Sunday, November 29, 2009

Breaking the Browser Sandbox and stealing some files

If you are using Internet Explorer and if it has the flash player plug-in installed then an attacker can steal files from your local file system through the browser. For this attack to be performed the victim and attacker should be part of the same private network, the best candidate for this is unsecured WiFi hotspot.
The attack is possible because of some unique characteristics of Internet Explorer and Flash player which in isolation don’t create so much of a problem. But you put them together and you end up with a real killer.

Internet Explorer will automatically load any resources from network shares with anonymous read access, it does not prompt the user for permission. If any website includes an iframe to a resource from a network share then it is loaded.
Flash files loaded from network shares can read files from the local file system even if they run within the browser. Such files must have the "Access local files only" setting for "Local playback security".
Though they can read files all networking capability for these files are restricted, well almost. Since the flash player considers network shares as local file system, flash files can read files placed in network shares as well. Reading a file from a network share requires making a SMB request over to the server containing the share. This request carries the name and location of the file to open, this can be of a maximum length of 259 bytes.

This feature can be used to send data as well by putting the data in the SMB request. For example a flash file from an anonymous share on the attacker's computer loads in the victim's browser in an iframe. This reads files from the victim's local file system and breaks down the file contents in to smaller chunks less than 259 bytes each. Now the flash file attempts to read files from the attacker’s anonymous share but instead of specifying a valid filename it gives one of the chunks as the filename. Now this chunk goes to attacker's system in a SMB packet. The attacker can sniff these packets, extract the chunks and assemble them together to get the entire file content out. It is possible to transfer data at the rate of 234.24 kbps using this technique.

Imposter can perform this attack but it has a slightly lower transfer rate since it includes some metadata in the request to help in reassembly. The whole attack is silent with no user interaction or alert. I would be giving more details on this attack in a whitepaper, should be out soon.

2 comments:

  1. Does this work if the victim use a VPN?

    ReplyDelete
  2. @anon
    You mean the victim connects to your open WiFi but then creates a VPN tunnel? No.

    However, if the victim opens his browser(which automatically loads the homepage) before the VPN tunnel is set-up then the attack would work.

    Check out the whitepaper for more details: http://www.andlabs.org/whitepapers/F_IE_PrisonBreak.pdf

    Hope this helps.

    ReplyDelete