaratella Turns the iPad into a personal whiteboard. Allows the user to create voice-over whiteboard tutorials and share them. Join the Show Me community to view and share lessons.

534 views • 12 slides
Kimi: A Personal Organizer in the internet event space. Stanislav Epifanov, Kirill Ivashov,

Kimi: A Personal Organizer in the internet event space. Stanislav Epifanov, Kirill Ivashov,

Kimi: A Personal Organizer in the internet event space. Stanislav Epifanov, Kirill Ivashov, Alexander Kolosov, Evgenii Tsvetkov, Vyacheslav Dimitrov Petrozavodsk State University Department of Computer Science AMICT Workshop, May 25-27, 2010,

301 views • 10 slides
EXPLORER+325 COMPACT VOICE AND BROADBAND SOLUTION FOR VEHICLES EXPLORER+ 325 Instant

EXPLORER+325 COMPACT VOICE AND BROADBAND SOLUTION FOR VEHICLES EXPLORER+ 325 Instant

EXPLORER+325 COMPACT VOICE AND BROADBAND SOLUTION FOR VEHICLES EXPLORER+ 325 Instant communication: Simply place the antenna on the roof, connect the antenna and your PC to the EXPLORER terminal, switch on the IP Handset and the vehicle

270 views • 10 slides
Introducing EXPLORER 710 Slide 2 - the bar is raised Cobham plc 2 Introducing the EXPLORER 710

Introducing EXPLORER 710 Slide 2 - the bar is raised Cobham plc 2 Introducing the EXPLORER 710

Introducing EXPLORER 710 Slide 2 - the bar is raised Cobham plc 2 Introducing the EXPLORER 710 A state of the art BGAN setting new standards in terms of speed, size and features. Radical improvement in video quality - the first and

110 views • 8 slides
Webmail Walkthrough Settings that need to be in place when connecting to webmail This is if you

Webmail Walkthrough Settings that need to be in place when connecting to webmail This is if you

4 Webmail Walkthrough Settings that need to be in place when connecting to webmail This is if you have a CACnot a token Webmail Walkthrough 4 You must use Internet explorer to use webmail. If an icon for Internet Explorer is not

362 views • 22 slides
EXPLORER+700 When versatility &amp; high-speed matters EXPLORER+ 700 Versatility:

EXPLORER+700 When versatility &amp; high-speed matters EXPLORER+ 700 Versatility:

EXPLORER+700 When versatility &amp; high-speed matters EXPLORER+ 700 Versatility: Provides multiple interfaces to support a wide range of applications. Ideal for video streaming applications and large file transfer. Smaller

286 views • 10 slides
For personal use only ANCHOR RESOURCES LIMITED Mining NSW 2011Conference Anchor Resources

For personal use only ANCHOR RESOURCES LIMITED Mining NSW 2011Conference Anchor Resources

For personal use only ANCHOR RESOURCES LIMITED Mining NSW 2011Conference Anchor Resources Limited For personal use only NEW SOUTH WALES &amp; QUEENSLAND EXPLORER ASX Share Code : AHR For personal use only Disclaimer This presentation has

248 views • 22 slides
Welcome to the Indian Prairie Librarys Internet Class I What Is the Internet? The Internet

Welcome to the Indian Prairie Librarys Internet Class I What Is the Internet? The Internet

Welcome to the Indian Prairie Librarys Internet Class I What Is the Internet? The Internet is the largest computer network in the world, connecting millions of computers. A network can also be a group of two or more computer systems linked

371 views • 13 slides
Real-World Performance of current Mesh Protocols in a small-scale Dual-Radio Multi-Link

Real-World Performance of current Mesh Protocols in a small-scale Dual-Radio Multi-Link

Real-World Performance of current Mesh Protocols in a small-scale Dual-Radio Multi-Link Environment Karl Jonas Manuel Hachtkemper Michael Rademacher manuel.hachtkemper@inf.h-brs.de karl.jonas@h-brs.de michael.rademacher@h-brs.de 22. ITG

450 views • 17 slides
Introduction 1989: a bug in the Internets core routing algorithm inconvenienced a few

Introduction 1989: a bug in the Internets core routing algorithm inconvenienced a few

Preliminaries Syllabus and lecture slides on web site Welcome to COS 461 assume youll keep up with the reading Computer Networks Send me an e-mail name, year, preferred email address jpeg image of yourself Larry

359 views • 7 slides
Internet of Things System Architectures Paul Patras Image: sns-it.ca Thousands of new

Internet of Things System Architectures Paul Patras Image: sns-it.ca Thousands of new

Internet of Things System Architectures Paul Patras Image: sns-it.ca Thousands of new applications spanning numerous domains. Each comes with its own requirements; combining these leads to complex (difficult to manage) and often

609 views • 22 slides
IKEv2 with CGA Jean-Michel Combes jeanmichel.combes@orange.com Aurlien Wailly

IKEv2 with CGA Jean-Michel Combes jeanmichel.combes@orange.com Aurlien Wailly

IKEv2 with CGA Jean-Michel Combes jeanmichel.combes@orange.com Aurlien Wailly aurelien.wailly@orange.com Maryline Laurent Maryline.Laurent@it-sudparis.eu 2011-10-25 ICSNA 2011 1 Outline IPsec IKEv2 CGA IKEv2 with CGA?

744 views • 36 slides
Can your site work on IE3? By: Chen Hui Jing @hj_chen Talk CSS #39 (22 May 2019) Yeo Kheng Meng

Can your site work on IE3? By: Chen Hui Jing @hj_chen Talk CSS #39 (22 May 2019) Yeo Kheng Meng

Can your site work on IE3? By: Chen Hui Jing @hj_chen Talk CSS #39 (22 May 2019) Yeo Kheng Meng @yeokm1 1 1 Agenda 1. Background 2. Quick Live Demo 3. How I got DOS 6.22, Win3.1 and networking to work 4. Live coding/debugging 2

146 views • 13 slides
LEDBAT A PPLICATIONS P RACTICES AND R ECOMMENDATIONS Presenter: Reinaldo Penno,

LEDBAT A PPLICATIONS P RACTICES AND R ECOMMENDATIONS Presenter: Reinaldo Penno,

LEDBAT A PPLICATIONS P RACTICES AND R ECOMMENDATIONS Presenter: Reinaldo Penno, rpenno@juniper.net Co-Authors: Joe Touch, touch@ISI.EDU Richard Woundy, richard_woundy@cable.comcast.com Vijay K. Gurbani, vkg@bell-labs.com Satish Raghunath,

642 views • 15 slides
Cyber@UC Meeting 79 Metasploit If Youre New! Join our Slack: cyberatuc.slack.com Check

Cyber@UC Meeting 79 Metasploit If Youre New! Join our Slack: cyberatuc.slack.com Check

Cyber@UC Meeting 79 Metasploit If Youre New! Join our Slack: cyberatuc.slack.com Check out our website: cyberatuc.org SIGN IN! (Slackbot will post the link in #general every Wed@6:30) Feel free to get involved with one of

693 views • 12 slides
Design, Privilege Separation CS 161: Computer Security Prof. David Wagner January 27, 2016

Design, Privilege Separation CS 161: Computer Security Prof. David Wagner January 27, 2016

Software Security: Design, Privilege Separation CS 161: Computer Security Prof. David Wagner January 27, 2016 Robustness Security bugs are a fact of life How can we use access control to improve the security of software, so security bugs

695 views • 32 slides

More recommend